BRKIP6-2301

Enterprise IPv6 Deployment

Tim Martin

CCIE #2020

@bckcntryskr

cs.co/ciscolivebot#BRKIP6-2301

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How

1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Agenda

General Design

Host Configuration

Access Layer

Data Center

WAN Deployment

Internet Edge

Conclusion


Enterprise IPv6 Guidance

• RFC 7381 enterprise IPv6 guidelines
• White paper Cisco.com
• Cisco Press Live Lesson

Offer: 60% off
Code: MARTIN60
ISBN: 9780134655512

Where Do We Start?

Core-to-Access
• Gain experience with IPv6
• Turn up your servers
• Enable the experience

Access-to-Core
• Securing and monitoring
• Internet Edge – Business continuity

[Diagram: Branch – Access – Campus Core – Internet Edge – ISP/Internet; ISP WAN; Servers]

Dual Stack Mode

• Preferred Method, Versatile, Scalable and Highest Performance
• No Dependency on IPv4, runs in parallel on the same HW
• No tunnelling, MTU, NAT or performance degrading technologies
• Does require IPv6 support on all devices

[Diagram: IPv6/IPv4 Dual-stack Hosts – Access Layer – Distribution Layer – Core Layer – Aggregation Layer (DC) – Access Layer (DC) – IPv6/IPv4 Dual-stack Server]

What about IPv6 only?

Is everything ready?
• Network services
• Applications
• Operations and Management
• Connectivity to non-IPv6 resources
• NAT64/DNS64

RFCs are out there
• RFC 6586 - Experiences from an IPv6-Only Network
• RFC 7755 - SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Center Environments
• RFC 7756 - Explicit Address Mappings for Stateless IP/ICMP Translation

[Diagram: IPv6 forwarding end to end – End Point, Customer Edge, Access Network, SP Edge, Core Transport, DC Edge, DC Network, Servers/Services, VM, Apps, Services, Processes]

Global Address Assignment

Provider Allocated (PA)
• From your ISP, single homed
• /48 - /60

Provider Independent (PI)
• Multi home, Multi provider
• /32 - /48

Local Internet Registry (LIR)
• Regional registry member
• Acquire & manage space
• /29 - /32

[Diagram: allocation hierarchy – IANA 2000::/3 → Registries (RIR) /12 → ISP /32 (PA) or Org /32 (PI) → /48 → Level Four Entity /48 → Subordinate /48]

Multinational Model

• PA or PI from each region you operate in
• Coordination of advertised space within each RIR
• Most run PI from primary region as an LIR

[Diagram: RIR /12 blocks – 2a00:0000::/12, 2600:0000::/12, 2400:0000::/12, 2c00:0000::/12, 2800:0000::/12]

Prefix Length Considerations

Point to Point /127
• RFC 6164, cache exhaustion
• Reserve a /64, configure a /127

Loopback or Anycast /128

Anywhere a host exists /64
• RFC 7421, rationale for /64

[Diagram: Hosts /64 – Core /64 or /127 – Pt 2 Pt /127 – Hosts /64 – Servers /64 – Loopback /128]

Explaining BIG Numbers With Math

The LAN size standard has been set at a /64
• 18,446,744,073,709,600,000 IPv6 addresses

Let’s attempt to exhaust all of the available addresses
• We will allocate 10,000,000 addresses per second
• Hint: there are 31,536,000 seconds per year

10,000,000 x 31,536,000 = 315,360,000,000,000
18,446,744,073,709,600,000 / 315,360,000,000,000 = 58,494 years

Source: ©fotofabrika
Attribution: Ed Horley

Building the IPv6 Address Plan
Location-based Plan (/48)

• 4 bits = (16) Locations (states, counties, agencies, etc.)
• 4 bits = (16) Buildings or sub levels within a location
• 4 bits = (16) Floors or directional pointers
• 4 bits = (16) Traffic Types (Admin, Guest, Telephony, etc.)

2001:db8:4646:xxxx::
0001 1000 0011 0110
2001:db8:4646:1836::

Building the IPv6 Address Plan
Function-based Plan (/48)

• 4 bits = (16) Traffic Types (Admin, Guest, Telephony, etc.)
• 4 bits = (16) Locations (states, counties, agencies, etc.)
• 4 bits = (16) Buildings or sub levels within a location
• 4 bits = (16) Floors or directional pointers

2001:db8:4646:xxxx::
0110 0001 1000 0011
2001:db8:4646:6183::
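The two nibble layouts above are easy to get wrong by hand, so here is an added Python example (not from the deck) that encodes and decodes the 16-bit subnet ID for both the location-based and the function-based plan using the deck's 2001:db8:4646::/48, and shows why the field order matters: the plan's leading fields decide which prefixes you can summarise or write a single ACL for. The plan names and field names are assumptions for the example.

```python
import ipaddress

SITE_PREFIX = ipaddress.IPv6Network("2001:db8:4646::/48")   # the /48 used in the deck

# Field order of the two plans in the deck: each field is one 4-bit nibble of the
# 16-bit subnet ID, most significant nibble first (names are this example's own).
LOCATION_PLAN = ("location", "building", "floor", "traffic_type")
FUNCTION_PLAN = ("traffic_type", "location", "building", "floor")


def _nibble(name, value):
    # Each field gets exactly 4 bits, i.e. 16 values, as the deck states.
    if not 0 <= value <= 0xF:
        raise ValueError(f"{name}={value} does not fit in 4 bits (max 16 values)")
    return value


def encode_subnet(plan, site=SITE_PREFIX, **fields):
    """Build the /64 for one (location, building, floor, traffic type) tuple."""
    if set(fields) != set(plan):
        raise ValueError(f"expected exactly the fields {plan}")
    subnet_id = 0
    for name in plan:
        subnet_id = (subnet_id << 4) | _nibble(name, fields[name])
    # The subnet ID occupies bits 64..79 of the address (hextet 4).
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def decode_subnet(plan, net, site=SITE_PREFIX):
    """Recover the plan fields from a /64, e.g. when reading a log line or an ACL hit."""
    net = ipaddress.IPv6Network(net)
    if net.prefixlen != 64 or not net.subnet_of(site):
        raise ValueError(f"{net} is not a /64 inside {site}")
    subnet_id = (int(net.network_address) >> 64) & 0xFFFF
    return {name: (subnet_id >> (12 - 4 * i)) & 0xF for i, name in enumerate(plan)}


def aggregate(plan, site=SITE_PREFIX, **leading):
    """Shortest prefix covering every subnet that shares the given leading fields.
    Under the location plan this is the per-location summary route; under the
    function plan it is the one prefix an ACL needs per traffic type."""
    names = plan[:len(leading)]
    if set(leading) != set(names):
        raise ValueError(f"leading fields must be the first fields of the plan: {names}")
    value = 0
    for name in names:
        value = (value << 4) | _nibble(name, leading[name])
    plen = site.prefixlen + 4 * len(names)
    return ipaddress.IPv6Network((int(site.network_address) | (value << (128 - plen)), plen))


if __name__ == "__main__":
    # The deck's two worked examples: 1/8/3/6 in both orders.
    print(encode_subnet(LOCATION_PLAN, location=1, building=8, floor=3, traffic_type=6))
    print(encode_subnet(FUNCTION_PLAN, traffic_type=6, location=1, building=8, floor=3))
    print(aggregate(FUNCTION_PLAN, traffic_type=6))   # one prefix for all Guest-type subnets
```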

Unique Local Address (ULA)

• Automatic Prefix Generation (RFC 4193) non sequential /48
• Some may find it attractive (home net, Sec Ops)
• Multiple policies to maintain (ACL, QoS, Routing)
• Caution - source address selection using ULA & IPv4

fc00::/7
• fc00::/8 – reserved
• fd00::/8 – private

[Diagram: Corporate Backbone running ULA fd9c:58ed:7d73::/48 and Global 2001:db8:cafe::/48 in parallel; per-site subnets fd9c:58ed:7d73:2000::/64 with 2001:db8:cafe:2000::/64, fd9c:58ed:7d73:3000::/64 with 2001:db8:cafe:3000::/64, fd9c:58ed:7d73:4000::/64 with 2001:db8:cafe:4000::/64; the Internet is reached via the global prefix]
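An added Python example (not from the deck) of the two points above: it derives a /48 the way RFC 4193 section 3.2.2 specifies (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits become the Global ID), and it shows the address-selection caution by ranking destinations with the precedence column of the RFC 6724 default policy table. The MAC addresses and timestamp are constructed, and only destination rule 6 (prefer higher precedence) is modelled.

```python
import hashlib
import ipaddress
import struct
import time


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: seconds since 1900-01-01 plus a 32-bit fraction."""
    secs = int(unix_time) + 2208988800
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def mac_to_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ula_prefix(mac, unix_time=None):
    """RFC 4193 section 3.2.2: SHA-1(NTP time || EUI-64), keep the least significant
    40 bits as the Global ID, prepend fd00::/8 (L bit = 1) -> a non-sequential /48."""
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time) + mac_to_eui64(mac)
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


# Default policy table of RFC 6724 section 2.1 as (prefix, precedence); the label
# column is omitted because only precedence is needed for rule 6.
RFC6724_POLICY = [
    ("::1/128", 50), ("::/0", 40), ("::ffff:0:0/96", 35), ("2002::/16", 30),
    ("2001::/32", 5), ("fc00::/7", 3), ("::/96", 1), ("fec0::/10", 1), ("3ffe::/16", 1),
]


def precedence(addr):
    """Precedence of a destination under the default table (longest match wins).
    IPv4 destinations are evaluated as IPv4-mapped IPv6 addresses, as RFC 6724 does."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        a = ipaddress.IPv6Address("::ffff:" + str(a))
    matches = [(ipaddress.IPv6Network(p).prefixlen, prec)
               for p, prec in RFC6724_POLICY if a in ipaddress.IPv6Network(p)]
    return max(matches)[1]


def preferred_destination(candidates):
    """Rule 6 only, assuming the earlier rules tie: a host whose only IPv6 addresses
    are ULA ends up preferring the IPv4 destination (precedence 35 beats 3)."""
    return max(candidates, key=precedence)


if __name__ == "__main__":
    print(ula_prefix("00:24:56:75:44:33"))            # constructed MAC, current time
    print(preferred_destination(["fd9c:58ed:7d73:2000::10", "192.0.2.10"]))   # IPv4 wins
    print(preferred_destination(["2001:db8:cafe:2000::10", "192.0.2.10"]))    # GUA wins
```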

Infrastructure Link Local Addressing

• Topology hiding, Interfaces cannot be seen by off link devices
• Reduces routing table prefix count, less configuration
• Need to use GUA for generating ICMPv6 messages
• What about DNS?, Traceroute, WAN Connections, etc.
• RFC 7404 – Details pros and cons

[Diagram: GUA on the Internet and WAN/MAN facing interfaces; fe80::/64 only on internal infrastructure links]

Agenda

General Design

Host Configuration

Access Layer

Data Center

WAN Deployment

Internet Edge

Conclusion


IPv6 Host Portion Address Assignment

Similar to IPv4
• Manually configured
• Assigned via DHCPv6

New in IPv6
• Stateless Address Auto Configuration
  • SLAAC EUI64
  • SLAAC Privacy Addressing
• * Secure Neighbor Discovery (SeND)

Router Advertisement Provisioning

• Type: 134 (RA) Code: 0
• Flags: 0x84
  • M-Flag – Stateful DHCPv6 to acquire IPv6 address
  • O-Flag – Stateless DHCPv6 in addition to SLAAC
• Preference Bits – low, med, high
• Router Lifetime – Must be >0 for default
• Options - Prefix Information, Length, Flags
  • L bit – Host installs the prefix as on link
  • A bit – Instructs hosts to auto configure an address

RA decode:
Type: 134 (RA) Code: 0
Checksum: 0xff78 [correct]
Cur hop limit: 64
Flags: 0x84
  1... .... = Managed (M flag)
  .0.. .... = Not other (O flag)
  ..0. .... = Not Home (H flag)
  ...0 1... = Router pref: High
Router lifetime: (s) 1800
Reachable time: (ms) 3000000
Retrans timer: (ms) 1000
ICMPv6 Option 3 (Prefix Info)
  Prefix length: 64
  Flags: 0x84
    1... .... = On link (L Bit)
    .1.. .... = Autonomous (A Bit)
  Prefix: 2001:db8:4646:234::/64

Host Address Acquisition

C:\Documents and Settings\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state

Interface 5: Local Area Connection

Addr Type  DAD State  Valid Life    Pref. Life    Address
---------  ---------  ------------  ------------  -----------------------------
Public     Preferred  29d23h58m25s  6d23h58m25s   2001:db8:4646:1:4f02:8a49:41ad:a136
Temporary  Preferred  6d21h48m47s   21h46m        2001:db8:4646:1:bd86:eac2:f5f1:39c1
Link       Preferred  infinite      infinite      fe80::4f02:8a49:41ad:a136

netsh interface ipv6>show route
Querying active state

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ---------------------
no       Autoconf  8    2001:db8:4646:1::/64      5    Local Area Connection
no       Autoconf  256  ::/0                      5    fe80::20d:bdff:fe87:f6f9

Client Provisioning DHCPv6 & SLAAC

SLAAC address tracking
• Radius accounting, CAM table scrapes
• Older OS’s (MSFT) lack support for RDNSS

username=joe@example.org Acct-Session-Id=xyz Acct-Status-Type=Start Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::d00d

username=joe@example.org Acct-Session-Id=xyz Acct-Status-Type=Alive Framed-IP-Address=192.0.2.1 Framed-IPv6-Address=fe80::d00d Framed-IPv6-Address=2001:db8::d00d Framed-IPv6-Address=2001:db8::d00d

DHCPv6 challenges
• MAC address for reservations, inventory, tracking
• Android doesn't support DHCPv6

Understand the implications of switching methods
• Inconsistent amongst the OS’s

[Diagram: DHCPv6 Server – Internet – hosts A, B, C receiving the RA from the router]

Disabling SLAAC/Privacy Addresses

• Enable DHCPv6 via the M flag
• Disable prefix auto configuration
• Enable router preference to high
• Enable DHCPv6 relay destination

interface fastEthernet 0/0
 ipv6 address 2001:db8:4646:acc1::1/64
 ipv6 nd managed-config-flag
 ipv6 nd prefix default no-autoconfig
 ipv6 nd router-preference high
 ipv6 dhcp relay destination 2001:db8:4646::cafe
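To tie the RA flag bits of the "Router Advertisement Provisioning" slide to the policy this configuration produces, here is an added Python example (not from the deck) that builds and parses an ICMPv6 RA with its Prefix Information option and then reports any deviation from the intended state: M flag set, A bit clear, router preference high, non-zero router lifetime, and only the expected prefix. The sample RA and the expected-prefix set are constructed for the example; the check is the kind of comparison an operator makes when validating what hosts on a segment actually receive.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
ROUTER_PREF = {0: "medium", 1: "high", 2: "reserved", 3: "low"}   # RFC 4191 Prf bits


def build_ra(flags, router_lifetime, reachable_ms, retrans_ms, prefixes):
    """Serialise an RA (ICMPv6 checksum left at 0) with Prefix Information options.
    prefixes: iterable of (prefix, option_flags, valid_lifetime, preferred_lifetime)."""
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    for prefix, pflags, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           valid, preferred, 0) + net.network_address.packed
    return pkt


def parse_ra(pkt):
    """Decode the RA header flags and every Prefix Information option."""
    if len(pkt) < 16:
        raise ValueError("truncated RA")
    typ, code, _cksum, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "cur_hop_limit": hop,
        "managed": bool(flags & 0x80),       # M: use stateful DHCPv6 for addresses
        "other": bool(flags & 0x40),         # O: DHCPv6 for other configuration only
        "home_agent": bool(flags & 0x20),    # H
        "router_pref": ROUTER_PREF[(flags >> 3) & 0x3],
        "router_lifetime": lifetime,         # 0 means "do not use me as default router"
        "reachable_time": reach,
        "retrans_timer": retrans,
        "prefixes": [],
    }
    off = 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated ND option")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("ND option overruns packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", pkt[off + 2:off + 12])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((pkt[off + 16:off + 32], plen), strict=False),
                "on_link": bool(pflags & 0x80),      # L bit
                "autonomous": bool(pflags & 0x40),   # A bit: hosts form SLAAC addresses
                "valid": valid,
                "preferred": preferred,
            })
        off = end   # unknown options are skipped, as RFC 4861 requires
    return ra


def check_ra_policy(ra, expected_prefixes):
    """List how a parsed RA deviates from the DHCPv6-only access-layer policy."""
    problems = []
    if ra["router_lifetime"] == 0:
        problems.append("router lifetime 0: router will not be used as default gateway")
    if not ra["managed"]:
        problems.append("M flag clear: hosts will not use stateful DHCPv6")
    if ra["router_pref"] != "high":
        problems.append(f"router preference {ra['router_pref']}: expected high")
    for p in ra["prefixes"]:
        if str(p["prefix"]) not in expected_prefixes:
            problems.append(f"unexpected prefix {p['prefix']}: not an approved router")
        if p["autonomous"]:
            problems.append(f"A bit set on {p['prefix']}: SLAAC/privacy addresses will be formed")
    return problems


# Constructed sample (not a capture from the deck): M set, Prf high, lifetime 1800 s,
# one prefix with L set and A clear, which is what the configuration above yields.
SAMPLE_RA = build_ra(0x88, 1800, 3000000, 1000,
                     [("2001:db8:4646:234::/64", 0x80, 2592000, 604800)])
EXPECTED_PREFIXES = {"2001:db8:4646:234::/64"}

if __name__ == "__main__":
    print(check_ra_policy(parse_ra(SAMPLE_RA), EXPECTED_PREFIXES))   # [] when compliant
```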

Agenda

General Design

Host Configuration

Access Layer

Data Center

WAN Deployment

Internet Edge

Conclusion


IPv6 First Hop Redundancy Protocols

• FHRPs provide resilient default gateway
• First hop address to end-stations
• IPv6 has a “built in” FHRP mechanism
• Neighbor Unreachability Detection (NUD)
• HSRP, GLBP, and VRRP alternatives
• Millisecond timers for fast convergence
• Preempt timers need to be tuned
• To avoid black-holed traffic

[Diagram: two distribution switches sharing the virtual gateway address fe80::234]

IPv6 FHS

Core Features

RA Guard – Protection:
• Rogue or malicious RA
• MiM attacks

DHCPv6 Guard – Protection:
• Invalid DHCP Offers
• DoS attacks
• MiM attacks

Advanced Features

Source/Prefix Guard – Protection:
• Invalid source address
• Invalid prefix
• Source address spoofing

Destination Guard – Protection:
• DoS attacks
• Scanning
• Invalid destination address

Scalability & Performance

RA Throttle – Facilitates:
• Scale, converting multicast traffic to unicast

ND Multicast Suppress – Reduces:
• Control traffic necessary for proper link operations to improve performance

IPv6 Snooping

IPv6 Wi-Fi & RA Throttler

• Scaling the 802.11 multicast reliability issues
• Controller response (proxy) to RS with unicast RA
• Controller rate limits the periodic RAs, while allowing RS to flow
• Proxy services reduce the amount of processing on end devices

[Diagram: client RS (2) answered by the controller with a unicast RA (4); Periodic (RAs) from the router are throttled]

IPv6 Wi-Fi & ND Multicast Suppression

• Uses a binding table similar to RFC 6620
• Binding table keeps track of “associated” MAC addresses
• Purges MAC addresses from device when they “disassociate”
• Caching allows the Controller to “proxy” the NA, based on gleaning

[Diagram: binding table 00:24:56:75:44:33 → 2001:db8:0:20::2, 00:24:56:11:93:28 → 2001:db8:0:20::4; client NS (2) answered by the controller with a Unicast NA (4)]

Cisco is Rewriting the Network Playbook

Traditional Network
• Hardware Centric
• Manual
• Fragmented Security
• Network Data

The New Network
• Software Driven
• Automated
• Built-In Security
• Business Insights

Powered by Cisco DNA-Center

Software Defined Access (SDA)

• Host Mobility without stretching VLANs
• Layer 3 VPN Segmentation without implementing MPLS
• Policy based Access Control with ‘End-to-End’ TrustSec
• Real time network monitoring, analytics and user/device assurance

IPv6 Support in Software Defined Access (SDA)

Control-Plane Node Database
2001:db8:46:1::/64 – 10.0.255.1
2001:db8:46:3::/64 – 10.0.255.3
2001:db8:46:1::ac – 10.0.255.1
2001:db8:46:1::ac – 10.0.255.3

Map Register: Endpoint 2001:db8:46:1::ac, Edge Node: 10.0.255.1

Edge Node 10.0.255.1 Routing Table (Campus Building 1, 2001:db8:46:1::/64, Anycast Gateway fe80::1)
2001:db8:46:1::/64 – Local
2001:db8:46:1::ac/128 – Local

Edge Node 10.0.255.3 Routing Table (Campus Building 2, 2001:db8:46:3::/64)
2001:db8:46:1::/64 – Local
2001:db8:46:3::/64 – Local
2001:db8:46:1::ac/128 – Local

DNA Center, ISE / AD

[Diagram: endpoint 2001:db8:46:1::ac attached to Campus Building 1 (edge node 10.0.255.1) and after moving to Campus Building 2 (edge node 10.0.255.3), keeping its address]

Agenda

General Design

Host Configuration

Access Layer

Routing Protocols

Data Center

WAN Deployment

Internet Edge

Conclusion


Static Routing

• IGPs use Link Local Addresses
• Redistribution needs GUA or ULA
• Direct (interface)
• Recursive (next hop)
• Fully qualified (interface) (next hop)
• Default route ::/0

ipv6 unicast-routing
!direct
ipv6 route 2001:db8:1::/48 ethernet1/0
!recursive
ipv6 route 2001:db8:5::/48 2001:db8:4::1
!fully qualified
ipv6 route 2001:46::/32 ethernet0/0 fe80::9
!default
ipv6 route ::/0 ethernet0/2 fe80::2

Classic EIGRP or EIGRPv6

• EIGRP IP 88
• fe80::/64 Source, ff02::a Destination
• No shutdown for older versions
• Apply the route process to interfaces
• Auto Summary disabled
• Transport & peering over IPv6

ipv6 unicast-routing
!
interface ethernet 0/0
 ipv6 address 2001:db8:1000::1/128
 ipv6 eigrp 11
!
interface ethernet 0/1
 ipv6 address 2001:db8:50:31::1/64
 ipv6 eigrp 11
!
ipv6 router eigrp 11
 no shutdown
 eigrp router-id 4.4.4.4

EIGRP Named Mode

• Name creates a virtual instance
• Does not need to be common in domain
• Address family configures protocol instance
• AS number must be common within domain
• Auto applied to all IPv6 enabled interfaces
• EIGRP can perform better
• Large-scale hub and spoke environments

router eigrp IPv6rocks
 !
 address-family ipv6 unicast autonomous-system 11
  !
  af-interface Loopback0
   passive-interface
  exit-af-interface
  !
  af-interface Ethernet0/0
   summary-address ::/0
  exit-af-interface
  !
  eigrp router-id 4.6.4.6
 exit-address-family

OSPFv3

• OSPFv3 IP 89
• fe80::/64 Source, ff02::5, ff02::6 (DRs) Destination
• Link-LSA (8) – Local Scope, NH
• Intra-Area-Prefix-LSA (9) – Routers’ Prefixes
• Use Inter-Area-Prefix-LSA (3) Between ABRs
• Can converge quickly to a point of scale
• Initial database build takes time
• LSPs generally perform better in full mesh

ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 ospf 8 area 0
!
interface ethernet 0/0
 ipv6 address 2001:db8:50:31::1/64
 ipv6 ospf 8 area 0
!
ipv6 router ospf 8
 router-id 8.8.8.8
 passive-interface loopback0

Agenda

General Design

Host Configuration

Access Layer

Routing Protocols

Data Center

WAN Deployment

Internet Edge

Conclusion

IPv6 Only Data Center

• Dual stack front end
• Translation via NAT/Proxy/SLB
• Forces developers to use IPv6
• Reduces operational costs
• Eliminates complexity within the DC

[Diagram: IPv4/IPv6 Internet – NAT/Proxy/SLB (Load Balancer) – IPv6-only Switch – Web, Email, Etc.]

Stateless IP/ICMP Translation

RFC 7757
• IPv6-only Internet Data Center (IDC)
• Primarily RFC 6144, scenarios 2, 4, 6

IPv4 to IPv6 header
• Operator configured mapping between IPv4 & IPv6
• Fragmentation converts to EH 44
• No other options in extension headers

ICMP to ICMPv6 header
• Pseudo Checksum for IPv6
• Type Translated (IPv4 8, 0 to IPv6 128, 129)
• Fragmented ICMP packets not translated

[Diagram: RFC 6144 scenarios – IPv4 Internet ↔ IPv6 Network (2), IPv4 Network ↔ IPv6 Internet (4), IPv4 Network ↔ IPv6 Network (6); Internet IPv4/IPv6 front end to an IPv6-only data center]
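As an added illustration of the header and ICMP bullets above (not code from the deck or from any SIIT implementation), this Python example builds an RFC 7757-style Explicit Address Mapping table, maps addresses in both directions by copying the IPv4 suffix bits behind the IPv6 prefix, and rewrites an ICMPv4 echo (type 8/0) into ICMPv6 (type 128/129) with the IPv6 pseudo-header checksum that ICMPv4 never carried. The mapping prefixes and the sample echo packet are constructed documentation values, and the rule that bits after the copied suffix must be zero on the reverse path is an assumption stated in the code.

```python
import ipaddress
import struct

# Constructed Explicit Address Mapping (EAM) table in the style of RFC 7757:
# (IPv4 prefix, IPv6 prefix). Documentation prefixes chosen here, not from the deck.
EAM_TABLE = [
    (ipaddress.IPv4Network("192.0.2.0/24"), ipaddress.IPv6Network("2001:db8:46:1::/120")),
    (ipaddress.IPv4Network("198.51.100.8/32"), ipaddress.IPv6Network("2001:db8:46:2::8/128")),
]


def eam_v4_to_v6(v4):
    """Copy the IPv4 suffix (32 - p4 bits) into the IPv6 address directly after the
    p6-bit IPv6 prefix; the longest matching IPv4 prefix wins. None = no mapping."""
    v4 = ipaddress.IPv4Address(v4)
    matches = [(n4, n6) for n4, n6 in EAM_TABLE if v4 in n4]
    if not matches:
        return None
    n4, n6 = max(matches, key=lambda m: m[0].prefixlen)
    suffix_len = 32 - n4.prefixlen
    shift = 128 - n6.prefixlen - suffix_len
    if shift < 0:
        raise ValueError("IPv6 prefix too long to carry the IPv4 suffix")
    suffix = int(v4) & ((1 << suffix_len) - 1)
    return ipaddress.IPv6Address(int(n6.network_address) | (suffix << shift))


def eam_v6_to_v4(v6):
    """Reverse direction. Bits after the copied suffix are required to be zero here
    (assumed rule); anything else is reported as untranslatable."""
    v6 = ipaddress.IPv6Address(v6)
    matches = [(n4, n6) for n4, n6 in EAM_TABLE if v6 in n6]
    if not matches:
        return None
    n4, n6 = max(matches, key=lambda m: m[1].prefixlen)
    suffix_len = 32 - n4.prefixlen
    shift = 128 - n6.prefixlen - suffix_len
    if int(v6) & ((1 << shift) - 1):
        return None
    suffix = (int(v6) >> shift) & ((1 << suffix_len) - 1)
    return ipaddress.IPv4Address(int(n4.network_address) | suffix)


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src6, dst6, icmp6):
    # RFC 8200 upper-layer pseudo-header: src, dst, length, 3 zero bytes, next header 58
    return src6.packed + dst6.packed + struct.pack("!IxxxB", len(icmp6), 58)


def icmpv6_checksum(src6, dst6, icmp6):
    return (~ones_complement_sum(_pseudo_header(src6, dst6, icmp6) + icmp6)) & 0xFFFF


def icmpv6_checksum_ok(src6, dst6, icmp6):
    """A correctly checksummed ICMPv6 message sums to 0xFFFF over pseudo-header + data."""
    return ones_complement_sum(_pseudo_header(src6, dst6, icmp6) + icmp6) == 0xFFFF


def translate_icmp_echo(icmp4, src4, dst4):
    """ICMPv4 echo request/reply -> ICMPv6 (type 8 -> 128, 0 -> 129), recomputing the
    checksum over the IPv6 pseudo-header. Returns (src6, dst6, icmp6)."""
    if len(icmp4) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    itype, code = icmp4[0], icmp4[1]
    if code != 0 or itype not in (8, 0):
        raise ValueError("only echo request/reply are translated here")
    src6, dst6 = eam_v4_to_v6(src4), eam_v4_to_v6(dst4)
    if src6 is None or dst6 is None:
        raise ValueError("no EAM entry for src or dst")
    body = bytes([128 if itype == 8 else 129, 0, 0, 0]) + icmp4[4:]   # checksum zeroed
    cksum = icmpv6_checksum(src6, dst6, body)
    return src6, dst6, body[:2] + struct.pack("!H", cksum) + body[4:]


# Constructed ICMPv4 echo request: type 8, code 0, checksum 0, id 0x1234, seq 1, payload.
SAMPLE_ICMP4 = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"

if __name__ == "__main__":
    s6, d6, pkt6 = translate_icmp_echo(SAMPLE_ICMP4, "192.0.2.1", "198.51.100.8")
    print(s6, "->", d6, pkt6.hex(), icmpv6_checksum_ok(s6, d6, pkt6))
```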

Static Server Addressing

• Predictable & deterministic
• Address, default gateway, DNS
• Requires disabling key IPv6 components
• RA’s, DHCPv6
• Should still configure FHS
• Readdressing will take time
• Operationally intensive

ipv6 nd prefix default no-advertise
ipv6 nd ra suppress all

Dynamic Server Addressing

• Aligns well with SDN

DHCPv6
• Converting lease to reservation
• Reservation mechanisms (RFC6939)
• Dynamic DNS update for critical services
• Link-IP-address

Prefix Delegation
• A /64 per host
• Application or content addressing

[Diagram: DHCPv6 Server 2001:db8::feed serving the data center hosts]

Agenda

General Design

Host Configuration

Access Layer

Routing Protocols

Data Center

WAN Deployment

Internet Edge

Conclusion


Point-to-Point Routed Links

• Use a prefix length of /127
• Reserve the /64, configure the /127
• Nodes 1 & 2 are NOT in the same subnet
• Suppress RAs for global assigned addressing
• Disable ICMPv6 redirects
• Don’t send ICMPv6 unreachable

2001:db8:46:67::/127 (::a – ::b)

interface FastEthernet0/1
 ipv6 address 2001:db8:46:67::a/127
 ipv6 nd ra suppress
 no ipv6 redirects
 no ipv6 unreachables

IPv6 & MPLS

6PE (RFC 4798)

MP-BGP next hop ::ffff:A.B.C.D/96

6VPE (RFC 4659)

Utilizes address family (AF) in VRF context

AnyConnect & IPv6

A dual-stacked host can connect via IPv4 or IPv6

Tries IPv6 address first, then IPv4 address

No DHCPv6 or SLAAC, uses pool from ASA

Also defined on client side

ipv6 local pool pool6 2001:db8:46:37::/64

(Diagram: AnyConnect client, Internet, ASA)


Internet Edge Design Characteristics

How will your enterprise use the Internet?

Does the Enterprise host content?

Does the Enterprise access content?

Ingress: how traffic will enter your domain

High availability, congestion

Balanced across multiple providers

Egress: how traffic will leave your domain

High availability, congestion, cost

Firewall’s holding state

(Diagram: Ingress and Egress between the enterprise and the Internet via ISP A and ISP B)

Multihomed, Multiprefix (BGP)

Peer over IPv6 for IPv6 prefixes

Use GUA for neighbor peering

Controlling hop limit, accepting ~254 only

MD5 shared secrets, IPsec possible

router bgp 200
 bgp router-id 4.6.4.6
 no bgp default ipv4-unicast
 neighbor 2001:db8:460:102::2 remote-as 2014
 neighbor 2001:db8:460:102::2 ttl-security hops 1
 neighbor 2001:db8:460:102::2 password cisco4646
 !
 address-family ipv6 unicast
  neighbor 2001:db8:460:102::2 activate

(Diagram: enterprise edge peering with ISP A and ISP B toward the Internet)

Translation Techniques

IPv6 Translation Definitions

Translation algorithms: RFC 6052 (implementation details)

Framework for Translation: RFC 6144 (implementation scenarios)

Stateless NAT64 (inbound): RFC 6145, now RFC 7915 (IP/ICMP translation algorithm)

Stateful NAT64 (outbound): RFC 6146 (state table for IPv4/IPv6 translation)

IPv6-only clients need to access IPv4 services

DNS64: RFC 6147 (IPv6 client to IPv4 server)

(Diagram: IPv4 198.51.100.2 translated to IPv6 2001:db8::1c6:3364:2; images ©vchalup, ©marsea)

DNS64 Operation

Step 1: IPv6 client queries AAAA record for IPv4 server

Step 2: DNS responds “empty” AAAA record

Step 3: Translator asks for A record of IPv4 server

Step 4: DNS server responds A record for IPv4 server

Step 5: Translates it to a AAAA record

(Diagram: IPv6 client 2001:db8:122:344::6 on 2001:db8:122:344::/64; DNS64/DNS46 translator at ::1 / .1 using Network-Specific Prefix 3001::/96; IPv4 side 192.0.2.0/24; DNS Server 192.168.90.101 returning the AAAA Record)

NAT64 Operation

(Diagram: IPv6 client 2001:db8:122:344::6 on 2001:db8:122:344::/64; NAT64 at ::1 / .1 using Network-Specific Prefix 3001::/96; IPv4 Server 192.0.2.33 on 192.0.2.0/24)

Client to server: Source IPv6 2001:db8:122:344::6, Dest. IPv6 3001::c000:221 is translated to Source IPv4 192.0.2.1, Dest. IPv4 192.0.2.33

Server to client: Source IPv4 192.0.2.33, Dest. IPv4 192.0.2.1 is translated to Source IPv6 3001::c000:221, Dest. IPv6 2001:db8:122:344::6
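The address arithmetic behind the DNS64 and NAT64 slides, as an added example that is not from the presentation: RFC 6052 embedding and extraction for every prefix length the RFC allows (going beyond the /96 Network-Specific Prefix 3001::/96 shown), plus a small DNS64 resolver that walks steps 1 to 5. The zone data and host names are constructed.

```python
import ipaddress

# Prefix lengths RFC 6052 allows for an IPv4-embedded IPv6 address.
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def _check(prefix):
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError("RFC 6052 prefix must be /32, /40, /48, /56, /64 or /96")
    return net.prefixlen, net, int(net.network_address)

def synthesize(prefix, ipv4):
    """Embed an IPv4 address as RFC 6052 section 2.2 lays out: bits 64-71
    (the 'u' octet) stay zero, so for /40 to /56 the IPv4 bits straddle it."""
    pl, _, v6 = _check(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    if pl == 96:
        v6 |= v4                              # IPv4 occupies bits 96-127
    elif pl == 64:
        v6 |= v4 << 24                        # IPv4 occupies bits 72-103
    else:
        high_bits, low_bits = 64 - pl, pl - 32   # bits pl..63, then bits 72..
        v6 |= (v4 >> low_bits) << 64
        v6 |= (v4 & ((1 << low_bits) - 1)) << (56 - low_bits)
    return str(ipaddress.IPv6Address(v6))

def extract(prefix, ipv6):
    """Reverse of synthesize: the IPv4 destination the NAT64 writes into the packet."""
    pl, net, _ = _check(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    v6 = int(addr)
    if pl == 96:
        v4 = v6 & 0xFFFFFFFF
    elif pl == 64:
        v4 = (v6 >> 24) & 0xFFFFFFFF
    else:
        high_bits, low_bits = 64 - pl, pl - 32
        high = (v6 >> 64) & ((1 << high_bits) - 1)
        low = (v6 >> (56 - low_bits)) & ((1 << low_bits) - 1)
        v4 = (high << low_bits) | low
    return str(ipaddress.IPv4Address(v4))

# Constructed zone data standing in for the DNS server at 192.168.90.101.
ZONE = {"v4only.example.": {"A": ["192.0.2.33"]},
        "dual.example.": {"A": ["192.0.2.34"], "AAAA": ["2001:db8:122:344::34"]}}

def dns64_resolve(name, prefix="3001::/96", zone=ZONE):
    """Steps 1-5 of the slide: a native AAAA is returned untouched; an empty
    AAAA triggers the A lookup and synthesis. Returns (answers, synthesized)."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"]), False
    return [synthesize(prefix, a) for a in rr.get("A", [])], True
```

The /32 to /64 cases reproduce the example table in RFC 6052; Python prints a lone zero hextet as `:0` rather than `::`, as RFC 5952 requires.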

SLB64 Translation Technique

• Almost every network has some load balancing
• Create Virtual IP (VIP)
• Tie the VIP to R-servers (WWW)
• Publish VIP AAAA record in DNS
• Establish a source NAT pool
• Use as IPv4 source after translation
• Citrix NetScaler or F5 BIG-IP
• Very quick to deploy
• Hard to move forward
• Native IPv6 is the end goal

(Diagram: Dual Stack clients reach VIP 2001:db8:feed::80; the load balancer sources from SNAT pool 192.168.80.0/24 toward the IPv4 Only WWW servers)

X-Forwarded-For (XFF)

Web Server Logging for Geo Location, Analytics, Security

Source IP of client requests will be logged as SNAT address

Use XFF field of the HTTP header

GET / HTTP/1.1
Host: www.foo.org
User-Agent: Mozilla Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: en-us,en
Keep-Alive: 300
X-Forwarded-For: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5
Connection: keep-alive

(Diagram: client with Global IPv6 Address, translation at the load balancer to the Source NAT Pool, then the WWW servers)
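An added example, not from the presentation, of how a web server behind the SLB64 setup should consume XFF: the header is honoured only when the immediate peer is in the SNAT pool 192.168.80.0/24 (assumption: nothing else sits between the load balancer and the servers), since any other client can put an arbitrary value in it. The request text is constructed from the one on the slide.

```python
import ipaddress

# SNAT pool from the SLB64 slide. Assumption: only the load balancer sits
# between the Internet and the web servers, so only these peers may carry
# a trustworthy X-Forwarded-For header.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.80.0/24")]

# Constructed request, modelled on the one in the slide.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.foo.org\r\n"
    "User-Agent: Mozilla Firefox/3.0.3\r\n"
    "X-Forwarded-For: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n"
    "Connection: keep-alive\r\n\r\n"
)

def parse_headers(raw):
    """Headers of a raw HTTP/1.1 request as a dict (request line dropped)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def _is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, headers):
    """Address a web server behind SLB64 should log for a request.

    peer    -- TCP source the server sees (an SNAT pool address after translation)
    headers -- dict from parse_headers()

    XFF is only honoured when the peer is a trusted proxy: anyone else can set
    the header to whatever they like. The list is walked from the right, skipping
    trusted proxies, so the first untrusted entry is what the load balancer saw."""
    if not _is_trusted(peer):
        return peer
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer                   # malformed entry: fall back to the peer
        if not _is_trusted(hop):
            return hop
    return peer
```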

Network Prefix Translation IPv6

RFC 6296 - NPTv6

Unique Local Addressing (ULA) inside

Provider allocated addressing outside

Small-to-Medium Enterprise

Swaps Left Most Bits of Address

Equal length Prefixes

interface GigabitEthernet0/0/0
 nat66 inside
interface GigabitEthernet0/0/1
 nat66 outside
!
nat66 prefix inside fd07:18:4c::/48 outside 2001:db8:46::/48

(Diagram: inside fd07:18:4c::/48, outside 2001:db8:46::/48 toward the Internet)
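An added example, not from the presentation, of what swapping the leftmost bits actually involves: the RFC 6296 checksum-neutral mapping for the equal-length /48 prefixes in the nat66 configuration above, checked by confirming the one's complement sum of the address is unchanged and that the mapping reverses. The host addresses are constructed.

```python
import ipaddress
from functools import reduce

def ones_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ones_sum(addr):
    """One's complement sum of the eight 16-bit words of an IPv6 address.
    TCP/UDP pseudo-header checksums cover it, so the translator must keep it."""
    v = int(ipaddress.IPv6Address(str(addr)))
    return reduce(ones_add, ((v >> (112 - 16 * i)) & 0xFFFF for i in range(8)), 0)

class NPTv6:
    """RFC 6296 checksum-neutral mapping for equal-length prefixes of /48 or
    shorter: swap the prefix, then fold the difference into the 16-bit word at
    bits 48-63 (the subnet field) so the address sum does not change."""

    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen or self.inside.prefixlen > 48:
            raise ValueError("prefixes must be the same length and at most /48")
        sum_in = ones_sum(self.inside.network_address)
        sum_out = ones_sum(self.outside.network_address)
        self._to_out = ones_add(sum_in, ~sum_out & 0xFFFF)   # sum_in - sum_out
        self._to_in = ones_add(sum_out, ~sum_in & 0xFFFF)    # sum_out - sum_in

    @staticmethod
    def _translate(addr, src, dst, adjustment):
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{addr} is not in {src}")
        word = (int(a) >> 64) & 0xFFFF                       # bits 48-63
        if word == 0xFFFF:
            raise ValueError("subnet 0xFFFF is not translatable under RFC 6296")
        new = (int(a) & int(src.hostmask)) | int(dst.network_address)
        word = ones_add(word, adjustment)
        if word == 0xFFFF:       # 0xFFFF and 0x0000 are both zero in one's complement
            word = 0
        new = (new & ~(0xFFFF << 64)) | (word << 64)
        return str(ipaddress.IPv6Address(new))

    def inside_to_outside(self, addr):
        return self._translate(addr, self.inside, self.outside, self._to_out)

    def outside_to_inside(self, addr):
        return self._translate(addr, self.outside, self.inside, self._to_in)

# The prefixes from the nat66 configuration on the slide.
TRANSLATOR = NPTv6("fd07:18:4c::/48", "2001:db8:46::/48")
```

Note that the subnet field changes along with the prefix (fd07:18:4c:1:: becomes 2001:db8:46:cf6d::), so firewall rules and logs on the outside must use the translated subnet, not the inside one.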

Securing The Internet Edge

IPv6 ACL Implicit Rules

IPv6 ACLs match IPv6, extension & Layer 4 headers

IPv6 ACLs have multiple implicit rules

Similar to deny ip any any

IOS has 3 implicit IPv6 ACL rules

NXOS has 5 implicit IPv6 ACL rules

IOS-XE has no implicit IPv6 ACL rules

ipv6 access-list NXOS
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
 deny ipv6 any any

ipv6 access-list IOS
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
 deny ipv6 any any log undetermined-transport

IPv6 Bogon Filtering & Anti-Spoofing

Use perimeter router to reduce firewall log entries

Anti-spoofing (RFC2827, BCP38)

Multihomed filtering (RFC3704, BCP 84)

uRPF Unicast Reverse Path Forwarding

Bogon filtering (data plane & BGP route-map)

ipv6 access-list BOGONS
 permit ipv6 2001::/16 any
 permit ipv6 2002::/16 any
 permit ipv6 2003::/18 any
 permit ipv6 2400::/12 any
 permit ipv6 2600::/10 any
 permit ipv6 2800::/12 any
 permit ipv6 2a00::/12 any
 permit ipv6 2c00::/12 any

(Diagram: Enterprise, B2B and Internet links at the perimeter router, with ipv6 verify unicast reverse-path)
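An added example, not from the presentation, that evaluates ACL lines in the slides' syntax against sample packets with each platform's implicit tail as listed on the implicit-rules slide (IOS-XE has none, so this model treats a packet that matches nothing as denied). It shows why a short edge ACL, or the BOGONS list as written, drops Neighbor Discovery on IOS-XE unless ND is permitted explicitly. The packets are constructed.

```python
import ipaddress

# ICMPv6 type numbers behind the IOS keywords (RFC 4861).
ICMP_KEYWORDS = {"router-solicitation": 133, "router-advertisement": 134,
                 "nd-ns": 135, "nd-na": 136}

# Implicit entries each platform appends, as listed on the slides.
IMPLICIT = {
    "nxos": ["permit icmp any any nd-na", "permit icmp any any nd-ns",
             "permit icmp any any router-advertisement",
             "permit icmp any any router-solicitation", "deny ipv6 any any"],
    "ios": ["permit icmp any any nd-na", "permit icmp any any nd-ns",
            "deny ipv6 any any"],
    "iosxe": [],
}

def parse_rule(line):
    """'permit icmp any any nd-na' -> (action, proto, src, dst, icmp_type)."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    icmp_type = ICMP_KEYWORDS[parts[4]] if len(parts) > 4 else None
    net = lambda s: ipaddress.IPv6Network("::/0" if s == "any" else s)
    return action, proto, net(src), net(dst), icmp_type

def rule_matches(rule, pkt):
    """pkt = (src, dst, proto, icmp_type); a proto of 'ipv6' matches anything."""
    action, proto, src, dst, icmp_type = rule
    p_src, p_dst, p_proto, p_type = pkt
    if proto != "ipv6" and proto != p_proto:
        return False
    if icmp_type is not None and icmp_type != p_type:
        return False
    return ipaddress.IPv6Address(p_src) in src and ipaddress.IPv6Address(p_dst) in dst

def evaluate(acl, platform, pkt):
    """First-match evaluation of the configured lines plus the platform's
    implicit tail; a packet that matches nothing is dropped (assumption)."""
    for line in list(acl) + IMPLICIT[platform]:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"

# Constructed traffic: an inbound TCP session, a neighbor solicitation, a router advertisement.
TCP_IN = ("2001:db8:1::5", "2001:db8:46::80", "tcp", None)
NS = ("fe80::1", "ff02::1:ff00:80", "icmp", 135)
RA = ("fe80::1", "ff02::1", "icmp", 134)
EDGE_ACL = ["permit tcp 2001:db8::/32 any"]
# The BOGONS list from the slide, in the same syntax.
BOGONS = ["permit ipv6 2001::/16 any", "permit ipv6 2002::/16 any", "permit ipv6 2003::/18 any",
          "permit ipv6 2400::/12 any", "permit ipv6 2600::/10 any", "permit ipv6 2800::/12 any",
          "permit ipv6 2a00::/12 any", "permit ipv6 2c00::/12 any"]
```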

Perimeter Firewall Best Practices

Control address range of permit statements

Source of 2000::/3 at minimum vs. “any”

Watch for link local (fe80) to the firewall

Allow ICMPv6 messages (RFC4890)

Error (types 1-4), ping (types 128-129), NDP (types 135-136) to the firewall

Extension Headers

Allow Fragmentation, others as needed

Block HBH & RH type 0

IPv6 Route to Black Hole

BGP peers have static route to null0

Using IPv6 discard prefix (100::/64)

No unreachables, prevents DOSing yourself

BGP allows route announcement to/from NOC

NOC sees bad actor (2001:db8::bad1)

NOC pushes route to network choke points

interface Null0
 no ipv6 unreachables
!
ipv6 route 100::/64 Null0
!
router bgp 65666
 !
 address-family ipv6
  redistribute static route-map RTBH
!
route-map RTBH permit 10
 match tag 66
 set ipv6 next-hop 100::1
!
ipv6 route 2001:db8::bad1/128 100::1 tag 66

(Diagram: NOC injecting the tagged route toward the network choke points)

Securing Email over IPv6

Email relies on DNS PTR records to mitigate bad actors

DNSSEC preserves integrity of DNS records

Sender Policy Framework (SPF)

Validates the IP address of the sender

Domain Keys Identified Mail (DKIM)

Validates the domain name of the sender

Receiving email servers use reputation (DNSBL)

Most reputation servers block IPv6 at /64

(Diagram: sender 2001:db8:bad:d00d::666 reaching the IPv4/IPv6 DMZ with Email & DNS)


Key Take Away

Gain Operational Experience now

IPv6, the time is now

Control IPv6 traffic as you would IPv4

“Poke” your Providers

Lead your OT/LOBs into the Internet

Complete Your Online Session Evaluation

Please complete your Online Session Evaluations after each session

Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/

Continue Your Education

Demos in the Cisco campus

Walk-in Self-Paced Labs

Tech Circle

Meet the Engineer 1:1 meetings

Related sessions

Future IPv6 this week in Barcelona

BRKSEC-3200 - Advanced IPv6 Security Threats and Mitigation - 30 Jan. 14:15

BRKIP6-2616 - Beyond Dual-Stack: Using IPv6 like you’ve never imagined - 30 Jan. 16:45

BRKRST-3304 - Hitchhiker's Guide to Troubleshooting IPv6 - Advanced - 31 Jan. 9:00

BRKSPG-2602 - IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers - 31 Jan. 9:00

BRKIP6-2301 - Enterprise IPv6 Deployment - 31 Jan. 11:30

LABSPG-3122 - Advanced IPv6 Routing and services lab - 31 Jan. 14:00 & 1 Feb. 14:00

BRKCOL-2020 - IPv6 in Enterprise Unified Communications Networks - 31 Jan. 16:30

BRKCOC-2388 - Inside Cisco IT: A Tale of Two Protocols - 2 Feb. 9:00

BRKIP6-2002 - IPv6 for the World of IoT - 2 Feb. 11:30

Thank you