Enterprise & Service Provider
As service providers and enterprises add IPv6 applications to their networks, it is imperative that the networks be designed and built to efficiently support the simultaneous use of both IPv4 and IPv6. To support this, Foundry Networks has developed a set of dual-protocol networking solutions that have been designed with embedded support for the high-speed switching and routing of IPv4 and IPv6 traffic, as well as the IPv6 transition mechanisms that have become popular in the industry. In addition, two pieces that are frequently overlooked in the design of dual-protocol networks, security and management, have been embedded in Foundry's IPv6 networking solutions. The first is a set of extensions to provide IPv6-aware VLANs and access control lists. The second is a high-speed implementation of the sFlow RFC. This article discusses the features necessary to build highly functional, dual-protocol networks that provide instrumentation for network-wide visibility and extended support for security.
Dual-Protocol Network Transition Methodologies
Clearly there must be a transition that allows for IPv6 to co-exist with IPv4 network equipment and applications. A range of options is available to implement this transition. One option is for IPv6 application islands to be tunneled over IPv4 networks. This allows IPv6 applications to talk to other IPv6 applications, but given there are so many existing IPv4 applications, this has its limitations. The other option is for a gateway to be used to interconnect IPv4 and IPv6 applications. There are a number of methods for providing this gateway service. All have performance limitations and are difficult to manage. There are also methods for providing services for the coexistence of IPv6 applications and nodes on actual IPv4 networks. For example, ISATAP allows an IPv6 node to operate on an IPv4 network.
Regardless of which of these technologies and methodologies one chooses, given the sudden push for IPv6, many operators are now looking for core networking equipment that provides scalable, high-performance, highly reliable IPv4 and IPv6 support. As they upgrade their networks, they must be able to support both IPv4 and IPv6 switching and routing in high-speed hardware, they must have embedded support for IPv6 transition technology, and they must have underlying support for the security and manageability services needed to ensure the operational viability of their networks.
Delivering Core IPv6 Services for Dual-Protocol Networks
Foundry's FastIron & NetIron product families provide full support for hardware-based IPv4 and IPv6 switching. The key to this technology is that both IPv4 and IPv6 forwarding are done using an advanced hardware-based dual-stack architecture, delivering wire-speed packet forwarding. For enterprise aggregation, core density and performance, the FastIron RX family of products provides high-speed IPv4 and IPv6 routing and switching. For highly scalable operator environments, the NetIron IMR and XMR families support FDR (Foundry Direct Routing), which provides large-scale hardware-based routing with the capacity to support many copies of the entire Internet routing table in hardware.
To control the high-speed dataplane, Foundry's IronWare operating system supports a range of both unicast and multicast IPv4 and IPv6 routing protocols. This includes:
For service providers, it is critical that next-generation network equipment have high-density port configurations, be extremely reliable & resilient, and support high-speed IPv6 forwarding. In addition, support for protocols like IS-ISv6, PIM-SSMv6 and BGP-4+ is needed to ensure that new services are delivered reliably and managed efficiently.
In addition to the routing protocols, embedded support for IPv4-to-IPv6 transition software must be provided as part of the edge & core infrastructure. This is especially important in enterprise environments where new IPv6 applications must coexist with existing IPv4 applications and networks. To this end, Foundry provides three different types of tunneling to facilitate the migration to IPv6 in an IPv4 world: 6to4, as well as both configured and automatic tunnels.
Access control and security is the area where enterprises & network operators frequently have little visibility into or control over their operations. To provide this control, Foundry's IronWare provides IPv6 protocol VLANs, which allow the creation of separate IPv4 and IPv6 broadcast domains. IronWare also supports wire-speed extended IPv6 access control lists (ACLs). This includes the ability to identify traffic based on source/destination IP address, IP protocol type, TCP/UDP port, IP precedence or ToS values. The ACL support also allows selective ACL logging and can scale up to 120,000 ACLs.
Embedded sFlow for Network Wide Visibility