IPv6 Planning and Deployment

Started by Dieselboy, March 05, 2016, 06:58:17 AM


Dieselboy

Has anyone deployed IPv6 yet? As I'm going to be doing this soon, might keep writing back here on my deployment.

Today I've been reading deployment guides and configuration guides specifically for the Cisco WLC. As I already have IPv6 deployed at home from my ISP, I'm making use of this since SLAAC and DHCPv6 are already working :)

The WLC needs IPv6 multicast enabled so that Neighbour Discovery Protocol can work more efficiently, otherwise NDP packets are retransmitted back out to all Wi-Fi clients.

Quote
The NDP process initially uses multicast addresses to perform address resolution. This process consumes valuable wireless airtime because the multicast addresses are sent to all the clients in the network segment.
To increase the efficiency of the NDP process, neighbor discovery caching allows the controller to act as a proxy and responds back to the NS queries.
Thought this was interesting enough to share :)

IPv6 is now working on my 1832 AP / WLC, although it's not configurable from the GUI at all so it's a double learning process :)
IPv6 was already working on the switch port that the AP was connected into. But I could not ping any v6 addresses from my laptop, and internet was a bit slow from my phone and my laptop since they were able to resolve IPv6 addresses through DNS. To get it working I had to disable the WLAN on the WLC, give the management interface an IPv6 address and enable multicast for IPv6, then finally re-enable the WLAN.

Now IPv6 is working:

C:\Users\Tony>ping facebook.com

Pinging facebook.com [2a03:2880:2130:cf24:face:b00c:0:25de] with 32 bytes of data:
Reply from 2a03:2880:2130:cf24:face:b00c:0:25de: time=265ms
Reply from 2a03:2880:2130:cf24:face:b00c:0:25de: time=262ms
Reply from 2a03:2880:2130:cf24:face:b00c:0:25de: time=265ms

Dieselboy

Is it worth having an IPv6 forum section? I have a few things to find out / write about. For example, IPv6 natively supports IPSEC. Would this negate the need for BOVPN or RA IPSEC VPNs like they are configured now with IPv4? There are quite a few improvements / advances in IPv6, as it's not just a swap over to gain more address space; I'd like to use it to its full capability if possible. :)

deanwebb

IPv6 section? It's called "Routing and Switching." :)
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

routerdork

I've deployed it in an all static environment. No DHCP. BGP and OSPF were nice and easy. We upgraded to Infoblox appliances to handle the extra DNS/IPAM pieces, DHCP would have been used if we needed it. It went nice and smooth though.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

Otanx

Like a lot of people I have v6 deployed at home using HE. At work we started the deployment, but other things get in the way. Right now it isn't important to anyone but the network team. We want to get the infrastructure ready so when it becomes important, and we are given a one day deadline, we can just throw it over to the systems team to enable it on the servers.

We got a /48 PI, and have an addressing plan worked up, but no outside peering yet. One peer is configured, but they required paperwork updates to do v6. Now the paperwork is done we just have to submit a ticket to enable the v6 peering. Our other peers we verified they support v6, but have not started the process to turn it on. Once all that is done we will begin moving inwards.

Maybe by late 2016 we will have all the network gear speaking it, and just waiting for a use case from the business to start using it.

-Otanx

Dieselboy

Quote from: deanwebb on March 05, 2016, 08:13:56 PM
IPv6 section? It's called "Routing and Switching." :)

You're right I suppose :)

So with my deployment, I have one internet circuit (for the purpose of this deployment) and various vlans / subnets as you would expect. The eventual goal is to be able to speak on the internet with IPv6. Currently, we use IPv4 of course, with DHCP serving phones and computers as normal. Servers are statically assigned as are all other things that require static addressing like printers and security cameras. The cameras are on a legacy network so I may not be implementing IPv6 there for simplicity. At the moment, I don't see any benefit of implementing IPv6 on our storage network. This is layer 2 from the VMs to the storage anyway but there is a default gateway on the core switches.

Implementing v6 is not going to give me anything internally at one site, from hosts accessing servers on v6. If anything it will add a bit of complexity but at least will gain knowledge so that when I'm 50 and need to implement only IPv6 networks I'll be able to do it.

Today I have started to plan an addressing scheme. We have a /56 for this office. This gives lots of /64s (these are all technical terms here :) ). I've decided that since the v6 address space has a nice rounding with ~xxxx:0700::/64 to ~xxxx:07ff::/64 I'll use hex on the last two digits to represent the VLAN ID since I'm using something similar with IPv4 anyway. Example, 192.168.7.0/24 being vlan 7. So v6 address space will be ~xxxx:707::/64

Also, at the moment I've had a thought to use the last hextet for static network devices (as this will then follow the existing IP plan, somewhat), and use the 2nd to last hextet for static servers. The v4 IP scheme I laid out has blocks for these already within a /24. So from 1-24 is network devices (some subnets only have the 2 core switches and a HSRP address). There's a block for DHCP, a block for Physical servers and a block for Virtual servers. I'm probably repeating things that you guys already do anyway.

One thing I have found is that HSRP with IPv6 is a little bit different. I originally (and foolishly) assumed that HSRP would follow the same for v6 as it did for v4. But while doing some tests, I recalled that default gateway addresses are link-local addresses. The reasoning is that the IP address might change but the link-local one won't. Ref: https://learningnetwork.cisco.com/thread/67929
However this confuses me as to statically assigning v6 addresses to servers and other things...

Basically, with HSRP for IPv6, you can set a virtual IP or you can tell the devices to make up a link-local address. Here's my dummy test config on my Nexus switches:

SW1

interface Vlan35
  no shutdown
  ipv6 address xxxx:xxxx:xxxx:735::2/64
  hsrp version 2
  hsrp 35 ipv6
    preempt delay minimum 60 reload 60
    priority 100 forwarding-threshold lower 1 upper 100
    timers  1  4
    ip autoconfig


SW2

interface Vlan35
  no shutdown
  ipv6 address xxxx:xxxx:xxxx:735::3/34
  hsrp version 2
  hsrp 35 ipv6
    preempt delay minimum 60 reload 60
    priority 90 forwarding-threshold lower 1 upper 90
    timers  1  4
    ip autoconfig


SW1

# show hsrp brief ipv6
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr      Standby addr     Group addr
Vlan35      35  100  P Active   local            fe80::7ead:74ff:fec7:cc01  fe80::5:73ff:fea0:23 (conf auto EUI64)


# show hsrp ipv6
Vlan35 - Group 35 (HSRP-V2) (IPv6)
  Local state is Active, priority 100 (Cfged 100), may preempt
    Forwarding threshold(for vPC), lower: 1 upper: 100
  Preemption Delay (Seconds) Reload:60 Minimum:60
  Hellotime 1 sec, holdtime 4 sec
  Next hello sent in 0.692000 sec(s)
  Virtual IP address is fe80::5:73ff:fea0:23 (Auto)
  Active router is local
  Standby router is fe80::7ead:74ff:fec7:cc01 , priority 90 expires in 3.949000 sec(s)
  Authentication text "cisco"
  Virtual mac address is 0005.73a0.0023 (Default MAC)
  4 state changes, last state change 00:26:49
  IP redundancy name is hsrp-Vlan35-35-V6 (default)


SW2

# show hsrp ipv6
Vlan35 - Group 35 (HSRP-V2) (IPv6)
  Local state is Standby, priority 90 (Cfged 90), may preempt
    Forwarding threshold(for vPC), lower: 1 upper: 90
  Preemption Delay (Seconds) Reload:60 Minimum:60
  Hellotime 1 sec, holdtime 4 sec
  Next hello sent in 0.145000 sec(s)
  Virtual IP address is fe80::5:73ff:fea0:23 (Auto)
  Active router is fe80::6e41:6aff:fe33:cb3c, priority 100 expires in 1.225000 sec(s)
  Standby router is local
  Authentication text "cisco"
  Virtual mac address is 0005.73a0.0023 (Default MAC)
  4 state changes, last state change 00:27:42
  IP redundancy name is hsrp-Vlan35-35-V6 (default)


journey continues.

Dieselboy

I forgot to say, in my "testing", before I had configured HSRP, a Windows computer had auto-discovered the link-local addresses of both Layer 3 VLAN interfaces of the Nexus. I'm not sure what would happen if one of the L3 VLAN interfaces had failed. I didn't check a route print so I don't know if it would be doing round robin or preferring one.

SimonV

Your second switch has a /34 mask on the standby IP. Copypaste error? :)
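
The VLAN-in-hextet addressing scheme from Dieselboy's post and the mask typo SimonV spotted, checked together in an added example that is not part of the original thread. It assumes the VLAN's decimal digits are written directly as hex digits (VLAN 7 gives :707, Vlan35 gives :735, as in the posts); the function names are hypothetical and the documentation prefix 2001:db8:0:700::/56 stands in for the masked office /56.

```python
import ipaddress

# Constructed sample data: the thread masks the real prefix, so the
# documentation prefix 2001:db8::/32 stands in for the office /56.
SITE = "2001:db8:0:700::/56"
SVIS = {"SW1": "2001:db8:0:735::2/64", "SW2": "2001:db8:0:735::3/34"}


def vlan_subnet(site56, vlan_id):
    """Return the /64 for a VLAN under the scheme in the thread."""
    site = ipaddress.IPv6Network(site56)
    if site.prefixlen != 56:
        raise ValueError("scheme assumes a /56 site allocation")
    if not 1 <= vlan_id <= 99:
        # Three decimal digits do not fit in the two free hex digits.
        raise ValueError(f"VLAN {vlan_id} does not fit the two-digit scheme")
    subnet_byte = int(str(vlan_id), 16)  # 35 -> 0x35, not 0x23
    # Bits 64..71 are the last byte of the fourth hextet (the subnet ID).
    base = int(site.network_address) | (subnet_byte << 64)
    return ipaddress.IPv6Network((base, 64))


def check_svi(site56, vlan_id, configured):
    """Compare one 'ipv6 address' value on an SVI with the plan."""
    expected = vlan_subnet(site56, vlan_id)
    iface = ipaddress.IPv6Interface(configured)
    issues = []
    if iface.network.prefixlen != 64:
        issues.append(f"prefix length /{iface.network.prefixlen}, expected /64")
    if iface.ip not in expected:
        issues.append(f"{iface.ip} is outside {expected}")
    return issues


if __name__ == "__main__":
    print(vlan_subnet(SITE, 7))
    for switch, addr in SVIS.items():
        print(switch, check_svi(SITE, 35, addr) or "ok")
```

VLAN IDs of 100 and above are rejected rather than silently mapped, since the scheme leaves only two hex digits per VLAN inside the /56.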

Dieselboy


zarawatsonn

Please help me to know, what is the fundamental difference between IPv4 and IPv6?

Do we really need IPv6?

routerdork

Quote from: zarawatsonn on March 30, 2016, 12:44:33 AM
Please help me to know, what is the fundamental difference between IPv4 and IPv6?

Do we really need IPv6?
https://en.wikipedia.org/wiki/IPv4_address_exhaustion

deanwebb

Quote from: zarawatsonn on March 30, 2016, 12:44:33 AM
Please help me to know, what is the fundamental difference between IPv4 and IPv6?

Do we really need IPv6?
IPv6 offers a larger address space, that is the key difference.

I think that, yes, we do need IPv6 going to home markets, given the number of internet-enabled devices that everyone wants to connect.

In the corporate world, not so much. They can continue to use the limited IPv4 address space thanks to network address translation (NAT) and private address spaces.

icecream-guy

In IPv6 there is no such thing as network broadcast, nor is there any Address Resolution Protocol, among many others.

IP addresses are a bit different and the notation is new, i.e. dropping leading zeros in a hextet, or using multiple colons :: to drop successive zero-value hextets.

IPv6 is more compatible with mobile networks than IPv4.

IPv6 allows for bigger payloads than what is allowed in IPv4.

IPv6 packets are built a bit differently than IPv4.

IPv6 benefit: No more NAT (Network Address Translation)
IPv6 benefit: Auto-configuration
IPv6 benefit: No more private address collisions
IPv6 benefit: Better multicast routing
IPv6 benefit: Simpler header format
IPv6 benefit: Simplified, more efficient routing
IPv6 benefit: True quality of service (QoS), also called "flow labeling"
IPv6 benefit: Built-in authentication and privacy support
IPv6 benefit: Flexible options and extensions
IPv6 benefit: Easier administration (say good-bye to DHCP)

:professorcat:

My Moral Fibers have been cut.