IPv6 in the Enterprise Using EX Series Switches

White Paper
Copyright © 2012, Juniper Networks, Inc.
IPv6 IN THE ENTERPRISE
USING EX SERIES SWITCHES
EX Series Ethernet Switches Enable Simultaneous
IPv4 and IPv6 Network Deployments, Easing the
Transition to IPv6
White Paper - IPv6 in the Enterprise Using EX Series Switches
Table of Contents
Executive Summary
Introduction
IPv6 in the Enterprise
Deploying IPv6 Using EX Series Switches
  IPv6 Infrastructure
  IPv6 Unicast Routing
  IPv6 Multicast Routing
  IPv6 Firewall Filters and Filter-Based Forwarding
  VRRP for IPv6
  Virtual Chassis Technology
  High Availability
  DHCPv6 Server/Relay
  Port Security
  6PE and 6VPE
  Management and OAM
  Licensing
  Certification
Conclusion
Appendix A: Supported RFCs
About Juniper Networks
Executive Summary
Today, the pool of available IPv4 addresses is close to being exhausted. As a result, enterprises need to move to
an IPv6 infrastructure in order to maintain and scale their operations. The increased deployment of IPv6-based
applications and services such as Windows Server is helping speed up this adoption. While it is imperative for
enterprises to migrate to an IPv6 network infrastructure, it is important that the network also simultaneously support
IPv4 to ensure a smooth transition and minimize capital expenditures and business disruption. In addition, the services
available in an IPv6 network should be equivalent to or better than those available in an IPv4 network.
Juniper Networks® EX Series Ethernet Switches enable enterprises to build their next-generation IPv6 networks in a
cost-effective manner, while ensuring minimal impact to their ongoing business operations. The IPv6 infrastructure
available on the EX Series switches is derived from the same carrier-class Juniper Networks Junos® operating system
that runs on other Juniper routing, switching, and security platforms.
Introduction
IPv4 was designed to provide 2^32 (~4.3B) addresses. This addressing structure makes it difficult to distinctly identify
every Internet device or service. Classless Interdomain Routing (CIDR) and Network Address Translation (NAT) were
developed to delay the exhaustion of IPv4 addresses. But several factors have driven up the demand for addresses,
exacerbating the problem and accelerating the move to IPv6. These include:
• An exponential increase in the number of mobile phones, personal digital assistants (PDAs), and other wireless devices
that require a unique IP address
• A rapid increase in the number of people with persistent Internet access in emerging markets such as Brazil, Russia, India,
and China
• The emergence of applications such as virtualization that allow the instantiation of multiple operating systems on a
single device, with each virtual system requiring its own IP address
In February 2011, the Internet Assigned Numbers Authority (IANA) assigned the last five class A IPv4 address blocks to
the regional Internet registries (RIRs), officially depleting the global pool of fresh blocks of addresses. In April 2011,
the Asia Pacific Network Information Center (APNIC) was the first RIR to completely run out of IPv4 addresses.
IPv6 is the next version of IP, developed by the Internet Engineering Task Force (IETF) to deal with the problem posed
by the exhaustion of IPv4 addresses. Its benefits include:
• A large address space: 2^128 addresses vs. 2^32 for IPv4
• Stateless address autoconfiguration that simplifies deployment, maintenance, and operations, leading to significant
cost savings
• Optimized bandwidth usage with efficient multicasting capabilities
• Improved support for mobility and quality of service
• Mandatory, built-in security
IPv6 in the Enterprise
Enterprises are migrating to IPv6 not just to deal with the IPv4 address exhaustion problem, but also to deploy
IPv6-based applications and services. In order to migrate to IPv6, enterprise customers must provide the following:
• An IPv6 network infrastructure that is equivalent to or better than the IPv4 network infrastructure
• Simultaneous support for IPv4 and IPv6 deployments in the network
• A highly available IPv6 network infrastructure
• Management of network devices over IPv6
• IPv6 port security to prevent loss of information and productivity
• Scale and performance to support next-generation IPv6 networks
Deploying IPv6 Using EX Series Switches
The EX Series Ethernet switch product family supports a dual-stack implementation that allows for the concurrent
deployment of IPv4 and IPv6 networks. EX Series switches provide wire-speed IPv6 forwarding performance using their
ASIC-based Packet Forwarding Engines (PFEs).
IPv6 Infrastructure
IPv6 Neighbor Discovery is a protocol that replaces and enhances the Address Resolution Protocol (ARP) function in
IPv4. It is responsible for determining the link-layer addresses of other nodes, address prefix discovery, and discovery of
other nodes on the link.
IPv6 stateless address autoconfiguration allows a node to automatically configure its addresses based on router
advertisements. When first connected to a network, a host sends a router solicitation request for its configuration
parameters. Routers respond to such requests with a router advertisement message that contains the network
parameters. Replacing manual configuration with autoconfiguration not only makes the network easier to manage, but
also significantly reduces operating expenses.
Path maximum transmission unit (MTU) discovery allows a node to discover and take advantage of paths with an MTU
greater than the IPv6 minimum link MTU. When transmitting data, it is preferable to send the largest packets that can
successfully traverse the entire path from source to destination. Sending packets smaller than the path MTU wastes
network resources and provides suboptimal throughput for the enterprise network.
EX Series switches support Neighbor Discovery Protocol (NDP), path MTU discovery, and stateless address
autoconfiguration (SLAAC).
IPv6 Unicast Routing
The EX Series switches support IPv6 unicast routing in both global and virtual router environments. Interior gateway
protocol (IGP) for IPv6, including RIPng, OSPFv3, IS-IS, and multiprotocol Border Gateway Protocol (MBGP) for IPv6,
are also supported.
IPv6 Multicast Routing
Multicast is used in the enterprise to support applications such as audio/video streaming, desktop conferencing, and
collaborative communication. Multicast Listener Discovery (MLD), a component of the IPv6 protocol suite that is
included as part of Internet Control Message Protocol (ICMPv6), is used by IPv6 nodes to discover multicast hosts
connected to them. It is equivalent to Internet Group Management Protocol (IGMP) in IPv4. MLDv1 is similar to IGMPv2, and
MLDv2 is similar to IGMPv3.
MLD snooping is a subset of the MLD protocol that helps conserve network bandwidth by reducing the flooding of multicast
IPv6 packets. Without MLD snooping, a node that receives a packet with a multicast destination address floods the packet
to all ports in the same VLAN. With MLD snooping, the packet is sent only to ports that have listeners/hosts for that address.
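The flooding and snooping behavior described above, as an added example that is not code from the white paper or from Junos. The class, port names, and the immediate-leave handling of Done messages are assumptions made for illustration; the all-nodes address is always flooded because no listener reports are sent for it.

```python
import ipaddress
import struct

MLD_REPORT, MLD_DONE = 131, 132                 # MLDv1 ICMPv6 message types
ALL_NODES = ipaddress.IPv6Address("ff02::1")    # no reports are sent for this group


class MldSnoopingVlan:
    """Listener table for one VLAN (hypothetical model, not Junos code)."""

    def __init__(self, ports, router_ports=()):
        self.ports = set(ports)
        self.router_ports = set(router_ports)   # always receive multicast
        self.listeners = {}                     # group -> ports with listeners

    def snoop(self, port, icmp6):
        """Learn from an MLDv1 Report or Done seen on `port`; True if used."""
        if len(icmp6) != 24 or icmp6[0] not in (MLD_REPORT, MLD_DONE):
            return False
        group = ipaddress.IPv6Address(icmp6[8:24])
        if not group.is_multicast:
            return False                        # bogus group address: ignore
        if icmp6[0] == MLD_REPORT:
            self.listeners.setdefault(group, set()).add(port)
        else:
            # Assumption: immediate leave, without waiting for a query round.
            members = self.listeners.get(group, set())
            members.discard(port)
            if not members:
                self.listeners.pop(group, None)
        return True

    def egress_ports(self, in_port, dst, snooping=True):
        """Ports a multicast packet to `dst` is sent out of."""
        group = ipaddress.IPv6Address(dst)
        if not snooping or group == ALL_NODES:
            out = self.ports                    # flood every port in the VLAN
        else:
            out = self.listeners.get(group, set()) | self.router_ports
        return sorted(out - {in_port})


def mld_message(msg_type, group):
    """Constructed sample: 24-byte MLDv1 message (checksum left as zero)."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, 0, 0)
    return header + ipaddress.IPv6Address(group).packed
```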
Protocol Independent Multicast (PIM) for IPv6 is a multicast routing protocol that allows IPv6 nodes to discover other
nodes that can receive multicast packets.
The EX Series switches support MLDv1/2 and PIM for IPv6, along with IPv6 multicast routing in both global and virtual
router environments. MLDv1/2 snooping is also supported.
IPv6 Firewall Filters and Filter-Based Forwarding
EX Series switches support both behavior aggregate (BA) and multifield classifiers. The BA classifier maps the DiffServ
code point (DSCP) bits to a forwarding class and loss priority. While the forwarding class determines the output queue,
the loss priority is used by a scheduler to control packet discards during periods of congestion. Multifield classifiers
examine multiple fields in a packet such as source and destination IPv6 address. The forwarding class and loss priority
of a packet are determined through firewall filter rules.
Rewrite rules map the forwarding class and loss priority to the DSCP bits in the IPv6 packet before sending the packet
to the next hop. Firewall filters subject packets to filtering, classification, and traffic policing. The EX Series switches
support filters for IPv6 traffic that can match on several fields including IPv6 source, destination address, prefix list,
IPv6 version, and so on.
The EX Series switches also support filter-based forwarding (FBF), which uses firewall filters to forward packets to
virtual routing instances. This allows for packets to follow different paths in the network.
VRRP for IPv6
Virtual Router Redundancy Protocol (VRRP) increases the availability of the default gateway servicing hosts on the
same subnet. A logical device consisting of a master and backup is advertised as the default gateway instead of
one physical node. VRRPv3 introduces support for IPv6 in addition to IPv4. Even though IPv6 includes robust router
discovery as part of its Neighbor Discovery Protocol, VRRP is able to fail over much more quickly with its sub-second
timers.
EX Series switches support VRRPv3, increasing the availability of IPv6 networks.
Virtual Chassis Technology
Juniper Networks EX4200, EX4500, and EX8200 lines of Ethernet switches support Virtual Chassis technology, which
allows two or more interconnected devices to operate as a single logical device with a single management plane,
configuration file, and operating system. The IPv6 functionality that can be deployed on a standalone switch can also
be deployed in a Virtual Chassis configuration. Virtual Chassis technology also eliminates the need for protocols such
as VRRP, since the logical device is managed through a single IPv6 address.
EX4200, EX4500, and EX8200 switches support IPv6 within a Virtual Chassis configuration.
High Availability
Nonstop active routing (NSR) enhances the resiliency characteristics of network protocols by preventing service
interruptions during the brief period when a backup Routing Engine (RE) takes over for a failed primary RE. Without
NSR, routing protocols would begin the process of reconverging network paths. NSR prevents such a reconvergence
from occurring, thus maintaining service continuity and minimizing business disruption for the enterprise.
EX Series switches support NSR for IPv6 routing protocols that include RIPng, OSPFv3, IS-IS, and IPv6 PIM.
DHCPv6 Server/Relay
Dynamic Host Configuration Protocol (DHCPv6) can automatically provide a host (DHCP client) with IPv6 addresses
assigned by a DHCPv6 server without the need for manual intervention. Although the stateless address
autoconfiguration protocol removes the need for DHCP in IPv6, DHCPv6 can still be used to assign addresses if the network
administrator desires more control over addressing. DHCPv6 is the “stateful” address autoconfiguration protocol. The
DHCPv6 server manages a pool of IPv6 addresses and information about client configuration parameters such as
default gateway, domain name server, and others.
In small networks where only one subnet is being managed, DHCPv6 clients communicate directly with DHCPv6
servers. However, if the DHCPv6 client and server are not on the same subnet, relay agents are required. A DHCPv6
relay agent exchanges unicast messages with the DHCPv6 server to relay messages between clients and servers. The
relay agent stores its own address in the messages sent to the server. The server uses the address to determine the
subnet on which the relay agent received the broadcast from the host (client) and allocates an IPv6 address on that
subnet.
EX Series switches will be configurable as both a DHCPv6 server and relay agent in future releases.
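The relay exchange described above, as an added example that is not code from the white paper or from Junos: the relay wraps the client's message in a DHCPv6 Relay-forward message carrying its own client-facing address (the link-address field), and the server uses that field to choose the subnet. The pool names, addresses, and function names are constructed for illustration.

```python
import ipaddress
import struct

RELAY_FORW = 12          # DHCPv6 Relay-forward message type
OPTION_RELAY_MSG = 9     # option that carries the client's original message

# Constructed server-side pools, one per client subnet (assumed values).
POOLS = {
    ipaddress.IPv6Network("2001:db8:10::/64"): "pool-floor1",
    ipaddress.IPv6Network("2001:db8:20::/64"): "pool-floor2",
}


def relay_forward(client_msg, link_addr, peer_addr, hop_count=0):
    """Relay side: wrap a client message in a Relay-forward message.

    link_addr is the relay's address on the client-facing link; peer_addr is
    the address the client's message was received from.
    """
    header = struct.pack("!BB", RELAY_FORW, hop_count)
    header += ipaddress.IPv6Address(link_addr).packed
    header += ipaddress.IPv6Address(peer_addr).packed
    option = struct.pack("!HH", OPTION_RELAY_MSG, len(client_msg)) + client_msg
    return header + option


def parse_relay_forward(data):
    """Server side: return (link_address, peer_address, inner client message)."""
    if len(data) < 34 or data[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    link = ipaddress.IPv6Address(data[2:18])
    peer = ipaddress.IPv6Address(data[18:34])
    inner, off = None, 34
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated option body")
        if code == OPTION_RELAY_MSG:
            inner = body
        off += 4 + length
    if inner is None:
        raise ValueError("no Relay Message option")
    return link, peer, inner


def select_pool(data):
    """Pick the pool whose subnet contains the relay's link-address."""
    link, _, _ = parse_relay_forward(data)
    for subnet, pool in POOLS.items():
        if link in subnet:
            return pool
    return None                      # unknown link: no address is offered


# Constructed sample: a Solicit (type 1, 3-byte transaction ID) relayed from floor 2.
SOLICIT = bytes([1]) + b"\xab\xcd\xef"
RELAYED = relay_forward(SOLICIT, "2001:db8:20::1", "fe80::211:22ff:fe33:4455")
```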
Port Security
Port security features protect the network against malicious attacks, minimizing loss of information and productivity
for the enterprise. These include features like Router Advertisement (RA) guard, DHCPv6 snooping, and IPv6 source
guard. The EX Series switches will support port security features in future releases.
• RA guard: IPv6 RAs are used to determine node configuration information during address autoconfiguration, whether it
is through “stateless” or “stateful” (via DHCPv6) means. If rogue RAs appear on the network, they can cause partial or
complete failure of IPv6 hosts. For example, rogue RAs can cause hosts to assume wrong prefixes during stateless
autoconfiguration. Rogue RAs can appear on the network because of administrator misconfiguration, user
misconfiguration, or malicious intent. RA guard provides a solution to the rogue RA problem.
Stateless RA guard examines incoming RAs and decides whether to forward or block them based on the configuration
in the network device. After validation, the RA frame is either forwarded to its destination or dropped. Stateful
RA guard, on the other hand, learns dynamically about legitimate RA senders and stores this information for allowing
subsequent RAs.
• DHCPv6 snooping: DHCPv6 snooping monitors and blocks DHCPv6 server messages received from untrusted devices
connected to the switch. It is analogous to DHCP snooping for IPv4; it builds and maintains an IPv6 address to media
access control (MAC) address binding database called the DHCPv6 snooping database.
• IPv6 source guard: IPv6 source guard mitigates the effects of spoofed source IPv6 or MAC addresses in a switched
environment. It is analogous to IP source guard for IPv4; it uses the DHCPv6 snooping database to determine if the
packet received from a host has a valid IPv6 and MAC source address.
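The three checks described above, as an added example that is not code from the white paper or from Junos: a stateless RA guard that parses the Prefix Information options of a Router Advertisement, a DHCPv6 snooping database filled only from trusted ports, and a source guard lookup against it. Port names, prefixes, and all function and class names are assumptions constructed for illustration; stateful RA guard is not modeled.

```python
import ipaddress
import struct

# Assumed switch configuration (hypothetical port names, constructed values).
ROUTER_PORTS = {"ge-0/0/0"}          # ports where RAs are legitimate
DHCP_TRUSTED_PORTS = {"ge-0/0/1"}    # ports facing the DHCPv6 server
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:10::/64")}


def ra_prefixes(icmp6):
    """Return the prefixes in a Router Advertisement; ValueError if malformed."""
    if len(icmp6) < 16 or icmp6[0] != 134:       # 134 = RA, 16-byte fixed part
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("bad option length")
        if opt_type == 3:                        # Prefix Information option
            if opt_len != 32:
                raise ValueError("bad Prefix Information option")
            plen = icmp6[off + 2]
            prefix = icmp6[off + 16:off + 32]
            prefixes.append(ipaddress.IPv6Network((prefix, plen), strict=False))
        off += opt_len
    return prefixes


def ra_guard(port, icmp6):
    """Stateless RA guard: decide from static configuration only."""
    if not icmp6 or icmp6[0] != 134:
        return "forward"                         # not an RA: out of scope here
    if port not in ROUTER_PORTS:
        return "drop"                            # RA from a host-facing port
    try:
        prefixes = ra_prefixes(icmp6)
    except ValueError:
        return "drop"                            # malformed RA
    return "forward" if all(p in ALLOWED_PREFIXES for p in prefixes) else "drop"


class BindingTable:
    """DHCPv6 snooping database plus the source guard check that uses it."""

    def __init__(self):
        self.bindings = {}                       # (port, MAC) -> leased IPv6 address

    def dhcpv6_reply(self, in_port, client_port, client_mac, leased):
        """Handle a server Reply; only trusted ports may create bindings."""
        if in_port not in DHCP_TRUSTED_PORTS:
            return "drop"                        # rogue DHCPv6 server
        self.bindings[(client_port, client_mac)] = ipaddress.IPv6Address(leased)
        return "forward"

    def source_guard(self, port, src_mac, src_ip):
        """Forward only if (port, MAC, IPv6 source) matches a snooped binding."""
        bound = self.bindings.get((port, src_mac))
        return "forward" if bound == ipaddress.IPv6Address(src_ip) else "drop"


def build_ra(prefix):
    """Constructed sample RA with one Prefix Information option (checksum zero)."""
    net = ipaddress.IPv6Network(prefix)
    fixed = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return fixed + pio + net.network_address.packed
```

In this model a host that configured its address by SLAAC has no entry in the DHCPv6 snooping database, so the source guard check drops its traffic.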
6PE and 6VPE
IPv6 provider edge (6PE) is useful for tunneling IPv6 packets over an MPLS cloud to a remote location in the enterprise.
Note that the MPLS backbone itself can be built on IPv4. This allows for a smooth transition for enterprises that have
an existing IPv4-based MPLS backbone. The MPLS backbone is totally unaware of the packets it is transporting;
therefore, it can be shared for tunneling both IPv4 and IPv6 packets. 6VPE provides the same functionality in a
virtualized environment.
The EX8200 line of Ethernet switches supports both 6PE and 6VPE configurations.
Management and OAM
The EX Series switches can be managed using IPv6 addressing. Syslog, Telnet, SSH, Juniper Networks Junos Web, and
Simple Network Management Protocol (SNMP) services are supported over IPv6. In addition, services such as Network
Time Protocol (NTP) and Domain Name System (DNS) are also supported over IPv6. The EX Series switches also
support essential IPv6 Operation, Administration, and Maintenance (OAM) tools such as ping and traceroute.
Licensing
An advanced feature license (AFL) is required to deploy IPv6 routing protocols such as RIPng, OSPFv3, IS-IS, MBGP,
PIM, and MLDv1/2 on EX Series switches. An AFL is also required for deploying 6PE and 6VPE functionality on the
EX8200 line. All other functionality, including IPv6 infrastructure (SLAAC, NDP, and path MTU discovery), IPv6 quality
of service (QoS), firewall filters, FBF, VRRP for IPv6, DHCPv6 server/relay, port security, management and OAM, is
available in the base image.
Certification
Juniper is committed to providing its customers, including government agencies across the globe, with certified
products that are standards compliant. Certifications that demonstrate IPv6 capability and conformance include:
1. The Installation Information Infrastructure Modernization Program (I3MP), a collection of efforts (voice/data/cable/
long-haul gateway/enterprise management) that modernizes the core enterprise information infrastructure at
Army installations (CONUS/Pacific/Europe/SWA) worldwide. I3MP certification testing is performed by the Army
Technology Integration Center (TIC), and IPv6 is an integral part of this testing.
2. Joint Interoperability Test Command (JITC), which tests and certifies IT products for IPv6 compatibility according to
the RFCs outlined in the Department of Defense IPv6 standards profiles for IPv6-capable products. Once products
are certified for special interoperability, they are added to the DoD’s Unified Capabilities Approved Products List (UC
APL) for IPv6. This list is used by procurement offices in the DoD and by U.S. Federal agencies for ongoing purchases
and acquisitions of IT equipment.
3. The IPv6 Forum “IPv6 Ready” logo program is a conformance and interoperability testing program intended to
increase user confidence by demonstrating that IPv6 is ready and available now. The Phase 1 logo focuses on core
IPv6 protocols.
4. USGv6 is a test program designated by the National Institute of Standards and Technology (NIST) that provides a
proof of compliance to IPv6 specifications outlined in current industry standards for common network products.
It is meant as a strategic planning guide for USG (United States Government) IT acquisitions to help ensure the
completeness, correctness, interoperability, and security of early IPv6 product offerings so as to protect early USG
investments in the technology.
EX Series switches have achieved I3MP (TIC) and UC APL (JITC) certifications, and are currently in the process of
achieving IPv6 Ready Logo (Phase 1) and USGv6 certifications.
Conclusion
Juniper Networks EX Series Ethernet Switches provide a highly available IPv6 network infrastructure together with the
features required to build the next-generation IPv6 networks. With features like IPv6 unicast and multicast routing,
QoS, IPv6 over Virtual Chassis configurations, port security, 6PE, 6VPE, and management, the EX Series switches can
provide the enterprise with a complete IPv6 solution. The EX Series switches also enable simultaneous IPv4 and IPv6
network deployments to ease the transition to IPv6. In addition, the certification programs underway for the EX Series
platforms demonstrate commitment, completeness, and compliance.
Please contact your sales representative for current and future support of IPv6 features on all EX Series platforms.
Appendix A: Supported RFCs
The table below summarizes the list of RFCs supported on the EX Series switches.
RFC#     Synopsis
RFC1157  SNMP
RFC1213  MIB for network management
RFC1215  A convention for defining traps for use with SNMP
RFC1771  Border Gateway Protocol 4 (BGP-4)
RFC1772  Application of BGP on the Internet
RFC1901  Introduction to community-based SNMPv2
RFC1902  Structure of management information for SNMPv2
RFC1905  Protocol operations for SNMPv2
RFC1981  Path MTU discovery for IPv6 (EX8200, EX4200, and EX3200)
RFC2080  RIPng for IPv6
RFC2081  RIPng protocol applicability statement
RFC2283  Multiprotocol extensions for BGP-4
RFC2373  IPv6 addressing architecture
RFC2375  Multicast address assignments
RFC2460  IP
RFC2461  Neighbor Discovery for IPv6
RFC2462  IPv6 stateless address autoconfiguration
RFC2463  ICMPv6 for the IPv6 specification
RFC2464  Transmission of IPv6 packets over Ethernet networks
RFC2465  MIB for IPv6
RFC2474  Definition of the differentiated services field (DS field) in the IPv4 and IPv6 headers
RFC2545  Use of BGP-4 multiprotocol extensions for IPv6 interdomain routing
RFC2578  Structure of management information version 2 (SMIv2)
RFC2711  IPv6 router alert option
RFC2740  OSPF for IPv6
RFC3306  Unicast prefix-based IPv6 multicast addresses
RFC3484  Default address selection for IPv6
RFC3513  IPv6 addressing architecture
RFC3587  Global unicast address format
RFC3587  IPv6 global unicast address format
RFC3768  VRRP
RFC3810  MLDv2 for IP
RFC4291  Addressing architecture
RFC4552  Authentication/confidentiality for OSPFv3
RFC4604  Using IGMPv3
RFC4659  BGP-MPLS IP Virtual Private Network (VPN) extension (partial support on EX8200)
RFC4798  Connecting IPv6 islands over IPv4 MPLS using IPv6 Provider Edge routers (6PE, available only on EX8200)
RFC4890  Recommendations for filtering ICMPv6 messages in firewalls (except EX8200)
RFC5095  Deprecation of type 0 routing headers in IPv6
RFC5308  Routing IPv6 with IS-IS
RFC5340  OSPF for IPv6
draft-ietf-isis-ipv6-06.txt  Routing IPv6 with IS-IS
draft-kato-bgp-ipv6-link-local-00.txt  BGP4+ peering using IPv6 link-local address
Note: For more information on IPv6, please visit www.juniper.net/ipv6.
2000418-002-EN Mar 2012
Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. All other trademarks, service marks, registered marks, or registered service marks are the property of
their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud
providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics
of networking. The company serves customers and partners worldwide. Additional information can be found at
www.juniper.net.