Inside Cisco IT: Making the Leap to IPv6

Transcription

1 Inside Cisco IT: Making the Leap to IPv6 Alain Fiocco, Sr. Director, Cisco IPv6 Program COCRST-2355, Jon Woolwine

2 2

3 Agenda Our Journey to IPv6 A Look Back Planning, Preparation, and Execution Lessons Learned Along the Way Our Journey to IPv6 A Look Forward COCRST Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 Cisco IT Network - Technology and People More Than 180,000 People Worldwide in the Extended Cisco Family 369 locations in 90 countries 450+ buildings 51 data centers and server rooms labs worldwide (500+ in San Jose) 66,000+ employees 30,000 contractors 20,000 channel partners 110+ application service providers 210+ business and support development partners 4

5 Agenda Our Journey to IPv6 A Look Back Planning, Preparation, and Execution Lessons Learned Along the Way Our Journey to IPv6 A Look Forward COCRST Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Making the Case for IPv6 in Cisco IT Business Drivers Internet Evolution Leadership and Mindshare Product Readiness IT Drivers Continuity and Growth Cisco On Cisco Product Development and Testing IPv6 Goals IPv6 Internet Presence Ubiquitous IPv6 Access Constraints Maintain Operational Excellence Maintain Security Posture Funding & Resourcing Product & Service Gaps 6

7 Cisco IT s IPv6 Target State IPv6 Internet Presence Internet Evolution Business Continuity and Growth Customers, partners, employees IPv6 Internet Ubiquitous IPv6 Access Technology Leadership Product Readiness Support our IPv6 Internet Presence Dual-Stack Enterprise 7

8 The IPv6 Journey A Look Back IPv4-only IPv4 and IPv6 co-exist IPv6-only IPv6 Internet Presence (Outside-In) accessible over IPv6 Entire cisco.com platform accessible over IPv6 On-demand tunnel services Dual stack alpha networks Ubiquitous IPv6 Access (Inside-Out) Dual stack global core Resilient tunnel services Dual stack user access (pilot) Dual stack user access (prod) Dual stack data centers 8

9 Cisco IT IPv6 Program Security Inspection and Monitoring Application Environments Pervasive IPv6 adoption Application Platforms, Middleware, Data Services with IPv4 co-existence Infrastructure Devices and Services IPv6 Program Steering Committee Network-Embedded Services Exec Representation At Every Layer Basic Network Infrastructure Staff Training and Operations 9

10 Preparation Cross Functional Collaboration Assessment Architect & Design Address Planning Implementation Strategy & Plan World IPv6 Launch required participation from every layer of our IT stack 10

11 Preparation Assessment Infrastructure Network* Security Compute and Storage Management Tools Fault and Performance Security Monitoring Configuration Service Providers ISP s Content Delivery WAN Applications Application platforms Middleware Code 11

12 Preparation Architect and Design Architectural decisions Which Routing protocol? SLAAC vs DHCPv6? Which IPv6 transition technologies? Code selection and qualification Documentation Any new documentation required? Assess which existing designs are impacted and assign owners Extra review board resources 12

13 Preparation IPv6 Address Planning /34 Global Level (50% spares) /52 per PIN (4096 Subnets / PIN) /48 per Building/Branch (16 PINs per Building/Branch) /40 per Campus (256 Buildings) /37 - /39 per Sub-Region /35 - /36 per Region PIN = Place In the Network A framework to classify functional areas of the network eg, Lab, Desktop, DC, DMZ etc 13

14 Preparation IPv6 Address Planning Building /48 PIN /52 Subnets / PIN /64 0 = Infra 1 = Desktop / Wireless 2 = Lab 3 = Guest 4 = Voice D = Building DC... etc 2001:0420:028C:1000::/52 - Desktop PIN 2001:0420:028C:1300::/64 Desktop VLAN :0420:028C:1301::/64 Desktop VLAN :0420:028C:2000::/52 - Lab PIN 2001:0420:028C:2001::/64 Lab Subnet :0420:028C:2002::/64 Lab Subnet 2 14

15 Preparation IPv6 Address Planning 15

16 Preparation Implementation Strategy and Plan Dual stack where you can, tunnel where you can t and NAT only when you have no choice Absorb the cost of IPv6 enablement in established network lifecycle process Management via IPv4 with IPv6 service monitoring Ongoing training and exposure for implementation and operations teams 16

17 The IPv6 Journey A Look Back IPv4-only IPv4 and IPv6 co-exist IPv6-only IPv6 Internet Presence (Outside-In) accessible over IPv6 Entire cisco.com platform accessible over IPv6 On-demand tunnel services Dual stack alpha networks Ubiquitous IPv6 Access (Inside-Out) Dual stack global core Resilient tunnel services Dual stack user access (pilot) Dual stack user access Dual stack data centers 17

18 Cisco s IPv6 Web Presence Design for IPS 4260 IPv4 IPv6 Internet Akamai ASR N7000 ACE 30 origin :420:1101:1::a ASA 5585 IPv4 IPv6 18

19 Cisco s IPv6 Web Presence Security NetFlow v9 - forensic records - Arbor (anomaly detection) IPv4 IPS 4260 V6-only signatures V4+V6 signatures BGP Blackhole BGP Sinkhole (Arbor) ACE20 IPv6 Internet ASR N7000 ACE30 ACL s Anti-Spoofing ASA 5585 Logging Firewall Policy 19

20 Cisco s IPv6 Web Presence Metrics tools.cisco.com: 5% ipv6 traffic represents $2B in IPv6-enabled run rate represents received traffic in 1 of 3 enabled sites cisco.com as measured by Akamai edge proxy 20

21 The IPv6 Journey A Look Back IPv4-only IPv4 and IPv6 co-exist IPv6-only What is IPv6 enabled as of today? % Core/WAN DC : 100% IPv6 Internet Presence (Outside-In) DNS: 90%, DHCP: 100% Entire cisco.com platform Users VLANS: 84% accessible complete over IPv6 (304 of 361 accessible offices/bldg) over IPv6 Voice VLAN: 38% complete (138 of 362) Labs: Ubiquitous 91% IPv6 complete Access (634 (Inside-Out) of 693) On-demand tunnel services Dual stack alpha networks Dual stack global core Resilient tunnel services Dual-Stack Core Dual stack user access (pilot) Dual stack user access Dual stack data centers 21

22 Ubiquitous IPv6 Core Dual Stack the Network Core to edge rollout Multi-year plan absorbed into existing lifecycle management Simultaneous projects across Desktop, DC, Remote Access, ipops Accelerated deployment for select remote sites / services Dual-Stack Core, Routing protocol same as IPv4 EIGRP LISP for non-ipv6 SP WAN (EMEA) Dual stacked services DNS, Statefull DHCPv6, IP address management (CNR) SLA same as IPv4 22

23 Ubiquitous IPv6 Access Solution LISP as Overlay Transition DC London Cisco Enterprise Backbone Network DC Internet Amsterdam Dual Stack Mapping System + Proxy Tunnel Router ASR1006 Geographically diverse Standalone / Self-managed Primary / Backup PxTR LISP IPv6 in IPv4 Carrier Managed L3VPN MPLS Internet IPv4 Only DS3 DS3 DS3 E1 E1 BB Load Sharing Primary/Backup Primary/Backup Dual Stack Tunnel Router ASR 1006 & ISR 3945 Default Route / HSRPv6 to attract traffic Load sharing defined by WAN topology Cisco Remote Offices Current European WAN provider doesn t support IPv6 23 Requirements Scalable tunnel overlay solution Configuration simplicity Any-to-any traffic flows

24 Ubiquitous IPv6 Access Adoption Metrics Source: Gives your AS# to ISOC, they will measure the % of IPv6 enabled users coming from your network (data fm Google, Facebook, Yahoo, Akamai) 24

25 Agenda Our Journey to IPv6 A Look Back Planning, Preparation, and Execution Lessons Learned Along the Way Our Journey to IPv6 A Look Forward COCRST Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Lessons Learned Product Support Network hardware, software, functionality Routers, server load balancers Wireless, switches Network management and service assurance External and internal availability and performance monitoring Security Firewalls, IDS/IPS, security event management and forensics logging Inventory Assessment Redefine IT Standard 26

27 Lessons Learned Security The goal is security parity with IPv4 User attribution (IPv6-to-MAC binding), custom Internal tools, third party vendors, incident response playbook, firewalls, anomaly detection, netflow, IDS, log data, pen testing, transparent proxy with anti-malware Opportunities to improve security as IPv6 is introduced First hop security in our access networks Unique security considerations with IPv6 ICMPv6 Privacy extensions for SLAAC Hop by hop extension header CPP must be able to cope with these 27

28 Lessons Learned Product Support - Netflow IPv6 requires NetFlow v9 Some collectors cannot receive/process NetFlow v9 Some routing platforms don t support for both NetFlow v5 and NetFlow v9 Some routing platforms are constrained to two export destinations We had to shift NetFlow collection in our DMZ devices to deal with the constraints above Use of NetFlow reflectors can bring some relief 28

29 Lessons Learned Service Provider Support ISPs IP WAN providers External content monitoring providers Content distribution providers 29

30 Lessons Learned IPv6 Implications for Applications Geo-location and web analytics Client_IpAddress := X-forwarded-for address first address; If null then Client_IpAddress := remoteaddress end if; use Client_IpAddress for IPCheck Development, testing, and QA teams require IPv6 access How will they get IPv6 access from within the corporate network? Supports the business case for an internal corporate network IPv6 deployment Developing IP version agnostic code Use getaddrinfo and get getnameinfo (standard POSIX API) This set of function is fully netqork protocol agnostic and support both IPv4 and IPv6 This is the recommended interface for name resolution in building protocol independent application and for transitioning legacy IPv4 code to IPv6 30

31 Lessons Learned IPv6 Path MTU Issues Allow PMTUD across the network PMTUD allows devices to negotiate the MTU size between hosts PTB (Packet Too Big) messages must be permitted PTB for hosts behind Tunnels (IPSec/GRE) with reduced MTU PMTUD works between hosts for end-to-end communication. If this is broken, hosts may not be able to communicate over IPv6 RFC 4890 provides recommendations for IPv6 filtering 31

32 Lessons Learned End Devices Many of our end devices are already IPv6 enabled From Microsoft Vista and Server 2008 From OS X Lion (10.7) From ios 6 and Android 4.1 Happy Eyeballs can mask IPv6 connectivity issues Cisco traffic to Facebook, Yahoo! and Google: Source: 32

33 The IPv6 Journey A Look Forward IPv6 Internet Presence (Outside-In) Internally hosted cisco.com platform Externally hosted cisco.com platforms Inbound via IPv6 Cisco.com API connectivity Ubiquitous IPv6 Access (Inside-Out) Dual stack user access (prod) Dual stack data centers Application Delivery (QoS, multicast, WAN acceleration) All data center infrastructure dual stacked (compute, storage) Widespread Enterprise Application Adoption DNS using IPv6 transport Extranet Partners 33

34 KEY TAKEAWAYS Making the Leap to IPv6 Uptake of IPv6 on the Internet has increased significantly Maintain control of end-user experience over IPv6 Take a systematic IT-wide approach to IPv6 planning and execution Iterate towards your goal, learn along the way Learn from others who have undertaken the journey 34

35 Cisco IT IPv6 Case Study 35

36

37