New IPv6 deployment design

Dan Jagor
Level 1

Hello everyone,

I'm going to implement IPv6 and for the past few weeks I've been looking for designs, documentation and tips to make the best of it and take full advantage of IPv6. However, even Cisco's documentation is based mostly on IPv4 and IPv6 is mentioned just as an additional option. Also, my experience is mostly with IPv4 and therefore I would greatly appreciate advice, tips and recommendations specifically on design and best practices.

Though I need to keep some IPv4 in place just to have interoperability with those who don't have IPv6, I could use IPv6 only as I'm fully IPv6 'ready'.

The requirements are very simple and straightforward: everything is based on an ASA 5520 with two external and two internal interfaces, and a good 90% of traffic is VPN. On the external interfaces I need some 200 site-to-site VPN connections, mostly with Cisco 800 series, around 400 remote-access VPN connections, and access to a DMZ with an email server. On the internal interfaces I've got all the servers; all internet/web traffic should go through a proxy.

external/VPN <---->  \
external/VPN <---->   - ASA 5520 = SG300 - internal servers
management <---->  /                        |
                                          DMZ / external servers

All internal servers and communication can use IPv6 only, the management IP address is IPv4, and the external server can have IPv4 as well as IPv6 because not everyone is on IPv6, with a backup IPv4 VPN in case someone has to connect through an ISP without IPv6 support.

In the IPv4 world I would keep the ASA 5520 in routed mode, with all internal traffic on private address ranges and NAT/proxy if external access is required. However, I'm not sure if that is the best for IPv6 as well, therefore I would appreciate any suggestions, recommendations and configuration tips.

Many thanks,

Dan


sean_evershed
Level 7

Hi,

See below an excellent white paper on what enterprises should do about IPv6:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-586154.html

As recommended in this document, I suggest that you purchase a global Internet routable IPv6 address block from your ISP. Assign these addresses to your internal network.

If you still need to support legacy IPv4, then configure your devices for dual stack. See below:

http://www.cisco.com/web/strategy/docs/gov/IPV6at_a_glance_c45-625859.pdf

See below a quick guide for configuring IPv6 on your ASA firewall:

https://supportforums.cisco.com/docs/DOC-15973

Don't forget to rate all posts that are helpful.

kevihuan
Level 1

Hi Dan,

I highly recommend this IPv6 Internet edge design guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html

Keep in mind that there's currently no NAT66, so for now there's no NAT to translate between public & private IPv6 addresses the way most are used to.

Whether you use provider-assigned or provider-independent IPv6 blocks, you'll need to carefully design the ACLs to protect your network.

HTH

KH
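
The ACL point in the reply above, as an added example that is not part of the thread and is not Cisco configuration: with globally routable addresses on the internal servers and no NAT, the outside ACL is the only thing separating them from the Internet, so it is worth linting the rule set before deployment. The prefixes (documentation range 2001:db8::/32), zone names and rules are constructed assumptions; the model is first-match with an implicit deny.

```python
import ipaddress as ip

# Constructed address plan (documentation prefix, not taken from the thread).
ZONES = {
    "inside": ip.ip_network("2001:db8:100:10::/64"),  # internal servers
    "dmz":    ip.ip_network("2001:db8:100:20::/64"),  # mail server lives here
}
ANY = ip.ip_network("::/0")

# Constructed outside-interface rules:
# (action, source network, destination network, TCP port or None for any port)
RULES = [
    ("permit", ANY, ip.ip_network("2001:db8:100:20::25/128"), 25),   # SMTP to DMZ host
    ("permit", ANY, ip.ip_network("2001:db8:100:10::/64"), 443),     # too broad on purpose
]

def decide(rules, src, dst, port):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, s, d, p in rules:
        if src in s and dst in d and p in (None, port):
            return action
    return "deny"

def audit(rules, zones, protected=("inside",)):
    """Return indexes of permit rules that let any source reach a protected zone."""
    findings = []
    for i, (action, s, d, _port) in enumerate(rules):
        if action != "permit" or s != ANY:
            continue
        if any(d.overlaps(zones[z]) for z in protected):
            findings.append(i)
    return findings

if __name__ == "__main__":
    for i in audit(RULES, ZONES):
        print(f"rule {i}: unrestricted source can reach a protected zone")
```

Under IPv4 with private addressing, a rule like the second one would also have needed a matching translation before it exposed anything; here the permit alone is enough, which is why the audit treats it as a finding.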
