New Cisco Validated Design – Deploying IPv6 in the Internet Edge

Just before the holiday break I posted a new Cisco Validated Design (CVD) on Deploying IPv6 in the Internet Edge.  Check it out here:

PDF version

Online version

To meet deadlines I had to cut a few things out that I had originally planned on including such as:

  • More on NetFlow
  • Network Management using Cisco Prime
  • Considerations for IPv6 access to your content on a cloud providers network
  • and other junk

Future work on this document will include the above as well as:

Posted in IPv6

Cisco Launches IPv6 Support for Cisco ACE

I have been pushing for IPv6 support for Cisco ACE for years now and today, finally, the first release of support is on Cisco.com.

Cisco ACE software release A5(1.0) provides several feature enhancements with IPv6 being the most important in my view. ;-)

A summary of the IPv6 features added:

  • Dual stack:
    – IPv4-to-IPv4 and IPv6-to-IPv6
    – HTTP and DNS inspection for native IPv6-to-IPv6 traffic
  • Translation:
    – SLB64 and SLB46 for all Layer 4 load balancing that does not require payload modifications or pinholes
    – NAT64 and NAT46 for all TCP and UDP protocols that do not need payload modifications or pinholes
    – SLB64 and SLB46 support for Layer 7 load balancing of HTTP and SSL
    – No DNS64 or DNS46 support on ACE; if IPv6-only clients need to reach IPv4-only servers by name through NAT64, the AAAA synthesis has to come from a DNS64 resolver elsewhere
  • Mixed IPv4 and IPv6 real server support
  • IPv6 addressing, including link-local, global unicast, unique local, peer, and alias addresses
  • IPv6 protocol support:
    – Neighbor Discovery (ND)
    – Router Discovery (RD)
    – Duplicate Address Detection (DAD)
    – ICMPv6
    – DHCPv6
  • Application awareness: HTTP, HTTPS, and DNS
  • Online Certificate Status Protocol (OCSP) support for authenticating Secure Sockets Layer (SSL) offloaded sessions, for both IPv4 and IPv6
  • DM GUI changes in A5(1.0):
    – Support for the IPv6 and SSL OCSP features and functions outlined above
    – Updated look and feel for the DM GUI and all associated pages
    – Homepage: a launching point to selected areas within the DM GUI. It appears under the Home option menu and includes quick access to a series of operational tasks, monitoring functions, Guided Setup tasks, configuration functions, and quick links to the associated user documentation.
    – Guided Setup: a series of setup sequences that offers screen guidance and networking diagrams to simplify the configuration of the ACE appliance through the DM GUI.
    – Network monitoring enhancements:
      – Dashboards: allow faster and more accurate assessment and analysis of device and virtual context health, usage, and performance. Corresponding monitoring views give quick access to details for further investigation into potential problems highlighted in the dashboards. Graphs and monitoring screens let you view historical data and compare performance with peer objects.
      – Historical Graphs: display data recorded during the last hour, 2-hour, 4-hour, 8-hour, 24-hour, or 30-day (last month) interval. Real-time charts are also supported as part of the monitoring graphs feature.
      – Dedicated Real Server and Probe Views: display load-balancing information related to real servers and the probes that monitor the health and availability of a real server.
      – Topology Maps: provide a graphical representation of an application network.

Cisco ACE A5(1.0) Configuration Documentation: http://bit.ly/pKQxIq

Cisco ACE A5(1.0) Release Notes: http://bit.ly/oO0Skn

Slideshare configuration examples I have built on Cisco ACE SLB66/SLB64, ASR1k Stateful NAT64 and proxy: http://t.co/RLVof3jU

Posted in IPv6

VMware View Bootcamp – 9-part Video Series

I was happy to have been invited to participate as one of the speakers for the VMware View Bootcamp series.

Check it out:

http://communities.vmware.com/community/vmtn/desktop/view/bootcamp/

Posted in VDI/DaaS, Virtualization

Public DaaS – I have questions

Desktop as a Service (DaaS) is one of the many cloud service components that is really just VDI but with a cloud-sounding acronym.  I know customers who call their internal VDI deployments a DaaS service and I also know cloud purists who say DaaS only applies to the public cloud.  Whatever.  I care nothing about nomenclature.

What I do care about is usable services that customers can use for solving business and technical problems.  In small, medium and large VDI deployments we find that the complexity of design, deployment and ongoing management ends up being nearly as painful as the traditional thick desktop model, at least for a while.

I am starting to hear more and more from customers of all sizes that they would like to move to VDI for all of the traditional advantages, but they don’t want to own or manage the environment that supports it.  Here come public cloud DaaS offerings and our discussion.

Companies like Desktone, CSC’s Dynamic Desktop service and others are providing a desktop in the public cloud.  The feedback from customers I have talked to ranges from barely usable to a completely acceptable service for certain user groups. In the very small amount of time that I have devoted to looking at some of these offerings I have found that the traditional issues that are found in old-school VDI deployments equally apply to these new DaaS offerings, but in some cases are compounded by the variability of the Internet.

User Experience

We know this is the make or break element of any VDI or Terminal Services-style deployment.  It comes down to display protocol performance, compute performance and back-end storage.  In some of the DaaS offerings, the display protocol has to deal with the variability of the Internet (loss/latency/jitter/bandwidth).  We know that even the best performing display protocols that also have the usual goodies bolted on the network to help them out (e.g. WAN optimization) still offer less-than-acceptable user experience in many cases.  Take this already tough situation and dump it over a public Internet connection and things get interesting, fast.

In addition to display protocols you have to wonder how powerful the compute design is and how extravagant the storage is when the provider has to balance a reasonable price for the service with an upfront deployment of what should be a highly scalable service.  Is the SAN going to be that kick ass (acceptable IO, tiered storage capabilities, etc.)?  Will the compute be able to keep up with anything other than task worker loads?

Can the DaaS provider offer dedicated links to enterprises where they have more control over the network variables?  Sure, some providers do, but this cannot scale and only adds to the cost model, making it more attractive for the enterprise to keep this whole thing on their own network.  If a traditional SP got into the DaaS business and then offered a network service just for DaaS, this might make more sense.

Storage/Data Privacy

It’s the cloud. It’s not your cloud, but the provider’s cloud, and you are just buying time on it. So, now you have a desktop to connect to, but where do you go now?  You probably need to access enterprise applications (e.g. SAP, Oracle, call center apps) and not just Office. You either use this desktop to go back to your own environment or to other SaaS applications, or you have local apps on that desktop that access local data.  That local data is the issue.  Who has access to it?  Does the DaaS provider do encryption at rest?  In flight?

This is one of the usual issues with the whole public cloud debate – who has access to my super critical data?

Companies like Box (http://www.box.net/features/security) and Oxygen Cloud (http://www.oxygencloud.com/features/security) and others do encryption in flight (over IP) and at rest.  But these guys are probably not appropriate for DaaS due to the IO requirements.  High-end storage vendors like EMC, NetApp, Hitachi and many others do this too and they meet the availability, scalability and IO requirements, but at a price.

It is a balancing act with cost, performance, privacy of data and scale.  I don’t have the answers and I don’t think anyone does – at least not all of them.

Use Cases

Who is DaaS for?  A group of task workers such as call center agents seems like a good fit, as the resource requirements and number of apps are low, but if you want to integrate voice into the equation it gets rough due to rich media, QoS and all of the stuff in the user experience section.  Where do the call center apps reside?  Are they SaaS-able so the desktop can just access them via a browser connecting to another SaaS provider?  Is the DaaS provider going to host enterprise-class applications on-premises (doubtful)?

Power/Knowledge Workers have the same requirements as task workers in addition to a much larger list of applications and probably a much higher need for a butt-kicking user experience due to the diversity of apps and rich media uses.

Summary

Am I rambling?  You bet.  I am just now getting into research mode on what is out there and what is available.  I am hearing about this from customers at an alarmingly growing rate and need to have some answers on what is real, what is a pipe dream and/or what is real but out in the future.

I welcome comments of any kind on any questions I have asked and any that I have not.  I am very much in the I don’t know what I don’t know mode.

More to come on this topic.

Shannon


Posted in VDI/DaaS

Pearson IT Certification: Q&A with Shannon McFarland

I did a Q&A Interview with the Pearson folks on the new Cisco Press title: IPv6 in Enterprise Networks.

Check it out:
http://www.pearsonitcertification.com/articles/article.aspx?p=1692561

Posted in IPv6

IPv6 for Enterprise Networks – Available Now

It’s out!  Available at book stores, online retailers and also in electronic format.  “IPv6 for Enterprise Networks” by Cisco Press is ready for your consumption. For you Safari Online readers, the book should be available by end of this week (4/8) or beginning of next week.

Amazon:

http://www.amazon.com/IPv6-Enterprise-Networks-Networking-Technology/dp/1587142279/ref=sr_1_1?ie=UTF8&s=books&qid=1301616511&sr=1-1

Cisco Press (Hardcover):

http://www.ciscopress.com/bookstore/product.asp?isbn=1587142279

Cisco Press (Electronic):

http://www.ciscopress.com/bookstore/product.asp?isbn=1587142325

Anyone who knows me knows that I am pretty straightforward with my comments and am especially self-deprecating.  I have two things to say about this book that I co-authored:

-I really like that we now have technical books that are available electronically. I hated carrying around a massive book on planes.  Now I don’t have to but the auto-justify KILLS the configurations.  As a guy who learns new stuff by reading configuration flow, this is irritating as hell as it is tough to follow configs that are all jacked up based on formatting.  Jerking around with font size helps, but it is no picnic to read.

-As with any technology book, you are late to the game on some topics the moment you lock changes and the book goes to print.  We did not have time to really do a good job of Internet Edge/DMZ design and also any real depth on topics such as multi-homing.  While these designs are pretty much the same as what you already do with IPv4, we still wanted to cover them but didn’t, which disappoints me.

I hope you enjoy the book.  I have to get busy documenting minor errors in it so we can update the next printing batch. ;-)

Shannon

Posted in IPv6

My New Book – IPv6 in Enterprise Networks

You can pre-order the book I co-authored from Cisco Press (Pearson) or Amazon.  It comes in hardcover and eBook format.  It should be available April 7th, 2011.

Amazon:

http://www.amazon.com/IPv6-Enterprise-Networks-Networking-Technology/dp/1587142279/ref=sr_1_1?ie=UTF8&s=books&qid=1301616511&sr=1-1

Cisco Press (Hardcover):

http://www.ciscopress.com/bookstore/product.asp?isbn=1587142279

Cisco Press (Electronic):

http://www.ciscopress.com/bookstore/product.asp?isbn=1587142325


Posted in IPv6

Rocky Mountain IPv6 Summit – Registration Open

The annual Rocky Mountain IPv6 Summit in Denver, CO will be happening April 25, 2011 – April 27 at the Grand Hyatt Denver.

You can register here: http://conta.cc/f2vpHZ

More info about the event here: http://www.rmv6tf.org/IPv6Summit.htm

This event was fantastic last year and it is looking to be another great agenda this time around.  See you there.

Shannon

Posted in IPv6

What phase of IPv6 deployment are you in?

In the last blog entry we talked about the external and internal pressures many enterprise accounts are feeling as it relates to addressing, OS/Applications and other generic drivers that cause them to begin IPv6 planning and deployment.

In this entry we are going to talk about the three common phases many enterprises find themselves in when dealing with IPv6.   Most enterprises I work with generally fall into one of the three phases shown below.

Preliminary Research

Some are in the “Preliminary Research” phase where they are simply trying to get basic education: find out if IPv6 is real enough to pursue, what it can be used for, and what they would have to do cost-wise (CAPEX/OPEX) to get started.  I spend quite a bit of time performing what I call “first contact” meetings to help enterprises find/learn this basic info.

The critical element in this phase is to let the customer know that they are not the first to go down this path.  They need to know others have deployed and learned critical lessons based on real world mistakes that they need not repeat.  The other critical bit of work that happens here and throughout the life-cycle of deployment is the assessment: performing an initial end-to-end assessment of what can support IPv6, what has no clue about IPv6, and what, if anything, needs to be upgraded/replaced to get the organization where they need to be to support their goals for IPv6.  This is especially critical to help nail down time frames and budget.  Many enterprises get IPv6 for little-to-no cost as they get IPv6 support via a regular refresh.  As they come out of a depreciation cycle and begin to replace PCs, Data Center compute, OS updates, networking gear, newer application versions and the like, they most often get IPv6 support for free or at least have the capability to enable IPv6 later on.

I always tell customers I work with that “it is critical to know what you don’t know”.  If at the end of an assessment you find out that you have 2 years on a depreciation cycle and the gear/OS/application you have works fine today but lacks IPv6, you may determine that your deployment time line just got extended as you do not want to or need to prematurely break your purchasing cycle to just get IPv6 support.  Whatever the outcome, you must have the basic information on hand to make these decisions and that all comes via a thorough end-to-end assessment.

Pilot/Early Deployment

At some point you are ready to turn something on.  This could be in a very small lab with a few network devices, a client or two and a server with some basic application capabilities.  This could also be a quite extravagant environment with a smaller, but still significant representation of your real network.  This is ideal as you need to have some idea of what IPv6 will look like on your own production gear, OS, applications, topology, and against your own IT policies.  Some do not have the budget for this type of sandbox environment so they opt to select a few guinea pigs out of IT and, perhaps, some other department to participate in a pilot using their production network, but under very tightly controlled conditions.

Again, there is an ongoing assessment that is happening.  You update your product/feature/policy/training gap list continuously and, sadly enough, will be fighting your vendors for an accurate list of IPv6-supported products and services and for sufficiently detailed road maps.  Also, you may need to help the vendor account teams generate business justification data to get feature/performance parity on the more advanced products.

Production/Looking for Parity and Beyond

At some point in your lifetime you will end up with what is considered to be a “production quality” IPv6 deployment.  The definition of “production quality” varies for every enterprise.  What one enterprise would consider “good enough” would not even qualify as a successful pilot for another enterprise.  Whatever your level of expectation and whatever your criteria of success, you will still be working to ensure your assessment list is being worked, gaps are filled, vendors are dealt with, and everything else IT-related is updated and includes IPv6 as a critical element.

Only through a proper assessment, detailed gap analysis, testing and the formation of a cross-functional virtual team within IT, can an enterprise (or any organization) successfully deploy IPv6.

Shannon

Posted in IPv6

Common Market Drivers for IPv6 in the Enterprise

It has been awhile so prepare for a long entry.

At work, I was asked to summarize my customer engagements for the last few months.  This list, which includes all of the customers I have worked with regarding IPv6 deployment, has a name, date, and summary of the various meetings and action items.  As I read back through them all I realized that every one of them have 2-5 things in common.  If you have attended one of my Cisco Live “Enterprise IPv6 Deployment” sessions somewhere on planet earth at some point over the past 8 years, some of these will sound familiar.

There are really three elements to what is happening in many enterprise organizations as it relates to IPv6 deployment:

  1. External Pressure
  2. Internal Pressure
  3. New Opportunities

Let’s look at these in a bit more detail.  As the figure shows, the three elements have some kind of force (external, internal or both) as well as a potential for using IPv6 capabilities in a new technology, design or market.

External Pressure

Growth/Protection:

Many of the enterprise customers I work with are doing what any business does, and that is to grow their business or at least protect what they have.  I lost count of the number of enterprises that have already taken, or are trying to take, their businesses into emerging markets such as China, India, South America and other locales.  While the business folks are trying to sort out demographics, pricing models, legal stuff and import/export rules, the IT folks are hard at work trying to get things connected.  With the growing threat of globally routable IPv4 address exhaustion and the already tightly constrained access to this addressing in these emerging markets, enterprise organizations are either already being told “no” for new IPv4 addressing in these markets or fear they soon will be.  Basically, if you want to continue to grow or if you sell your products or services on the Internet, IPv6 matters to you, as you do not want to lose out on sales just because you did not support an IP protocol that others in the world are using.  This is an external pressure on the enterprise due to the IPv4 address exhaustion issue that can impact and is impacting their business today, not in two years, today.

Partnerships

I recently had the two most busy weeks of customer engagements I have had in probably 10 years.  I met with over 18 major enterprise customers in about 10 days in very deep IPv6 deployment conversations.  One third of them were talking to me about IPv6 deployment for no other reason than needing to peer with a partner organization (sub-contractor, manufacturing facility that makes stuff for them, Federal government contractor) that had already deployed IPv6 pervasively.  Like a vendor RFI/RFP check mark, these customers were being told “this is the way we are going and in order to maintain good business continuity you need to go this way also. At least when talking to us via IP”.  Again, this is an external pressure being applied when the enterprise account themselves may not have an immediate need for IPv6 deployment but those with whom they do business do. They must respond or threaten that relationship.  This is really no different than a product vendor such as Cisco: if a customer mandates a requirement for a feature, Cisco can either ignore it and lose the business or support it and maintain the relationship.

Internal Pressure

Operating Systems and Applications

This is an oldie, but a goodie.  I used to laugh at this one, but no more.  My friends at Microsoft have done a stellar job of getting a very good IPv6 stack in Microsoft Windows 7 and Server 2008.  They also shipped the OS with IPv6 enabled, which was not the case in XP/2003, thank goodness.  However, many enterprises are totally clueless of the fact that this is not just another client or server OS upgrade. The networking folks in IT are generally out of the loop on many OS upgrades as 1) they don’t own that part of IT and 2) they traditionally have not cared.  However, since Windows Vista and now with Windows 7 and Server 2008, there are boatloads of new and cool network-impacting features that all areas of IT should be knowledgeable about.  Stuff I tested and wrote about way back when such as the RFC 1323 functions (window scaling and timestamps), SACK (RFC 2018), TCP auto-tuning, and on the server side all of the RFC 1323 stuff plus Compound TCP (CTCP) and many more.  All cool stuff and all of it network impacting.  But, if you don’t know about them, what they do and how they interact (or break) with certain network-focused components, then you will pay dearly.  An older PPT I did on the topic of Microsoft OS impact on the network can be found at: http://bit.ly/6EaIK1

This idea of assuming that just because a new OS (Windows, Mac, Linux, whatever) lands on your network you don’t need to pay attention, as it should not matter, has never been more wrong than now with IPv6.  For years, I never talked to a single banking or finance customer about IPv6 until they started ringing my phone off the proverbial hook over the last year.  Many have discovered IPv6 on their networks via just basic link-local Router Advertisement (RA)/Neighbor Solicitation (NS) activity or full-on automatic tunneling behavior via Teredo or 6to4.  Sure, you can kill this behavior if you know it is happening, but often it is happening, and for a long period of time, without any knowledge of the OS or networking teams.  I recently talked to a customer who uses publicly routable IPv4 address space in their data centers and had recently upgraded from Microsoft Windows Server 2003 to Server 2008 R2.  All went very well, everything worked, everyone was happy.  However, they noticed that their network monitoring tools flat-lined on traffic that ‘should’ have been using IPv4.  Since IPv6 was enabled by default and link-local addresses were created, these servers immediately started communicating on-link with each other over IPv6 via their link-local addresses vs. IPv4.  In addition to this, since the hosts were using non-RFC1918 addressing, 6to4 interfaces/tunnels were formed, which troubled them greatly.  Everything still worked great, but the IT staff was going into a coma from not understanding that this is the default behavior.  In the end, they were educated on it, learned their lesson (hopefully) and actually embraced IPv6, kept it in the OS, deployed many applications over IPv6 transport and are quite happy with their decision.  Others may decide to kill IPv6 in the OS until they know what to do with it.  But, again, an external force causing a knee-jerk reaction.  This stuff is happening regardless of the vertical or market the enterprise is in.
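The ACE translation features listed in the earlier post (SLB64/NAT64, with no DNS64 on the box) and the Server 2008 R2 story above both come down to an IPv4 address being carried inside an IPv6 address. What follows is an added example, not code from this blog or from Cisco or Microsoft, that classifies IPv6 addresses seen by a monitoring tool and pulls out the embedded IPv4: RFC 6052 NAT64 mappings (the well-known prefix 64:ff9b::/96 by default, or any /96 network-specific prefix such as one you would configure on ACE or an ASR1k; the longer RFC 6052 prefix forms are not handled), 6to4 (2002::/16) and Teredo (2001::/32) addresses of the kind the Windows stack auto-configures on hosts with public IPv4, and link-local. The host names and the addresses in SAMPLE are constructed from documentation ranges plus the Teredo example address from RFC 4380; tunnel_report() is the sort of check that would have shown that customer which servers had brought up 6to4 and which public IPv4 address each one exposes.

```python
"""Classify IPv6 addresses seen on the wire and recover any embedded IPv4.

Added example (not from the original post, Cisco or Microsoft). Handles
NAT64 (RFC 6052, /96 prefixes only), 6to4 (RFC 3056), Teredo (RFC 4380)
and link-local. All sample data below is constructed.
"""
import ipaddress

WELL_KNOWN_NAT64 = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")          # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")               # RFC 4380
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")           # RFC 4291


def classify(addr, nat64_prefix=WELL_KNOWN_NAT64):
    """Return (kind, embedded_ipv4_or_None, details) for one IPv6 address.

    Bit offsets counted from the left of the 128-bit address:
      6to4   : 2002:<v4 at bits 16-47>::/48
      Teredo : 2001:0000:<server v4 32-63>:<flags 64-79>:<~port 80-95>:<~client 96-127>
      NAT64  : <96-bit prefix><v4 at bits 96-127>   (RFC 6052 /96 form only)
    """
    if nat64_prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in LINK_LOCAL:
        return ("link-local", None, {})
    if a in SIX_TO_FOUR:
        return ("6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF), {})
    if a in TEREDO:
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF                          # stored inverted
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)  # also inverted
        return ("teredo", client, {"server": server, "port": port, "flags": flags})
    if a in nat64_prefix:
        return ("nat64", ipaddress.IPv4Address(n & 0xFFFFFFFF), {})
    return ("native", None, {})


def synthesize_nat64(ipv4, nat64_prefix=WELL_KNOWN_NAT64):
    """Build the IPv6 form of an IPv4 address behind a /96 NAT64 prefix (RFC 6052).

    This is the same embedding a DNS64 resolver performs when it synthesizes an
    AAAA record for an IPv4-only server.
    """
    if nat64_prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(nat64_prefix.network_address)
                                 | int(ipaddress.IPv4Address(ipv4)))


def tunnel_report(observations):
    """Given (host, ipv6) pairs from a monitoring dump, list hosts that have
    auto-configured 6to4/Teredo tunnels together with the public IPv4 they expose."""
    findings = []
    for host, addr in observations:
        kind, v4, details = classify(addr)
        if kind in ("6to4", "teredo"):
            findings.append((host, kind, str(v4), details.get("port")))
    return findings


# Constructed sample in the shape of a flow-export / monitoring dump (hypothetical hosts).
SAMPLE = [
    ("srv01", "fe80::20c:29ff:fe3a:1"),                 # on-link link-local traffic
    ("srv02", "2002:c000:204::1"),                      # 6to4 on public v4 192.0.2.4
    ("lap07", "2001:0:4136:e378:8000:63bf:3fff:fdd2"),  # Teredo (RFC 4380 example)
    ("web01", "64:ff9b::c000:221"),                     # NAT64-mapped 192.0.2.33
    ("web02", "2001:db8::1"),                           # native global unicast
]

if __name__ == "__main__":
    for host, addr in SAMPLE:
        print(host, classify(addr))
    print(tunnel_report(SAMPLE))
```

Run it as-is to get a per-host classification; pass your own /96 prefix to classify() or synthesize_nat64() when the translator uses a network-specific prefix rather than 64:ff9b::/96. The two tunnel forms are the interesting ones for the monitoring gap described above: a 6to4 or Teredo address on an internal host means that host has a working path to the IPv6 Internet that the IPv4-centric tooling never saw.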

The final point here is about IPv6-only solutions such as Microsoft DirectAccess.  Microsoft does a great job of selling the idea of Microsoft DA to executives as an ease-of-use tool which then translates to those executives coming back and saying to their IT staff “thou shall deploy this”.  The IT folks start working with it and realize that this thing is IPv6-only.  Sure, my friend Sean Siler from Microsoft and his team did a killer job of allowing for a decision-process that allows for the client to determine if native IPv6 can be used or if some sort of encapsulation has to take place, but even with that, the application on the client and server needs to either directly support IPv6 or be protocol agnostic.  Either way, the application requirements may be more robust than what the IT staff are prepared for.  This creates friction with meeting the mandate or business requirement from the executive side and the ability to have the applications work over IPv6.

Fixing Old Problems

I am not going to spend much time on this as this topic could be a full series of blog entries on its own.  The point here is that bunches of enterprises face IT issues with stuff like Mergers & Acquisitions (M&A), and one of the most irritating issues in that space is colliding RFC1918 IPv4 address space.  Until one of the merged entities can be re-addressed (if needed) into the parent organization’s address space, a common short-term resolution (which very often ends up being permanent) is NAT overlap.  NAT overlap has been used for a long time by organizations all over the world.  Basically, NAT overlap is when you create a NAT pool that uses a non-colliding address space to allow endpoints and applications to be accessible between sites (such as reservation systems or other mission critical systems that both entities need to use immediately) until re-addressing solves the collision issue.  Now, IPv6 and how it plays…  I have had several customers come and say “we solved our M&A issue by creating an IPv6 overlay network that allows only those critical systems and users to communicate without this NAT overlap nightmare”.  Very often they achieve this in a very rapid way as they leave their existing network as-is and deploy just enough IPv6 to get the job done, which relieves the time pressure of mucking around with IPv4 to get it all to work with NAT overlap.  They can then focus on dealing with the collision issues in the background while business continues on as usual.

New Technology

IPv6 is a greenfield opportunity and using IPv6 and its massive address space to deal with new technologies such as SmartGrid (not really an enterprise-specific topic but still cool) is growing.  Also, the movement to large-scale Virtual Desktop Infrastructure (VDI) and specifically, Hosted Virtual Desktops (HVD) environments has left many customers in trouble as it relates to IPv4 space.  This is true due to the fact that most HVD deployments (i.e. VMware View, Citrix XenDesktop) are additive in nature.  With the exception of call center environments, most HVD deployments are adding virtual machine (VM) agents into the DC in addition to keeping the existing thick clients (PCs, Macs, other endpoints).  When you glue together the IP addressing demands for thick clients such as PCs or printers, servers, IP Phones and now, VMs to serve as HVD agents, you end up with a boatload of hosts chewing up IPs.  Right now, I have a MacBook Pro, with a VMware View client connected into our corporate data center, an iPad connected to a WebEx session and also my iPhone 4 connected to the corporate network all while I am listening to WebEx audio over my IP Phone. Do the math – that is a bunch of IP addresses being chewed up for one person.  Multiply this and you can see the challenge in a large network.  Customers are now telling me “if I went to IPv6, I resolve a bunch of issues I have with addressing. Yes, I have some short-term deployment challenges, but in the long run, I should be good to go, especially in my data center”.  This glues together HVD + IPv6 which then challenges vendors such as VMware, Citrix and Cisco to fill the gaps.

I will have dedicated posts on this topic that are not just around IPv6 addressing, but also around how IPv6 can help increase the number of hosts per VLAN, something many enterprise customers are testing and wanting to implement.  Stay tuned.

Sorry for the long post but we will work from this baseline of drivers to walk through enterprise deployment over the next few weeks.

Cheers,

Shannon

Posted in IPv6, Microsoft Stuff, Networking