《具有思科IOS路由和Meraki访问的IPv6 - 实用指南.pdf》由会员分享,可�������在线阅读,更多相关《具有思科IOS路由和Meraki访问的IPv6 - 实用指南.pdf(72页珍藏版)》请在三个皮匠报告上搜索。
1、#Cis����coLive#CiscoLiveJeffry Handal,Principal Architectipv6pilotBRKI������PV-2751A Practical GuideIPv6 with Cisco IOS Routing and Meraki Access 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveEnter your personal notes hereCisco Webex App Questions?Use Cisco Webex App to chat with
2、the speaker after the sessionFind this session in the Cisco Live Mobile AppClick“Join the Discussion”Install the Webex App or go directly to the Webex spaceEnter messages/questions in the Webex spaceHowWebex spaces �����will be moderated by the speaker until Jun�����e 9,2023.12343https:/ 2023 Cisco and/or its
3、 affiliates.All rights reserved.Cisco PublicBRKIPV-27513 202�������3 Cisco and/or its affiliates.All r�������ights reserved.Cisco Public#CiscoLiveHusband/Father14yrs Customer/7yrs CiscoSelf-proclaimed IPv6 evangelistAerospace enthusiastA technologist for the betterment of humanityBRKIPV-27514The session is a dive
4、 into exploring some best practices operating IPv6 with Catalyst and Meraki infrastructure platform platforms.We will examine and demo how to plan,setup,and maintain dual-stack and IPv6-only networks,including �����practical tips and tricks.Why are We Here?Find the Easter egg 2023 Cisco and/or its affili
5、ates.All rights reserve�����d.Cisco Public#CiscoLiveDefinitionsDual stack:implementation with IPv4 and��� IPv6 protocol stacksIPv6-only:implementation with the IPv6 protocol stack onlyManagement plane:configuration and monitoring elementControl plane:space where protocols runData plane:forwarding of data pa
6、yloadTransition m�������echanism:method from moving from one IP family to another.Cisco Routing:part of the network where L3 operations take place Edge use case with ASR/�������ISR/MX Core use case with CatalystBRKIPV-27516 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivePlatform Names
7、and AbbreviationsDashboard:cloud-management tool of the Cisco Meraki platform MX:Security an�������d SD-WAN applianceMS:cloud-managed access and aggregation switchMR:cloud-managed WLANMeraki access:used to reference both MS and MRFull stack:Cisco Meraki platform consisting at a minimum of MR,MS,MX,MGUmbrel
8�����、la DNS:DNS-layer security serviceBRKIPV-27517Agenda 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicThe Enterprise TodayCRMAv6IPv6-only Management AccessThe future of the EnterpriseBRKIPV-27518The Enter������prise Today 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cis
9、coLiveThe v6 Enterprise UtopiaInternetClient OSEnterprise NetworkISPBRKIPV-275110 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveJeffry Handal(shameless plug)Circa 2009“IPv6 is a tool for simplification,innovation,and imagination.”BRK�������IPV-275111 2023 Cisco and/or its affil
10、iates.All rights reserved.Cisco Public#CiscoLiveIPv6 to Solve ProblemsEqualizerEqualizerAvailable to everyoneCo����sts lessSimpler operationsSimpler operationsLess moving parts(e.g.,no DHCP)More automation inherit of the proto�������colAvoid headaches caused by NAT and CGNsFutureFuture-ready,ready,improved exp
11、eriencesimproved experiencesGamification of the workplaceIndustry 4.05G solutionsBRKIPV-275112 2023 Cisco and/or its a������ffiliates.All rights reserved.Cisco Public#CiscoLiveHow do we make the enterprise take the leap?BRKIPV-275113CRMA 2023 Cisco and/or its affili������ates.All rights reserved.Cisco Public#Ci
12、scoLiveCRMAv6CRMAv6 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKIPV-275115 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveC Cisco isco R Routing outing MMeraki ������eraki A Access ccess with IPwith IPv6v6What does CRMAv6 stand for?BRKIPV-275116�������� 2023 Cis
13、co and/or its affiliates.All rights reserved.Cisco Publ�����ic#CiscoLiveAn architecture design that uses An architecture design t������hat uses Cisco platforms to solve problems Cisco platforms to solve problems with IPv6 as its core enabler.with IPv6 as its core enabler.What is CRMAv6?Source:IPv6 logo from ht
14、tps:/www.worldipv6launch.org/downloads/BRKIPV-275117Edge 2023 Ci�������sco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDesign Setup Assumptions “Edge”CaseNative ISP IPv6 availability with DHCPv6-PDClient support for all Operating SystemsDHCPv6 IA_NA,DNS RA optionsDual stack or IPv6-only
15、 for client segmentsDual stack or IPv6-only management networkNetwork services reachable over IPv6:RADIUS,SYSLOG,DHCP,SNMP,SSH,NETCONF,NETFLOW/IPFIXTransition mechanis��������m leveraged:NAT64/DNS64Aim for IPv6-only where possibleBRKIPV-275119 2023 Cisco and/or its affiliates.All rights reserved.Cisco Publi
16、c#CiscoLiveS/M/L Branch Site Dual SSyslogAccess layerSVIs live hereMS switchstackISR routerDual-stackISPMR APsClientsCisco ISERouting layerDual stack LANBRKIPV-275120 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDual S������tack VLAN Interface Cisc�����o IOSinterface Vlan10descrip
17、tion������ CLIENTSip address 10.10.10.1 255.255.255.0ip nat insideipv6 address FE80:C15:C0:10:1 link-localipv6 address ISP:2:0:0:0:1/64ipv6 enableipv6 nd reachable-time 1800000ipv6 nd autoconfig prefixipv6 nd������� autoconfig default-routeipv6 nd other-config-flagipv6 nd router-preference Highipv6 nd ra lifetim
18、e 9000ipv6 nd ra dns server 2620:119:35:35ipv6 nd ra dns server 2620:119:53:53ipv6 dhcp server CLIENTSv6Vanity IP AddressDHCPv6-PDUmbrella Recursive DNS ServersDHCPv6BRKIPV-275121 2023 Cisco������ and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDHCPv6 Optionsipv6 dhcp pool CLIENTSv6dns-ser
19、ver 2620:119:35:35dns-server 2620:119:53:53Vanity IP AddressDHCPv6 is supported by all clients exce�����pt Android.BRKIPV-275122 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveinterface Vlan115description DATAip address 10.10.115.1 255.255.255.0endIs an IPv6 Config More Compli
20、cated?interface Vlan115descripti�������on DATAipv6 address FE80:C15:C0:115:1 link-localipv6 address FD15:C15:C0:/64ipv6 enableipv6 nd reachable-time 1800000ipv6 nd autoconfig prefixipv6 nd autoconfig default-routeipv6 nd��������� other-config-flagipv6 nd router-preference Highipv6 nd ra lifetime 9000ipv6 nd ra dns
21、server 2620:119:35:35ipv6 nd ra dns server 2620:119:53:53ipv6 dhcp server MAINv6endVS.BRKIPV-275123 2023 Cisco and/or �������its affiliates.All rights reserved.Cisco Public#CiscoLiveIs an IPv6 Config More Complicated?Not reallyshsh run allrun allBRKIPV-275124 2023����� Cisco and/or its affiliates.All rights res
22、erved.C�������isco Public#CiscoLiveS/M/L Branch Site NAT64/DNS64IPv6-only LANSyslogSVIs live hereMS switchstackI�������SR routerMR APsClientsCisco ISEDNS64NAT64 routerDual-stackISPRouting layerAccess layerBRKIPV-275125 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveinterface Vlan500des
23、cription NAT64 v6 SIDEipv6 addr�������ess FE80:C15:C0:500:1 link-localipv6 address ISP:3:0:0:0:1/64ipv6 enableipv6 nd reachable-time 1800000ipv6 nd autoconfig prefixipv6 nd autoconfig default-routeipv6 nd other-config-flagipv6 nd router-preference Highipv6 nd ra lifetime 9000ipv6 nd ra dns server 2601:C15:
24、C0:6464:53ipv6 dhcp server NAT64Vanity IPAddressCustom DNS64Google DNS64:2001:4860:4860:64642001:48�����60:4860:64IPv6-Only VLAN Interface Cisco IOS NAT64 Example Cloudflare DNS64:2606:4700:4700:642606:4700:4700:6400BRKIPV-275126 2023 Cisco and/or its affiliates.All rights reserve������d.Cisco Public#CiscoLive
25、DNS64 Bind Exampledns64 64:ff9����b:/96 clients any;mapped !10/8;any;exclude 0:/3;4000:/2;8000:/1;2001:DB8:/32;break-dnssec yes;RFC6147/etc/bind/named.conf.optionsBRKIPV-275127 2023 Cisco and/or its affiliates.All rights r�������eserved.Cisco Public#CiscoLiveNAT64 Setupipv6 dhcp pool NAT64dns-server 2601:1234:
26、1234:ABCD:53nat64 prefix stateful 2601:2C2:1111:B6:/64nat64 v4 pool NAT64POOL 10.22.22.11 10.22.22.14nat64 v6v4 list NAT64 pool NAT64POOL overloadipv6 access-list NAT64sequence 30 permit ipv6 2601:/20 anyInterface XXXXnat64 enableThink:“Router on a stick setup”Issue���� command on an IPv6 and IPv4 inter
27、face.BRKIPV-275128Demo 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKIPV-275130Core 2023 Cisco and/or its affiliates.All rights reserved.Cisc������o Public#CiscoLiveDesign Setup Assumptions “Core”CaseNative ISP IPv6 availability up through edge deviceL3 routing is handled a
28、t the core/distribution levelClient suppo����rt for all Operating SystemsDHCPv6 IA_NA,DNS RA optionsDual stack or IPv6-only for client segmentsDual stack or IPv6-only management networkNetwork services reachable over IPv6:RADIUS,SYSLOG,SNMP,SSH,NETCONF,NETFLOW/IPFIXTransition mechanism leveraged:NAT64/D
29、NS64Aim for IPv6-only where possibleBRKIPV-275132 2������023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCampus Collapsed CAccess layerMS switchstacksBorder routerDual-stackISPMR APsClientsRouting layerCatalyst coreBorder firewallCisco ISE,DNS64,SyslogSVIs live hereClients�������Clients
30、BRKIPV-275133 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCampus Core/Distribution/ACisco ISE,DNS64,SyslogAccess layerMS switchstacksBorder routerDual-stackISPMR APsCl�������ientsClientsClientsRouting layerBorder firewallCatalyst ��������distributionswitchesCatalyst coreSVIs hereSVIs
31、 hereBRKIPV-275134 2023 Ci����������sco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCloud Monitoring for CatalystCatalystMeraki#1 in cloud managed networks#1 in networkingPro Tip:Run Multiple Spanning Tree(MST)BRKMER-2005BRKIPV-275135 2023 Cisco and/or its affiliates.All rights reserved.Ci
32、sco Public#Cisc�������oLiveDual Stack VLAN Interface Cisco IOS-XEinterface Vlan115description CLIENTSip addre�����ss 10.10.115.1 255.255.255.0ip nat insideipv6 address FE80:C15:C0:115:1 link-localipv6 address FD15:C15:C0:/64ipv6 enableipv6 nd reachable-time 1800000ipv6 nd autoconfig prefixipv6 nd autoconfig def
33、ault-routeipv6 nd other-config-flagipv6 nd router-preference Highipv6 nd ra lifetime 9000ipv6 nd ra dns server 2620:119:35:35ipv6 nd ra dns server 2620:119:53:53ipv6 dhcp server CLIENTSv6Vanity IP AddressULA with“vanity”Umbrella Recursive DNS ServersDHCPv6�����BRKIPV-275136 2023 Cisco and/or its affiliat
34、es.All rights reserved.Cisco Public#CiscoLiveBRKIPV-275137 2023 Cisco and/or its affiliates.All ri��������ghts reserved.Cisco Public#CiscoLiveCampus Lessons LearnedServiceRA originatio�������nPolicersIntended functionality to enable for end usersSVI location in the grand schemeBe aware of broadcast and multicast p
35、olicers on the network pathBRKIPV-������275138IPv6-only������ Management Access 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBeta in ProductionWorld IPv6 DayWorld IPv6 Launch DayTheoryIPv6 Certification:The IETF completes RFC 1883ExperimentDual stack experiments by ISPs,cellular ca
36、rriers,content providers,higher education,and others.Production StableIPv6-only becomes a topic of conversation at the North America������� IPv6 Summit.The IETF ratifies RFC 8200.IPv6-only conversationsIPv6 is born Dual stack strategy19961999 2005 2011 2�������012 2015 2023 The Journey to IPv6-OnlyStart with an e
37、ye on IPv6-onlyBRKIPV-275140 2������023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSimpler operationsSimpler operationsCost lessLess mistakesExtend lif������e of infrastructure*Why IPv6-only Management?Reduce attack surfaceReduce attack surfaceOne IP stack to supportBRKIPV-275141 2023
38、 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIs IPv6-only management with Cisco Meraki possible?BRKIPV-275142 2023 Cisco and/or its affiliates.Al������l rights reserved.Cisco Public#CiscoLiveIPv6 AddressingProduct Product FamilyFamilyIPv6 IPv6 AddressAddressSLAACSLAACRDNSSRDNSSSt
39、atic Static AssignmentAssignmentDHCPv6DHCPv6LSP*LSP*ReachabilityReachabilityLSP*LSP*AssignmentAssignmentMRYesYesYesYesNoYesYesMSYesYesYesYesNoYesYes*LSP:Local status pageOnly two IPv6 addresses expected:GUA/ULA and link-loca������lBRKIPV-275143 2023 Cisco and/or its affiliates.All rights reserved.Cisco P�����u
40、blic#CiscoLiveIPv6 Addressing Local Status Page(L�������SP)Address assignment via LSPLSP=GUI-based consoleBRKIPV-275144 2023 Cisco and/or its affiliates.All rights reserved�����.Cisco Public#CiscoLiveIPv6 Addressing Dashboard ViewMRMSBRKIPV-275145 2023 Cisco and/or its affiliates.All rights reserved.Cisco Publi
41、c#CiscoLiveIPv6 Monitoring and Troubleshooting(M&T)Product Product FamilyFamilyTraffic Traffic AnalyticsAnalyticsSyslogSyslogNetflowNetflowSNMPSNMPRADIUSRADIUSScanning Scanning APIAPIMRYesYesNoYesYesYesMSYesNoNo*Yes����YesN/A*MS390 will contain IPv6 records in netflow data.BRKIPV-275146 2023 Cisco and/o
42、r its af�����filiates.All rights reserved.Cisco Public#CiscoLiveIPv6 M&T-Traffic AnalyticsNetwork-wide-ClientsSpecific client page detailsVisibility for both IP protocols!BRKIPV-275147 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveNetwork-wide-Clients-specific clientIPv6 M&T
43、Address HistoryBRKIPV-275148 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveNetwork-wide-Clients-specific clientHybrid arc��������hitecture:ISR at the edge exampleIPv6 M&T Connection PathMeraki Management for Catalyst too!BRKIPV-275149 2023 Cisco and/or its affiliates.All rights
44、reserved.Cisco Public#CiscoLiveNetwork-wide-Generalsnmpwalk-v2c-t 10-c ������meraki12345 udp6:2601:2c3:c15c0:3656:feff:feb0:aaea:161SNMPv2-MIB:sysDescr.0=STRING:Meraki MS120-8FP Cloud Managed PoE SwitchSNMPv2-MIB:sysObjectID.0=OID:SNMPv2-SMI:enterprises.29671.2.340DISMAN-EVENT-MIB:sysUpTimeInstance=Timeti
45、cks:(10394196)1 day,4:52:21.96SNMPv2-MIB:sysName.0=STRING:KIAH-MS120-8FP-ASW-5S���NMPv2-MIB:sysLocation.0=STRING:UnknownSNMPv2-MIB:sysORID.1=OID:SNMPv2-MIB:snmpMIBSnippet Snippet OutputOutputIPv6 M&T SNMPBRKIPV-275150 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveNetwork-wi
46、de-GeneralDec 30 16:10:16 2601:2c3:8881:b5:e255:3dff:fec0:3c90 1 1609366217.028192575 KIAH_IPV6ONLY_MR52 airmarshal_ev�����ents type=rogue_ssid_detected ssid=bssid=DE:CB:AC:B9:73:1F src=DE:CB:AC:B9:73:1F dst=FF:FF:FF:FF:FF:FF wired_mac=E0:CB:BC:B9:73:1F vlan_id=25600 channel=161 rssi=23 fc_typ���������e=0 fc_subt
47、ype=8Sample Sample OutputOutput����Wireless network only option(for now)IPv6 M&T SyslogBRKIPV-275151 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSample Sample OutputOutputNetwork-wide-Generalsee�������nTime:2018-01-06T06:02:45Z,ssid:NAT64,os:null,clientMac:40:4e:36:89:fc:5b,seenE
48、poch:1515218565,rssi:48,ipv6:/2601:2c3:887f:5f73:c8b6:89c3:118c:d670,manufacturer:HTCIPv6 M&T MR Scanning APIBRKIPV-275152�������� 2023 Cis�������co and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6 SecurityProduct Product FamilyFamilyAccess Access Control ListControl ListRA GuardRA GuardDHCPv6
49、DHCPv6 GuardGuard802.1x802.1xLSP LSP AccessAccessMRYesYes1YesYesYesMSYesEarly accessEarly a�����ccess2YesYes1RA guard on by default.2“DHCPv6 guard”via ACL for now.BRKENT-3002BRKIPV-275153 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6 Security MS ACLs and FHSBlock DHCPv6“
50、Manual”First Hop Security(FHS)for DHCPv6 o������nly Centralized for all switches in networkSwitch-ACLBRKIPV-275154 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6 Security MR ACLs and FHSWireless-Firewall&traffic shapingRA Guard on by default!BRKIPV-275155 2023 Cisco and/or
51、 its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6 Security������� 802.1xMRMSSwitch-Access policiesWireless-Access controlBRKIPV-275156 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6 Dashboard ToolsProduct Product FamilyFamilyPingPingTracerouteTracerouteMTRMTRMR
52、YesYesN/AMSYesN/AYesBRKIPV-275157 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public��������#CiscoLiveIPv6 Dashboard Tools-PingDual-stackDue to the nature of N���AT64 when using the IPv4 literal instead of DNS nameBRKIPV-275158 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Ci
53、scoLiveYES!YES!Is IPv6-only management with Cisco Meraki possible?BRKIPV-275159Demo 2023 Cisco and/or its������ affiliates.All rights reserved.Cisco Public#CiscoLiveBRKIPV-275161 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveIPv6-Only ManagementTo be corrected soon.Still seeks
54、 an IPv4 address,but it does not use it to communicate t�������o dashboard.MRMSBRKIPV-275162The �������Future of the Enterprise 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveA v6-Centric FutureCisco Routing Meraki Access delivers the ability to:Manage your network over IPv6-only.Allow
55、 client traffic to reach the entire Internet.With a touch of simpler operations.C������isco:Your Companion on the Journey to IPv6Cisco:Your Companion on������� the Journey to IPv6CampusBranchTeleworkerBRKIPV-275164 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveWhat will happen when w
56、e enable IPv6 at the enterprise?A new universe opens up!A new universe opens up!BRKI����PV-275165 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveResourcesMonitor IPv6 Adoption(Cisco)Umbrella IPv6 DNS ServersCisco Meraki Community on IPv6Cisco Press:IPv6 for Enterprise Network
57、sBRKIPV-275166 20�����23 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFill out your session surveys!Attendees who fill out a minimum of four session surveys and the������� overall event survey will get Cisco Live-branded socks(while supplies last)!These points help you get on the leader
58、board and increase your chances of winning daily and grand prizesAttendees will also earn 100 points in the Cisco Live Challenge f��������or every survey completed.BRKIPV�����-275167 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicContinue your educationVisit the Cisco Showcase for related demos
59、Book your one-on-oneMeet the Engineer meetingAttend the interactive education with DevNet,Capture the Flag,and Walk-in LabsVisit the On-Demand Library for more sessions at www.CiscoL ��������2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKIPV-275169Thank you#CiscoLive 2023 Cisc
60、o and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveGamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open th�������e Cisco Events �����App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123471 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKIPV-275171#CiscoLive
sgpjbg002
工作日 8:30 - 17:30
报告分类
