If you’ve worked with networking sometime in the last decade, I’m sure you’ve heard of this thing called IPv6. IPv6 has been around for quite a while, but it seems to be growing increasingly popular as of late.
My focus in this article will be some of the challenges with security and IPv6, primarily those that Cisco IPv6 First-Hop-Security (FHS) solves.
Several times I’ve found myself looking at the network traffic traversing a customer’s network, asking if they use IPv6.
Unfortunately, most of the time the answer is no, even though I can see the link-local and multicast addresses flying by my screen.
When I proceed to ask if they’ve added any security measures in the network to protect against IPv6 attacks, the answer is mostly: “Why would we need any IPv6 security if we don’t use IPv6?”
Tags: #ciscochampion, IPv6, IPv6-security
By Gina Nienaber, Marketing Manager, SP Product and Solutions Marketing
Cisco estimates over 50 billion new devices will be connected to the Internet by 2020. To support the Internet of Everything, service providers must undergo an infrastructure transformation. The network needs to become more open, programmable, automated, adaptive, and agile. To guide this transformation, the Cisco open network strategy for service providers is depicted as three interwoven layers: the Evolved Programmable Network (physical and virtual network Infrastructure), the Evolved Services Platform (for orchestration of resources) and Applications and Services layer to enable virtualized services such as Cloud VPN and Security. With these three layers working together, providers can begin to realize the benefits of an open network that is readily open to new devices, open for quickly enabling new services, and open to endless possibilities.
Last week, Cisco announced two Read More »
Tags: Cisco Evolved Programmable Network, control, epn, esp, evolved services platform, IPv6, NFV, open network architecture, open network strategy, programmability, SDN, Service Provider, SP, virtualization
The next stable OpenStack release codenamed “Juno” is slated to be released October 16, 2014. From improving live upgrades in Nova to enabling easier migration from Nova Network to Neutron, the OpenStack Juno release will address operational challenges in addition to providing many new features and enhancements across all projects.
As indicated in the latest Stackalytics contributor statistics, Cisco has contributed to seven different OpenStack projects including Neutron, Cinder, Nova, Horizon and Ceilometer as part of the Juno development cycle. This is up from five projects in the Icehouse release. Cisco also ranks first in the number of completed blueprints in Neutron.
In this blog post, I’ll focus on Neutron contributions, which are the major share of contributions in Juno from Cisco.
Cisco OpenStack team led Neutron Community Contributions
An important blueprint that Cisco collaborated on and implemented with the community was to develop the Router Advertisement Daemon (radvd) for IPv6. With this support, multiple IPv6 configuration modes including SLAAC and DHCPv6 (both Stateful and Stateless modes) are now possible in Neutron. The implementation provides for running a radvd process in the router namespace for handling IPv6 auto address configuration.
To support the distributed routing model introduced by Distributed Virtual Router (DVR), this Firewall as a Service (FWaaS) blueprint implementation handles firewalling North–South traffic with DVR. The fix ensures that firewall rules are installed in the appropriate namespaces across the Network and Compute nodes to support perimeter firewall (North-South). However, firewalling East-West traffic with DVR will be handled in the next development cycle as a Distributed Firewall use case.
Additional capabilities in the ML2 and services framework were contributed for enabling better plugin and vendor driver integration. This included the following blueprint implementations –
Cisco device specific contributions in Neutron
Cisco added Application Policy Infrastructure Controller (APIC) ML2 MD and Layer 3 Service Plugin in the Juno development cycle. The ML2 APIC MD translates Neutron API calls into APIC data model specific requests and achieves tenant Layer 2 isolation through End-Point-Groups (EPG).
The APIC MD supports dynamic topology discovery using LLDP, which reduces the configuration burden in Neutron for the APIC MD and also ensures data is in sync between Neutron and APIC. Additionally, the Layer 3 APIC service plugin enables configuration of internal and external subnet gateways on routers using Contracts to enable communication between EPGs as well as provide external connectivity. The APIC ML2 MD and Service Plugin have also been made available with the OpenStack Icehouse release. Installation and Operation Guide for the driver and plugin is available here.
Enterprise-class virtual networking solution using Cisco Nexus1000v is enabled in OpenStack with its own core plugin. In addition to providing host based overlays using VxLAN (in both unicast and multi-cast mode), it provides Network and Policy Profile extensions for virtual machine policy provisioning.
The Nexus 1000v plugin added support for accepting REST API responses in JSON format from Virtual Supervisor Module (VSM) as well as control for enabling Policy Profile visibility across tenants. More information on features and how it integrates with OpenStack is provided here.
As an alternative to the default Layer 3 service implementations in Neutron, a Cisco router service plugin is now available that delivers Layer 3 services using the Cisco Cloud Services Router (CSR) 1000v.
The Cisco Router Service Plugin introduces a notion of “hosting device” to bind a Neutron router to a device that implements the router configuration. This allows the flexibility to add virtual as well as physical devices seamlessly into the framework for configuring services. Additionally, a Layer 3+ “configuration agent” that interacts with the service plugin is also available upstream and is responsible for configuring the device for routing and advanced services. The configuration agent is multi-service capable, supports configuration of hardware or software based L3 service devices via device drivers, and also provides device health monitoring statistics.
The VPN as a Service (VPNaaS) driver using the CSR1000v has been available since the Icehouse release, as a proof-of-concept implementation. The Juno release enhances the CSR1000v VPN driver such that it can be used in a more dynamic, semi-automated manner to establish IPSec site-to-site connections, and paves the way for a fully integrated and dynamic implementation with the Layer 3 router plugin planned for the Kilo development cycle.
The OpenStack team at Cisco has led, implemented and successfully merged upstream numerous blueprints for the Neutron Juno release. Clearly, some have been critical for the community and others enable customers to better integrate Cisco networking solutions with OpenStack Networking.
Stay tuned for more information on other project contributions in Juno and on Cisco-led sessions at the Kilo Summit in Paris!
You can also download OpenStack Cisco Validated Designs, White papers, and more at www.cisco.com/go/openstack
Tags: ACI, APIC, CSR1000v, IPv6, Juno, Neutron, Nexus1000V, OpenStack
The North American IPv6 Summit is the largest annual IPv6 event in North America, designed to educate about IPv6 and the current state of IPv6 adoption. We were honored to receive industry recognition of Cisco’s IPv6 leadership and continued innovation with the Best of Show Award of Product and Service for the Cisco Wireless Controller.
As you read about earlier this summer, Wireless Release 8.0 added a cornucopia of features to our wireless offering, many of which are targeted specifically for upcoming technologies, including IPv6. Let’s look back to see how far we’ve come:
Anticipating the growing demand of the next generation IP and eyeing the arrival of World IPv6 day, Cisco released the first support for IPv6 in its Wireless LAN Controller (WLC) software version 7.0 in 2011. There has been a steady progression of feature support ever since. Client mobility appeared in version 7.2 a year later in time to celebrate the launch of IPv6 on the global Internet. Then came the release of 7.4 and its support of First Hop Security tools, enabling organizations to go beyond the lab and deploy IPv6 in a safe, secure manner.
Tags: 802.11, battery life, Cisco, controller, feature support, hot spot, Hotspot, internet, IPv6, LAN, mobile, mobility, multicast, network, protocol, retail, Revolution, social media, software, wi-fi, wifi, wireless, wireless LAN, wlan, WLC
For those that are not closely involved with IPv6, it may seem like the emphasis on migration to the new addressing scheme is waning. But while the hue and cry over IPv6 may appear to have quieted down to a background noise since 2010-2011, a closer inspection would prove that perception to be quite false.
What is IPv6 and why does it even matter? Simply put, when a device is on the Internet, it has its own specific address that it uses to communicate with other devices and the Internet and to define its location. With the non-stop growth of devices connecting to the Internet and the “Internet of Everything” (IoE) becoming a reality, the need for unique addresses for each personal device and machine-to-machine (M2M) connections has increased exponentially. To put this in perspective, the Cisco Visual Networking Index (VNI) 2013-2018 forecast estimates that there will be about 4 billion Internet users by 2018, which is 52% of the world’s projected population (7.6 billion people). And for every person on the Earth in 2018, there will be about 3 global Internet connections — that’s more than 21 billion devices/connections by 2018. The current communication and address format, IPv4, was just not equipped for this explosive growth of devices and connections and the need to define addresses for each device. Hence the need for a new communication protocol, IPv6.
(Source: Cisco Visual Networking Index (VNI) 2013-2018)
On 3 February 2011, the last batch of IPv4 address blocks was Read More »
Tags: ipv4, IPv6, Service Provider, visual networking index, vni