IPv6 in the enterprise

Matthew Huff mhuff at ox.com
Tue Apr 19 01:22:49 CEST 2011


If every monitoring tool didn't use a name cache, then you might get away with dynamic/SLAAC/managed nodes for servers. However, since most monitoring tools only do name resolution at limited intervals, a reboot of a server might require a restart of all monitoring tools. Not practical. Once you commit to static numbering of servers in an IPv6 world, IP renumbering is a fairy tale.

Too much of IPv6 is based on an ivory-tower design developed by people at universities and service providers, with little thought to a corporate environment. For example, every time I mention NAT to an IPv6 evangelist, I get treated to a lecture on how NAT is only used by clueless netadmins who think it's required for firewalling. They won't take the time to understand that in corporate B2B environments it is used heavily for many reasons, the least of which is information hiding/firewalling. Providers like Savvis, Radianz and TNS for financial B2B are heavy users of IPv4 NAT for good reasons.

For example, we have two routers at the NYSE Mahwah colo facility. Each router has a 1 Gb uplink to the SFTI LCN network. We receive market data (which is heavy one-way traffic with a high burst rate) and send/receive latency-sensitive FIX traffic. With careful twice-NAT configuration and BGP engineering, we can receive market data traffic via one interface and send/receive FIX via the other, with failover. This works even if the same servers are getting both FIX and market data. For example, server A talking to server Z will receive/send market data via link 1 and receive/send FIX via link 2. If I had full control of both sides, there are many other solutions such as PBR without NATing, but since we don't, there is virtually no other way.




-----Original Message-----
From: Mark Smith [mailto:nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org] 
Sent: Monday, April 18, 2011 6:47 PM
To: Matthew Huff
Cc: 'Justin Krejci'; 'Mark Kamichoff'; 'Dale W. Carder'; 'ipv6-ops at lists.cluenet.de'
Subject: Re: IPv6 in the enterprise

On Mon, 18 Apr 2011 17:45:36 -0400
Matthew Huff <mhuff at ox.com> wrote:

> So that when that ip address was discovered within monitoring systems we could do a reverse map back to the switch. Not possible with a link local. 
> 

I can see that might be useful for monitoring purposes, however I don't
understand what the benefit of then using a GUA as the default gateway
address on the end-nodes is. Wouldn't using link-locals for end-node
default gateway addresses make renumbering to a different GUA an
easier task than the current efforts we have to go to in IPv4?

> -----Original Message-----
> From: Mark Smith [mailto:nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org] 
> Sent: Monday, April 18, 2011 5:10 PM
> To: Matthew Huff
> Cc: 'Justin Krejci'; 'Mark Kamichoff'; 'Dale W. Carder'; 'ipv6-ops at lists.cluenet.de'
> Subject: Re: IPv6 in the enterprise
> 
> On Mon, 18 Apr 2011 13:20:37 -0400
> Matthew Huff <mhuff at ox.com> wrote:
> 
> > When I used a GUA for my HSRP address, Windows 7 would get confused after a few days and lose its global address. Switching to a link-local address for HSRP appears to have resolved that, although we are still testing. We are running SXI5 on a 6509/sup720
> > 
> > 
> 
> Why did you want to use GUA for your default router, other than
> "that's the way we do it in IPv4"?
> 
> > 
> > ----
> > Matthew Huff             | 1 Manhattanville Rd
> > Director of Operations   | Purchase, NY 10577
> > OTA Management LLC       | Phone: 914-460-4039
> > aim: matthewbhuff        | Fax:   914-460-4139
> > 
> > 
> > -----Original Message-----
> > From: Justin Krejci [mailto:jkrejci at usinternet.com] 
> > Sent: Monday, April 18, 2011 1:06 PM
> > To: Mark Kamichoff
> > Cc: Dale W. Carder; Matthew Huff; 'ipv6-ops at lists.cluenet.de'
> > Subject: Re: IPv6 in the enterprise
> > 
> > 
> > 
> > On Mon, 2011-04-18 at 12:02 -0400, Mark Kamichoff wrote:
> > > On Mon, Apr 18, 2011 at 10:39:56AM -0500, Dale W. Carder wrote:
> > > > We are using HSRP with static addressing (for link-local as well).
> > > > For the version of code that we are on, we couldn't use a global
> > > > address as the HSRP address, but this has not proved to be an issue.
> > > > In addition, it has had the nice side effect of being able to tell
> > > > everyone that the router is always fe80::1, regardless of what network
> > > > you are on.
> > > 
> > > We're doing the same exact thing with HSRP, and Cisco tells us that GUA
> > > addresses will be supported in the future.
> > 
> > According the documentation for 6509s the SXI4 release supports GUA for
> > HSRP. Previous to that you must use link-local for the virtual address.
> > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_bulletin_c25_603217_ps708_Products_Bulletin.html
> > 
> > A quick Google search also yields that 12.4T has support for HSRP GUA.
> > http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-fhrp.html#wp1062511
> > 
> > 

