Approach to running an IPv6 Pilot

How do you start an IPv6 pilot? It is a puzzling question, because everything we know about networking must be enabled for IPv6. You can start from any side, but some sides are less steep and let you walk up step by step instead of climbing overhanging walls.

Let’s look at deployment scenarios first. For the majority of organizations, it would be one of the following two choices:

  1. Start on the external perimeter (public DMZ) and expand to the inside.
  2. Start on the internal core network and expand to the outside.

I believe that an IPv6 pilot on an external test DMZ is the most efficient way to learn IPv6, as with minimum investment the organization can obtain a wealth of knowledge.

What is needed for that?

  • Obtain public IPv6 space (if you haven’t done so already).
  • Confirm with your internet provider that they support IPv6. Ask them to activate it at your test site.
  • Create a new DMZ segment dedicated to the IPv6 pilot.
  • Create new (virtual) servers as the web front-end.
  • Think about DNS. Do not create AAAA records for your public names; instead, use temporary names created for test purposes only.

Sounds simple? Yes, it is. By now your test servers are live and reachable from the internet. However, that was not the pilot yet, just the preparations. We need to think a level deeper.

  • Check if you have a decent IP Address Management tool to keep track of IPv6 allocations. Check if it is integrated with DNS. IPv6 addresses are so long that you don’t want to handle them manually. As much as possible must be automated.
  • If you don’t have a proper company-wide IP address allocation strategy, this is the time to create one. IPv6 is a greenfield deployment after all. Come up with the best IP summarization policy that you can think of.
  • Check how many ISP attachments you have, including on different continents. Although PI address ranges are not supposed to be bound to a particular region, you will still need to obtain PI IPv6 ranges in all regions.
  • Check if your monitoring systems, for both network and servers, can operate via IPv6 and provide all the required reporting about IPv6.
  • Check what ISP redundancy you currently have. If it does not use BGP but relies on NAT, you may have trouble. IPv6 ISP resiliency requires BGP.
  • Check if your IPv6-enabled front-end can talk to IPv4 back-end servers and databases.
  • Check if your public front-end servers would usually be reachable via load balancers. If so, assess the load balancers’ capabilities and consider including them in the IPv6 pilot setup.
  • Enable both v4 and v6 for your test servers and evaluate the fail-over time from one protocol family to the other.
  • Assess the IPv6 security policy on your firewalls. A number of protocols have changed from v4 to v6; the expanded scope of ICMPv6 is an example.
  • Assess first hop security on your test server segment. Create the model for the future deployment.
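
The firewall and first-hop points in the list above, as an added example that is not from the original article: a simplified ICMPv6 filter decision in Python, loosely following the RFC 4890 filtering recommendations, compared with an echo-only rule carried over from IPv4. The two chain names, the policy itself and the sample packets are assumptions constructed for illustration.

```python
# Added illustration: ICMPv6 filter decisions for a pilot DMZ firewall.
# Type numbers are from the IANA ICMPv6 registry; the policy is a simplified assumption.
ERRORS = {1, 2, 3, 4}  # Dest Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
ECHO = {128, 129}      # Echo Request, Echo Reply
NEIGHBOR_DISCOVERY = {133, 134, 135, 136}  # RS, RA, NS, NA (the ARP replacement)


def decide(chain, icmp_type, hop_limit):
    """Return 'accept' or 'drop' for one ICMPv6 packet.

    chain 'forward' = transit through the firewall,
    chain 'input'   = addressed to the firewall's own interface on the segment.
    """
    if icmp_type in ERRORS:
        # Type 2 carries path MTU discovery. IPv6 routers never fragment,
        # so dropping it black-holes large packets.
        return "accept"
    if icmp_type in ECHO:
        return "accept"
    if icmp_type in NEIGHBOR_DISCOVERY:
        # ND is link-local: never forward it, and on input require
        # hop limit 255, which shows the packet was not routed.
        return "accept" if chain == "input" and hop_limit == 255 else "drop"
    return "drop"  # default deny for everything not listed


def ipv4_habit(chain, icmp_type, hop_limit):
    """An IPv4-era rule carried over unchanged: allow ping, drop the rest."""
    return "accept" if icmp_type in ECHO else "drop"


# Constructed sample traffic: (chain, type, hop limit, description)
SAMPLES = [
    ("forward", 2, 57, "Packet Too Big toward web front-end"),
    ("forward", 128, 52, "ping from internet"),
    ("input", 135, 255, "server resolving its gateway"),
    ("input", 135, 64, "Neighbor Solicitation that crossed a router"),
    ("forward", 134, 255, "Router Advertisement trying to transit"),
]


def broken_by_ipv4_habit():
    """Traffic the IPv6 policy needs but the carried-over rule drops."""
    return [d for c, t, h, d in SAMPLES
            if decide(c, t, h) == "accept" and ipv4_habit(c, t, h) == "drop"]


if __name__ == "__main__":
    print("broken by echo-only rule:", broken_by_ipv4_habit())
```
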

With all these little things put together, this pilot will give you a good feel for IPv6.


Alex Mavrin, CCIE #7846


2 comments

  1. paul snoep

    Hi Alex,

    You’ve omitted a few items in the test setup, at least imho.

    To be able to run IPv6, you will need devices supporting this. So when you prepare your test DMZ, the devices interconnecting this test DMZ should be IPv6 capable. Secondly, I prefer to run internet connectivity directly to AMS-IX or an interconnecting party, like NL-IX. Besides your own range, you will need the AS numbers as well. RIPE – registry is needed.

    Any suggestions on running an ip-plan tool?

    Thanks
    Paul

    1. Thanks, Paul,

      Indeed, I have made a few assumptions in order to keep the article short. IPv6 support as well as BGP arrangements are “by default” in the scope too, that’s right.

      On the IPAM tool, the last time I did the comparison was nearly a year ago; I guess I need to redo it.

      Thanks,
      Alex
