Ipv6 deployment at the university of warwick - networkshop44
Download as PPTX, PDF2 likes2,412 views
This document summarizes IPv6 deployment plans at Warwick University. It discusses: 1) Upgrading core, distribution, and access layer switches to support IPv6 addressing and routing protocols like OSPFv3. 2) Creating a test lab with virtual and physical equipment to test IPv6 configurations before deploying them. 3) Anticipating challenges like needing to reboot access switches when upgrading software and having to manually reconfigure distribution switches when adding IPv6 support and VRFs.
![Routeing tables like this…
CORE-SWITCH# sh ipv6 route vrf CAMPUS-VRF
IPv6 Routing Table for VRF "CAMPUS-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
2001:630:1c3:5577::/64, ubest/mbest: 2/0
*via fe80::4255:39ff:fe04:d041, Po268.1381, [110/41], 7w0d, ospfv3-601, intra
*via fe80::4255:39ff:fe26:aa41, Po266.1371, [110/41], 7w0d, ospfv3-601, intra
2001:630:1c3:6363::/64, ubest/mbest: 1/0
*via fe80::208:e3ff:feff:fd94, Po200.1101, [110/3], 2w2d, ospfv3-601, intra](https://image.slidesharecdn.com/ipv6deploymentattheuniversityofwarwick-networkshop44-160323122229/85/Ipv6-deployment-at-the-university-of-warwick-networkshop44-26-320.jpg)
Ipv6 deployment at the university of warwick - networkshop44
- 1. IPv6 deployment at Warwick Mark Charlton
- 2. IPv6 deployment at Warwick Mark Charlton
- 3. A quick recap from Leeds (1) Core – Nexus 7018 – NX-OS 6.2.12 Data centres – Nexus 7010 – NX-OS 6.2.12 & Nexus 5k/2k – NX-OS 5.1(3) / 7.1(1) Distribution – 6500 VSS pairs – IOS 15.1(2) Service layer – 6513 – IOS 15.1(2) Access – 3750 (15.0(2)) & 3850 (03.06.03)
- 4. A quick recap from Leeds (2) JANET routers – Cisco 7604 – 15.2(4) Firewalls – Fortinet Currently running VRFs with OSPFv2 & BGP on IPv4
- 5. The grand plan (1) Dual stack Add IPv6 addressing to JANET routers Upgrade / prepare – Access switches – Distribution switches – Core switches
- 6. The grand plan (2) Create test vlans Check connectivity DNS /DHCPv6 testing Firewall rules “sign off” IPv6 connectivity Everyone takes advantage!
- 7. What have we done? The nuts and bolts
- 8. The test lab (1) As luck would have it: – 7018 – 6506 – 6513 – Access switches – 3750 / 3850
- 9. The virtual test lab – GNS3 www.gns3.com
- 10. The virtual test lab - Cisco VIRL virl.cisco.com
- 11. The test lab (2) If humanly possible, get one Beg, borrow, steal it If all else fails, buy it! Apart from the obvious reasons, see later…
- 12. Be prepared for
- 13. Audience participation (1) A small detour
- 14. Audience participation (1) Does anyone use IS-IS? Suggested by Cisco Tested in the lab – straightforward to implement (and I hate OSPF ) But…
- 15. It doesn’t work At least, the combination of – IS-IS – VRF – IPv6 So, back to OSPFv3
- 16. perl is your friend Or your favourite scripting language Ideal for munging configuration files Map existing IPv4 addresses to IPv6 Automate to avoid errors Useful to have a test lab
- 17. Access layer pain Reboot for new code (annual event) Reboot for sdm memory profile – Can be bundled with software update if timings allow Reboot for jumbo frames And we have 350 access stacks!
- 18. Distribution layer pain Good news – no reboot necessary Bad news – config changes for IPv6: – from ip vrf <VRF> to vrf definition <VRF> – Delete & re-add VRFs (six) loses ALL IPv4 config – Re-add IPv4 addresses to every interface – Re-add all OSPF info, static routes, pim, mroute
- 19. Distribution layer pain relief Cisco have the vrf upgrade-cli command – Deletes all IPv6 addresses configured on interfaces Only done when IPv6 is required in that area Script: collect all relevant info to be re-instated But it is service impacting (06:00 start, anyone?) Test lab was (almost) invaluable to ensure config changes were correct
- 20. Core and data centre (NX-OS) More good news: – NX-OS is IPv6 ready – Very little reconfiguration – Just add IPv6 addressing and routeing
- 21. Addressing plan 35 Distribution sites Maximum currently ~100 vlans (140 in DC) 256 contiguous /64s per site(~55% allocated) 16384 /64s for wireless Still only 50% allocated (not used!)
- 22. Addressing plan 31 /64s for infrastructure Nothing smaller than /64 except /126 & /128 Converted IPv4 to IPv6 where necessary, e.g. – 172.31.4.55 2001:630:1c3:ss:172:31:4:55
- 23. Addressing plan Only using public and link-local addressing Infrastructure addresses blocked on firewall and by inter-VRF routeing Gateway address always bottom of range: – 2001:630:1c3:ssss::1 rather than 2001:630:1c3:ssss:ffff:ffff:ffff:ffff
- 24. Summary so far We do have a clearer understanding Not as bad as feared Needn’t be disruptive apart from access switch reboots Concentrating on just the network But what about those pesky servers?
- 25. RFC1925 – The twelve networking truths … (9) For all resources, whatever it is, you need more. (9a) (corollary) Every networking problem always takes longer to solve than it seems like it should. …
- 26. Routeing tables like this… CORE-SWITCH# sh ipv6 route vrf CAMPUS-VRF IPv6 Routing Table for VRF "CAMPUS-VRF" '*' denotes best ucast next-hop '**' denotes best mcast next-hop '[x/y]' denotes [preference/metric] 2001:630:1c3:5577::/64, ubest/mbest: 2/0 *via fe80::4255:39ff:fe04:d041, Po268.1381, [110/41], 7w0d, ospfv3-601, intra *via fe80::4255:39ff:fe26:aa41, Po266.1371, [110/41], 7w0d, ospfv3-601, intra 2001:630:1c3:6363::/64, ubest/mbest: 1/0 *via fe80::208:e3ff:feff:fd94, Po200.1101, [110/3], 2w2d, ospfv3-601, intra
- 27. Other issues to investigate DHCPv6 – Would like it everywhere – Can’t for wireless / residences / Android – Ongoing investigation – Stateless? Traffic shaping
- 28. Other issues to investigate Jumbo frames – Wanted / needed? (reboot access switches) – Just needs enabling on cores / distribution Security / logging – Update existing logging scripts? Inter-VRF routeing
- 29. The rest of the university Still no demand to speak of – One genuine enquiry – really! Some areas migrating to RFC1918 space Need to get server teams started – Windows / UNIX / VMWare / deskside Trying to be prepared
Editor's Notes
- #4: A quick reminder (for me) of our network hardware We are almost entirely a Cisco site running NX-OS and IOS
- #5: And over the top of all this hardware, we are running: VRF – virtual routeing and forwarding OSPFv2 internally BGP internally for inter-vrf routeing and DNS anycast
- #6: Nothing world-shattering here We’ve had IPv6 addressing on our JANET routers for a while now, just peering with JANET We went through cycles of discovering which code versions had which features, upgrading (rebooting) and/or preparing config changes At this point we had no IPv6 internally, we were preparing the ground Everything was done under change management, and you’d be amazed what can be covered under a “non service impacting configuration change”!
- #7: We have created our test vlans and tested connectivity; of course that also involves configuring and running OSPFv3 across all of our VRFs (6) In conjunction with a colleague who is extensively revamping our DNS & DHCP, we have a test DNS/DHCP server on an IPv6 vlan in a data centre. There are a few problems under investigation… The firewall has IPv6 enabled and addressing is configured externally, but no traffic is flowing yet – ought to be straightforward! Well, so much for the plan, now for a look at rolling out
- #8: As we’re dual stacking, we’re bolting all things IPv6 on top of our existing, live, network. No pressure there. PIC1 – we were hoping for something along these lines, but it seems to resemble PIC2 more
- #9: As luck, or foresight, or budget, or some combination of the three would have it, we do have a test lab, containing one of most of our bits of hardware. It has been pillaged from time to time (campus wide power outage anyone?) for replacement parts, but most of the time it’s been there for us. In addition to the test lab, I’ve done varying amounts of testing with
- #10: If you haven’t encountered GNS3, it’s free Great for some things like testing BGP Has hardware and software limitations It hasn’t been as useful as I would have liked in this project, but this was anticipated We have also recently acquired
- #11: Virtual Internet Routeing Lab Annual cost $80 per license Supports IOS and NX-OS Only recently acquired, must investigate further
- #12: Enough said… SO, moving on to my first warning:
- #13: Well, not quite all, fortunately but when you have change management who are worried that every change might involve / cause a reboot
- #14: no sliding down in your seats or pretending to be asleep, unless of course you are asleep
- #15: We use OSPFv2 internally, as I suspect do most of you, but can I have a quick show of hands from anyone who uses IS-IS? Cisco seem to like it, so I took a look And I really really don’t like OSPF (it hurts when I have to debug it)
- #16: After some experimentation in the test lab, some reboots, quite a bit of cursing and a few emails to Cisco…
- #17: As we’re adding IPv6 on top of IPv4, scripting is definitely on the agenda Processing existing configuration files / mapping addresses Trying to avoid silly config / typing mistakes Process config -> try on test lab -> repeat…
- #18: We already do an annual code refresh with timed reboots overnight Add to that the sdm (switch database management) memory profile change to allocate memory for IPv6 address tables etc. This enables the feature, then needs a reboot to activate it And a reboot is also needed to activate jumbo frames How many stacks?
- #19: We have 35 VSS distribution pairs and we have enough trouble with software upgrades / failing hardware, so “no reboot” is most welcome Loopbacks, interfaces, port channels, VLANs, Do this from the console as all IP addressing disappears I have tried it this way (with the aid of some perl scripting) and it does work. But…
- #20: Fortunately, Cisco provide the vrf upgrade-cli command, run once per VRF, but it does delete all the IPv6 addresses configured on interfaces. This sounds a much better option, as long as you haven’t configured IPv6 addresses, or as long as you’ve saved them if they are configured! Aside. There comes a moment, probably around the long dark tea-time of the soul (4pm on a Thursday?) , when you’ve copied a live config to the test lab and made some changes. You type “reload”, look down at the CLI prompt and hope earnestly that you haven’t just done that on the live switch! Moral: change the prompts on the test network
- #21: Significantly easier to configure than on IOS Just needed to enable OSPFv3 Straightforward apart from the natural nervousness of interfering with a working network
- #22: Keeping it as simple as reasonable Biggest distribution site has around 100 vlans, most have significantly fewer. The data centres are the exception, with around 140 vlans currently 256 * 35 = 8900 allocated out of 16384 Could always request more space!
- #23: Lots of space for infrastructure addressing – all in one block so easy to block on the firewall As recommended, no small bitty subnets Conversion – tie IPv4 and IPv6 addresses together - just makes things simpler
- #24: Infrastructure addresses => public addresses but shouldn’t be generally accessible Gateway address at the bottom for simplicity and ease of typing
- #26: As mentioned before, RFC1925 comes to mind Don’t forget, resources include people!
- #27: This is just a very small portion of the IPv6 routeing table on one of our core switches – only showing the initial test vlans Note the link local addresses for next hop
- #29: We want to resolve one or two issues with our IPv4 inter-VRF routeing, then we’ll add the IPv6 Could be the scariest part of it!