enterprise ipv6 deployment strategies

Andrew Yourtchenko, Technical Leader, [email protected]. 7th Slovenian IPv6 summit, 18-19 Oct 2012. http://go6.si/7-slo-ipv6-summit/ Enterprise IPv6 deployment strategies


Post on 12-May-2015


DESCRIPTION

Enterprise IPv6 Deployment Strategies presented at go6.

TRANSCRIPT

Page 1: Enterprise IPv6 Deployment Strategies

Andrew Yourtchenko Technical Leader

[email protected]

7th Slovenian IPv6 summit, 18-19 Oct 2012

http://go6.si/7-slo-ipv6-summit/

Enterprise IPv6 deployment strategies

Page 2: Enterprise IPv6 Deployment Strategies

© 2012 Cisco and/or its affiliates. All rights reserved. 2

IPv6 Estimated Adoption Timeframes

Early Adopters

Globalization IPv6 Government

Mandate Deadlines

IPv4/IPv6 Co-existence

High Risk Low Risk Moderate Risk

2012 2012 2014

Transition Planning

•  2012: Mandates take effect – Globalization - WorldIPv6Launch - Massive Mobile deployment. Transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach

IPv6 Business Impact – The Cost of Waiting Goes Up

•  2012: Low Impact – Buying behavior shift limited to mandated and early adopters

•  2014: IPv6 is mainstream – customers without transition infrastructure experience reduced service levels, diminished customer reach

Page 3: Enterprise IPv6 Deployment Strategies


6lab.cisco.com/stats

Internet Transit

Content

Users

Page 4: Enterprise IPv6 Deployment Strategies

[Chart: "1. When are you deploying IPv6 in production". Categories: Done, 6 months, 12 months, 24 months, No plan. Axis: 0% to 25%.]

65% of Cisco Enterprise Technology Advisory Board members will have IPv6 WEB sites by Q2 2013

Page 5: Enterprise IPv6 Deployment Strategies

[Chart: "2. What are Top 3 drivers ?". Categories: Internet evolution, Globalisation, Vendor Strategy, Device/OS (BYOD), Mandate, Leadership, Other. Axis: 0% to 30%.]

Internet Business Continuity B2C, B2B

Page 6: Enterprise IPv6 Deployment Strategies

Inside – Out

•  Globalization

•  Technology Leadership

•  Industry mandate

•  BYOD-Security-Visibility

•  Flatten management plane

Dual-Stack Enterprise IPv4 Internet

Outside – In

•  Internet Evolution

•  Business Continuity

•  B2C, B2B

IPv4 Enterprise IPv6 Internet

http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html

Page 7: Enterprise IPv6 Deployment Strategies


IPv6

IPv4

IPv4-only Server

a) Server Load Balancer http reverse proxy

IPv6 Internet

ACE30

IPv4

Back-End

WEB

DMZ

IPv4-only Server

b) Software Proxy Web Tier

IPv6

IPv4

Apache MSFT PortProxy

IPv6 Internet

IPv4

DMZ

WEB

c) Stateful NAT64

IPv4-only Server

IPv6

IPv4

IPv6 Internet

ASR1000

IPv4

DMZ

Email VPN WEB

ASA

Page 8: Enterprise IPv6 Deployment Strategies


IPv6 Internet

IPv4

Services

DMZ

WEB Email ..etc..

Datacenter Block

Core - WAN

Campus Block

Branch

Services

•  Life-Cycle management, depends on Timing and Use case

•  Native/Dual-Stack where you can, Tunnels where you must

•  Security – Visibility – Management

•  IPv6 Host Configuration.

Page 9: Enterprise IPv6 Deployment Strategies


IPv6 Internet

IPv4

Services

DMZ

WEB Email ..etc..

Orderly Transition – Slow to dual-Stack all the way to user

•  Dual-Stack Core – Network based Tunnel to connect island

•  ISATAP for IPv6 services to users… Design gotchas

•  Dual-Stack selected part of DC (server front-end)

Datacenter Block

Core - WAN

Campus Block

Branch

Services

ISATAP

Page 10: Enterprise IPv6 Deployment Strategies


IPv6 Internet

IPv4

Services

DMZ

WEB Email ..etc..

End User and Service first - Challenging but Doable

•  First Hop Security

•  Network based Tunnel to connect Islands

•  Dual-Stack selected part of DC (server front-end)

Datacenter Block

Core - WAN

Campus Block

Branch

Services

AnyConnect

Page 11: Enterprise IPv6 Deployment Strategies


L2

IPv6/IPv4 Dual Stack Hosts

Access Layer

Distribution Layer

Core Layer

L3 WLC 7.2

Dual-Stack WAN

802.1x and Port ACL
•  Authorize Device
•  Filter traffic on Layer 2 ports

IPv6 RA Guard / Throttler
•  Stops Rogue Router Advertisement threats

IPv6 NDP inspection
•  Enforce Mac/IPv6 binding
•  Prevents Neighbor Discovery spoofing attacks

IPv6 uRPF
•  Blocks spoofed traffic in hardware

NDP Address Gleaning
•  Discover Address binding
•  Audit Trail
•  Revoke inactive devices

Source Guard:
•  Stops traffic from un-authorized sources.

Port Security:
•  Prevents TCAM overflow

DHCP Guard
•  Prevent rogue DHCP server

IPv6 First Hop Security Suite
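How RA Guard, NDP address gleaning, NDP inspection and Source Guard from this slide interact on one access switch, as an added sketch that is not code from the presentation or from Cisco. The Frame and AccessSwitch classes, the port names, the trusted-uplink rule and all sample frames are assumptions constructed for illustration; real implementations also glean from DHCPv6 and expire bindings.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Frame:                      # constructed, simplified view of one frame
    port: str                     # switch port it arrived on
    mac: str                      # source MAC
    src: str                      # IPv6 source (for NS/NA: the claimed address)
    kind: str                     # "RA", "NS", "NA" or "DATA"

@dataclass
class AccessSwitch:               # hypothetical model, not a vendor API
    router_ports: set                              # ports where routers legitimately sit
    bindings: dict = field(default_factory=dict)   # IPv6 -> (MAC, port)
    audit: list = field(default_factory=list)      # every decision, for the audit trail

    def handle(self, f: Frame) -> str:
        verdict = self._decide(f)
        self.audit.append((f.port, f.mac, f.src, f.kind, verdict))
        return verdict

    def _decide(self, f: Frame) -> str:
        if f.kind == "RA":                         # RA Guard: RAs only from router ports
            return "forward" if f.port in self.router_ports else "drop:ra-guard"
        if f.port in self.router_ports:            # uplink treated as trusted (assumption)
            return "forward"
        addr = ipaddress.ip_address(f.src)         # normalise text form before comparing
        owner = self.bindings.get(addr)
        if f.kind in ("NS", "NA"):
            if owner is None:                      # gleaning: first claimant wins
                self.bindings[addr] = (f.mac, f.port)
                return "forward"
            return "forward" if owner == (f.mac, f.port) else "drop:ndp-inspection"
        # DATA: Source Guard forwards only traffic that matches a known binding
        return "forward" if owner == (f.mac, f.port) else "drop:source-guard"

SAMPLE = [  # constructed frames; addresses are from documentation ranges
    Frame("Gi1/0/24", "00:00:5e:00:53:01", "fe80::1", "RA"),
    Frame("Gi1/0/5", "00:00:5e:00:53:aa", "2001:db8:0:1::10", "NS"),
    Frame("Gi1/0/7", "00:00:5e:00:53:bb", "fe80::bad", "RA"),
    Frame("Gi1/0/7", "00:00:5e:00:53:bb", "2001:DB8:0:1::10", "NA"),
    Frame("Gi1/0/5", "00:00:5e:00:53:aa", "2001:db8:0:1::10", "DATA"),
    Frame("Gi1/0/7", "00:00:5e:00:53:bb", "2001:db8:0:1::99", "DATA"),
]

def run_sample():
    sw = AccessSwitch(router_ports={"Gi1/0/24"})
    return [sw.handle(f) for f in SAMPLE], sw
```

The audit list records every verdict with port, MAC and address, which is the per-device trail the gleaning bullet refers to.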

Page 12: Enterprise IPv6 Deployment Strategies


L2

IPv6/IPv4 Dual Stack Hosts

IPv6 SLA: E2E test, measurement (UDP-Jitter, UDP-Echo, ICMP Echo, TCP Connect)

IPv6 Traffic Metering with NAM and Flexible Netflow, including tunnel (export over IPv4)

IPv6 Apps and Tunnel detection with NBAR2

L3 Campus

IPv6 MIBs and host support

IPv6 over IPv4 tunnel

IPv4 WAN

NAM Traffic Analyzer Integrated Management & Reporting Console

ASA and IOS Tunnel Filtering

Page 13: Enterprise IPv6 Deployment Strategies


Page 14: Enterprise IPv6 Deployment Strategies


Page 15: Enterprise IPv6 Deployment Strategies


•  Do not jeopardize existing IPv4 services and applications, such as cisco.com and the internal corporate network

•  Preserve the cisco.com brand and control over the cisco.com experience

•  Do not compromise the corporate security posture

•  Re-use existing infrastructure, capabilities, content, and application environments whenever possible

•  Compile lessons learned to share with customers

Page 16: Enterprise IPv6 Deployment Strategies


Page 17: Enterprise IPv6 Deployment Strategies


Page 18: Enterprise IPv6 Deployment Strategies


Page 19: Enterprise IPv6 Deployment Strategies


IPv6 IPv4

Cisco.com Web Servers

Server Load Balancer (ACE)

DMZ Network, Security

Database

App Platforms

Data Center Network

Internet

Svc Assurance

Svc Assurance

Middleware

Content IdM, Authz

AKAMAI

www.cisco.com

www.cisco.com

Cisco.com Web Servers

Server Load Balancer (ACE)

DMZ Network, Security

Database

App Platforms

Data Center Network

Svc

Assurance

Svc

Assurance

Middleware

Content IdM, Authz

AKAMAI

Cisco.com Web Servers

Server Load Balancer (ACE)

DMZ Network, Security, Proxy

Database

App Platforms

Data Center Network

Svc

Assurance

Middleware

Content IdM, Authz

AKAMAI

IPv6 IPv4 Internet

www.cisco.com

www.cisco.com

IPv6 IPv4 Internet

www.cisco.com

www.cisco.com

Model 1 - Proxy at Internet Edge

Model 2 – SLB64 Model 3 – Dual Stack Web Servers

Page 20: Enterprise IPv6 Deployment Strategies


Cisco’s IPv6 Web Presence Design for www.cisco.com

Cisco IPS 4260

Cisco ASR 1002

Cisco ACE 30 origin-www.cisco.com 2001:420:1101:1::a

Cisco Catalyst 6500

Cisco ASA 5585

Internet

Cisco ACE 20 origin-www.cisco.com 72.163.4.161

www.cisco.com

www.cisco.com

IPv4 IPv6

IPv6 IPv4

Cisco.com Web Servers

Server Load Balancer (ACE)

DMZ Network, Security

Database App Platforms

Data Center Network

Svc

Assurance

Svc

Assurance

Middleware Content IdM, Authz

AKAMAI

IPv6 IPv4 Internet

www.cisco.com

www.cisco.com

Model 2 – SLB64

Page 21: Enterprise IPv6 Deployment Strategies


Cisco’s IPv6 Web Presence

Cisco IPS 4260

Cisco ASR 1002

Cisco ACE 30 origin-www.cisco.com 2001:420:1101:1::a

Cisco Catalyst 6500

Cisco ASA 5585

Internet

Cisco ACE 20 origin-www.cisco.com 72.163.4.161

Firewall Policy Anti-Spoofing

Firewall Policy

NetFlow v9 (forensic records)

BGP Blackhole (mitigation)

Logging

Arbor (Anomaly Detection)

V6-only signatures V4+V6 signatures

IPv6 IPv4

Security for www.cisco.com

Page 22: Enterprise IPv6 Deployment Strategies


www.cisco.com www.webex.com home.cisco.com

Page 23: Enterprise IPv6 Deployment Strategies


Page 24: Enterprise IPv6 Deployment Strategies


Page 25: Enterprise IPv6 Deployment Strategies

IT IPv6 Readiness Assessment

CDO / Vendor Product Readiness

IT Design and Certification

Technology Refresh

Partnership with AS and CDO, Leverage NDCS Fleet Program Approx. 5400 Out of 8800 Network Devices Required Upgrades or Refresh

Production Deployment

Post Production Assessment

Limited Deployment

Pilot

Page 26: Enterprise IPv6 Deployment Strategies


•  Anycast-based ISATAP since 2003

•  Dualstack on the wired on selected sites

•  Dualstack on the wireless

•  DHCPv6 support for printers => static addresses

Page 27: Enterprise IPv6 Deployment Strategies


•  Catalyst 6k & Nexus 7000 based => same as backbone

•  Limited dualstacking in FY12 on systems, primarily: management systems for monitoring of IPv6 web presence; IPv6 services to enable desktop operation, e.g. DHCPv6 on CNR 7.2

Page 28: Enterprise IPv6 Deployment Strategies


Khalid Jawaid, Network Engineer, Cisco IT


Page 29: Enterprise IPv6 Deployment Strategies

•  100% of the core network is IPv6-enabled

•  IPv6 interconnect between WebEx datacenter & Cisco network

•  ± 30% of Cisco’s global offices are dualstack

80+ new global sites by the end of FY13

Page 30: Enterprise IPv6 Deployment Strategies


•  Engage early with IT teams outside the core networking team.

•  Consider the implications of IPv6 addresses with external parties.

•  Account for lead time from vendors in your project plans.

•  Realize that end-device operating systems behave differently with IPv6.

•  Tuning of hardware

•  Cross functional testing

•  Freeze Periods

Page 31: Enterprise IPv6 Deployment Strategies


What have you enabled IPv6 on today ?

Winston Churchill

Page 32: Enterprise IPv6 Deployment Strategies

•  IPv6 Education

•  Training: IPv6 FD

•  Certified Pro. CCIE/CCDE/CCDP/CCNA/CCNP

•  CiscoLive, Conferences & Webinars

•  Cisco Press

•  IPv6 Knowledge Portal

•  Comprehensive Advanced Services

•  IPv6 Support Community

•  IPV6 adoption Statistics

•  Leading in Certification

www.cisco.com/go/ipv6

Page 33: Enterprise IPv6 Deployment Strategies

Hurricane Electric, IPv4 exhaust: http://ipv6.he.net/statistics/

IPv6 adoption statistics: http://6lab.cisco.com/stats/

ISOC, World IPv6 Launch: www.worldipv6launch.org

Cisco IPv6 home page: www.cisco.com/go/ipv6

Cisco IPv6 Knowledge portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html

Cisco IPv6 Support community: https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition

Cisco Blog IPv6 Tag: blogs.cisco.com/tag/ipv6

Lippis Report Podcast Interview - Alain Fiocco: http://lippisreport.com/2012/07/world-ipv6-day-marks-massive-transition-in-ip-addressing-what-it-means-to-you/

Certification, USGv6/IPV6RL Ph2: https://www.iol.unh.edu/services/testing/ipv6/usgv6tested.php

Twitter: #IPv6, @alainfiocco, @Deploy360, @TeamARIN

LinkedIn Group: http://www.linkedin.com Groups: IPv6, IPv6 Enthusiasts, IPv6Security