Goodbye Legacy, the move to an IPv6-Only Enterprise.pdf

ID: 138826, PDF, 51 pages, 2.52 MB

Goodbye Legacy, the move to an IPv6-Only Enterprise
David Prall, Systems Architect
pralldc
BRKENT-2008
#CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda
Introduction
Our Dual Stacked Network
IPv4 vs IPv6
NAT64/DNS64
IPv6-Only
Additional Learning
Conclusion

Introduction

Your speaker
David Prall
Systems Architect
US Federal NSD OCCIE 6508 (R&S/SP/Security)
22 Years at Cisco
Washington, DC
House Dual-Stacked since September 2007

IPv6-Only is the Future
RFC1883 - December 1995
Updated RFC8200 (STD86) - July 2017
US Government Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (IPv6), November 2020
    September 2025 for 80% IPv6-Only completion
US Government Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6), August 2005
    Transition to IPv6 September 2010
Germany Defense, China, and others have released 2030 dates for IPv6-Only completion

Our Dual Stacked Network
IPv4 and IPv6 are both available for use
How did my Web Browser Connect
NetFlow shows us what is being utilized

IPv4 and IPv6 are both available for use

    C:\>ipconfig
    Windows IP Configuration
    Ethernet adapter Ethernet0:
       Connection-specific DNS Suffix . :
       IPv6 Address. : 2001:db8:8000:103::190
       Link-local IPv6 Address. : fe80::12a8:6d5:b492:dd26%12
       IPv4 Address. : 192.168.124.190
       Subnet Mask. : 255.255.255.192
       Default Gateway. : 2001:db8:8000:103::1
                          fe80::272:78ff:fe55:15d%12
                          192.168.124.129

    $ ifconfig en0
    en0: flags=8863 mtu 1500
        options=400
        ether 88:66:5a:4b:a2:38
        inet6 fe80::c5:d6d9:3a53:5bb3%en0 prefixlen 64 secured scopeid 0x6
        inet 192.168.141.108 netmask 0xfffffe00 broadcast 192.168.141.255
        inet6 2001:db8:8000:140:58d:6787:27f2:9aab prefixlen 64 dynamic
        nd6 options=201
        media: autoselect
        status: active

Are you sure both are available?
Android doesn't support DHCPv6
For Android we must leave SLAAC enabled and provide DNS

    show run interface vlan 150
     ipv6 nd prefix default 2592000 604800 no-autoconfig
     ipv6 nd managed-config-flag
     ipv6 nd other-config-flag
     ipv6 dhcp relay destination 2001:DB8::100

Callout on no-autoconfig: Clears A bit, disables SLAAC

    conf t
    int vlan 150
     no ipv6 nd prefix default
     ipv6 nd ra dns server 2001:DB8::111
     ipv6 nd ra dns server 2001:DB8::112
    end

How did my Web Browser Connect
IPvFoo
Extension for Firefox and Chrome
Can be added to Edge enabling "Allow extensions from other stores."

NetFlow shows us what is being utilized
NetFlow allows the network operator to see what is flowing on the network.
    Secure Network Analytics/StealthWatch
    DNA Center Assurance
    Other Third Party
What is using IPv4 still?
Internal or External?
Why is it using IPv4 still?
Focus on Internal.

IPv4 vs IPv6
Address Selection
Happy Eyeballs RFC6555/8305
    Users are happy
IPv6 is Faster

Address Selection
RFC6724 Default Address Selection for IPv6
Globally Unique Addresses (GUA) are the only option
Unique Local Addresses (ULA) are of limited use
    Not the same as RFC1918
    There is no NATv6
    NPTv6 as defined changes only the prefix
    As of RFC6724 IPv4 is preferred over IPv6 ULA
    Unless IPv6 ULA to IPv6 ULA

Happy Eyeballs RFC6555/8305
On a dual-stacked system give IPv6 the edge but start an IPv4 session and see which is fastest.
Before Happy Eyeballs, dual-stacked systems would start an IPv6 session and, if it didn't work after several attempts, possibly fall back to IPv4.
Typically, only needed when a site is advertising an IPv6 AAAA but not functioning.
Or when Cogent (AS174) and Hurricane Electric (AS6939) are involved.

IPv6 is Faster
"Several years ago, Facebook decided to move early and migrate to IPv6. We've observed that accessing Facebook can be 10-15 percent faster over IPv6. We believe other developers will see similar advantages from migrating."
    IPv6: It's time to get on board
"Akamai's customer AbemaTV did a case study in 2019, which showed that IPv6 improved the throughput by 38% on average when compared with connections via IPv4."
    10 Years Since World IPv6 Launch

NAT64/DNS64

NAT64/DNS64
RFC6052 IPv6 Addressing of IPv4/IPv6 Translators
    Well Known Prefix for NAT64 64:ff9b::/96
RFC6145 Stateless IP/ICMP Translation Algorithm
RFC6146 Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers
RFC6147 DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers

IPv6 AAAA DNS Request
[Diagram: IPv6-Only User, DNS64 Server, DNS Server, NAT64 Router, Internet, IPv4 Server 192.0.2.50, IPv6 Server 2001:db8::50]
1. Who is IPv6 Server?
2. Who is IPv6 Server?
3. Who is IPv6 Server?
4. IPv6 Server is 2001:db8::50
5. IPv6 Server is 2001:db8::50
6. IPv6 Server is 2001:db8::50

IPv6 AAAA DNS64 Request
[Diagram: IPv6-Only User, DNS64 Server, DNS Server, NAT64 Router, Internet, IPv4 Server 192.0.2.50, IPv6 Server 2001:db8::50]
1. Who is IPv4 Server?
2. Who is IPv4 Server?
3. Who is IPv4 Server?
4. IPv4 Server doesn't have IPv6
5. IPv4 Server doesn't have IPv6
6. Who is IPv4 Server IPv4?
7. Who is IPv4 Server IPv4?
8. IPv4 Server is 192.0.2.50
9. IPv4 Server is 192.0.2.50
10. IPv4 Server is 64:ff9b::192.0.2.50
11. IPv4 Server is 64:ff9b::C000:0232
12. IPv4 Server is 64:ff9b::C000:0232

NAT64 Traffic Flow
[Diagram: IPv6-Only User, DNS64 Server, DNS Server, NAT64 Router, Internet, IPv4 Server 192.0.2.50, IPv6 Server 2001:db8::50]
1. https://64:ff9b::c000:0232
2. https://64:ff9b::c000:0232
3. https://192.0.2.50
4. https://192.0.2.50

    cat8k-nat64#sh nat64 translations
    Proto  Original IPv4       Translated IPv4
           Translated IPv6     Original IPv6
    tcp    192.0.2.50:443      64:ff9b::c000:0232:443
           192.0.2.252:52362   2001:db8:8000:150::2:52362

IOS-XE Router Configuration
When using Well-Known Prefix 64:ff9b::/96

    interface GigabitEthernet1
     ip address 192.168.67.2 255.255.255.0
     nat64 enable
    interface GigabitEthernet2
     no ip address
     nat64 enable
     ipv6 address 2001:DB8:8000:666::5/64
    ipv6 access-list nat64-acl
     sequence 10 permit ipv6 2001:DB8::/32 any
    nat64 v4 pool nat64-pool 192.0.2.252 192.0.2.252
    nat64 v6v4 list nat64-acl pool nat64-pool overload

Callouts:
    Must be Public per RFC6052
    IP NAT and NAT64 cannot be together

IOS-XE Router Configuration
Let's use an Internal Prefix
Must utilize own DNS64 server

    interface GigabitEthernet1
     ip address 192.168.67.2 255.255.255.0
     nat64 enable
    interface GigabitEthernet2
     no ip address
     nat64 enable
     ipv6 address 2001:DB8:8000:666::5/64
    ipv6 access-list nat64-acl
     sequence 10 permit ipv6 2001:DB8::/32 any
    nat64 prefix stateful 2001:DB8:FFFF::/96
    nat64 v4 pool nat64-pool 192.168.255.254 192.168.255.254
    nat64 v6v4 list nat64-acl pool nat64-pool overload

Public Recursive DNS64 Servers
https:/ Public DNS64
https:/ DNS64
    2606:4700:4700::64
    2606:4700:4700::6400

Bind 9 Configuration
https:/
https:/

    dns64 64:ff9b::/96 {
        clients { 2001:db8:8000:150::/64; };
        mapped { !10/8; !172.16/12; !192.168/16; !100.64/10; !169.254/16; !127/8; !192.0.0/24; !192.0.2/24; !192.88.99/24; !198.18/15; !198.51.100/24; !203.0.113/24; !224/4; !240/4; any; };
        exclude { 64:ff9b::/96; };
        recursive-only yes;
    };

Callouts:
    Well-Known or Chosen Prefix
    Limit DNS64 to specific clients
    Deny (!) Private
    Allow any; others

Placement NAT64/DNS64
Service Block
    Placed near IPv6-Only Users
    Can reach internal IPv4 resources
Integrated
    DNS64 can be limited to specific IPv6 addresses
    Translation prefix can be advertised to network
Edge
    IPv6 is fully functional internally for everything(?)
    IPv6-Only Users can reach internal IPv6-Only and Dual Stack Resources
    Only required for external sites that haven't Dual Stacked
[Diagram: NAT64 Router, DNS64 Server, Network]

IPv6-Only

IPv6-Only
Where do we start?
Do I need to disable IPv4 in OS?
Stop IPv4 on the Network
How did my Web Browser Connect
NetFlow shows us what is being utilized
Network Equipment

Where do we start?
Outside In
Network Engineers
Help Desk
Select user VLANs
VLAN by VLAN
Site by Site
Data Center
Network Infrastructure

Do I need to disable IPv4 in OS?
On an IPv6-Only VLAN
What happens while travelling?

    C:\>ipconfig
    Windows IP Configuration
    Ethernet adapter Ethernet0:
       Connection-specific DNS Suffix . :
       IPv6 Address. : 2001:db8:8000:150::2
       Link-local IPv6 Address. : fe80::9c73:7c11:8a59:3f3d%13
       Autoconfiguration IPv4 Address. : 169.254.42.133
       Subnet Mask. : 255.255.0.0
       Default Gateway. : 2001:db8:8000:150::1
                          fe80::272:78ff:fe55:17d%13

Stop IPv4 at Layer 2
VLAN Map, example for limited address space

    vlan access-map vlan-map-ipv4-link-local 10
     match ip address ipv4-link-local-deny
     action forward
    vlan access-map vlan-map-ipv4-link-local 20
     match ip address ipv4-link-local-permit
     action drop
    vlan filter vlan-map-ipv4-link-local vlan-list 150
    ip access-list extended ipv4-link-local-deny
     10 deny ip 169.254.0.0 0.0.255.255 any
     20 permit ip any any
    ip access-list extended ipv4-link-local-permit
     10 permit ip 169.254.0.0 0.0.255.255 any

Stop IPv4 at Layer 3
Unicast Reverse Path Forwarding

    interface Vlan150
     no ip address
     ip verify unicast source reachable-via rx

Access List

    interface Vlan150
     no ip address
     ip access-group no-ipv4 in
     ip access-group no-ipv4 out
    ip access-list extended no-ipv4
     10 deny ip any any

How did my Web Browser Connect
IPvFoo
Extension for Firefox and Chrome
Can be added to Edge enabling "Allow extensions from other stores."
By using the Well-Known Prefix, we still know what is only IPv4

NetFlow shows us what is being utilized
Why do we still see IPv4?
NetFlow on L2 interfaces happens before L3 processing.
    169.254.0.0/16 link-local IPv4
    UPnP/SSDP 239.255.255.250:UDP/1900
    Multicast DNS 224.0.0.251:UDP/5353
    Static Configuration?
IPv6 is all that is active!

Network Equipment
Services converted to IPv6?
All services support IPv6?
NTP
    ntp peer ipv6
NetFlow
    flow exporter FLOWEXPORTER
     destination 2001:DB8::2055
Logging
    logging host fqdn ipv6
DNS
    ip name-server 2001:DB8:53:111 2001:DB8:53:112
Callouts:
    FQDN converted
    IPv6 Preferred
    But do the services support IPv6?

Network Equipment
Services converted to IPv6?
All services support IPv6?
SNMP
    snmp-server group v3 auth|noauth|priv access ipv6
    snmp-server community private RW ipv6
    snmp-server community public RO ipv6
    snmp-server host 192.0.2.162
VTY Access-Lists
    line vty 0 4
     ipv6 access-class in
     access-class in
Authentication
    tacacs server TACACS
     address fqdn
    radius server RADIUS
     address fqdn
Callouts:
    But do the services support IPv6?
    FQDN converted
    IPv4 Preferred
    Adding IPv6 requires restating IPv4

Routing Protocols
Router IDs are 32-bit values
    Commonly represented as 4 dotted octets
    Cisco Routers are nice enough to utilize an interface IPv4 address
IPv6-Only must manually configure router-id
    Majority will not work
    Don't be surprised with the first router reload

Routing Protocols
BGP
    %BGP-4-NORTRID: BGP could not pick a router-id. Please configure manually.
    bgp router-id x.x.x.x
OSPFv3
    %OSPFv3-4-NORTRID: Process OSPFv3-IPv6 could not pick a router-id, please configure manually
    router-id x.x.x.x
EIGRP
    NOTHING
    eigrp router-id x.x.x.x
RIPng and ISIS could care less

Remove IP Routing
    no ip routing
Callout: DO NOT DO THIS
BGP goes down immediately
    Can't be configured, current configuration removed
    %BGP-5-ADJCHANGE: neighbor 2001:DB8::2 Down Unknown path error
    %BGP_SESSION-5-ADJCHANGE: neighbor 2001:DB8::2 IPv6 Unicast topology base removed from session Unknown path error
EIGRP goes down after hold time
    Both Numbered and Named
    %DUAL-5-NBRCHANGE: EIGRP-IPv6 1: Neighbor FE80::5054:FF:FE1B:C299 (GigabitEthernet1) is down: holding time expired
OSPFv3 goes down after dead time
    %OSPFv3-5-ADJCHG: Process 1, Nbr 192.168.0.1 on GigabitEthernet1 from FULL to DOWN, Neighbor Down: Dead timer expired
RIPng goes down after holddown time
ISIS could care less

Additional Learning

Further Reading
Validated Solution: IPv6 Integration with Cisco SD-Access, SD-WAN, and Firepower
    https:/
An IPv6 Campus of the Future
    https:/
from an IPv6-Only Network April 2012

Conclusion

Get to it, IPv6 is approaching 30
NetFlow is required to see what is happening on the network.
IPv6-Only User VLANs are ready to be deployed
    If your applications are ready
Cogent and Hurricane Electric are both reachable directly
IPng Working Group proposed October 1994
    https://datatracker.ietf.org/wg/ipngwg/history/
RFC1883 - December 1995
Updated RFC8200 (STD 86) - July 2017
RFC6586 - Experiences from an IPv6-Only Network April 2012

