© 2006 Cisco Systems, Inc. All rights reserved. IPVSDv1.18-1 Deployment of IPv6 Identifying IPv6 Enterprise Deployment Strategies.

Transcript:


Enterprise Networks
- Set goals for the deployment:
  – Consider scope of effort and major milestones
  – Experimentation
  – Preparing for the future
  – Launching new service
- Review and rework policies and procedures related to network operations and management.
- Train technical staff.
- Plan the transition.
[Diagram labels: Goals, Policies, Training, Planning]

Enterprise Networks (Cont.): Deployment Plan
- Select which hosts and applications will go to IPv6.
- Get IPv6 address space.
- Begin migrating applications.
- Plan the address allocation to internal networks and functions.
- Migrate the DNS infrastructure.
- Perform the network migration or IPv6-enable existing IPv4 network.
- Perform a security check.
- Connect the campus to the Internet.
- Implement network management for IPv6.
- Begin deploying hosts and applications on the dual stack.

Enterprise Networks (Cont.): Address Space
- Get address space from the same source as for IPv4.
  – Ask ISP, Local Internet Registry (LIR), or Regional Internet Registry (RIR).
  – Most likely you will need to obtain a /48 prefix or larger.
- Design the local IPv6 addressing plan.
  – Each subnet uses an assigned /64 prefix.
  – Campus has 16 bits to design internal topology.
  – Suggestion: Map IPv4 topology to IPv6. (1 logical link = 1 IPv4 subnet = 1 IPv6 subnet)
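The "1 IPv4 subnet = 1 IPv6 subnet" suggestion above, as an added example that is not part of the Cisco slides: each IPv4 subnet's position inside the site's IPv4 block becomes the 16-bit subnet ID of a /64 under the site /48, and two subnets that would share a /64 are rejected. The 2001:db8:abcd::/48 documentation prefix, the 10.0.0.0/8 site block and the function names are assumptions.

```python
import ipaddress

def v6_subnet_for(v4_subnet, site_v4, site_v6):
    """Map one IPv4 subnet to the /64 whose subnet ID is its position in site_v4."""
    v4 = ipaddress.ip_network(v4_subnet)
    site_v4 = ipaddress.ip_network(site_v4)
    site_v6 = ipaddress.ip_network(site_v6)
    if not v4.subnet_of(site_v4):
        raise ValueError(f"{v4} is outside the IPv4 site block {site_v4}")
    id_bits = 64 - site_v6.prefixlen          # 16 bits when the site holds a /48
    if id_bits <= 0:
        raise ValueError(f"{site_v6} leaves no bits for subnet IDs")
    # Drop the low address bits that do not fit into the subnet ID
    # (for 10.0.0.0/8 and a /48 this keeps the second and third octets).
    shift = max(0, 32 - site_v4.prefixlen - id_bits)
    offset = int(v4.network_address) - int(site_v4.network_address)
    subnet_id = offset >> shift
    base = int(site_v6.network_address) + (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def build_plan(v4_subnets, site_v4, site_v6):
    """Return {IPv4 subnet: IPv6 /64}; refuse plans where two links share a /64."""
    plan, used = {}, {}
    for v4 in v4_subnets:
        v6 = v6_subnet_for(v4, site_v4, site_v6)
        if v6 in used:
            raise ValueError(f"{v4} and {used[v6]} both map to {v6}")
        used[v6] = v4
        plan[v4] = v6
    return plan

if __name__ == "__main__":
    # Constructed sample topology (assumption), not taken from the slides.
    subnets = ["10.0.0.0/24", "10.1.20.0/24", "10.2.40.0/23"]
    for v4, v6 in build_plan(subnets, "10.0.0.0/8", "2001:db8:abcd::/48").items():
        print(f"{v4:<16} -> {v6}")
```

Subnets longer than /24 inside a /8 site block fall into the same subnet ID, so the collision check is what tells you the IPv4 layout needs a different mapping before the plan is used for ACLs or firewall rules.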

Enterprise Networks: Campus Deployment Scenarios
- Full Layer 3 infrastructure upgrade to implement dual stack:
  – Software or hardware-software dependent on expected performances
  – Requires a lot of planning
[Diagram: two IPv6-Capable Layer 3 Switches]

Enterprise Networks (Cont.): Campus Deployment Scenarios (Cont.)
- Native IPv6 routers are on dedicated LANs interconnected with configured or ISATAP tunnels.
[Diagram labels: ISATAP Router, IPv4-Only Routers, ISATAP Host, IPv6-over-ISATAP Tunnels]

WAN Networks
- Deploy WAN or LAN middlebox devices (firewalls) to maintain IPv4 mechanisms as needed and to unencumber new IPv6 applications.
[Diagram labels: IPv4 Client Application, IPv6 Peer Application, IPv4 Server Application, IPv4 NAT and inspection, IPv6 inspection Only, IPv4/IPv6 Security Gateway, WAN Network, Secure Network]

WAN Networks (Cont.): Network Design Strategies

Environment | Scenario | Cisco IOS Software Support
WAN: IPv6 services available from ISP | Dual stack | Yes
WAN: Dedicated data link layers (for example, LL, ATM and FR PVC, dWDM Lambda) | Dual stack | Yes
WAN: No IPv6 services from ISP or experimentation – few sites | Configured tunnels | Yes
WAN: No IPv6 services from ISP or experimentation – many sites, any-to-any communications | 6to4 | Yes
Campus: Layer 3 infrastructure – IPv6-capable | Dual stack | Yes
Campus: Layer 3 infrastructure – not IPv6-capable, or sparse IPv6 hosts population | ISATAP, router-on-a-stick | Yes

WAN Networks (Cont.): Corporate WAN Design

Technology | Advantages | Disadvantages | Purposes
Hosts: Dual Stack | IPv4, IPv6 can be used at the same time; wide support available | Both IPv4 and IPv6 need to be managed on LAN | IPv6 support for normal LANs
IPv6 Comm: Static tunneling | Stable, wide support among routers | Hard to change configuration, inflexible | Inter-LAN connections
IPv6 Comm: Dynamic tunneling | Simple to deploy | Unstable, less secure | Experimental implementation
IPv4-IPv6 Comm: NAT-PT | Allows for limited use of legacy IPv4 applications | NAT issues remain; IPv4-to-IPv6 communication may be complex | Provide interworking between IPv4 and IPv6 hosts
IPv4-IPv6 Comm: Application Gateway | Quick to deploy; small influence on existing systems | Applications limited | Proxy between IPv4 and IPv6 applications

Impacts of Network Services
- Deploying services is a process that is independent from deploying routers and nodes.
- It is possible to deploy an IPv6-only service on a dual-stack node.
- Three strategies to deploy network services:
  – Deploy IPv6 services same as IPv4 services.
  – Deploy IPv6 only for new services.
  – Deploy IPv6 only for all services.

Impacts of Network Services (Cont.): Deploy IPv6 Same as IPv4
- Deploy everything dual stack:
  – Any IPv6-enabled service should still be offered in IPv4.
- Use the same subnets.
- Use the same policies, except those in which IPv6 offers new capabilities or new deployment models, such as mobility and multicasting.

Impacts of Network Services (Cont.): Deploy IPv6 Same as IPv4 (Cont.)
- SMTP
  – Choose carefully IPv4 and IPv6 mail exchange.
  – Avoid IPv6-only mail exchange.
- DNS
  – A DNS server acting as the full resolver must be IPv4-only or dual-stack.
  – DNS servers acting as forwarders can be IPv6 only.
  – DNS zones must be served by at least one IPv4 server.
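A pre-cutover check for two of the rules above (every zone keeps at least one IPv4-reachable name server, and no mail exchanger is IPv6-only), written as an added example that is not part of the Cisco slides. The zone-file-style records, the example.com names and the function name are constructed assumptions; the resolver and forwarder rules are not covered.

```python
import ipaddress

# Constructed sample records (owner, type, data); not real data.
SAMPLE_ZONE = """\
example.com.      NS    ns1.example.com.
example.com.      NS    ns2.example.com.
example.com.      MX    10 mx1.example.com.
example.com.      MX    20 mx2.example.com.
ns1.example.com.  AAAA  2001:db8:abcd:53::1
ns2.example.com.  AAAA  2001:db8:abcd:53::2
mx1.example.com.  A     192.0.2.25
mx1.example.com.  AAAA  2001:db8:abcd:25::1
mx2.example.com.  AAAA  2001:db8:abcd:25::2
"""

def audit_zone(text):
    """Return findings for zones without an IPv4 name server and IPv6-only MX hosts."""
    ns, mx, families = {}, {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        owner, rtype, data = fields[0], fields[1].upper(), fields[-1]
        if rtype == "NS":
            ns.setdefault(owner, set()).add(data)
        elif rtype == "MX":
            mx.setdefault(owner, set()).add(data)   # data is the exchanger name
        elif rtype in ("A", "AAAA"):
            # Record which IP versions (4 and/or 6) each host name resolves to.
            families.setdefault(owner, set()).add(ipaddress.ip_address(data).version)
    findings = []
    for zone, servers in sorted(ns.items()):
        # A server with no address record in the input counts as not IPv4-reachable.
        if not any(4 in families.get(server, ()) for server in servers):
            findings.append(f"{zone} has no name server reachable over IPv4")
    for domain, hosts in sorted(mx.items()):
        for host in sorted(hosts):
            if families.get(host) == {6}:
                findings.append(f"{host} is an IPv6-only mail exchanger for {domain}")
    return findings

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(finding)
```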

Impacts of Network Services (Cont.): Deploy IPv6 Only for Services
- Are all applications IPv6-ready?
- Do all hardware platforms support IPv6?
- What about infrastructure services?
  – Network monitoring, DNS, storage area network, network terminals, printers, and so on.
- What is there to gain by not keeping the existing IPv4 infrastructure as well (for support of legacy applications)?

Security Issues (Cont.): NAT Comparison
- IPv4 NAT removed visibility of the internal network from the outside.
- IPv6 reestablishes end-to-end connectivity while maintaining an effective security model:
  – Privacy extensions for addressing
  – IPv6 stateful firewalls
  – Host-based IPSec

Dual Stack: Advantages/Disadvantages
- Advantages
  – Relatively simple to deploy
  – Retains IPv4 support
  – Support widely available
- Disadvantages
  – Doubles most requirements (two routing tables, two routing processes, security)

Encapsulation: Advantages/Disadvantages
Encapsulation has several benefits:
- Cost is low, unless performance is a requirement.
- It provides a simple solution: interconnection of IPv6 islands.
- It provides IPv6 Internet connectivity on existing IPv4 connections.

Encapsulation: Advantages/Disadvantages (Cont.)
Encapsulation has several drawbacks:
- The overhead of tunneling/decapsulation adds to delay/jitter and consumes router resources.
- Management can be more complex: overlay networks make management more difficult.
- IPv4 fragmentation may be introduced as tunnel methods reduce effective MTU.
- Some tunneling methods create security risks.
- The tunnel interface is always up. Use a routing protocol to determine link failures.

NAT-PT: Advantages/Disadvantages
- NAT-PT benefits include:
  – Communication possible with legacy applications that may never attain IPv6 support
- NAT-PT has several drawbacks:
  – All the issues behind regular NAT and more
  – Breaks end-to-end security
  – Single point of failure and performance
  – Prevents full deployment of new applications

Summary
- IPv6 deployment strategies will differ based on whether deployment occurs in:
  – Single-location, enterprise network
  – Campus network
  – Multiple-location enterprise that networks across a WAN
- There are numerous approaches to IPv6 integration, including dual stacking, encapsulation, and NAT-PT. While each of these has advantages and disadvantages, the most important function is end-to-end IPv6 traffic forwarding.
- Service providers and enterprises may have different deployment needs and mechanisms, but the following basic steps are common:
  – Definition of an IPv6 addressing scheme
  – Selection of the IPv6 routing protocol or protocols
  – DNS server ready to support AAAA and other IPv6-format records
  – IPv6 device management capability
