[159874] in North American Network Operators' Group
Re: IPV6 in enterprise best practices/white papers
daemon@ATHENA.MIT.EDU (Seth Mos)
Sat Jan 26 16:31:03 2013
From: Seth Mos <seth.mos@dds.nl>
In-Reply-To: <CAP-guGX01KLj2cG3ASmfXbmpxZ6j=i1b0DZ++s4-W8Uq_vy-5Q@mail.gmail.com>
Date: Sat, 26 Jan 2013 22:30:43 +0100
To: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 26 Jan 2013, at 18:47, William Herrin wrote:
> On Sat, Jan 26, 2013 at 4:26 AM, Pavel Dimow <paveldimow@gmail.com> wrote:
>> I can start to create
>> AAAA records and PTR records in DNS and after that I should configure my
>> dhcp servers and after all has been done I can test ipv6 in LAN and
>> after that I can start configuring bgp with ISP.
>> Is this correct procedure?
>
> Nope.
>
> In their infinite(simal) wisdom the architects of IPv6 determined that
> a host configured with both a global scope IPv6 address and an IPv4
> address will attempt IPv6 in preference to IPv4. If you configure IPv6
> on a LAN without first installing your IPv6 Internet connection, that
> LAN will break horribly.
>
> Work your way from the outside in: start with BGP, then the interior
> routers and configure the LAN last.
+3
That's what I did too, it works the best, you really need to make sure that the connectivity you turn up actually works. I started with the internet connections, and luckily HE.net also offers free BGP tunnels for PI connectivity, which will do in a pinch and you still can maintain redundancy if only 1 ISP can actually do native yet.
From there I started with the firewalls and routers, dual stacked those first. I then did some servers, some Linux, some Windows. DNS was first, then email. I wish more ISPs dual stacked their email servers, they are prime candidates because nothing dies instantly and delivery is retried. It seems so obvious, and everybody is focusing on port 80, weird. Email for offices also seems like the prime candidate for end-to-end for businesses. More than websites.
I still see plenty of companies hosting their own email.
Oh, and if you add IPv6 on an AD server, do all of them at once. Because ipv6 is preferred, they will all try that single server with an IPv6 address. That is address preference for you!
So make sure that for some of the steps you deploy it just like IPv4, not a little bit, but all the way.
Add all the IPv6 addressing to your monitoring before going any further. You don't want to fly this blind. We use Nagios, it works well enough, I can't see BGP table size, but I can monitor next hop with ping6, so that worked fine.
The clients still don't have IPv6, but everybody browses the net via a dual stack squid proxy, so they didn't even notice. At some point in 2013 the clients will get an IPv6 address too, dhcp6 only, no autoconfig for management reasons.
Not that the clients can actually get out to the internet, they can't now with IPv4, so no change there.
Regards,
Seth
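The thread makes three operational points: dual-stack hosts prefer IPv6 over IPv4, so publishing AAAA records before the IPv6 path works breaks clients; a group of servers (the AD example) should get AAAA records all at once or not at all; and every IPv6 address should be in monitoring before going further. The following Nagios-style check, added here as an example and not code from the thread or from any poster, turns those three points into one plugin. It assumes the standard Nagios plugin exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN), the hostnames and 2001:db8:: addresses in the sample state are constructed, and the resolver and reachability functions are injectable so the logic can be exercised without a network.

```python
#!/usr/bin/env python3
"""Nagios-style plugin: a host group that publishes AAAA records must be
reachable over IPv6, and the group must move to dual-stack together.

Added example, not code from the NANOG thread. Exit codes follow the Nagios
plugin convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).
"""
import socket
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def resolve_v6(name):
    """Return the IPv6 addresses published for name (empty list if no AAAA)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable_v6(addr, port, timeout=3.0):
    """True if a TCP connection to the IPv6 literal addr on port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dual_stack(hosts, port, resolve=resolve_v6, reachable=tcp_reachable_v6):
    """Evaluate a group of hosts that should be dual-stacked together.

    CRITICAL: a host publishes AAAA but its IPv6 path is down; this is the
              state that breaks dual-stack clients, because they prefer IPv6.
    WARNING:  only part of the group publishes AAAA, so IPv6-preferring
              clients pile onto the few hosts that have it.
    OK:       nobody publishes AAAA yet (still IPv4 only), or everybody does
              and every published address answers over IPv6.
    Returns (status, message). resolve/reachable are injectable for testing.
    """
    published = {h: resolve(h) for h in hosts}
    with_aaaa = [h for h in hosts if published[h]]
    broken = [(h, a) for h in with_aaaa for a in published[h] if not reachable(a, port)]
    if broken:
        detail = ", ".join(f"{h} [{a}]" for h, a in broken)
        return CRITICAL, f"AAAA published but IPv6 path is down: {detail}"
    if with_aaaa and len(with_aaaa) != len(hosts):
        missing = ", ".join(h for h in hosts if h not in with_aaaa)
        return WARNING, f"partial dual-stack, hosts without AAAA: {missing}"
    if not with_aaaa:
        return OK, f"IPv4 only, no AAAA published for {len(hosts)} host(s)"
    return OK, f"dual-stack OK on {len(hosts)} host(s) over tcp/{port}"


# Constructed sample state (documentation prefix 2001:db8::/32, .test names):
# dc1 is fully dual-stacked, dc2 has no AAAA yet, dc3 publishes AAAA but its
# IPv6 path is down.
SAMPLE_AAAA = {
    "dc1.example.test": ["2001:db8:1::10"],
    "dc2.example.test": [],
    "dc3.example.test": ["2001:db8:1::30"],
}
SAMPLE_V6_UP = {"2001:db8:1::10"}


def sample_resolve(name):
    """Stand-in for resolve_v6 that reads the constructed sample state."""
    return SAMPLE_AAAA.get(name, [])


def sample_reachable(addr, port):
    """Stand-in for tcp_reachable_v6 that reads the constructed sample state."""
    return addr in SAMPLE_V6_UP


def demo():
    """Run the check against the sample state; returns {scenario: (status, msg)}."""
    def run(hosts):
        return check_dual_stack(hosts, 389, sample_resolve, sample_reachable)

    return {
        "v4_only": run(["dc2.example.test"]),
        "partial": run(["dc1.example.test", "dc2.example.test"]),
        "broken": run(["dc1.example.test", "dc3.example.test"]),
        "good": run(["dc1.example.test"]),
    }


if __name__ == "__main__":
    # Usage: check_dual_stack.py PORT HOST [HOST ...]   (live DNS and TCP)
    if len(sys.argv) < 3:
        print("UNKNOWN: usage: check_dual_stack.py PORT HOST [HOST ...]")
        sys.exit(UNKNOWN)
    status, message = check_dual_stack(sys.argv[2:], int(sys.argv[1]))
    print(f"{['OK', 'WARNING', 'CRITICAL'][status]}: {message}")
    sys.exit(status)
```

Run live as `check_dual_stack.py 389 dc1 dc2 dc3` from Nagios with the whole AD server set as arguments: the WARNING state catches a half-done rollout, and the CRITICAL state catches AAAA records that were published before the IPv6 transit actually worked, which is the ordering mistake the thread warns about.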