Priority projects are an IPv6-based public website and an end-to-end reference implementation.
Corporations are seeing increased opportunities to their businesses and challenges to their IT organizations from mobility, 'consumerization' of IT and virtualization of IT resources. All of these, along with the depletion of IPv4 address space, have resulted in the need for migrating to IPv6. Cisco IT has been making the shift gradually, adopting a dual-stack approach to simultaneously support IPv4 and IPv6 traffic. The team's first project was enabling IPv6 for the cisco.com public website. This case study explores the decisions that Cisco IT has made to support IPv6, the current architecture, and design steps. Cisco customers can draw on Cisco IT's real-world experience in this area to plan their own strategy for IPv6 adoption.
The original Internet Protocol, known as IPv4, uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, in contrast, uses 128-bit addresses and supports a practically unlimited number of devices: 2 to the 128th power. Based on the projections from the Internet Assigned Numbers Authority and the various Regional Internet Registries, IPv4 addresses are nearly certain to run out by the end of 2011.
Some organizations regard Internet continuity as the main justification for IPv6 adoption, especially if they have a significant Internet business presence. Other organizations create a business case based on national competitiveness, education, or complying with regulatory requirements. For Cisco, as with other technology companies, IPv6 adoption is also important to give R&D and product teams a real-world testing ground for new solutions.
Cisco IT has been planning the shift from the IPv4 to IPv6 address space since 2002, balancing the project with other IT priorities, such as data center virtualization and continuing adoption of Cisco TelePresence® and other collaboration technologies. The migration became more urgent as the IPv4 address space approached depletion. "Compliance requirements from governments where we do business, lack of new IPv4 addresses (especially in emerging markets) and proliferation of mobile devices are driving the business case for our internal IPv6 adoption," says John Manville, vice president of network and data center services for Cisco IT.
In addition, Cisco needs an IPv6 infrastructure to develop and test IPv6-compliant solutions in a real-world environment for customers planning their own migration.
The IPv6 migration project is far-reaching, affecting network devices in 400 Cisco offices, in 90 countries. More than 180,000 people connect to the Cisco corporate network, including 72,000 employees, 20,000 channel partners, 100-plus application service providers, and approximately 200 development partners.
Like other companies, Cisco expects IPv4 devices to coexist with newer IPv6 devices for many years. To accomplish the transition to IPv6 while continuing to support IPv4, Cisco IT needed to:
• Bring together a cross-functional program team
• Acquire IPv6 address space
• Decide which IPv6 approaches to use: tunneling, proxy servers, and dual-stack
• Perform a readiness assessment, including network devices as well as the Cisco IOS™ Software on those devices
• Work with service provider partners to support IPv6 with service-level agreements (SLAs) equivalent to the existing IPv4 SLAs
• Develop an IPv6 version of the Cisco public website
"The cross-functional team extends beyond our core networking experts and data center services organization, to include application, security, and web teams," says Clyde Kennedy, IT program manager.
Discussions about IPv6 began with the Cisco IT networking team and are now spreading to other infrastructure and application teams (Figure 1). "Now that customers are beginning to access content and application with IPv6-enabled devices, the conversation is more meaningful," says Keith Brumbaugh, a Cisco IT lead architect for the project. "We're building a cross-functional roadmap for IPv6 support in Cisco IT."
Figure 1. Framework for IPv6 Adoption at Cisco
At the outset of the project, the cross-functional team agreed on goals for IPv6 integration and migration: "The overriding principle was to do no harm," says Khalid Jawaid, Cisco IT network engineer. Design principles are:
• Do not jeopardize existing IPv4 services and applications, such as cisco.com and the internal corporate network
• Preserve the cisco.com brand and control over the cisco.com experience
• Do not compromise the corporate security posture
• Re-use existing infrastructure, capabilities, content, and application environments whenever possible
• Compile lessons learned to share with customers
Acquiring an IPv6 Address Space
Cisco started with a smaller block of IPv6 addresses, later acquiring a /32 address space (Figure 2). "We gave careful thought on how to carve up the address space for different geographies, following the same principles we did for IPv4 addresses," says Jon Woolwine, Cisco IT lead architect for the IPv6 program. "Anticipated growth in each region played a big role in our decisions."
Figure 2. Cisco IPv6 Breakout Plan
Cisco IT uses a dedicated web-based application, modified to support IPv6, to manage the IP address space. The IT team also added support for IPv6 in the company's domain name system (DNS) services. "Early on, we enabled our DNS infrastructure to advertise AAAA records, so that domain names can be resolved to IPv6 addresses," says Woolwine. "Now we're in the planning stages of enabling DHCPv6. Until then, we'll use SLAAC [Stateless Address Auto Configuration] for dynamic IPv6 address assignment."
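The regional breakout described in this section can be sketched as follows. This is an added example, not Cisco IT's tooling or its actual plan: the documentation prefix 2001:db8::/32 stands in for the real /32, and the region names, site counts, /48-per-site size and growth headroom are all assumptions.

```python
import ipaddress
import math

# Constructed inputs: the documentation prefix stands in for the real /32, and the
# regions and site counts are hypothetical, not figures from the case study.
PARENT = ipaddress.IPv6Network("2001:db8::/32")
EXPECTED_SITES = {"americas": 3000, "emea": 1500, "apac": 900, "emerging": 200}


def regional_plan(parent, expected_sites, site_prefixlen=48, headroom=2.0):
    """Give each region one aligned block sized for its anticipated growth."""
    lengths = {}
    for region, sites in expected_sites.items():
        bits = math.ceil(math.log2(sites * headroom))  # bits needed to number the sites
        lengths[region] = site_prefixlen - bits        # shorter prefix = larger block
    plan, cursor = {}, int(parent.network_address)
    # Largest blocks first, so each block starts on its own natural boundary.
    for region in sorted(lengths, key=lengths.get):
        if lengths[region] < parent.prefixlen:
            raise ValueError(f"{region} needs more space than {parent}")
        block = ipaddress.IPv6Network((cursor, lengths[region]))
        if not block.subnet_of(parent):
            raise ValueError(f"{parent} exhausted before {region}")
        plan[region] = block
        cursor = int(block.broadcast_address) + 1
    return plan


def region_of(plan, address):
    """Map an address (from a log line or ACL hit) back to its region, or None."""
    ip = ipaddress.IPv6Address(address)
    return next((r for r, block in plan.items() if ip in block), None)


if __name__ == "__main__":
    for region, block in regional_plan(PARENT, EXPECTED_SITES).items():
        print(f"{region:9} {block}  ({2 ** (48 - block.prefixlen)} x /48)")
```

Keeping one contiguous block per region lets a single prefix per geography appear in route summaries and firewall rules, and leaves the rest of the /32 unallocated for later growth.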
Selecting an Approach to IPv6 Integration
When Cisco began IPv6 integration in 2002, the IT team built dedicated IPv6 environments for various business uses, such as testing. The environments connected through IPv6-over-IPv4 tunnels. On the client side, the team relied on Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels for IPv6-enabled endpoints.
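During a migration that mixes SLAAC and ISATAP as described above, it helps to tell from an address alone how a host obtained it and which IPv4 address or MAC it maps back to. The following is an added example, not Cisco IT's code; the sample addresses are constructed from documentation ranges, and the EUI-64 test is a heuristic because a randomly generated interface identifier can contain ff:fe by chance.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of addresses as they might appear in flow or web logs.
OBSERVED = [
    "2001:db8:10:20:0:5efe:c000:219",      # ISATAP, IPv4 not globally unique
    "2001:db8:10:20:200:5efe:c633:6407",   # ISATAP, IPv4 flagged globally unique
    "2001:db8:10:30:21a:2bff:fe3c:4d5e",   # SLAAC with modified EUI-64
    "2001:db8:10:30:8c1f:3a77:52d0:9be4",  # random-looking interface identifier
]


def classify(addr):
    """Return (kind, embedded_identifier) for one IPv6 address string."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)  # low 64 bits
    hi32, lo32 = iid >> 32, iid & 0xFFFFFFFF
    # ISATAP (RFC 5214): the IID is 0000:5efe or 0200:5efe followed by the IPv4 address.
    if hi32 in (0x00005EFE, 0x02005EFE):
        return "isatap", str(ipaddress.IPv4Address(lo32))
    # Modified EUI-64 (RFC 4291), used by SLAAC without privacy extensions:
    # ff:fe sits in the middle of the IID and the MAC's U/L bit is inverted.
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        b = iid.to_bytes(8, "big")
        mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
        return "slaac-eui64", ":".join(f"{x:02x}" for x in mac)
    return "other", None


def inventory(addresses):
    """Group observed addresses by how they appear to have been assigned."""
    groups = defaultdict(list)
    for addr in addresses:
        kind, embedded = classify(addr)
        groups[kind].append((addr, embedded))
    return dict(groups)


if __name__ == "__main__":
    for kind, hosts in inventory(OBSERVED).items():
        for addr, embedded in hosts:
            print(f"{kind:12} {addr:40} {embedded or '-'}")
```

Hosts that show up as ISATAP on segments where dual-stack is already deployed are candidates for tunnel cleanup, and EUI-64 addresses tie an IPv6 log entry to the same hardware address recorded in IPv4-era asset inventories.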
Today, Cisco IT is moving towards a dual-stack approach, meaning that devices can simultaneously support IPv4 and IPv6. All network services, including quality of service (QoS) and multicast, apply to both IPv4 and IPv6. "The dual-stack strategy is enabling us to move one step at a time toward end-to-end IPv6," says Brumbaugh.
Cisco uses Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv4 and will continue to use EIGRP with IPv6. "It's a good idea to use the same routing protocol for IPv4 and IPv6 to simplify support activities for operational teams," says Woolwine.
Priority Projects: Reference Architecture and IPv6 Internet Presence
Two IPv6 projects are nearly complete. "We're implementing an end-to-end IPv6 infrastructure as a reference for public sector customers that will also satisfy their compliance requirements," says Jawaid. "We have also created an IPv6 Internet presence on cisco.com that operates in parallel with our IPv4 presence."
The first phase for the end-to-end architecture is regional IPv6 tunnel headends in San Jose, California, and Research Triangle Park, North Carolina (Figure 3). The headends will provide regional 6in4 tunnel termination, a regional ISATAP service, and native IPv6 Internet connectivity.
Figure 3. Phase 1: Regional IPv6 Tunnel Headends
Conducting Readiness Assessment
Cisco IT engaged Cisco Services to provide IPv6 readiness support through the Cisco® Network Optimization Service (NOS). The service identified both hardware and software gaps. "We had to make sure that both hardware and software were ready for a large-scale IPv6 deployment," says Woolwine.
To assess readiness, Cisco first determined if the hardware platform supported basic IPv6 functions. If not, Cisco replaced the hardware through the normal Fleet Management Program, Cisco IT's infrastructure lifecycle management program. Upgrading through the Fleet Management Program spread out the capital expense associated with IPv6 adoption.
If the hardware was IPv6-capable, Cisco IT determined if the Cisco IOS Software version supported IPv6. If not, the team upgraded the software. "We also worked with our vendors to find out when third-party software would be IPv6-compliant," says Joseph Chieng, a Cisco IT project manager focusing on the IPv6 efforts with the Cisco Global Government Solutions Group.
Partnering with Service Providers for IPv6 Services
Until recently, IPv6 service providers provided IPv6-over-IPv4 tunnels. Now, many have begun offering dual-stack services. Cisco IT is currently meeting with its existing service providers to plan the addition of dual-stack support.
To provide an IPv6 Internet presence, Cisco IT installed dedicated IPv6 Internet circuits that are physically separate from ordinary production circuits. A few temporary circuits will be decommissioned as dual-stack circuits are deployed in production. "We are working with all of our service provider partners to make sure the IPv6-based services we receive are comparable to our current IPv4-based services," says Brumbaugh.
Creating IPv6 Internet Presence
Cisco IT has enabled native IPv6 on the cisco.com website. As the first step, the IT team built a parallel IPv6 environment (www.ipv6.cisco.com) that became active in 2010 and is available to users connecting from IPv6 network-enabled hosts. People visiting the site enter this URL to access the static IPv6 webpage, which directs them to the production IPv4 infrastructure (Figure 4).
Figure 4. IPv6 Internet Presence, Phase 1
"Making Internet-facing services IPv6-accessible requires changes only to the web server itself, not the underlying application servers and management software," says Woolwine.
The second phase will be to make additional web services IPv6-accessible. This step will be even simpler, because Cisco IT plans to deploy a proxy in front of the web servers (Figure 5). "We believe the proxy solution is the best option for the many Cisco hosts that are not already IPv6-enabled," Woolwine adds.
Figure 5. IPv6 Internet Presence, Phase 2
In the third and final phase, users will not have to enter a different URL to connect to the IPv6 infrastructure. IPv6-based clients will automatically connect to the newer IPv6 infrastructure, while IPv4 clients will connect to the IPv4 infrastructure.
"As Cisco continues its journey towards a borderless enterprise, our IPv6 deployment is enabling many of the infrastructure requirements mandated by our present and future business strategies," says Manville. "It has now become clear that for enterprises large and small, IPv6 is not just a side thought, but a core technology evolution that will play an important role in the future of business and IT strategies."
Cisco tested its IPv6 readiness on June 8, 2011, on World IPv6 Day, a global event organized by the Internet Society to test the readiness of the new Internet Protocol. Participants included the world's leading Internet vendors, and Cisco was among the first to join. During the event, Cisco IT tested its own IPv6 readiness while also compiling lessons learned from customers participating in the event.
To test its IPv6 website, Cisco IT pointed its DNS entries to AAAA records, enabling clients to reach www.cisco.com over IPv6. Other participants took a similar approach to test their own websites.
"No major glitches occurred during the event, and Cisco IT is applying lessons learned about architecture, design, and operations as our IPv6 migration effort continues," says Brumbaugh. Cisco IT is currently documenting lessons learned about architecture, design, and operations for its own use, and to share with customers.
Following are the next steps for the IPv6 integration project at Cisco:
• Documenting insights from participating in World IPv6 Day on June 8, 2011.
• Delivering end-to-end IPv6 in more locations, initially critical labs and sales offices.
• Adding IPv6 support to internal monitoring applications.
• Providing an IPv6 Internet presence for all of cisco.com.
• Extending IPv6 support to branch offices.
• Enabling IPv6 for the 21,000 Cisco teleworkers who use Cisco Virtual Office. This project has begun.
• Providing dual-stack support in the desktop environment.
• Continuing to integrate IPv6 with other borderless network services.
Cisco IT shares the following advice with other organizations migrating to IPv6:
• Engage early with IT teams outside the core networking team. Among the other teams to involve are applications, security, and web.
• Consider the implications of IPv6 addresses with external parties. These parties include Internet service providers, content delivery networks, and third-party application providers.
• Account for lead time from vendors in your project plans. Some of Cisco IT's vendors have not yet formulated a plan for IPv6. Lead time considerations are especially important for organizations that have compliance requirements for IPv6.
• Realize that end-device operating systems behave differently with IPv6. For this reason, Cisco IT plans to test the various smartphone and tablet operating systems in use by the company's mobile workforce.