Enterprise IPv6 deployment strategies
Post on 12-May-2015
Andrew Yourtchenko Technical Leader
ayourtch@cisco.com
7th Slovenian IPv6 summit, 18-19 Oct 2012
http://go6.si/7-slo-ipv6-summit/
Enterprise IPv6 deployment strategies
© 2012 Cisco and/or its affiliates. All rights reserved. 2
IPv6 Estimated Adoption Timeframes
[Figure: IPv6 estimated adoption timeline. Phases shown: Early Adopters; Globalization and IPv6 Government Mandate Deadlines; IPv4/IPv6 Co-existence. Time axis: 2012, 2012, 2014; risk levels: High Risk, Low Risk, Moderate Risk]
Transition Planning
• 2012: Mandates take effect – Globalization - WorldIPv6Launch - Massive Mobile deployment. Transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach
IPv6 Business Impact – The Cost of Waiting Goes Up
• 2012: Low Impact – Buying behavior shift limited to mandated and early adopters
• 2014: IPv6 is mainstream – customers without transition infrastructure experience reduced service levels, diminished customer reach
[Figure: IPv6 adoption statistics from 6lab.cisco.com/stats; panels: Internet Transit, Content, Users]
65% of Cisco Enterprise Technology Advisory Board members will have IPv6 WEB sites by Q2 2013
Internet Business Continuity B2C, B2B
Inside – Out (Dual-Stack Enterprise, IPv4 Internet)
• Globalization
• Technology Leadership
• Industry mandate
• BYOD-Security-Visibility
• Flatten management plane
Outside – In (IPv4 Enterprise, IPv6 Internet)
• Internet Evolution
• Business Continuity
• B2C, B2B
http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html
[Figure: three options for reaching IPv4-only servers from the IPv6 Internet]
a) Server Load Balancer / HTTP reverse proxy (ACE30): IPv6 Internet → IPv6 to the SLB in the DMZ → IPv4 to the back-end WEB server (IPv4-only)
b) Software proxy in the web tier (Apache, MSFT PortProxy): IPv6 Internet → IPv6 to the proxy in the DMZ → IPv4 to the WEB server (IPv4-only)
c) Stateful NAT64 (ASR1000, with ASA): IPv6 Internet → NAT64 → IPv4 DMZ services (Email, VPN, WEB) on IPv4-only servers
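Option c) depends on a translator mapping IPv6 clients onto IPv4 servers. The script below is an added example, not part of the presentation and not Cisco code: it shows the address-mapping half of NAT64 as defined in RFC 6052, embedding an IPv4 address in, and recovering it from, the well-known prefix 64:ff9b::/96 and the other prefix lengths the RFC allows. The deck only names stateful NAT64 on ASR1000; the prefixes and IPv4 addresses used here are constructed sample values. The mapping matters to a defender because DMZ ACLs and log parsers must recognise which IPv6 addresses are synthesized ones.

```python
import ipaddress
from typing import Optional

# RFC 6052 permits these prefix lengths for IPv4-embedded IPv6 addresses;
# 64:ff9b::/96 is the well-known NAT64 prefix.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix using the RFC 6052 layout.

    For every prefix shorter than /96 the octet at bits 64-71 (the 'u' octet)
    must be zero, so the IPv4 octets are placed around it.
    """
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {VALID_PREFIX_LENGTHS}")
    out = bytearray(net.network_address.packed)
    v4 = ipaddress.IPv4Address(ipv4).packed
    if plen == 96:
        out[12:16] = v4
    elif plen == 64:
        out[9:13] = v4
    elif plen == 56:
        out[7] = v4[0]
        out[9:12] = v4[1:]
    elif plen == 48:
        out[6:8] = v4[:2]
        out[9:11] = v4[2:]
    elif plen == 40:
        out[5:8] = v4[:3]
        out[9] = v4[3]
    else:  # /32
        out[4:8] = v4
    if plen < 96:
        out[8] = 0  # the 'u' octet
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix: str, ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the embedded IPv4 address; None if the address is not a synthesized one."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS or addr not in net:
        return None
    b = addr.packed
    if plen == 96:
        v4 = b[12:16]
    elif plen == 64:
        v4 = b[9:13]
    elif plen == 56:
        v4 = b[7:8] + b[9:12]
    elif plen == 48:
        v4 = b[6:8] + b[9:11]
    elif plen == 40:
        v4 = b[5:8] + b[9:10]
    else:  # /32
        v4 = b[4:8]
    return ipaddress.IPv4Address(v4)


if __name__ == "__main__":
    # Constructed sample values: documentation address 192.0.2.33 and 2001:db8::/32 prefixes.
    for pfx in ("64:ff9b::/96", "2001:db8::/32", "2001:db8:100::/40",
                "2001:db8:122::/48", "2001:db8:122:300::/56", "2001:db8:122:344::/64"):
        v6 = synthesize(pfx, "192.0.2.33")
        print(f"{pfx:24} -> {v6}  (back to {extract(pfx, str(v6))})")
```

A point to keep in mind when this sits in a DMZ: with stateful NAT64 the IPv4-only server sees the translator's IPv4 pool address as the client, so per-client accounting needs the translator's session log rather than the server's access log.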
[Figure: enterprise reference topology: IPv6 Internet and IPv4 Services; DMZ (WEB, Email, etc.); Datacenter Block; Core - WAN; Campus Block; Branch; Services]
• Life-cycle management, depends on timing and use case
• Native/Dual-Stack where you can, tunnels where you must
• Security – Visibility – Management
• IPv6 Host Configuration
[Figure: same reference topology (IPv6 Internet, IPv4 Services, DMZ with WEB, Email, etc., Datacenter Block, Core - WAN, Campus Block, Branch, Services) with ISATAP tunnels from the dual-stack core to users]
Orderly Transition – slow to dual-stack all the way to the user
• Dual-Stack Core – network based tunnel to connect islands
• ISATAP for IPv6 services to users… design gotchas
• Dual-Stack selected part of DC (server front-end)
[Figure: same reference topology (IPv6 Internet, IPv4 Services, DMZ with WEB, Email, etc., Datacenter Block, Core - WAN, Campus Block, Branch, Services) with AnyConnect for remote users]
End User and Service first – challenging but doable
• First Hop Security
• Network based tunnel to connect islands
• Dual-Stack selected part of DC (server front-end)
[Figure: campus layers: Access Layer (L2, IPv6/IPv4 dual-stack hosts), Distribution Layer, Core Layer (L3, WLC 7.2), Dual-Stack WAN]
IPv6 First Hop Security Suite
• 802.1x and Port ACL: authorize device; filter traffic on Layer 2 ports
• IPv6 RA Guard / Throttler: stops rogue Router Advertisement threats
• IPv6 NDP inspection: enforce MAC/IPv6 binding; prevents Neighbor Discovery spoofing attacks
• IPv6 uRPF: blocks spoofed traffic in hardware
• NDP Address Gleaning: discover address binding; audit trail; revoke inactive devices
• Source Guard: stops traffic from unauthorized sources
• Port Security: prevents TCAM overflow
• DHCP Guard: prevents rogue DHCP server
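The RA Guard entry above names a switch feature without showing what it checks. As an added example, not from the presentation and not Cisco's implementation, the script below performs the core of an RA Guard check in Python: it parses an ICMPv6 Router Advertisement, verifies the RFC 4861 sanity conditions (link-local source, hop limit 255), and compares the source router and every advertised prefix against an allowed list. The allowed router fe80::1, the prefix 2001:db8:1::/64 and the two sample packets are constructed for the example; the packet builder exists only to produce that input.

```python
import ipaddress
import struct
from typing import List

# Assumed site policy (constructed for this example): the only legitimate router on
# the segment and the only prefix it is expected to advertise.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFORMATION = 3


def build_ra(src: str, dst: str, prefix: str, hop_limit: int = 255) -> bytes:
    """Construct a minimal IPv6 packet carrying an ICMPv6 Router Advertisement.

    Sample-input builder for this example; the ICMPv6 checksum stays zero because
    inspect_ra() does not verify it.
    """
    net = ipaddress.IPv6Network(prefix)
    prefix_opt = struct.pack(
        "!BBBBIII16s",
        ND_OPT_PREFIX_INFORMATION, 4,   # option type, length in 8-octet units
        net.prefixlen, 0xC0,            # prefix length, L and A flags set
        2592000, 604800, 0,             # valid lifetime, preferred lifetime, reserved
        net.network_address.packed,
    )
    icmp = struct.pack("!BBHBBHII",
                       ND_ROUTER_ADVERT, 0, 0,  # type, code, checksum (left zero)
                       64, 0, 1800,             # cur hop limit, M/O flags, router lifetime
                       0, 0) + prefix_opt       # reachable time, retrans timer
    ip6 = struct.pack("!IHBB16s16s",
                      0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return ip6 + icmp


def inspect_ra(pkt: bytes) -> List[str]:
    """Apply RA Guard style checks to one packet; returns the violations found (empty = accept).

    Packets that are not Router Advertisements yield no findings. Packets carrying IPv6
    extension headers before ICMPv6 are not walked here and therefore yield none either.
    """
    if len(pkt) < 40:
        return ["truncated IPv6 header"]
    vtf, payload_len, next_hdr, hop_limit, src_b, _dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtf >> 28 != 6 or next_hdr != IPPROTO_ICMPV6:
        return []
    body = pkt[40:40 + payload_len]
    if len(body) < 16 or body[0] != ND_ROUTER_ADVERT:
        return []
    findings: List[str] = []
    src = ipaddress.IPv6Address(src_b)
    # RFC 4861: an RA must come from a link-local source and carry hop limit 255,
    # which proves it was not forwarded from another link.
    if hop_limit != 255:
        findings.append(f"hop limit {hop_limit} != 255")
    if not src.is_link_local:
        findings.append(f"source {src} is not link-local")
    if src not in ALLOWED_ROUTERS:
        findings.append(f"unauthorized router source {src}")
    # Walk the ND options (TLVs with length in 8-octet units) and vet each advertised prefix.
    off = 16
    while off + 2 <= len(body):
        opt_type, opt_len = body[off], body[off + 1]
        if opt_len == 0:
            findings.append("zero-length ND option")
            break
        end = off + opt_len * 8
        if end > len(body):
            findings.append("truncated ND option")
            break
        if opt_type == ND_OPT_PREFIX_INFORMATION and opt_len == 4:
            plen = body[off + 2]
            try:
                advertised = ipaddress.IPv6Network((body[off + 16:off + 32], plen), strict=False)
            except ValueError:
                findings.append(f"invalid prefix length {plen}")
            else:
                if advertised not in ALLOWED_PREFIXES:
                    findings.append(f"unexpected prefix {advertised}")
        off = end
    return findings


if __name__ == "__main__":
    # Two constructed packets: one from the expected router, one from an unexpected source.
    good = build_ra("fe80::1", "ff02::1", "2001:db8:1::/64")
    bad = build_ra("fe80::bad", "ff02::1", "2001:db8:dead::/64", hop_limit=64)
    print("expected router :", inspect_ra(good) or "accept")
    print("unexpected router:", inspect_ra(bad))
```

A switch running RA Guard drops the frame on the access port; this script only reports, which is the behaviour wanted when the check is fed from a monitoring span before enforcement is turned on. It also returns early whenever an extension header precedes the ICMPv6 header, so a production check must walk the full header chain (RFC 7113 gives implementation advice on exactly this point).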
[Figure: L2 access with IPv6/IPv4 dual-stack hosts, L3 campus, IPv6 over IPv4 tunnel across the IPv4 WAN, NAM Traffic Analyzer with integrated management and reporting console]
• IPv6 SLA: end-to-end test and measurement (UDP-Jitter, UDP-Echo, ICMP Echo, TCP Connect)
• IPv6 traffic metering with NAM and Flexible NetFlow, including tunnels (export over IPv4)
• IPv6 apps and tunnel detection with NBAR2
• IPv6 MIBs and host support
• ASA and IOS tunnel filtering
• Do not jeopardize existing IPv4 services and applications, such as cisco.com and the internal corporate network
• Preserve the cisco.com brand and control over the cisco.com experience
• Do not compromise the corporate security posture
• Re-use existing infrastructure, capabilities, content, and application environments whenever possible
• Compile lessons learned to share with customers
[Figure: Cisco.com web presence models. Each model shows the same stack: IPv6/IPv4 Internet → www.cisco.com → Server Load Balancer (ACE) → Cisco.com Web Servers → DMZ Network, Security (with Proxy in one model) → Data Center Network → App Platforms, Database, Middleware, Content, IdM, Authz, Service Assurance, AKAMAI]
Model 1 – Proxy at Internet Edge
Model 2 – SLB64
Model 3 – Dual Stack Web Servers
Cisco’s IPv6 Web Presence Design for www.cisco.com
[Figure: Model 2 – SLB64: IPv6/IPv4 Internet → www.cisco.com → Server Load Balancer (ACE) → Cisco.com Web Servers → DMZ Network, Security → Data Center Network → App Platforms, Database, Middleware, Content, IdM, Authz, Service Assurance, AKAMAI]
Model 2 – SLB64
Cisco’s IPv6 Web Presence
Security for www.cisco.com
• Firewall policy, anti-spoofing
• NetFlow v9 (forensic records)
• BGP blackhole (mitigation)
• Logging
• Arbor (anomaly detection)
• V6-only signatures and V4+V6 signatures
www.cisco.com www.webex.com home.cisco.com
Cisco IT IPv6 program phases:
• IT IPv6 Readiness Assessment
• CDO / Vendor Product Readiness
• IT Design and Certification
• Technology Refresh: partnership with AS and CDO, leverage NDCS Fleet Program; approx. 5400 out of 8800 network devices required upgrades or refresh
• Pilot
• Limited Deployment
• Production Deployment
• Post Production Assessment
• Anycast-based ISATAP since 2003
• Dualstack on the wired on selected sites
• Dualstack on the wireless
• DHCPv6 support for printers => static addresses
• Catalyst 6k & Nexus 7000 based => same as backbone
• Limited dual-stacking in FY12 on systems, primarily: management systems for monitoring of the IPv6 web presence; IPv6 services to enable desktop operation, e.g. DHCPv6 on CNR 7.2
Khalid Jawaid, Network Engineer, Cisco IT
• 100% of the core network is IPv6-enabled
• IPv6 interconnect between WebEx datacenter & Cisco network
• ± 30% of Cisco’s global offices are dual-stack
• 80+ new global sites by the end of FY13
• Engage early with IT teams outside the core networking team.
• Consider the implications of IPv6 addresses with external parties.
• Account for lead time from vendors in your project plans.
• Realize that end-device operating systems behave differently with IPv6.
• Tuning of hardware
• Cross functional testing
• Freeze Periods
What have you enabled IPv6 on today?
Winston Churchill
• IPv6 Education
• Training: IPv6 FD
• Certified Pro.: CCIE/CCDE/CCDP/CCNA/CCNP
• CiscoLive, Conferences & Webinars
• Cisco Press
• IPv6 Knowledge Portal
• Comprehensive Advanced Services
• IPv6 Support Community
• IPv6 adoption Statistics
• Leading in Certification
www.cisco.com/go/ipv6
Resources
• Hurricane Electric, IPv4 exhaust: http://ipv6.he.net/statistics/
• IPv6 adoption statistics: http://6lab.cisco.com/stats/
• ISOC, World IPv6 Launch: www.worldipv6launch.org
• Cisco IPv6 home page: www.cisco.com/go/ipv6
• Cisco IPv6 Knowledge portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
• Cisco IPv6 Support community: https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition
• Cisco Blog IPv6 Tag: blogs.cisco.com/tag/ipv6
• Lippis Report Podcast Interview - Alain Fiocco: http://lippisreport.com/2012/07/world-ipv6-day-marks-massive-transition-in-ip-addressing-what-it-means-to-you/
• Certification, USGv6/IPV6RL Ph2: https://www.iol.unh.edu/services/testing/ipv6/usgv6tested.php
• Twitter: #IPv6, @alainfiocco, @Deploy360, @TeamARIN
• LinkedIn Group: http://www.linkedin.com Groups: IPv6, IPv6 Enthusiasts, IPv6Security