Good engineering practices dictate that when we prepare to build something we must plan for the long-term operations. Having the ability to properly manage the technology after it is deployed will ensure its longevity. If the system is neglected, it will become unreliable and eventually fail. There are many organizations that have deployed IPv6 at their Internet perimeters, yet they lack the ability to manage the usage of this new protocol. Having the right IPv6-capable management tools will give us visibility into our IPv6 deployments.
Many organizations have deployed IPv6 at their Internet perimeter. Other organizations may have IPv6 traffic traversing their DMZs and they do not even realize it. There could be 6in4 tunnels in use that allow the IPv6 traffic to be transported within IPv4 encapsulation. Both of these types of organizations need to be able to maintain their IPv6-enabled systems and troubleshoot IPv6-related problems. These organizations will be operating a dual-protocol environment for many years and they must develop the capability to maintain both protocols.
Tom Coffeen, Infoblox IPv6 Evangelist, wrote an article on this subject titled "Are you neglecting IPv6 network management?" The good advice in this article prescribes that you should have IPv6-capable Network Management Systems (NMSs) as you deploy IPv6.
The issue that we come across frequently is that an organization may have IPv6 deployed at their Internet perimeter, but the network engineers are located internally and they lack any ability to troubleshoot IPv6. Some companies may choose to use a jump box that borders the internal IPv4-only network and the IPv6 Internet to facilitate those administrators reaching the IPv6 perimeter. Some organizations use a router to terminate Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels from specific administrators' IPv4-only connected computers. A few organizations have elected to use a Cisco ASA 5500 firewall and use the AnyConnect SSL VPN to facilitate IPv6 reachability with increased security.
If an organization has IPv6-enabled their public-facing web server then they need visibility into how their IPv6-capable web site is operating. They need some external system on the IPv6-enabled Internet to connect back to their site to validate reachability over native IPv6 transport. There are several ways to accomplish this. One possible option would be to select an IPv6-capable hosting provider and have an IPv6 Internet-connected server that can perform this external monitoring. They can use simple utilities like Wget to connect to their site over IPv6 ("wget -6 http://www.example.com"). It is also possible to use ping, traceroute, nmap, and a host of other tools to validate end-to-end IPv6 reachability. The other option is to use a service that can make IPv6 connections to the IPv6-enabled site.
Nephos6 offers their v6Sonar (v6sonar.com) service that helps troubleshoot IPv6-enabled web sites and measure end-user experience. This site is particularly useful and provides attractive graphs and charts that show the site's performance from several test points around the world. Ciprian Popoviciu, President/CEO of Nephos6 gave a presentation on "Quantitative Metrics for IPv6 Enablement" at the 2013 North American IPv6 Summit that describes the benefits of this type of system.
There are commercial web monitoring services like Keynote Internet Testing Environment (KITE) and Compuware Application Performance Management (APM) (formerly Gomez). There is also a free site called "ipv6 test" that can validate the IPv6 Internet reachability of a web site.
Looking Glasses are also helpful at diagnosing BGP routing problems. Looking glasses show an external view of the BGP routing advertisements and can even test reachability to the IP addresses. There are now many looking glasses that are IPv6 capable and show IPv6 BGP routes and test native IPv6 Internet reachability. http://lookinglass.org and http://www.bgp4.as/looking-glasses are a couple of sites that have links to the IPv6-capable looking glasses that are used on a regular basis. Hurricane Electric's http://bgp.he.net is one of the more useful sites with IPv6 functionality and can quickly become an indispensable tool for IPv6 troubleshooting.
It is also important to validate that the IPv6-enabled E-mail server is operating properly. An organization can test their IPv6-enabled E-mail server with several E-mail reflectors that can check for IPv6 connectivity. You simply send E-mail to one of these E-mail addresses and then receive a response that shows the IPv6 E-mail reachability.
IPv6-Capable Network Management
There are many network management tools that have IPv6 support. They can communicate with the network devices and servers over IPv4 or IPv6 transport. They can also query those devices and servers about their IPv6 configuration, performance and status. SolarWinds' Orion, NCM, and IPAM software all have IPv6 capabilities. Infoblox NetMRI (formerly Netcordia) has the ability to perform IPv6 discovery and manage IPv6-enabled devices. Cisco Prime Infrastructure (formerly Cisco Prime LAN Management Solution (LMS)) has had IPv6 functionality that dates back to the Cisco Campus Manager product. HP Intelligent Management Center (formerly OpenView Network Node Manager (NNM) Advanced Edition) has had the ability to monitor IPv6 devices for many years.
A recent Network World article on network management mentioned that organizations will need to maintain their dual-protocol network environments. The article, written by Barry Nance and titled "How to keep your network in tip-top health", tested six different network management suites and states that some of these management systems work with IPv6.
There was another recent Network World NMS tool review article by Susan Perschke titled "Top open source network management tools" that tested four open source NMS platforms. This article reviewed these top open source NMSs and found that Zenoss Core, OpenNMS, and Nagios Core supported IPv6, but NetXMS did not.
Having an IPv6-capable management system is just one piece of the puzzle. Many organizations have IPv6-capable management platforms, but they are located on IPv4-only administrative networks. These admin and Out-of-Band (OOB) networks are IPv4-only and do not have direct connectivity to the perimeter systems that are actively using IPv6. Therefore, the NMS is not able to natively test connectivity to the DMZ. However, this is not necessarily a show-stopper because the NMS could still make SNMP queries over IPv4 transport for IPv6 MIB information. The NetFlow flow export data that includes information about IPv6 flows can be sent over IPv4 UDP to the NetFlow collector system. One can still use SSH over IPv4 transport to reach a router configured for IPv6. The NMS can communicate to the IPv6-enabled devices over IPv4 transport, so long as the NMS is able to discover that the device is using IPv6.
Achieving operational excellence with IPv6 involves a strategy that encompasses People, Process and Technology. If an organization relies solely on technology then they are not going to be as successful as if they were to focus equally on all three of these disciplines. Having trained staff that is able to troubleshoot and maintain the IPv6 systems is critical to achieving high availability. Having troubleshooting and management processes that account for operating an IPv4 and an IPv6 environment in parallel is highly valuable.
The cost of downtime can be significant, depending on the nature of the business and the intangible negative reputation and customer dissatisfaction that results from an outage. Having good troubleshooting practices can help reduce the Mean Time To Repair (MTTR), thus improving availability of the mission-critical systems. During IPv6 deployment, the network and system configurations will be changing quickly, and manual configuration changes increase the likelihood of human error. Having the people, processes and technology that facilitate rapid troubleshooting of the IPv6-enabled systems will pay dividends.
The organizations that have IPv6 deployed on their Internet perimeters may not yet have created diagrams that show their IPv6 addressing in the same way they have topology diagrams of their IPv4 connectivity. One possibility is to use Microsoft Visio with layers for IPv4 and for IPv6. Manually updated documentation can quickly become out of date if not maintained by a disciplined staff. Systems that self-document or provide an automated way to document the network may be a better, but more costly option. Regardless, having that documentation of the evolving IPv6 roll-out will help with the troubleshooting efforts.
Providing IT staff with the tools necessary for end-to-end IPv6 connectivity testing and troubleshooting is a requirement. If the staff does not have ready access to the tools, or is unfamiliar with how to use them efficiently, then the MTTR will be longer than necessary. When it comes time to perform packet captures, being familiar with how to set a capture filter or display filter to find the IPv6 needle in the haystack of IPv4 traffic will improve the troubleshooting results. The longer it takes to gain visibility into the IPv6 traffic flows, the longer the diagnosis of the issue will take.
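The following added example (not from the original article) shows what the capture filters "ip6" and "ip proto 41" select, by classifying raw frames as plain IPv4, native IPv6, 6in4, or ISATAP, the two tunnel types mentioned earlier. The function names and sample frames are constructed for illustration, frames are assumed to be untagged Ethernet II, and ISATAP is recognized by the RFC 5214 interface identifier.

```python
import ipaddress
import struct
from collections import Counter

# RFC 5214: an ISATAP interface ID begins 0000:5efe or 0200:5efe, then the IPv4 address.
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")

def classify_frame(frame: bytes) -> str:
    """Label one untagged Ethernet II frame by how (or whether) it carries IPv6."""
    if len(frame) < 14:
        return "malformed"
    ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x86DD:
        return "native-ipv6"                          # capture filter: ip6
    if ethertype != 0x0800:
        return "other"
    ihl = (payload[0] & 0x0F) * 4 if payload else 0   # IPv4 header length in bytes
    if ihl < 20 or len(payload) < ihl or payload[0] >> 4 != 4:
        return "malformed"
    if payload[9] != 41:                              # protocol 41 = IPv6-in-IPv4
        return "ipv4"
    inner = payload[ihl:]                             # capture filter: ip proto 41
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "malformed"
    # Inner source interface ID starts at byte 16, destination at byte 32.
    if inner[16:20] in ISATAP_IIDS or inner[32:36] in ISATAP_IIDS:
        return "isatap"
    return "6in4"

def summarize(frames) -> dict:
    """Count frames per label so tunneled IPv6 stands out from the IPv4 bulk."""
    return dict(Counter(classify_frame(f) for f in frames))

# Constructed sample frames (documentation addresses, not captured traffic).
def _eth(ethertype: int, payload: bytes) -> bytes:
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def _ipv6(src: str, dst: str) -> bytes:
    pack = lambda a: ipaddress.IPv6Address(a).packed
    return struct.pack("!IHBB", 0x60000000, 0, 59, 64) + pack(src) + pack(dst)

SAMPLE_FRAMES = [
    _eth(0x0800, _ipv4(6, b"\x00" * 20)),                                     # IPv4/TCP
    _eth(0x86DD, _ipv6("2001:db8::1", "2001:db8::2")),                        # native
    _eth(0x0800, _ipv4(41, _ipv6("2001:db8::1", "2001:db8::2"))),             # 6in4
    _eth(0x0800, _ipv4(41, _ipv6("2001:db8::5efe:c000:201", "2001:db8::2"))), # ISATAP
]
```

Calling summarize(SAMPLE_FRAMES) returns a per-label count; on a perimeter capture, any "6in4" or "isatap" count on a segment where no tunnels are documented is the unnoticed IPv6 traffic described earlier.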
Organizations should consider how they intend to manage IPv6 before they deploy IPv6. Organizations probably already have some IPv6 traffic on their networks that they might not be aware of. If they lack this visibility, it will compromise their ability to troubleshoot IPv6-related issues. As organizations are planning their IPv6 deployment they should validate the NMS software for IPv6 capability. If the software does not have IPv6 capabilities, then they should query their current vendor about its IPv6 capabilities roadmap. If the current vendor lacks IPv6 capabilities and lacks a vision for IPv6, then they will likely be shopping for a new NMS. Organizations should also develop the ability to troubleshoot IPv6 as they are deploying it, so that the IPv6 deployment is sustainable.