with Salman Asadullah
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on how to enable your network to run IPv6 with Cisco expert Salman Asadullah. Salman is a Distinguished Engineer at Cisco and a Fellow of the IPv6 forum. Salman represents Cisco in industry panel discussions and technical platforms such as APRICOT, IETF, BBF, SCTE, Worldwide IPv6 Technical Forums and Network Operators Groups, and Cisco Live. He influences technology directions and decisions with Cisco business units and customers and Internet community at large and is a coauthor and contributor of RFCs and drafts produced by IETF. Salman has produced three internetworking books: Cisco CCIE Fundamentals: Network Design & Case Study, PDIO of the IPT Networks, and Deploying IPv6 in Broadband Access Networks. He has been working with large-scale IP and multiservice networks and technologies for over 15 years.
Remember to use the rating system to let Salman know if you have received an adequate response.
Salman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security discussion forums shortly after the event. This event lasts through February 25, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
Are there any tech docs available about IPv6 "TCAM exhaustion"?
An IPv6 route will consume more TCAM memory than an equivalent IPv4 route because the address is four times larger in binary.
You are correct. IPv6 will require more space in the TCAM for lookup purposes. The extra space is needed to accommodate the expanded 128-bit address space. As an example, the data sheet for the 6500/7600 Supervisor 720 shows some information regarding the number of routes that can be stored on the Supervisor - http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856.html. On the Sup720-3BXL, it shows that the TCAM for routing information can hold up to 1M IPv4 routes or 500K IPv6 routes, which gives you a 2:1 ratio. You can also split the TCAM between the two protocols (e.g. 512K IPv4 routes and 256K IPv6 routes), but you cannot exceed the 1M-entry capacity.
As mentioned in the article, how the TCAM is programmed is going to be very specific to the implementation on the platform one is analyzing, so please follow up with your Cisco Account or Services team for the specifics.
About the IPv6 addressing scheme in enterprise networks: can you please tell me the best RECENT approach, and whether there are any RECENT Cisco docs or a REAL IMPLEMENTED example?
In particular taking into account:
- keep the internal IPv6 addresses STABLE even if Internet providers are changed ("avoiding renumbering")
- using PA and not using PI (Provider Independent) IP addresses
P.S.: I've read Procedures for Renumbering an IPv6 Network without a Flag Day (RFC 4192).
Would a solution with end sites using non-globally-routable addresses within the site and translating them to globally routable addresses somewhere in the network be the best approach?
For example, following a solution from the nanog.org and cluenet.de newsgroups:
My suspicion is that using ULA [Unique-Local Addressing (RFC4193)] and an IPv6 NAT mechanism (http://trac.tools.ietf.org/html/rfc5902) like NAT66 (currently in the state of a rew. draft) to translate "private" /48 ULAs to their site's "public" /48 assignment from their ISP will be the future (in particular for renumbering with public DMZ services).
ULA Space FD9C:58ED:7D73::/48
Global address NAT
Everything internal runs the ULA space
* A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the Internet – must run filters to prevent any SA/DA in ULA range from being
* Works as it does today with IPv4 except that today, there are no scalable NAT/Proxies for IPv6
* Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
As you note, there are a couple of options available when your organization goes to get its initial IPv6 address block. Provider Assigned (PA) and Provider Independent (PI) are the two methods that most organizations will have to decide between. With PA space, the ISP you are connecting to will assign a block of addresses from their assignment for your use. With PI space, your organization is assigned a block independent of the ISP that you connect to – similar to how IPv4 address blocks are assigned.
Since you specifically asked about sharing some first-hand experience, most organizations we are working with prefer PI space. They feel that this approach gives them the most flexibility, especially when connecting to multiple ISPs. On the same note, the organizations that we have talked to are currently avoiding the ULA option that you discuss below (and a few other ideas/options under discussion in standards bodies which you have not mentioned). The reason for that is that the features to implement ULA and other similar solutions are currently not mature enough, from an organizational perspective, to run their services on.
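The ULA-plus-translation design quoted in the question, worked through as an added example that is not part of the original thread and is not Cisco code: it generates a ULA /48 with the RFC 4193 algorithm, applies the border rule from the quoted bullet (no ULA source or destination leaves the site untranslated) to constructed packets, and performs the plain /48 prefix swap the question attributes to NAT66. The NTP timestamp, the EUI-64 and the public /48 2001:db8:1234::/48 are constructed values; the ULA fd9c:58ed:7d73::/48 is the one quoted in the question.

```python
import hashlib
from ipaddress import IPv6Address, IPv6Network

ULA_RANGE = IPv6Network("fc00::/7")                # RFC 4193 unique local block
SITE_ULA = IPv6Network("fd9c:58ed:7d73::/48")      # the /48 quoted in the question
SITE_PUBLIC = IPv6Network("2001:db8:1234::/48")    # constructed ISP-assigned (PA) /48


def generate_ula_prefix(ntp_time: int, eui64: bytes) -> IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64); the low
    40 bits of the digest are the Global ID, placed under fd00::/8 (L bit = 1)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    key = ntp_time.to_bytes(8, "big") + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    prefix_int = (0xFD << 120) | (global_id << 80)   # subnet-ID and IID bits stay zero
    return IPv6Network((prefix_int, 48))


def is_ula(addr) -> bool:
    return IPv6Address(addr) in ULA_RANGE


def border_should_drop(src, dst) -> bool:
    """The rule from the quoted bullet: a packet carrying a ULA as source or
    destination must not cross the site border untranslated."""
    return is_ula(src) or is_ula(dst)


def filter_egress(packets):
    """Apply the border rule to (src, dst) pairs; return only those that may leave."""
    return [(src, dst) for src, dst in packets if not border_should_drop(src, dst)]


def translate_prefix(addr, inside, outside) -> IPv6Address:
    """Swap the site prefix and keep the subnet and interface-ID bits: the prefix
    rewrite the question attributes to NAT66. This is the bare mapping only; the
    checksum-neutral adjustment that NPTv6 (RFC 6296) adds is not modelled."""
    inside, outside = IPv6Network(inside), IPv6Network(outside)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("inside and outside prefixes must have the same length")
    a = IPv6Address(addr)
    if a not in inside:
        raise ValueError(f"{a} is not inside {inside}")
    host_bits = 128 - inside.prefixlen
    host_part = int(a) & ((1 << host_bits) - 1)
    return IPv6Address(int(outside.network_address) | host_part)


if __name__ == "__main__":
    # Constructed inputs: an NTP timestamp and an EUI-64 derived from a made-up MAC.
    print("generated ULA:", generate_ula_prefix(0xD2A81B5F00000000, bytes.fromhex("0200c0fffe112233")))
    # Constructed egress traffic at the site border, before any translation.
    packets = [
        ("fd9c:58ed:7d73:10::a", "2001:db8::1"),   # ULA source: must be dropped or translated
        ("2001:db8:1234:10::a", "2001:db8::1"),    # already public: forwarded as-is
    ]
    print("forwarded untranslated:", filter_egress(packets))
    # What the NAT66 box would emit for the first packet instead of dropping it.
    print("translated source:", translate_prefix("fd9c:58ed:7d73:10::a", SITE_ULA, SITE_PUBLIC))
```

The border filter is the part that matters operationally: the ULA space is only private because nothing with a ULA source or destination is allowed past the translation point, so the filter has to sit on every external interface, not only on the NAT66 device.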
Recently I'm handling a project about transition between IPv4 and IPv6. Firstly, I decided to choose NAT-PT as the plan to achieve it; we have upgraded our Cisco 2801 router in the lab to version 12.4(25d), but it doesn't work, because it always shows us 'invalid input ...' as I typed the commands concerning NAT, for example: ipv6 nat, ipv6 nat v4v6 source 192.168.100.10 2001::10. We had no idea how to solve it except providing the contract details to Cisco technical services, but my prof doesn't want to do that. Therefore, we decided to change the plan to realize it. As I know, NAT64 is able to realize the transition between IPv4 and IPv6, but I also know it is still under discussion and even the commands are not published, right? So I would like to ask you what other methods I could try?
Glad to see you are trying to stay away from NAT-PT. You might know that NAT-PT has been deprecated and placed in historical state by the IETF. The IETF and industry are focusing on newer translation techniques such as NAT64 and others.
Please take a look at http://www.cisco.com/en/US/docs/ios/ios_xe/ipaddr/configuration/guide/iad_stateless_nat64_xe.html#wp1063180 for NAT64 configuration examples and other details. If you are not able to configure NAT64 commands then it could be due to a lack of the required hw/sw capabilities. If you run into this issue then check the feature navigator on CCO to meet the NAT64 requirements.
If you still have issues then open a TAC SR and work towards resolution. You can also contact your Cisco Account/Services teams for assistance.
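For the NAT64 direction the answer points to, here is the address mapping NAT64 relies on, the IPv4-embedded IPv6 addresses of RFC 6052, worked through as an added example that is not from the thread, the linked Cisco document or any Cisco code: it embeds an IPv4 address under the well-known prefix 64:ff9b::/96 and under each permitted network-specific prefix length, extracts it again, and enforces the RFC rule that the well-known prefix must not carry RFC 1918 addresses, which is why the private 192.168.100.10 from the question needs a network-specific prefix. The 2001:db8 prefixes and 192.0.2.33 are the documentation examples RFC 6052 itself uses; 192.168.100.10 is the question's own address.

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")      # RFC 6052 section 2.1
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)    # RFC 6052 section 2.2
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wkp_allows(ipv4) -> bool:
    """RFC 6052 section 3.1: the Well-Known Prefix must not represent non-global
    IPv4 addresses; this check covers the RFC 1918 ranges the RFC cites."""
    a = IPv4Address(ipv4)
    return not any(a in net for net in RFC1918)


def embed_ipv4(prefix, ipv4) -> IPv6Address:
    """Build the IPv4-embedded IPv6 address for `ipv4` under `prefix`.
    The IPv4 octets follow the prefix; octet 8 (bits 64-71, the 'u' octet) is
    reserved and must stay zero, so it is skipped whenever the IPv4 octets would
    otherwise land on it; all remaining bits are zero."""
    prefix, ipv4 = IPv6Network(prefix), IPv4Address(ipv4)
    if prefix.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"prefix length must be one of {ALLOWED_PREFIX_LENGTHS}")
    if prefix == WELL_KNOWN_PREFIX and not wkp_allows(ipv4):
        raise ValueError(f"{ipv4} is RFC 1918 space and may not use the Well-Known Prefix")
    out = bytearray(prefix.network_address.packed[: prefix.prefixlen // 8])
    for octet in ipv4.packed:
        if len(out) == 8:          # next slot is the 'u' octet: leave it zero
            out.append(0)
        out.append(octet)
    out.extend(b"\x00" * (16 - len(out)))
    return IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6) -> IPv4Address:
    """Inverse of embed_ipv4: recover the IPv4 address from an embedded address."""
    prefix, ipv6 = IPv6Network(prefix), IPv6Address(ipv6)
    if ipv6 not in prefix:
        raise ValueError(f"{ipv6} is not covered by {prefix}")
    packed = ipv6.packed
    octets, i = bytearray(), prefix.prefixlen // 8
    while len(octets) < 4:
        if i == 8:                 # skip the 'u' octet
            i += 1
            continue
        octets.append(packed[i])
        i += 1
    return IPv4Address(bytes(octets))


if __name__ == "__main__":
    # RFC 6052 section 2.4 documentation prefixes with 192.0.2.33, the RFC's own examples.
    for pfx in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
                "2001:db8:122:300::/56", "2001:db8:122:344::/64",
                "2001:db8:122:344::/96", "64:ff9b::/96"):
        v6 = embed_ipv4(pfx, "192.0.2.33")
        print(f"{pfx:>24} -> {v6}  (back: {extract_ipv4(pfx, v6)})")
    # The question's private host cannot use the Well-Known Prefix, but a
    # network-specific /96 carved from the site's own space works.
    print("192.168.100.10 under 2001:db8::/96 ->", embed_ipv4("2001:db8::/96", "192.168.100.10"))
```

The /96 case is what most stateless NAT64 deployments use because the IPv4 address then sits in the last 32 bits unchanged; the other lengths exist so that a site can embed IPv4 space inside a shorter prefix it already routes, and the skipped 'u' octet is the detail that trips up hand-written mappings at /40 through /64.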
Are there any docs about IPv6 performance for IPsec VPN and SSL VPN with the following Cisco products:
- CISCO firewall ASA series
- CISCO routers 8xx/19xx/29xx/39xx
Routers and Layer 3 switches are often seen as performing functions at different levels of the OSI model (Layer 2, Layer 3, Layer 4 or Layers 5-7). However, when discussing performance, it is more appropriate to differentiate these functions in the following three categories:
1. Control plane running routing protocols, network management, etc. This is the more versatile part of the router functions.
2. Data plane as basic or enhanced (including services) packet forwarding from one physical or logical interface to another. Different switching mechanisms may exist on a given router (e.g. CEF).
3. Enhanced Services, which are really the Layer 2 through 7 features that may apply when forwarding data (i.e. packet filtering, QoS, encryption, translation, accounting).
Rightly asked; performance caveats are common in #3 (i.e. advanced services), which could be CPU demanding at times, and special hardware assistance may be needed to sustain the same performance as the other services. A couple of examples which I have seen first hand: (1) for IPv6 over IPv4 support in DMVPN on IOS, performance numbers should be similar to IPv4 performance numbers (minus header overhead); (2) ASA IPv6 performance numbers should be within 5-10% as compared to IPv4.
Unfortunately no document is currently available which lists the IPv6 performance figures for the requested features and multiple products. If you are about to deploy the requested features/products, I would recommend that you follow up with your Account or Services team to get per-feature/product IPv6 performance figures and statistics specifics.
Appreciate your understanding!
Could you look at my discussion: https://supportforums.cisco.com/message/3295826#3295826
Unfortunately I haven't received any answers to my question. I hope that you can help me.
I've reviewed your question. What you are experiencing is the expected behavior!
One could argue that specifying a /128 IPv6 group address to select an RP may be valid; after analyzing this in the past we did not see much value in offering this support, and we don't intend to change this behavior. I also found an internal id (CSCsi07509) for this issue/error message, which was reported, reviewed and closed in the past.
If you have a real application and would like to follow up, then please contact your Cisco Account/Services team or open a Cisco TAC case and use the above id for reference.
Hope this helps!
What are the requirements for the Dual Stack Model to be successfully implemented in a LAN environment?
(we have about 130 Catalyst 2950T switches)
Is it mandatory to support MLD snooping? Without that, can IPv6 never be deployed?
This is a common question which comes up quite often – What should I do with my old Layer 2 switches (e.g. Catalyst 2900, 3900, 5000, etc.)? The simple answer is: IPv6 is transparent on L2 switches, so no need to worry about it. However, there are a couple of cases where you would need to take a closer look.
Rightly asked; one is MLD snooping. Yes, if you are planning to have a real IPv6 Multicast deployment then you would need to have products which support MLD snooping at Layer 2. If you are not deploying IPv6 Multicast then I would not worry about it much.
Another one is when you have intelligent services on WLAN; maybe it's not a Catalyst switch but an AP where you are running intelligent services such as QoS or ingress ACLs on the AP, or maybe an actual controller-based environment where you have thin APs and fat controllers in the back end but a distributed policy at the edge. If you are doing this and using IPv4-based protocols, then you have to make sure that those products support equivalent configurations for IPv6 capabilities, or you would have serious roadblocks.
Simple “2 rules of thumb” which I always tell customers:
Please take a look at http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/at_a_glance_c45-625859.pdf, and there is a lot of good information regarding Enterprise dual-stack case studies and recommendations at www.cisco.com/go/ipv6.
I would also recommend that you work with your Cisco Account and Services teams for a smooth Dual-Stack deployment.
Hi Salman, I need an opinion. I am currently updating the IPv6 platform on a Cisco 6509 and a 4507R-E; I provide support for SNMP over IPv6 and HSRP for IPv6. Which equipment in the Nexus category do you recommend for the replacement of the equipment listed? IOS version and model. Thanks.
It is always hard to recommend a specific platform when you have several in the portfolio. However, in the Cisco Nexus family, Cisco Nexus 7000 Series Switches would be great. Cisco Nexus 7000 Series Switches have industry-leading IPv6 features and capabilities.
Please have a look at the following for details: http://www.cisco.com/en/US/products/ps9402/index.html
I would also recommend that you work with your Cisco Account/Services team for further dialogue on the topic.