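"Verifying Whether Systems Have Transitioned to IPv6.pdf" was shared by a member and can be read online; for more related material on "Verifying Whether Systems Have Transitioned to IPv6.pdf" (73-page collector's edition), search on 三个皮匠报告.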

Verifying Your Systems Transition to IPv6
Winning the journey & the outcome!

Mike Mikhail, Delivery Architect
MikeMikhail
BRKIPV-2000
#CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
The Transition Journey
Planning for Success
Test Plan
The Testing Environment
Test Cases

Introduction
About me
Mike Mikhail, Architect
Available for "Meet the Engineer" 1:1 & team discussions
Interests: ML/AI, Telemetry, SP technologies
IPv6 journey
1st design & PoC 2005
1st global 2009
Leading IPv6-Only Transition for critical environments

The Transition Journey

IPv6 Transition Areas
Business/mission 1st
IoT, Mission Partners, eCommerce, Data Lakes, Supply Chain
Interconnected & interdependent
Business Apps, Security, Ops, Enterprise Apps, Infra, Engineering, Clouds/aaS

The Transition Journey
Roadmap
Security Transformation
Assessments
Testing env: dual-stack, IPv6-only
Systems Transition Plans
Training
Addressing mechanisms, security
Translation mechanisms

The Transition Journey
Will likely include:
1. Roadmap: The plan for success throughout, and after transition
2. Security transformation: Security is dynamic & evolving, plus dual stack and IPv6-only change the attack surface
3. Assessment: Can the system work with IPv6? Is it suitable for IPv6-only future? Dependencies? Lifecycle?
4. Testing: for dual-stack operation, then for IPv6-only environment
5. System transition plans: Eng and Ops changes, how and when. May: upgrades, dual stacking, co-existence, next gen?

The Transition Journey
Will likely include:
6. Training: Engineering and Ops workforce need to be knowledgeable and capable
7. IPv6 addressing: Address allocation plan, addressing and binding mechanisms, first hop and mobility security
8. Transition mechanisms: NAT64, DNS64, ALGs; where, capacities, security, Ops

We'll focus on:
Roadmap
Security Transformation
Assessments
Testing env: dual-stack, IPv6-only
Systems Transition Plans
Training
Addressing mechanisms, security
Translation mechanisms
How to build & govern
How to verify

Planning for Success

Success Criteria
1. Business purpose: List of have-to functions
2. Performance metrics: SLA? Today's performance, QoE
3. Security criteria: Access controls, confidentiality, traceability
4. Ops controls & services: Tools, monitoring, security, provision, support
5. In-flight, anticipated, planned: Approved changes, projects, lifecycle
You should verify net gains, for duration of transition, and after!

Transition Timeline & Milestones
Two-phase transition, for most systems:
1. From IPv4 everything, to dual/mixed environment
2. Then gradually to diminished IPv4 clients/services/dependencies, to IPv4-free
During dual/mixed phase, each host can be:
1. IPv4-only: still fully dependent on IPv4 services, and can serve only over IPv4
2. Dual-stacked: the host/app behavior and selection of IP communication are based on several factors. Complexities vary!
3. IPv6-only: host is unaware & incapable of IPv4

Transition Timeline & Milestones, Continued
Systems/services have different timelines during dual-stack phase, with shifting behaviors:
1. Preference for IPv6 or IPv4 may vary. Examples: Happy Eyeballs, and OS preferences
2. Responses may vary. Example: DNS response
3. Capabilities may vary. Example: signaling over IPv4 only
4. Experience may vary. Examples: tracking/traceability over NAT64, multi-session restrictions
5. Paths & components may vary: Ships in the night

Timing is Everything!
[Diagram labels: Serving IPv4-only; Serving: IPv6 single-stack, Dual-Stack, IPv4 single-stack; Serving IPv6-only; System Under Test; Served/Services (clients/consumers); Dependencies (Servers: PKI, DNS, NTP, ...); Security, Network, Ops (skills, tools, processes)]

Business, Users, Ops Views
[Diagram labels: Serving IPv4-only; Serving: IPv6 single-stack, Dual-Stack, IPv4 single-stack; Serving IPv6-only; System Under Test; Served/Services (clients/consumers); Dependencies (Servers: PKI, DNS, NTP, ...); Security, Network, Ops (skills, tools, processes); Most problematic; Reference levels; Most important]

System Transition Methods
1. Transition to next gen system. Dual systems to support transition phase.
   Example: phase in new cloud-based architecture, then gradually phase out legacy system
   Legacy may continue to serve IPv4-only. New to serve dual-stacked and IPv6-only
2. Transition to next gen system. Augment/upgrade existing to support transition phase.
   New system comes at end of transition phase, and is IPv6-only
   Legacy is upgraded or NAT augmented to support both IPv4 and IPv6 during transition phase
3. Current system is future-proof, can serve & function both IPv4 and IPv6

Transition Under Test!
[Diagram labels: Serving IPv4-only; Serving: IPv6 single-stack, Dual-Stack, IPv4 single-stack; Serving IPv6-only; Served/Services (clients/consumers); System A, existing; System B, existing; Next gen system; + transitional mechanisms]

Transitional NAT64, DNS64, ALGs

The DNS64 Game!
[Diagram; recoverable labels follow]
Inside client: 2001:DB8:ACE:100
Web server: 203.0.113.225
DNS server: 198.51.100.129
outside IPv4: 198.51.100.1
Address pairs shown: 2001:DB8:ACE:100 / 198.51.100.1; 203.0.113.225 / 2001:DB8:CAFE:E225; 2001:DB8:E:E129 / 203.0.113.129; 198.51.100.129 / 2001:DB8:E:E129
DNS: ?
DNS: A 203.0.113.225, AAAA 2001:DB8:CAFE:E225

Check Gates
[Diagram labels: Serving IPv4-only; Serving: IPv6 single-stack, Dual-Stack, IPv4 single-stack; Serving IPv6-only; Served/Services (clients/consumers); System A, existing; System B, existing; Next gen system; + transitional mechanisms]

Verification & Validation: You need both!
Verification
Testing the system against requirements and specifications
Using test cases in lab environment
Example: is the ambulance reaching the correct destination within the time limit?
Validation
Stakeholders sign on satisfactory fulfillment of the business goals
Through user feedback and business metrics in production pilots
Example: has the patient reached the best care location for the case, alive and in better/stable condition?

Sources of Trouble
1. Behavioral differences between IPv6 and IPv4:
   a. A host may have several IPv6 addresses, dynamically bound, of different lifetimes, scopes & gateways. Each OS has preferences and choice algorithms
   b. Some protocols and mechanisms are different from IPv4, including address delegation, RA, ND, MTU, MLD
2. IPv6 and IPv4 protocol co-existence:
   a. Ships in the night, mostly.
   b. Except at dual-stacked endpoints!
   c. Node performance may significantly vary.
   d. Resiliency may not be same nor equal.
   e. Resources might not be sufficient. Memory, control plane state tables, etc.

Sources of Trouble - Continued
3. IPv6-only, IPv4-only, dual-stacked hosts co-existence:
   a. Using same applications? Probably not! Transitioning between applications based on transition status.
   b. Can they consume group services, equally and collectively? Such as collaboration, conferencing, IPTV
   c. How about 3rd party, Mission Partners, and external services? Cloud/XaaS, real-time, productivity, Data Lakes?
   d. Is QoE improving?
   e. Can we monitor, track, support, lifecycle control?

The Dual-Stack (Coexistence) Checklist
Can it work over IPv6? Which IPv6 address?
Behavior, MTU, path, perf, auth, encryption, monitoring?
Will it use IPv6 only or both? Consistently?
What if, Resiliency, Happy Eyeballs/Fast Fallback apps?
Control plane load?
Ops on par with IPv4?
Management? Controlled and guest hosts
Security: can be traced and dynamically evaluated as a single identity?

Which Addresses?
MAMIKHAI-M-D9HK:mamikhai$ ifconfig -a inet6
lo0: flags=8049 mtu 16384
    options=1203
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201
gif0: flags=8010 mtu 1280
stf0: flags=0 mtu 1280
anpi1: flags=8863 mtu 1500
    options=400
    inet6 fe80::7c23:99ff:febe:dcdf%anpi1 prefixlen 64 scopeid 0x4
    nd6 options=201
anpi2: flags=8863 mtu 1500
    options=400
    inet6 fe80::7c23:99ff:febe:dce0%anpi2 prefixlen 64 scopeid 0x5
    nd6 options=201
anpi0: flags=8863 mtu 1500
    options=400
    inet6 fe80::7c23:99ff:febe:dcde%anpi0 prefixlen 64 scopeid 0x6
    nd6 options=201
...
The host may have choices, at different times and transports!

Which Global Addresses?
MAMIKHAI-M-D9HK:mamikhai$ ifconfig -a inet6 | grep mtu|inet6.2
lo0: flags=8049 mtu 16384
gif0: flags=8010 mtu 1280
stf0: flags=0 mtu 1280
anpi1: flags=8863 mtu 1500
anpi2: flags=8863 mtu 1500
anpi0: flags=8863 mtu 1500
en4: flags=8863 mtu 1500
en5: flags=8863 mtu 1500
en6: flags=8863 mtu 1500
en1: flags=8963 mtu 1500
en2: flags=8963 mtu 1500
en3: flags=8963 mtu 1500
ap1: flags=8843 mtu 1500
en0: flags=8863 mtu 1500
    inet6 2600:4040:28b5:9a00:1ce6:1080:361f:3dd3 prefixlen 64 autoconf secured
    inet6 2600:4040:28b5:9a00:bd73:a3fd:3cdc:308f prefixlen 64 autoconf temporary
bridge0: flags=8863 mtu 1500
awdl0: flags=8943 mtu 1500
...
The host may use to communicate.

Which Global Addresses? - continued
...
llw0: flags=8863 mtu 1500
utun0: flags=8051 mtu 1380
utun1: flags=8051 mtu 2000
utun2: flags=8051 mtu 1000
utun3: flags=80d1 mtu 1390
    inet6 2001:420:c0c4:1002:485 prefixlen 128
MAMIKHAI-M-D9HK:mamikhai$

Which Route/Interface/Tunnel?
MAMIKHAI-M-D9HK:mamikhai$ netstat -nr -f inet6
Routing tables
Internet6:
Destination Gateway Flags Netif Expire
default link#21 UGCSg utun3
default fe80::485c:53ff:fe34:5ed8%en0 UGcIg en0
default fe80::%utun0 UGcIg utun0
default fe80::%utun1 UGcIg utun1
default fe80::%utun2 UGcIg utun2
::1 ::1 UHL lo0
2001:420:c0c4:1002:485 link#21 UHL lo0
2001:4860:4860::8888 link#21 UGHW3Ig utun3 8
2001:4998:14:800:1000 link#21 UGHWIig utun3
2001:4998:14:800:1001 link#21 UGHW3Ig utun3 !
2001:4998:58:207:6000 link#21 UGHWIig utun3
2600:1402:800:1700:af91/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2600:1402:800:1700:afa0/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2600:1402:6800:284:4b36/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2600:1402:6800:286:753/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2600:1402:6800:286:4b36/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2600:1402:6800:288:d42/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2600:1402:6800:291:753/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
...
The host's choice.

Which Route/Interface/Tunnel? - continued
...
2600:4040:28b5:9a00::/64 link#21 UCS utun3
2600:4040:28b5:9a00:1ce6:1080:361f:3dd3 98:dd:60:34:f6:0 UHL lo0
2600:4040:28b5:9a00:bd73:a3fd:3cdc:308f 98:dd:60:34:f6:0 UHL lo0
2600:9000:2009:600:1e:9124:6080:93a1/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
...
2603:1030:20e:3:4/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2603:1036:206:14:2/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
...
2603:10e1:100:2:34bc:8a98/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2606:2800:11f:17a5:191a:18d5:537:22f9/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2606:4700:4400:ac40:9159 link#21 UGHWIig utun3
...
2620:149:a42:905:c/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2620:149:a42:905:10/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2620:1ec:21:11/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2620:1ec:21:14 link#21 UGHWIig utun3
2620:1ec:40:41/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
...
2620:1ec:bdf:57/128 fe80::485c:53ff:fe34:5ed8%en0 UGSc en0
2a03:2880:f003:112:face:b00c:0:2 link#21 UGHWIig utun3
fe80::%lo0/64 fe80::1%lo0 UcI lo0
fe80::1%lo0 link#1 UHLI lo0
...
Callout on the 98:dd:60:34:f6:0 gateway entries: en0 MAC

Connections Over IPv6, IPv4, Mix?
MAMIKHAI-M-D9HK:mamikhai$ netstat -n
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.82.241.32.64750 54.146.179.252.443 ESTABLISHED
tcp6 0 70 2001:420:c0c4:10.64748 2607:f8b0:4004:c.443 ESTABLISHED
tcp6 0 0 2001:420:c0c4:10.64747 2607:f8b0:4004:c.443 ESTABLISHED
...
tcp6 0 0 2001:420:c0c4:10.64735 2607:f8b0:4004:c.5228 ESTABLISHED
tcp4 0 0 10.82.241.32.64733 172.253.63.188.443 FIN_WAIT_2
tcp4 0 0 10.82.241.32.64695 192.111.4.110.443 ESTABLISHED
tcp6 0 0 2600:4040:28b5:9.64694 2603:1036:2404:1.443 ESTABLISHED
tcp6 0 0 2001:420:c0c4:10.64690 2607:f8b0:4004:c.5228 FIN_WAIT_2
...
tcp4 0 0 172.24.12.169.64318 64.207.197.226.4287 ESTABLISHED
...
tcp4 0 0 10.82.241.32.50411 1.0.0.1.53 CLOSE_WAIT
tcp4 5610 172.24.12.169.50097 8.8.8.8.53 ESTABLISHED
...
udp4 576 0 172.24.12.169.58716 23.89.56.135.5004
udp4 576 0 172.24.12.169.56831 170.72.220.135.5004
udp4 0 0 172.24.12.169.64188 8.8.8.8.53
udp4 0 0 10.82.241.32.55801 1.0.0.1.53
...
Callout on the port 53 entries: DNS over IPv4
Verify for app, dependencies, services, signaling

What's the Server Listening on?
MAMIKHAI-M-D9HK:mamikhai$ netstat -an | grep LISTEN
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp4 0 0 127.0.0.1.15310 *.* LISTEN
tcp4 0 0 127.0.0.1.631 *.* LISTEN
tcp6 0 0 ::1.631 *.* LISTEN
tcp4 0 0 127.0.0.1.62722 *.* LISTEN
tcp4 0 0 127.0.0.1.60012 *.* LISTEN
...
tcp4 0 0 127.0.0.1.29754 *.* LISTEN
tcp6 0 0 ::1.17223 *.* LISTEN
tcp4 0 0 127.0.0.1.17223 *.* LISTEN
tcp4 0 0 127.0.0.1.4244 *.* LISTEN
...
tcp6 0 0 *.5000 *.* LISTEN
tcp4 0 0 *.5000 *.* LISTEN
tcp6 0 0 *.7000 *.* LISTEN
tcp4 0 0 *.7000 *.* LISTEN
tcp46 0 0 *.49152 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
MAMIKHAI-M-D9HK:mamikhai$
Is it serving/signaled over IPv4, IPv6, or both?

Mix of Host OS, Including BYOD
Check for different behaviors, preferences. Android example
[Screenshot callouts: Server listening services; Host addresses on connections; Ongoing stream performance; Using IPv6 initial performance; Using IPv4 performance]

Host Interfaces and Addresses
Dynamically changing
[Screenshot callouts: Active interface; Carrier-side IPv4 address; Wifi IPv4 address; Carrier-side IPv6 address; IPv6 global addresses; IPv6 DNS; Interface link local address]

Check the Paths and Performance
Use app-specific metrics & tools

Server Listening Ports
Which ports, which IP version?
Scan all IP addresses
Check listening ports for IPv4 & IPv6
Check against security policy & filters
Check listening ports for functionality and performance
Check listening processes for load & resource consumption

Translation Issues
1. NAT64: Stateless (usually IPv4-only server-side) or stateful? Impact: scale, performance, traceability
2. Server load balancers?
3. Where's NAT64 placed? Impact: path/performance
4. DNS64: DNS responses, client interactions
5. ALGs: Necessary complexity, working deep on protocol specifics

Test Plan

Verification Areas
1. Functional: Services, interop, service interfaces.
2. Compliance: Regulatory, certification, constraints.
3. Security: Equivalent or better!
4. Performance: Service rates, user experience, control resources.
5. Operation: Visibility, tools, processes.
Behavioral differences
2 sets of protocols
3 classes of hosts
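
The "Server Listening Ports" checks earlier in the deck (listening ports for IPv4 & IPv6, checked against security policy) can be automated per address family. The following is an added example, not part of the original slides: it parses constructed sample lines in the macOS `netstat -an | grep LISTEN` layout shown earlier and compares network-reachable listeners against a hypothetical allow-list (`POLICY`, port 8443 and the function names are assumptions).

```python
import re
from collections import defaultdict

# Constructed sample in the macOS `netstat -an | grep LISTEN` layout.
SAMPLE = """\
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.8443                 *.*                    LISTEN
tcp6       0      0  *.5000                 *.*                    LISTEN
tcp46      0      0  *.49152                *.*                    LISTEN
tcp4       0      0  127.0.0.1.15310        *.*                    LISTEN
"""

# Hypothetical allow-list (assumption, not from the slides): ports that the
# security policy permits to be reachable from the network, per address family.
POLICY = {"v4": {22, 8443}, "v6": {22, 8443}}

# tcp46 is a dual-stack socket: one listener serving both IPv4 and IPv6.
FAMILIES = {"tcp4": ("v4",), "tcp6": ("v6",), "tcp46": ("v4", "v6")}

# Local address is "<addr>.<port>"; the port follows the last dot.
ROW = re.compile(r"^(tcp46|tcp4|tcp6)\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+\S+\s+LISTEN\s*$")


def is_loopback(addr):
    """True for sockets bound to loopback only (not reachable from the network)."""
    return addr.startswith("127.") or addr.split("%")[0] == "::1"


def exposed_ports(netstat_text):
    """Return {family: set(ports)} for listeners reachable from the network."""
    ports = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, UDP rows, non-LISTEN states
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if is_loopback(addr):
            continue
        for fam in FAMILIES[proto]:
            ports[fam].add(port)
    return ports


def audit(netstat_text, policy):
    """Compare exposure across families and against the allow-list."""
    ports = exposed_ports(netstat_text)
    v4, v6 = ports["v4"], ports["v6"]
    fams = ("v4", "v6")
    return {
        # Served over one family only: breaks IPv6-only or IPv4-only clients.
        "v4_only": sorted(v4 - v6),
        "v6_only": sorted(v6 - v4),
        # Reachable but not permitted: exposure the IPv4-era policy never covered.
        "not_in_policy": sorted((f, p) for f in fams for p in ports[f] - policy[f]),
        # Permitted but not listening: service missing on that family.
        "missing": sorted((f, p) for f in fams for p in policy[f] - ports[f]),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE, POLICY).items():
        print(f"{finding}: {value}")
```

Run it against output captured on the system under test at each transition phase; a port that appears under `v6_only` or `not_in_policy` for `v6` is the case where IPv4 filters give no protection.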

Sources of Metrics & Pass Criteria
For Verification Testing and deployment Pilots
1. Standards and regulations
   Applicable per country, industry, stakeholders. Examples: OMB, HIPAA, NIST, GDPR
2. Quality of experience
   Lab: SLA gains at every stage
   Pilots: user feedback and evaluation
3. Competition
   How the industry measures performance? Examples: rate of transactions, session duration
4. Ops metrics
   Such as rate of case open/resolution.
5. Performance & Ops trends
   Watch for unexpected negatives
Metrics to cover every user, business, security, compliance requirement!

In all Areas, Account for:
Behavioral differences: IPv6 & IPv4 have different structures, protocols, mechanisms, security, mobility, preferences, etc.
2 sets of: protocols, perimeters, interfaces, threats, etc.
3 classes of hosts: Dual stacked, IPv6-only, IPv4-only, with OS-specific behaviors.

The Testing Environment

Effective & Efficient for All Apps

The IPv6 Transition Lab Should...
1. Mimic production environment
2. Include common infrastructure component, network services, and external interfaces
3. Sanitized replicas of databases
4. Facilities for traffic, session, transaction, load, fault simulation
5. Archiving and documentation means
6. Clean up, entry/exit criteria, and procedures
7. Safe from production access, contamination, mix up

Lab Microscopes
1. Firewalls see (and permit/block/reset) every conversation
2. Traffic generator profiles performance
3. Controllers (responsible for signaling)
4. Host communication stacks
5. Sensors and sniffers
Rule: A device cannot be the judge for its own operation!
Preference: multiple reading points. Example: close to headend & tailend.
[Diagram labels: v4; v6; 6+4]

Lab Microscopes: Firewalls
firepower(config)# show conn all
17 in use, 4005 most used
Cluster:
    fwd connections: 0 in use, 914 most used
    dir connections: 0 in use, 5151 most used
    centralized connections: 5 in use, 2402 most used
    VPN redirect connections: 0 in use, 0 most used
Inspect Snort:
    preserve-connection: 2 enabled, 0 in effect, 1341 most enabled, 0 most in effect
TCP outside 2001:db8:20:4:6781 NP Identity Ifc 2001:db8:30:4:80, idle 0:00:12, bytes 0, flags aAc
TCP outside 2001:db8:20:a:1257 NP Identity Ifc 2001:db8:30:a:80, idle 0:00:16, bytes 0, flags aAc
TCP outside 2001:db8:20:2:44004 NP Identity Ifc 2001:db8:30:2:80, idle 0:00:12, bytes 0, flags aAc
TCP outside 2001:db8:20:a:1258 NP Identity Ifc 2001:db8:30:a:80, idle 0:00:03, bytes 0, flags aAc
OSPF outside ff02::5 inside fe80::250:56ff:fea3:542d, idle 0:00:06, bytes 34704, flags cN1
OSPF outside 224.0.0.5 inside 112.10.0.1, idle 0:00:03, bytes 73188, flags N1
UDP cluster 10.10.10.3:49495 NP Identity Ifc 255.255.255.255:49495, idle 0:00:09, bytes 6272630, flags -
TCP cluster 10.10.10.3:57606 NP Identity Ifc 10.10.10.2:10851, idle 0:00:00, bytes 960, flags UO
TCP cluster 10.10.10.3:56908 NP Identity Ifc 10.10.10.2:10843, idle 0:00:49, bytes 7960, flags UO
UDP cluster 10.10.10.3:49495 NP Identity Ifc 10.10.10.2:49495, idle 0:00:11, bytes 2629772, flags -
TCP cluster 10.10.10.3:9670 NP Identity Ifc 10.10.10.2:49498, idle 0:00:55, bytes 640, flags UO
UDP nlp_int_tap 169.254.1.3:123 NP Identity Ifc 169.254.1.1:65535, idle 0:00:47, bytes 13728, flags -
...
Packet inspection: see, track, count, and sometimes spoof or reset!

Governance & Controls
1. Scheduling, check-in/out controls
2. The "clean" state, clean up routines, reset
3. Entry criteria: Test plan: topology, resources, production replicas, test cases; Transition plan: phases, timeline
4. Exit criteria: Report, archive, logs, re-create capabilities
5. Data handling & safety: Lab data is sanitized, secured; inaccessible & unusable outside
[Diagram label: Clean]

Test Cases

Functional: Purpose, Services, Outcomes

Functional Test Cases
1. Service availability to every authorized consumer
2. Session capacity: Concurrent session capacity. Example: number of session endpoints, with mix of endpoints in session, to maximum number of concurrent sessions.
3. System capacity: Maximum number of, per location, resource utilization, under different IPv4+IPv6 mixes
4. Dependencies: DNS, NTP, PKI, external interfaces. At their transition points on the transition timeline.

Performance: Combinations to Test
Host controls: Who, how?
OS: preferences, behaviors, policies
Transport modes: Perf, mobility, network & security services

Performance: User Experience

Performance Test Cases
1. Quality of Experience: substantial improvement along timeline
2. Engines performance with protocol mix/coexistence. Response, error handling, capacity, latency, might be different.
3. Mobility, teleworking, mode of transport, can cause performance issues/differences between IPv6 and IPv4 sessions
4. Encryption/tunneling: MTU? Translations? Can be performance differentiators!

Performance: Optimum & Consistent?

Compliance & Security
1. Regulatory: Does the system satisfy/comply with regulatory controls? Examples: HIPAA, GDPR
2. Certification/testing required/verified? Examples: NIST FIPS, JITC APL, USGv6, CJIS
3. Security services: PKI, IDAM, traceability, non-repudiation
4. Threat exposure, & attack surfaces
5. Anomaly detection
6. Incident handling

Security: Segmented Paths & Controls

Control & Signaling Test Cases
1. Signaling: Is all signaling possible in IPv6-only?
2. Control plane: Can control planes, state tables, handle coexistence loads up to capacity?
3. Protection: Control protections/exposures in dual-stack environment

Ops Test Cases
1. Visibility: Do we effectively monitor dual protocol environment?
2. Provision, change, for IPv6 on par with IPv4
3. Processes: Reporting and handling of IPv6 and dual-stack cases
4. Self service: Improved user self serve and lifecycle experience
5. Support: Can we troubleshoot effectively and efficiently?

Conclusion
1. Prove the benefits. It is an upgrade!
2. Test thoroughly before any and every change!
3. Coexistence phase is expensive and risky!
4. Transition is a path to next gen systems.
5. It is a journey into the future, so keep up to date.
6. Testing = Plan + Test env + Test cases