New IPv6 deployment design

Unanswered Question
Mar 31st, 2012

Hello everyone,


I'm going to implement IPv6 and for the past few weeks I've been looking for designs, documentation and tips to make the best of it and take full advantage of IPv6. However, even Cisco's documentation is based mostly on IPv4, and IPv6 is mentioned just as an additional option. Also, my experience is mostly with IPv4, and therefore I would greatly appreciate advice, tips and recommendations specifically on design and best practices.


Though I need to keep some IPv4 in place just to have interoperability with those who don't have IPv6, I could use IPv6 only as I'm fully IPv6 'ready'.


The requirements are very simple and straightforward: everything is based on an ASA 5520 with two external and two internal interfaces, and a good 90% of traffic is VPN. On the external interfaces I need some 200 site-to-site VPN connections, mostly with Cisco 800 series, around 400 remote-access VPN connections, and access to a DMZ with an email server. On the internal interfaces I've got all the servers; all internet/web traffic should go through a proxy.


external/VPN <---->  \
external/VPN <---->   - ASA 5520 = SG300 - internal servers
management <---->  /                        |
                                          DMZ / external servers


All internal servers and communication can use IPv6 only; the management IP address is IPv4; the external server can have IPv4 as well as IPv6 because not everyone is on IPv6; and there is a backup IPv4 VPN in case someone has to connect through an ISP without IPv6 support.


In the IPv4 world I would keep the ASA 5520 in routed mode, with all internal traffic on private address ranges and NAT/proxy if external access is required. However, I'm not sure if that is the best for IPv6 as well, therefore I would appreciate any suggestions, recommendations and configuration tips.


Many thanks,

Dan

sean_evershed Sat, 03/31/2012 - 05:44

Hi,

See below an excellent White Paper on what Enterprises should do about IPv6

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-586154.html


As recommended in this document, I suggest that you purchase a global Internet routable IPv6 address block from your ISP. Assign these addresses to your internal network.


If you still need to support legacy IPv4 then configure your devices for dual stack. See below

http://www.cisco.com/web/strategy/docs/gov/IPV6at_a_glance_c45-625859.pdf


See below a quick guide for configuring IPv6 on your ASA firewall.

https://supportforums.cisco.com/docs/DOC-15973


Don't forget to rate all posts that are helpful.

kevihuan Sun, 04/01/2012 - 08:57

Hi Dan,


I highly recommend this IPv6 Internet edge design guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html


Keep in mind that there's currently no NAT66, so for now there's no NAT to translate between public & private IPv6 addresses like how most are used to.


Whether you use provider-assigned or provider-independent IPv6 blocks, you'll need to carefully design the ACLs to protect your network.


HTH

KH
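KH's point about globally routable addresses and ACL design, as an added example that is not part of the thread: a first-match rule evaluator that compares a broad inbound permit with a narrow rule set. The prefixes (documentation range 2001:db8::/32), rule tuples and test flows are constructed assumptions, and the rule format is illustrative, not ASA syntax.

```python
import ipaddress as ip

# Constructed addressing plan from the documentation prefix 2001:db8::/32.
SITE     = ip.ip_network("2001:db8:0::/48")        # whole site, globally routable
INTERNAL = ip.ip_network("2001:db8:0:10::/64")     # internal servers
MAIL     = ip.ip_network("2001:db8:0:20::25/128")  # DMZ mail server
ANY      = ip.ip_network("::/0")

# Rule = (action, proto, src, dst, port_or_icmp_type); None matches any value.
# Weak: a broad permit that relies on the hiding effect NAT gave in IPv4.
WEAK = [("permit", "tcp", ANY, SITE, None)]
# Hardened: only the published service plus ICMPv6 Packet Too Big (type 2),
# which IPv6 path MTU discovery depends on.
HARDENED = [
    ("permit", "tcp",   ANY, MAIL, 25),
    ("permit", "icmp6", ANY, SITE, 2),
]

def evaluate(rules, proto, src, dst, port=None):
    """First-match evaluation with an implicit deny at the end of the list."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto == proto and src in r_src and dst in r_dst
                and r_port in (None, port)):
            return action
    return "deny"

def exposure(rules, outside_src, flows):
    """Return the flows (proto, dst, port) that an outside source gets through."""
    return [f for f in flows
            if evaluate(rules, f[0], outside_src, f[1], f[2]) == "permit"]

# Constructed test flows to check from an outside source address.
FLOWS = [
    ("tcp",   "2001:db8:0:10::5",  22),    # SSH to an internal server
    ("tcp",   "2001:db8:0:10::5",  3389),  # RDP to an internal server
    ("tcp",   "2001:db8:0:20::25", 25),    # SMTP to the DMZ mail server
    ("tcp",   "2001:db8:0:20::25", 22),    # SSH to the DMZ mail server
    ("icmp6", "2001:db8:0:10::5",  2),     # Packet Too Big toward an internal host
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, exposure(rules, "2001:db8:ffff::99", FLOWS))
```

With the weak list every TCP flow reaches the internal servers directly, because no translation step stands between the Internet and a global IPv6 address; the hardened list leaves only SMTP to the mail server and the Packet Too Big message.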
