[c-nsp] IPv6: Getting started

Gert Doering gert at greenie.muc.de
Wed Mar 17 17:31:43 EDT 2010


Hi,

On Wed, Mar 17, 2010 at 09:58:09PM +0100, Peter Rathlev wrote:
> Now that the whole world knows we (my employer) don't do IPv6, there's
> no hiding anymore. :-)

Heh :-)

[..]
> Q: We currently use FWSM 3.1 and ASA 7.2 on our firewalls. We're

No FWSM/ASA here.  I know that you can do IPv6 with them, but I don't
know the caveats (we use Netscreen and ScreenOS 6.2 is quite well-behaved
in that regard).

> Q: IPv6 auto-configuration on p-t-p core links: Good or bad idea? I
> guess the downside is comparable to using RFC1918 addresses on Internet
> core router's interfaces, where e.g. traces break.

We configure transfer networks, and we use /64s for that.

IPv6 can work perfectly well with only the link-local addresses, as OSPFv3
is not using the configured IPv6 addresses anyway (it only talks via
fe80:: link-local), and BGP goes to the loopback.

IPv6 implementations (normally) are smart enough to not use fe80:: 
addresses as traceroute responses, so you can run that way.

Still, we like to see the names of the interfaces in traceroutes - and
since we have 4 billion(!) /64s in our ISP-/32, we enjoy the freedom.

> Q: We run an MPLS VPN network, global routing only used for management.
> According to this document (which should also cover 12.2SX):
> 
> http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ov_mpls_6vpe.html#wp1054029
> 
> > 6VPE supports an MPLS IPv4-signaled core. An MPLS IPv6-signaled core
> > is not supported.
> 
> We have to keep an IPv4 core then? I guess the important part is to
> enable IPv6 for the users and services, but (excuse my french) it seems
> a little half-assed to not support an IPv6 core. Especially MPLS being
> what it is.

As of today, LDP is only IPv4.  I'm not sure who is delaying this, but
yes, IPv4 is a must for the core.

We have not run 6PE/6VPE yet, but I have been told that at least 6PE
works quite well (Global Crossing is using it, and I haven't seen any
hiccups in the last few months).

> Q: Should our initial "test phase" with IPv6 be accomplished using
> FE00::/7 local addresses (as per RFC 4193), or should we just aim at
> starting out with globally unique addresses? (I assume they're almost
> trivial to apply for and have allocated.)

They should be trivial to get - so I'd go for global space right away.

> Q: We currently use IPv4 PI address space. Any point(s) in not applying
> for IPv6 PI address space? We have ~25 larger geographic sites and ~150
> smaller. We're logically strictly hierarchical, so there isn't much need
> for a lot of prefixes. We currently use about 1/3rd of the /16s in
> 10.0.0.0/8 network wide, mostly /24 subnets. A single /48 would thus
> easily fit our needs.

If all your sites are interconnected "inside", and not "every site has
their individual ISP links", a /48 PI should do the job just fine.

You'll need a LIR to forward your request to the RIPE NCC, and there 
is some paperwork and a yearly fee (50 EUR per PI) involved.  This
nuisance was installed on purpose, to sieve networks that have real
need for IPv6 PI and those that think "it's free, it's cool, wanna have!".
(Sorry for that, but I still think that we got that one right :))

> Q: We almost only use 6500/Sup720 (12.2(33)SXI) and 3560/3750
> (12.2(5n)SEn). According to Cisco's IPv6 technology white paper
> 
> http://www.cisco.com/en/US/technologies/collateral/tk648/tk872/tk373/technologies_white_paper_09186a00802219bc.html
> 
> we should be okay. Is all relevant management stuff IPv6-ready? TACACS+,
> NetFlow (C6k FTW!), SSH, syslog, SNMPv3 et cetera.

I must admit that I didn't test all of this in recent IOS versions.

Telnet + SSH have been v6 capable "since ever", NTP has been added
fairly recently, and I have no idea about the state of things on the
rest.

Packet-forwarding on the 6500 is mostly pain-free, and Netflow v9 
works well for us (exported over IPv4).

The 3560/3750 have some limitations regarding IPv6 dynamic routing (I
think they still have no BGP, but have not checked recently).


> Q: Many of our smaller sites are reached via a set of VRFs over our
> local carrier's (TDC AS3292) MPLS VPN network. Right now the contract
> doesn't say anything about them transporting IPv6. Their CPEs are 3560
> running IP Services. They do the L3 termination. We expect them to want
> some kind of money for delivering IPv6. Any advice in how to handle
> this?

Is that Layer 2 services, or Layer 3?  L2 should be transparent as far
as IPv6 goes.  L3 is going to be "interesting" - no experience there,
sorry.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
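
Added example, not part of the original message: a Python check of the addressing claims in the thread, carving one /48 into prefixes for ~25 larger and ~150 smaller sites plus a block of /64 transfer networks, and counting the /64s in an ISP /32. The documentation prefix 2001:db8:1234::/48, the /53 and /58 per-site sizes, and all function names are assumptions made for illustration.

```python
import ipaddress
from itertools import islice

# Constructed inputs: a documentation prefix stands in for the PI /48; the
# site counts come from the question; the per-site lengths are assumptions.
PI = ipaddress.ip_network("2001:db8:1234::/48")
LARGE_SITES, SMALL_SITES = 25, 150
LARGE_LEN, SMALL_LEN = 53, 58


def count_64s(net):
    """Number of /64 subnets inside net."""
    return 2 ** (64 - net.prefixlen)


def build_plan(pi=PI):
    """Carve pi into per-site prefixes plus one block of /64 transfer networks."""
    blocks = list(pi.subnets(new_prefix=LARGE_LEN))          # 32 x /53
    plan = {f"large-{i:02d}": blocks[i] for i in range(LARGE_SITES)}
    # The 7 unused /53s are split into /58s for the smaller sites.
    small = (s for b in blocks[LARGE_SITES:] for s in b.subnets(new_prefix=SMALL_LEN))
    for i, net in enumerate(islice(small, SMALL_SITES)):
        plan[f"small-{i:03d}"] = net
    # The last /58 of the PI is reserved for /64 transfer networks.
    plan["transfer"] = list(pi.subnets(new_prefix=SMALL_LEN))[-1]
    return plan


def check_plan(plan, pi=PI):
    """True if every prefix lies inside pi and no two prefixes overlap."""
    nets = sorted(plan.values())
    inside = all(n.subnet_of(pi) for n in nets)
    # After sorting by network address, checking neighbours is sufficient.
    disjoint = all(not a.overlaps(b) for a, b in zip(nets, nets[1:]))
    return inside and disjoint


if __name__ == "__main__":
    plan = build_plan()
    print(len(plan), "prefixes, valid:", check_plan(plan))
    for name in ("large-00", "small-000", "small-149", "transfer"):
        print(f"{name:10} {plan[name]}  ({count_64s(plan[name])} x /64)")
    print("first transfer /64:", next(plan["transfer"].subnets(new_prefix=64)))
    print("/64s in an ISP /32:", count_64s(ipaddress.ip_network("2001:db8::/32")))
```

With these assumed sizes, 74 of the 224 available /58s remain unallocated after the small sites and the transfer block are placed.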