
BRKRST-2619

IPv6 Deployment
Developing an IPv6 Address Plan and Deploying IPv6

Jim Bailey, Solution Architect


jimbaile@cisco.com
Source - https://imgur.com/HyCwObF
BRKRST-2619 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Why are we doing this?
• What is an IPv6 Address?
• How do you break it down?
• How do I integrate IPv6?
• Conclusion

Why are we doing this?
IPv4 Address Exhaustion

http://www.potaroo.net/tools/ipv4/

% of IPv6 users as seen by Google

https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption&tab=ipv6-adoption
Why Bother?
• Continuity of Business
  • To ensure services are available to customers and partners
  • New products and enhanced service delivery
  • Government/Partner/Corporate mandates or regulations
• Cost
  • Avoid the risk and cost associated with unplanned and uncontrolled implementation of IPv6
  • Avoid the increased cost of moving to IPv6 when the industry and suppliers are driving the market
[Chart: IPv4 Free Pool, Size of the Internet and IPv6 Deployment plotted against Time, with "Today" marked]

Cisco VNI IPv6 Traffic Forecast

https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white-paper-c11-741490.pdf

What is an IPv6 Address?
IPv6 Addresses
• IPv6 addresses are 128 bits long
• Segmented into 8 groups of four HEX characters (called HEXtets)
• Separated by a colon (:)
• Default is 50% for network ID, 50% for interface ID

Global Unicast Identifier Example
Network Portion: gggg:gggg:gggg (Global Routing Prefix, n <= 48 bits) : ssss (Subnet ID, 64 – n bits)
Interface ID: xxxx:xxxx:xxxx:xxxx (Host)
Full Format: 2001:0000:0000:00A1:0000:0000:0000:1E2A
Abbreviated Format: 2001:0:0:A1::1E2A

Types of Unicast IPv6 Addresses
• RFC 4291 IP Version 6 Addressing Architecture
• Link-Local Address (LLA)
• Unique Local Address (ULA) (RFC 4193)
  • Site-Local Address has been deprecated by IETF (RFC 3879, September 2004)
• Global Unicast Address
[Diagram: Link-Local Address, Unique Local Address, Global Address]

How Do We Build an
IPv6 Address Plan?
Addressing Plan Requirements and Considerations
Requirements
• Clear addressing for different parts of the network
  • WAN/Core, Campus, branch, DC, Internet Edge etc.
  • Different Locations
  • Different services
• Encoding of information
• Ease of aggregation
• Leaving space for growth
Considerations
• Length of prefix and bits to work with
  • Enterprises usually multiple /48 (≥ 16 bits)
  • SPs should get /29 (≥ 35 bits)
• Avoid breaking the nibble boundary
• Think of # of prefixes at each level
• Templates will be your friends
• Internal policy for using the Addressing Plan
• Involvement of other teams
  • E.g. Information Security

IPv6 Address Considerations
• Many ways of building an IPv6 Address Plan
• Regional Breakdown, Purpose built or Generic buckets, Separate per business function
• Hierarchy is key
• Don’t worry too much about potential inefficiencies
• Prefix length selection
• Network Infrastructure links, Host/End System LAN
• Addressing hosts
• SLAAC, DHCP (stateful), DHCP (stateless), Manually assigned
• Building the IPv6 Address Plan
• Cisco IPv6 Addressing White Paper
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_BN_IPv6AddressingGuide-Feb2013.pdf

IPv6 Address Space - PI vs PA
• Do I Get PI or PA?
  • PI space is great for organizations who want to multihome to different SPs
  • PA if you are single homed or you plan to NAT/Proxy everything with IPv6 (not likely)
• Possible Options for PI
  • Get one large global block from local RIR and subnet out per region
  • Get a separate block from each of the RIR you have presence in
• Most organizations are going down the PI path
  • Getting assignments across regional registries provides “insurance” against changing policies
  • Traffic Engineering

Addressing Recommendations
• Link Local Address
  • First 64 bits are fixed
  • Interface Identifier can be modified
  • Encoding external identifiers for troubleshooting
    • VLAN number
    • Router IDs
    • IPv4 address
  • Possible to leverage for IGP routing
• Unique Local Address
  • Not recommended for end-point addressing
    Unless in a closed system
  • Needs Translation (NPTv6 or NAT66) on Internet Edge
• Global Unicast Address
  • Vast number of prefixes
  • Manage just one address space
[Diagram: Link-Local Address, Unique Local Address, Global Address]

What about NAT?
A couple of versions of address translation related to IPv6
• NAT-PT
  • Original IPv6-to-IPv4 specification
  • Deprecated
• NPTv6
  • Stateless translation method
  • Only manipulate the prefix
• NAT66
  • Stateful translation
  • Not specified in RFC
• NAT64
  • Translation between IPv6 and IPv4 address families
  • Stateless and stateful methods available
Where should NAT be applied?
• NAT66
  • Address hiding ???
  • That’s the way we do IPv4???
  • It provides security???
  • Multi-homing
• NAT64
  • Boundaries between IPv4 only and IPv6
  • Highly successful in getting quick IPv6 access
  • Cannot be the final state
  • Must move towards full IPv6 integration
http://www.potaroo.net/ispcol/2017-09/natdefence.html

Methodology for writing
an IPv6 Addressing Plan
The 4 Rules
1. Simple
Remember Rule #1
• You don’t want to spend weeks explaining it!
2. Embed Information
• To help troubleshooting and operation of the network
• Examples: location, country, PIN, VLAN, IPv4 addresses in Link Local and/or Global Addresses
3. Build-in Reserve
• Cater for future growth, mergers & acquisitions, new locations
• Reserved vs. assigned
4. Aggregatable
• Good aggregation is essential, just one address block (per location), we can take advantage of this (unlike in IPv4!)
• Ensures scalability and stability

Methodology – Structure
• Analyze, where will IPv6 be deployed?
  • Addressing plan needs to be designed globally
• Identify the structure of the addressing plan
  • Based on requirements and considerations discussed earlier
  • Top-down approach
    This might be different from the IPv4 days when # of hosts per subnet was important
• Where and how many locations
  • Countries, regions, locations, buildings, etc…
  • Needs to map onto the physical / logical network topology
• Which services, applications and systems connected in each location
  • E.g. Fixed networks, mobile networks, end-users, ERP, CRM, R&D, etc…

Methodology – # Prefixes per Level
• How many prefixes will you need at each level of the addressing plan
• Example: a BNG can handle 64000 subscribers = 64000 IPv6 prefixes
• Example: the number of interconnects (P2P) in your network
• As always, put aside a reserve
• How many /64 prefixes (subnets) you need to deploy at a location
• Example: desktops, WIFI, guestnet, sensors, CCTV, network infrastructure, etc…
• As always, put aside a reserve!
• Don’t worry about the number of hosts
• We have 2^64 IPv6 addresses for hosts!

Methodology – Information Encoding
• Remember transition mechanisms – these will have specific address format requirements
  • ISATAP, NAT64 (/96), 6rd, MAP
• Possible encoding of information in particular portions of the IPv6 prefix
  • VLANs in the prefix
    • VLAN 4096 → 2001:db8:1234:4096::/64 (alternatively in hex)
  • The whole IPv4 address or just a portion – consider this carefully – trade-off between linkage vs. independence
    • IPv4 address 10.0.13.1 → 2001:db8:1234:100::10:0:13:1
  • Router IDs in the Interface Identifier / IPv4 in Link-Local
• Consider security implications!

Methodology – Infrastructure Addressing
• How about router interconnects / point-to-point links?
  • First recommendations: configured /64, /112 or /126
  • RFC 3627 (Sept. 2003 - /127 considered harmful) – moved to historic by RFC 6547 (Feb. 2012)
  • Since April 2011, RFC 6164 recommends /127 on inter-router links
  • Current recommendation /64, /126 or /127 – (/127 mitigates ND exhaustion attacks)
  • Allocate /64 from a block (e.g. /54) for infrastructure links but configure /127
  • Example: 2001:420:1234:1:1::0/127 and 2001:420:1234:1:1::1/127
• Loopbacks
  • E.g. Dedicate /64 for Loopback addresses
  • Allocate /64 per Loopback but configure /128
  • Example: 2001:420:1234:100:1::1/128 and 2001:420:1234:101:1::1/128
  • Avoid a potential overlap with reserved address space (e.g. Embedded RP address)

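The encoding and infrastructure-addressing rules from the two slides above, worked in Python with the standard ipaddress module. This is an added example, not from the deck; the 2001:db8::/32 documentation prefixes, the /48 site, the /54 infrastructure block and the ::1 loopback convention are assumptions of the example.

```python
import ipaddress
from typing import Tuple

# Added example, not from the slides: the encoding and infrastructure rules above
# (decimal-readable VLAN subnet IDs, IPv4 octets carried in the interface ID,
# /64 allocations configured as /127 links and /128 loopbacks) in code.
# All prefixes below are documentation (2001:db8::/32) values chosen for the example.

IID_BITS = 64                     # everything below the /64 boundary is interface ID
SUBNET_BITS = 16                  # a /48 site leaves one hextet (16 bits) of subnet ID


def _readable(n: int) -> int:
    """Interpret the decimal digits of n as hex digits (4096 -> 0x4096) so the
    number stays legible in the address. Fails if it does not fit one hextet."""
    if n < 0 or len(str(n)) > 4:
        raise ValueError(f"{n} cannot be written in a single hextet")
    return int(str(n), 16)


def vlan_subnet(site: str, vlan: int, hex_encoding: bool = False) -> str:
    """Return the /64 for a VLAN inside a /48 site prefix.

    Default: the VLAN number is copied digit-for-digit into the subnet ID
    (VLAN 4096 -> ...:4096::/64). hex_encoding=True stores the binary value
    (VLAN 4096 -> ...:1000::/64), denser but not readable at a glance.
    """
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("site prefix must be a /48 so the subnet ID is one hextet")
    subnet_id = vlan if hex_encoding else _readable(vlan)
    if not 0 <= subnet_id < 1 << SUBNET_BITS:
        raise ValueError("subnet ID does not fit in 16 bits")
    return str(ipaddress.IPv6Network((net.network_address + (subnet_id << IID_BITS), 64)))


def embed_ipv4_iid(prefix64: str, ipv4: str) -> str:
    """Host address whose interface ID carries an IPv4 address, one octet per
    hextet with the digits kept readable: 10.0.13.1 -> ...:10:0:13:1.
    All eight hextets are then non-empty, so no '::' appears in the result."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("host subnets are /64")
    iid = 0
    for octet in ipaddress.IPv4Address(ipv4).packed:
        iid = (iid << 16) | _readable(octet)
    return str(net.network_address + iid)


def count_64s(block: str) -> int:
    """How many /64s an allocation block contains (a /54 holds 2**10 = 1024)."""
    net = ipaddress.IPv6Network(block)
    if net.prefixlen > 64:
        raise ValueError("block must be a /64 or shorter")
    return 1 << (64 - net.prefixlen)


def _nth_64(block: str, index: int) -> ipaddress.IPv6Address:
    if not 0 <= index < count_64s(block):
        raise ValueError(f"block {block} has no /64 number {index}")
    return ipaddress.IPv6Network(block).network_address + (index << IID_BITS)


def p2p_link(block: str, index: int) -> Tuple[str, str]:
    """Allocate the index-th /64 of an infrastructure block to a point-to-point
    link, but return the two addresses of the /127 actually configured on it.
    Keeping a /64 per link preserves the plan's nibble-friendly hierarchy; the
    /127 on the wire leaves no spare addresses for ND cache exhaustion."""
    link = ipaddress.IPv6Network((_nth_64(block, index), 127))
    return str(link[0]), str(link[1])


def loopback(block: str, index: int) -> str:
    """Dedicate the index-th /64 of a block to one loopback, configured as a /128
    at ::1 of that /64 (the ::1 choice is this example's convention)."""
    return f"{_nth_64(block, index) + 1}/128"


if __name__ == "__main__":
    print(vlan_subnet("2001:db8:1234::/48", 4096))                 # 2001:db8:1234:4096::/64
    print(embed_ipv4_iid("2001:db8:1234:100::/64", "10.0.13.1"))   # 2001:db8:1234:100:10:0:13:1
    print(count_64s("2001:db8:1234:fc00::/54"), "links available")  # 1024
    print(p2p_link("2001:db8:1234:fc00::/54", 1))
    print(loopback("2001:db8:1234:f800::/54", 1))
```

Note that the slide writes the IPv4-embedding example with a "::"; once all eight hextets carry a value there is nothing left to compress, which is what the function returns.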
Prefix Length Considerations
• Anywhere a host exists /64
• Point to Point /127
• Loopback or Anycast /128
• RFC 7421 /64 is here
• RFC 6164 /127 cache exhaust
[Diagram: Hosts /64, Core /64 or /127, Pt 2 Pt /127, Servers /64, Loopback /128, WAN /127]

Link Local Only?
• Exclusively use Link Local Addresses on network infrastructure
• Prefix Lengths don’t matter anymore
• Network Infrastructure is un-reachable from outside of the network
• Smaller routing tables
• Will impact your network management system
  • Ping, traceroute, SNMP, TACACS, RADIUS
• See RFC 7404 Using Only Link-Local Addressing inside an IPv6 Network

[Diagram: R101 connected to R111 over Ethernet0/0]

R111#sh run int eth0/0
!
interface Ethernet0/0
 ip address 10.112.0.111 255.255.255.0
 ipv6 address FE80::111 link-local
 ipv6 enable
 ospfv3 1 ipv6 area 0
end

R111#sh ipv6 route
IPv6 Routing Table - default - 2 entries
O   1::1/128 [110/10]
     via FE80::101, Ethernet0/0
L   FF00::/8 [0/0]
     via Null0, receive

R111#sh ospfv3 neigh
OSPFv3 1 address-family ipv6 (router-id 1.1.1.111)
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
77.1.1.1          1   FULL/DR         00:00:36    3               Ethernet0/0

Example - How Many Subnets in a Location? (For Your Reference)
[Diagram: 2^4 = 16 /52s; 2^12 = 4096 /64 subnets per /52; 2^2 = 4 /54s; 2^10 = 1024 /64s per /54, allocated as 1024 /127 p-t-p links and 1024 /128 loopbacks]
• Follow the logical flow
• How many subnets in each location?
• What does sit under infrastructure?
• How many point-to-point links?
• Where is the reserve?

Example of an IPv6 Prefix Break-down (ISP) (For Your Reference)
[Diagram: prefix break-down table; no recoverable text]

Tools for Managing IPv6 Addressing Plan
• Not just a spreadsheet, please!
  Prone to error
• There are many IP Address Management tools on the market
  Cisco Prime Network Registrar
  http://www.cisco.com/en/US/products/ps11808/index.html
  Other IPAM tools include Infoblox, BlueCat, BT Diamond
• Work with an IPv6 prefix calculator
  Example: http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

Recommendations
• Link-Local Address
  • Interface Identifier can be modified
    Stay on the 64 bit boundary!!!
  • Encoding e.g. VLAN number, router IDs, IPv4 address, may make the troubleshooting easier
    Keep it simple
    Restrict it to Network Infrastructure
  • Default is EUI-64
    Example 1: EUI-64 FE80::ABDC:12FF:FE34:5678
    Example 2: Router ID 1.1.1.1 => FE80::1:1:1:1
      Identifies the device rather than a link, all interfaces on one device have the same LLA
    Example 3: VLAN number 1006 => FE80::1006
      VLAN to which a server is connected

Recommendations
• Unique Local Address
  • Don’t deploy
    Not for end-point addressing
    Unless in a closed system
    Needs translation for outside of domain communication
• Global Unicast Address
  • Take advantage of the vast number of prefixes
  • Manage just one address space
• Remember: an Interface has multiple IPv6 addresses

IPv6 Addresses per Interface (For Your Reference)
• Link-local
• Global unicast and/or Anycast
• All nodes multicast
• Multicast address of all groups it subscribes to
• Its own solicited-node multicast address
• Loopback (::1)
  • Per node

IPv6 Addresses per Interface (For Your Reference)
• Router output
Cat3750-X#show ipv6 int GigabitEthernet1/1/1
GigabitEthernet1/1/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::523D:E5FF:FE1D:4142
  Global unicast address(es):
    2001:428:E204:FD00::23, subnet is 2001:428:E204:FD00::22/127
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::1:FF00:23
    FF02::1:FF1D:4142
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND RAs are suppressed (all)
  Hosts use stateless autoconfig for addresses.

IPv6 Addresses don’t work well with Text messaging and Instant Messaging clients!
Source: Cisco Jabber – output of “show ipv6 cef” command

IPv6 Address
Assignment
Host Address Assignment
Manual
  Pros: Address is stable; Controlled assignment; Well understood process
  Cons: Does not scale; Time to deploy; Lack of management
Stateless
  Pros: Scales well; Time to deploy; Widely implemented
  Cons: No control on assignment process; Not well understood
Stateful DHCPv6
  Pros: Well understood process; Controlled assignment; Time to deploy
  Cons: Implementation in OS; Must design for HA

• The choice of assignment depends on the existing processes and the adaptability of that process
• Remember that the methods are not mutually exclusive - all three can be used
• Regardless of choice must still control the stateless address assignment of addresses

Managing IPv6 Address Assignment
• Likely to use combination of at least 2 methods
• Usage depends on the place in the network (PIN) & end-devices
  • P2P/Infrastructure links/devices & “heavily” managed environment (e.g. public servers) → Manual assignment
    • Link-Local addresses only?
    • Using Only Link-Local Addressing Inside an IPv6 Network
  • End-user VLAN → Stateful DHCPv6
  • Non-managed environment (e.g. Public Hotspots) → SLAAC + stateless DHCPv4
• Remember: EUI-64 => MAC exposed in the address on the Internet

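An added example (not from the deck) showing how the default EUI-64 link-local address from the recommendations and the show ipv6 interface output above is derived from a MAC, how that MAC can be read straight back out of any EUI-64 address (the exposure in the last bullet), and which solicited-node groups an interface must join. The MAC 50:3d:e5:1d:41:42 is inferred from the link-local address in that output and is an assumption; the privacy address is taken from the neighbor-cache slide later in the deck.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Added example, not from the slides: Modified EUI-64 derivation, its inverse,
# and solicited-node multicast membership. The MAC below is inferred from the
# "show ipv6 interface" output in the deck and is an assumption of this example.

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
UL_BIT = 0x02            # universal/local bit of the first MAC octet, inverted in EUI-64
IID_MASK = (1 << 64) - 1


def _parse_mac(mac: str) -> bytes:
    # accepts 50:3d:e5:1d:41:42, 50-3d-e5-1d-41-42 and Cisco's 503d.e51d.4142
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def eui64_iid(mac: str) -> int:
    """Modified EUI-64: flip the U/L bit, insert 0xfffe between OUI and device part."""
    m = bytearray(_parse_mac(mac))
    m[0] ^= UL_BIT
    return int.from_bytes(bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:]), "big")


def eui64_link_local(mac: str) -> str:
    """The link-local address a node forms from its MAC when nothing is configured."""
    return str(LINK_LOCAL.network_address + eui64_iid(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 shaped interface ID, or None if the IID is
    not EUI-64 (privacy/temporary address, or a manually chosen IID like ::1:1:1:1).
    Works on any address, link-local or global: this is why EUI-64 on Internet-facing
    addresses leaks the hardware identity the slide warns about."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= UL_BIT
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(SOLICITED_NODE.network_address + low24)


def expected_groups(addrs: Iterable[str], router: bool = False,
                    ospfv3: bool = False) -> List[str]:
    """Groups an interface with these unicast addresses should list under
    'Joined group address(es)': all-nodes, optionally all-routers and
    all-OSPF-routers, plus one solicited-node group per unicast address."""
    groups = {"ff02::1"}
    if router:
        groups.add("ff02::2")
    if ospfv3:
        groups.add("ff02::5")
    groups.update(solicited_node(a) for a in addrs)
    return sorted(groups)


if __name__ == "__main__":
    lla = eui64_link_local("50:3d:e5:1d:41:42")
    print(lla, "<-", mac_from_eui64(lla))                       # fe80::523d:e5ff:fe1d:4142 <- 50:3d:e5:1d:41:42
    print(mac_from_eui64("2001:db8:cafe:2:2891:1c0c:f52a:9df1"))  # None: not EUI-64, MAC not exposed
    print(expected_groups(["2001:428:e204:fd00::23", lla], router=True, ospfv3=True))
```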
IPv6 Addressing Pop Quiz!!!!!
Questions

• Is fe80:1bd:8a71:145::1 a legitimate IPv6 address?

• How many addresses can you assign to an interface?

• Is 2001:db8:1234::/128 usable as a loopback address?

• Are 2001:db8:567:43ab::9 and 2001:db8:567:43ab::10 on the same /127 subnet?

• What is the air speed velocity of an unladen swallow?

IPv6 Planning
The Scope of IPv6 Deployment
Planning and coordination is required from many across the organization, including …
• Network engineers & operators
• Security engineers
• Application developers
• Desktop / Server engineers
• Web hosting / content developers
• Business development managers
• …
Moreover, training will be required for all involved in supporting the various IPv6 based network services

Where do I start?
• Core-to-Access – Gain experience with IPv6
• Turn up your servers – Enable the experience
• Access-to-Core – Securing and monitoring
• Internet Edge – Business continuity
[Diagram: Access Layer, Core, Internet Edge with two ISPs, WAN, Servers, Branch and Access]

Common Deployment Models for Internet Edge
[Diagram: three models for Internet, Partner and Branch connectivity
 - Pure Dual Stack: IPv4/IPv6 Host, Enterprise Edge, Agg + Services, Phy/Virt. Access, Storage, Compute, Dual Stack Hosts
 - Conditional Dual Stack: IPv4/IPv6 Host, Enterprise Edge, Agg + Services, Phy/Virt. Access, Storage, Compute, Mixed Hosts (IPv6 and IPv4)
 - Translation as a Service: SLB64 / NAT64 Boundary, Multi-Tenant Core, Agg + AFT Services, Phy/Virt. Access, Storage, Compute, IPv4-only Hosts]

IPv6 Readiness Assessment
Readiness Assessment
• A key and mandatory step to evaluate the impact of IPv6 integration
  Evaluate costs and define timelines
  Define the scope of integration
• Should be split in several components
  Network Infrastructure
  Service Providers
  End Systems
  Applications
  Operations
  Addressing

Network Assessment
• Break the project down into phases
  • Avoids false positives and cuts back on upgrade costs
• Determine place in the network (PIN), platforms, features that are needed in each phase
  • RIPE-554
  • IPv6 Ready Logo Program
• Work with your vendor to address the gaps
  • Applies to all of your vendors

Commonly Deployed IPv6-enabled OS/Apps
[Table: Operating Systems; Virtualization & Applications]
Most commercial applications won’t be your problem – it will be the custom/home-grown apps that are difficult

What Defines an Application?
Are These Applications? What about these? Are these applications, or just ports?
HTTP 80, FTP 20/21, POP3 110, IMAP 143, HTTPS 443, SMTP 25
IPv4/IPv6 transport

Services Assessment
• Evaluate the organizations that are going to provide services to support your deployment
  • Internet Service
  • Application
  • Cloud Services
  • Content Management, DNS
• Deployment Type
  • Dual Stack, Native or Overlay
• What kind of services are offered
  • Are they “IPv6 Capable”?
  • If not, when will IPv6 be integrated?
• Questions to ask your Internet Service Provider
  http://docwiki.cisco.com/wiki/What_To_Ask_From_Your_Service_Provider_About_IPv6

Operational Assessment
• Evaluate the tools in the NMS for IPv6 capability
  • All tools across the FCAPS model
• Define what is critical and what can wait
  • Is it critical to support netflow or anycast DNS?
• Custom scripts
  • Updated to accommodate dual transports
    Override default behavior to prefer one over the other
  • Are there new scripts needed?
    Are both transports available?
    # addresses per host, DNS queries/response, validating summarization

IPv4 Address Assessment
• Assess how the existing IPv4 address space is used
• Useful information for
  • IPv6 integration
  • IPv4 address consolidation
  • Reclaiming unused address space
• Use existing tools
  • IPAM
  • ARP tables
  • Routing tables
  • DHCP logs
[Diagram: better visibility into how the existing address space is used; can better answer when IPv6 is critical]

Integration Mechanisms
Transition Solution Universe!

Connecting IPv6 Sites Together
[Diagram: Customer Network – WAN – Customer Network over Dual Stack; Customer Networks attached via 6VPE to an IPv4 MPLS Core; Subscriber Networks]
• Using Tunnels
  • Manually configured tunnels
  • IPv6 over GRE
  • LISP
  • IPSec Tunnels
  • Carrier Grade NAT
  • Dynamic Multipoint VPN (DMVPN)
  • FlexVPN
• Dual Stack IPv4/IPv6
  • Dual Stack CPEs
  • Dual Stack Headquarters
  • Dual Stack WAN
• 6VPE Service
  • Dual Stack CE
  • IPv4 / IPv6
  • 6VPE VPN Service

SP IP Network Transition options
[Diagram: five SP models side by side, each reaching the IPv4 Internet and/or the IPv6 Internet over an IPv4 Core or a Dual Stack Core, with 6rd BR, LNS, AFTR, 4rd BR, NAT44 and NAT 6↔4 functions, IPv4 or IPv6 access networks (ex: DOCSIS 3.0), PE, CE and Subscriber Networks]
• IPv6 Rapid Deployment (6rd) over an IPv4 Broad Band Access Network
• IPv4 Carrier Grade NAT (NAT444)
• Native Dual Stack Core over L2TP / DOCSIS Access
• IPv4 via IPv6: Dual Stack Core using DS-Lite (w/NAT44), MAP-E – Encap All, MAP-T – L3 and L4 in header, Lw4over6, 4rd, Softwires
• IPv6-Only Connectivity / IPv6-Only Subscriber with AFT64, 464Xlat
For more info see: http://www.cisco.com/go/cgv6

Coexistence
Considerations
Scalability and Performance
• IPv6 Neighbor Cache = ARP for IPv4
• In dual-stack networks the first hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries

ARP entry for host in the campus distribution layer:
Internet  10.120.2.200            2   000d.6084.2c7a  ARPA   Vlan2

IPv6 Neighbor Cache entry:
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1          4 000d.6084.2c7a  STALE Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC         16 000d.6084.2c7a  STALE Vl2
FE80::7DE5:E2B0:D4DF:97EC                   16 000d.6084.2c7a  STALE Vl2

• There are some implications to managing the IPv6 neighbor cache when concentrating large numbers of end systems

Neighbor Unreachability Detection (NUD)
• The neighbor cache maintains mapping information
  Neighbor’s reachability state is also maintained
• Neighbors can be in one of 5 possible states
  INCOMPLETE – Address resolution is in progress and link-layer address is not yet known.
  REACHABLE – Neighbor is known to be reachable within last reachable time interval.
  STALE – Neighbor requires re-resolution, traffic may flow to neighbor.
  DELAY – Neighbor pending re-resolution, traffic might flow to neighbor.
  PROBE – Neighbor re-resolution in progress, traffic might flow to neighbor.
• Every entry that is marked STALE in the neighbor cache will need to have its state verified
  Traffic will be forwarded using the STALE entry
  NUD will use NS/NA to detect reachability
• How often NUD runs depends on the value of AdvReachableTime that is set in RA messages
  Cisco default is 30 seconds
• Consider CPU load for maintaining state for thousands to tens of thousands of entries!

Neighbor Unreachability Detection (NUD) Implications
• What to do?
  • Don’t Panic!
    • Unless you forgot your towel
• New features to manage the neighbor cache
  • Extend the reachable time advertised in RAs (max value is 1 hour)
  • Unsolicited NA glean (more to avoid traffic disruption)
  • ND cache timers (control how long an entry is maintained in STALE state; default is 4 hours)
  • ND cache refresh (run NUD before purging STALE neighbors)
  • NUD exponential retransmit (spread out the NS packets)

Understanding Co-Existence Implications
• Resources considerations
  ‒ Memory (storing the same amount of IPv6 routes requires less memory than might be expected)
  ‒ CPU (insignificant increase in the case of HW platforms, additive in the case of SW platforms)
• Control plane considerations
  ‒ Balance between IPv4/IPv6 control plane separation and scalability of the number of sessions
• Performance considerations
  ‒ Forwarding in the presence of advanced features
  ‒ Convergence of IPv4 routing protocols when IPv6 is enabled
[Chart: Memory (bytes, 0 to 450000) against Number of Routes (0 to 3000) for IPv4 and IPv6, with linear fits]
[Chart: Time (0 to 0.5) against Number of Prefixes (0 to 3000) for IPv4 OSPF and IPv6 OSPF, with linear fit for IPv4 OSPF]

QoS Considerations
• IPv4 and IPv6 QoS features are mostly compatible (RFC 2460/3697)
• Both transports use DSCP (aka Traffic Class)
• Control plane Queues need to now take into account IPv6 overhead too
• IPv6 classification can follow the same IP Precedence, Service Class, DSCP and EXP values already defined for IPv4.
• IPv6 will utilize the same Network Control, Voice, Gold, Bronze, Silver, Best Effort classes
[Diagram: IPv4 header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding) and IPv6 header, each with the DSCP field highlighted]

QoS CLI
• Class maps can match both IPv4 and IPv6 traffic
• Can be broken into “ip” and “ipv6” matching
• Design principles still the same !
  • Mark at the edge
  • Trust boundaries still apply
  • Queue sizing

class-map match-any Critical_Data
 match dscp af21
class-map match-any Voice
 match dscp ef
class-map match-all Scavenger
 match dscp cs1
class-map match-any Bulk_Data
 match dscp af11
policy-map DISTRIBUTION
 class Voice
  priority percent 10
 class Critical_Data
  bandwidth percent 25
  random-detect dscp-based
 class Bulk_Data
  bandwidth percent 4
  random-detect dscp-based
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect

[Diagram: Data, Voice, Video and Internet traffic entering the DISTRIBUTION policy]

Management and Operations
Don’t Forget About Network Management
• Management and design strategies for IPv6 addressing policies and operation
• Introduction of extended IP services: DHCPv6, DNSv6, IPAM
• Managing security infrastructures: Firewall, IDS, AAA
• Tool visibility, insight and analysis of IPv6 traffic: Netflow v9, IPv6 SLA
• Dual Stack Interfaces and tools
  • Reporting combined v4 and v6 traffic statistics.
  • Requires support in
    • Instrumentation (MIB, Netflow records, etc.)
    • NMS tools and systems

IPv6 Instrumentation
[Diagram: IPv6/IPv4 Dual Stack Hosts on an L2/L3 Campus, an IPv6 over IPv4 tunnel towards the IPv6 Internet, Prefix Propagation]
• IPv6 FHS
• Port ACL
• IPv6 MIBs
• IPv6 Traffic Metering with Flexible Netflow
• Response measurement with IP SLA
• Tunnel detection with NBAR2
• Tunnel Filtering with ASA
• IDS/IPS signatures

Troubleshooting IPv6 Issues
• IPv4 or IPv6 is transparent to a user since names are used to connect to web sites or other hosts
  • http://www.google.com will take us to Google
• Typically an end user will notice issues if all of the following are true:
  • IPv6 is enabled on the desktop
  • The DNS query returns an IPv6 AAAA record
  • IPv6 is preferred over IPv4
  • There are connectivity problems over IPv6
[Diagram: TCP and UDP over IPv4 (Ethertype 0x0800) or IPv6 (Ethertype 0x86dd) over Data Link (Ethernet)]

Diagnosing IPv6 Issues
• When a desktop needs to connect to a web site, the first thing it does is resolve the DNS name to an IP address.
• If the address returned contains an AAAA record and IPv6 is enabled and preferred on the host, it will use IPv6 to reach that website.
• If there are issues with IPv6 connectivity further in the network, the host may not be able to connect (or load the page in a browser)
• The host will wait for IPv6 to time out before falling back to IPv4 (this is ~30 sec for windows) and leads to bad user experience.
• Basic troubleshooting using ping, tracert, ipconfig should help isolate the issue

Troubleshooting
[Two screenshot slides; no recoverable text]

IPv6 Testing Considerations
• How do hosts react to auto-configuration?
• Are devices taking both a static and auto-configuration?
• Should IPv6 RA’s be disabled? How do devices react to that?
• Does the application being used implement SAS (Source address selection) algorithm correctly?
• How do devices react with A and AAAA DNS records?
• What happens if IPv4 is disabled?
• What happens if IPv6 is impaired?
[Diagram: host receiving A record, AAAA record, ARP request, RA, DHCP reply, DNS reply]

IPv6 Testing Considerations
• Create base line template that should be run as part of all IPv6 solution testing
  • Hosts/Servers/End Systems
  • Routers/Switches
  • Firewalls/IPS
  • Operating Systems
  • Applications
• Template should consist of basic IPv6 RFC 2460 functionality.
  • IPv6 Ready Logo - http://www.ipv6ready.org
  • USGv6 - http://www-x.antd.nist.gov/usgv6/index.html
  • RIPE-554 - http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554

IPv6 Tools
• Different ways to check on what is happening
• Where’s my prefix?
  ‒ Route servers and looking glasses - http://www.bgp4.as/looking-glasses
  ‒ Look at your network from the outside in
• Pings, traceroutes, SSL cert and DNS queries
  ‒ https://atlas.ripe.net/results/
• IPv6 troubleshooting tools for mobile devices (iOS & Android)
  IPv6 toolkit, HE.net, Netalyzr, LanDroid, Netstat

IPv6 and DNS
IPv6 and DNS
Hostname to IP Address
  IPv4 A Record: www.abc.test. A 192.168.30.1
  IPv6 AAAA Record: www.abc.test AAAA 2001:db8:C18:1::2
IP Address to Hostname
  IPv4 PTR Record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6 PTR Record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.

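The A/AAAA-to-PTR mapping in the table above, as an added example (not from the deck) that builds ip6.arpa owner names from the fully expanded address, parses them back for log or zone-file review, and derives the reverse zone for a nibble-aligned prefix. The hostname and addresses are the slide's values; the /64 reverse zone is an assumption of the example.

```python
import ipaddress
from typing import List, Tuple

# Added example, not from the slides: reverse-DNS owner names for the A/AAAA
# records in the table above. Hostname and addresses are the slide's values.


def in_addr_arpa(ipv4: str) -> str:
    """Reverse the four octets under in-addr.arpa (fully qualified, trailing dot)."""
    octets = str(ipaddress.IPv4Address(ipv4)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ip6_arpa(ipv6: str) -> str:
    """Expand the address to all 32 nibbles, reverse them and append ip6.arpa.
    The abbreviated form (::) has to be expanded first or the name is wrong."""
    nibbles = ipaddress.IPv6Address(ipv6).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ip6_from_arpa(name: str) -> str:
    """Turn a PTR owner name back into the compressed address (handy when reading
    reverse-zone files or resolver logs). Raises ValueError on malformed names."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"not an ip6.arpa name: {name!r}")
    nibbles = labels[:-2]
    if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
        raise ValueError(f"expected 32 hex nibbles in {name!r}")
    return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))


def reverse_zone(prefix: str) -> str:
    """Zone apex that holds the PTRs for a prefix. Only nibble-aligned prefix
    lengths map cleanly onto ip6.arpa labels, one reason the addressing plan
    slides say not to break the nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones need a nibble-aligned prefix length")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_records(hostname: str, addrs: List[str]) -> List[Tuple[str, str, str]]:
    """PTR records for every address of a dual-stack host as (owner, type, rdata)."""
    records = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        owner = ip6_arpa(a) if ip.version == 6 else in_addr_arpa(a)
        records.append((owner, "PTR", hostname))
    return records


if __name__ == "__main__":
    for owner, rtype, rdata in reverse_records("www.abc.test.", ["192.168.30.1", "2001:db8:C18:1::2"]):
        print(owner, rtype, rdata)
    print(reverse_zone("2001:db8:c18:1::/64"))   # 1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa.
```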
AAAA Records on the Wire
[Packet capture screenshot; no recoverable text]

DNS as an Integration Tool
[Diagram series "How", "Who", "When": End Systems on the Internet, in the Corporate network, Remote, Business Partners and Government Agencies ask the DNS server "Who is www.ipv6.cisco.com?" or "Who is www.cisco.com?" and receive "www.ipv6.cisco.com is AAAA 2001:420:1101:1::a", "www.cisco.com is A 173.37.145.84", or "www.cisco.com is A 173.37.145.84 / AAAA 2001:420:1101:1::a" depending on the phase and the asking population]

IPv6 Security
• In 5 slides or less…
• Can’t be done
• Please see the following session for a much more detailed treatment:
  BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation
Security Considerations

Dual Stack increases the types and size of your attack vectors
Dual Stack Host Considerations
• Host security on a dual-stack device
  • Applications can be subject to attack on both IPv6 and IPv4
  • Fate sharing: as secure as the least secure stack...
• Host security controls should block and inspect traffic from both stacks
  • Host intrusion prevention, personal firewalls, VPN clients, etc.

[Figure: a dual-stack client with an IPv4 IPsec VPN and no split tunneling, while IPv6 transport is in the clear and an IPv6 packet carrying an exploit arrives. Does the IPsec client stop an inbound IPv6 exploit?]
Securing the Edge, FW, Perimeter Router
• Address Range
  • Source of 2000::/3 at minimum vs. “any”; permit assigned space
• ICMPv6
  • RFC 4890 “Recommendations for Filtering ICMPv6 Messages in Firewalls”
• Extension Headers
  • Allow Fragmentation, others as needed. Block HBH & RH type 0
• IPv6 ACLs
  • ipv6 traffic-filter – to apply an ACL to an interface

  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any log
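Why the slide spells out the two ND permits before the logging deny, as an added example (not Cisco code): a simplified first-match evaluator that appends the three implicit IOS IPv6 ACL entries and shows that an explicit `deny ipv6 any any log` placed ahead of them silently breaks Neighbor Discovery unless nd-na and nd-ns are permitted explicitly. The packets and ACLs are constructed; port matching and other ACE options are not modelled.

```python
"""Simulate IOS IPv6 ACL evaluation to show why the implicit entries matter.
Added example, not Cisco code: first-match over the configured entries, then the
three implicit entries IOS appends to every IPv6 ACL (from the slides)."""
import ipaddress

IMPLICIT_ENTRIES = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]

# Constructed sample packets: Neighbor Discovery plus ordinary user traffic.
ND_NS = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1:ff00:2", "icmp_type": "nd-ns"}
ND_NA = {"proto": "icmp", "src": "fe80::2", "dst": "fe80::1", "icmp_type": "nd-na"}
HTTPS = {"proto": "tcp", "src": "2001:db8:ffff::1", "dst": "2001:db8:0:1::10"}


def _addr_matches(token, addr):
    """'any' or a prefix in IOS notation, e.g. 2000::/3."""
    return token == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)


def evaluate(acl, packet):
    """Return (action, entry) for the first matching ACE.
    Supports 'permit|deny <proto> <src> <dst> [icmp-type] [log]'; 'ipv6' matches any protocol."""
    for entry in acl + IMPLICIT_ENTRIES:
        words = entry.split()
        action, proto, src, dst = words[:4]
        extras = [w for w in words[4:] if w != "log"]      # 'log' is not a match condition
        icmp_type = extras[0] if extras else None
        if proto != "ipv6" and proto != packet["proto"]:
            continue
        if not (_addr_matches(src, packet["src"]) and _addr_matches(dst, packet["dst"])):
            continue
        if icmp_type and packet.get("icmp_type") != icmp_type:
            continue
        return action, entry
    raise RuntimeError("unreachable: the implicit deny matches everything")


def nd_survives(acl):
    """True when both Neighbor Solicitation and Neighbor Advertisement are still permitted."""
    return all(evaluate(acl, p)[0] == "permit" for p in (ND_NS, ND_NA))


# Edge ACL in the spirit of the slide: permit assigned space, not 'any'.
TRUSTED_ONLY = ["permit tcp 2000::/3 2001:db8:0:1::/64"]
WITH_LOG_DENY = TRUSTED_ONLY + ["deny ipv6 any any log"]        # deny now precedes the implicit ND permits
WITH_LOG_DENY_FIXED = TRUSTED_ONLY + ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any log"]

if __name__ == "__main__":
    for name, acl in [("trusted", TRUSTED_ONLY), ("log-deny", WITH_LOG_DENY), ("fixed", WITH_LOG_DENY_FIXED)]:
        print(name, "ND ok:", nd_survives(acl), "HTTPS:", evaluate(acl, HTTPS))
```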
Infrastructure Security - Management Plane
• SSH, syslog, SNMP, NetFlow all work over IPv6
• Dual-stack management plane
  • More resilient: works even if one stack is down
  • More exposed: can be attacked over IPv4 and IPv6
• RADIUS over IPv6 is recent, but IPv6 RADIUS attributes can be transported over IPv4
• As usual, an infrastructure ACL is your friend, as is out-of-band management

ipv6 access-list VTY
 permit ipv6 2001:db8:0:1::/64 any
And
line vty 0 4
 ipv6 access-class VTY in

In IOS-XR the command is ‘access-class VTY ingress’, and the IPv4 and IPv6 ACL must have the same name.
Control Plane Policing
• Control Plane Policing can be applied to IPv6
• Adapt what’s in place today to accommodate IPv6
  • Routing protocols
  • Management protocols
  • Remember the extended functionality of ICMP
• Monitor carefully to see what shows up in the logs
• Remember the default rules at the end of all IPv6 ACLs
  • permit icmp any any nd-na
  • permit icmp any any nd-ns
  • deny ipv6 any any
  • They apply to any CoPP policy that uses ACLs to match

policy-map COPPr
 class ICMP6_CLASS
  police 8000
 class OSPF_CLASS
  police 200000
 class class-default
  police 8000
!
control-plane cef-exception
 service-policy input COPPr
IPv6 First Hop Security (FHS)
IPv6 FHS

Features, left to right on the slide: RA Guard, DHCPv6 Guard, Source/Prefix Guard, Destination Guard, RA Throttler, ND Multicast Suppress
• RA Guard - Protection: rogue or malicious RA; MiM attacks
• DHCPv6 Guard - Protection: invalid DHCP Offers; DoS attacks; MiM attacks
• Source/Prefix Guard - Protection: invalid source address; invalid prefix; source address spoofing
• Destination Guard - Protection: DoS attacks; scanning; invalid destination address
• RA Throttler - Facilitates: scale, converting multicast traffic to unicast
• ND Multicast Suppress - Reduces: control traffic necessary for proper link operations, to improve performance

Core Features / Advance Features / Scalability & Performance
IPv6 Snooping
What Next?
State of IPv6 Deployment Today
• IPv4 addresses have been exhausted
• Adoption of IPv6 on the Internet is increasing
• IPv6 integration has a lengthy deployment cycle
• IPv6 integration involves all aspects of IT

http://6lab.cisco.com/stats/
Call to Arms
• Take a systematic, wide approach to IPv6 planning and execution
• Take opportunities to be IPv6 ready in technology refresh cycles
• Learn from others who have undertaken the journey
• Make the leap!
• Be the IPv6 “Nut”
Recommended Reading
• Preparing an IPv6 Addressing Plan
  • SurfNet white paper
  • www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf
• RFC 6177 IPv6 Address Assignment to End Sites
• Cisco IPv6 Addressing white paper
  • http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_IPv6AddressingGuide-Aug2012.pdf
• ULA voluntary registry
  • https://www.sixxs.net/tools/grh/ula/list/
More IPv6 Sessions
When                  Session       Title
29 Jan 2019 / 11:00   BRKIP6-2191   IPv6: The Protocol
29 Jan 2019 / 14:15   LABSPG-3122   Advanced IPv6 Routing and services lab
29 Jan 2019 / 14:30   BRKIP6-2616   Beyond Dual-Stack: Using IPv6 like you’ve never imagined
30 Jan 2019 / 11:00   BRKSPG-2602   IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
30 Jan 2019 / 14:30   BRKIP6-2301   Intermediate - Enterprise IPv6 Deployment
31 Jan 2019 / 08:30   BRKRST-3304   Hitchhiker's Guide to Troubleshooting IPv6 - Advanced
31 Jan 2019 / 11:00   BRKRST-2619   IPv6 Deployment: Developing an IPv6 Addressing Plan and Deploying IPv6
31 Jan 2019 / 11:00   BRKSEC-3200   Advanced IPv6 Security Threats and Mitigation
31 Jan 2019 / 14:00   LTRIPV-2494   IPv6 Transformation Lab
31 Jan 2019 / 14:00   LABSPG-3122   Advanced IPv6 Routing and services lab
                      LABIPV-2261   IPv6 planning, deployment and transition
                      LABCRS-1000   Intro IPv6 Addressing and Routing Lab
Useful Resources
• Infoblox IPv6 CoE blog
https://community.infoblox.com/t5/IPv6-CoE-Blog/bg-p/IPv6
• Facebook IPv6 Group
https://www.facebook.com/groups/2234775539/?ref=bookmarks
• ARIN IPv6 Info Center
https://www.arin.net/knowledge/ipv6_info_center.html
• RIPE IPv6 Info Center
https://www.ripe.net/publications/ipv6-info-centre

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKRST-2619
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
