IPv6 in enterprise best practices/white papers

Seth Mos seth.mos at dds.nl
Sat Jan 26 21:30:43 UTC 2013

Op 26 jan 2013, om 18:47 heeft William Herrin het volgende geschreven:

> On Sat, Jan 26, 2013 at 4:26 AM, Pavel Dimow <paveldimow at gmail.com> wrote:
>> I can start to create
>> AAAA record and PTR records in DNS and after that I should configure my
>> dhcp servers and after all has been done I can test ipv6 in LAN and
>> after that I can start configure bgp with ISP.
>> Is this correct procedure?
> Nope.
> In their infinite(simal) wisdom the architects of IPv6 determined that
> a host configured with both a global scope IPv6 address and an IPv4
> address will attempt IPv6 in preference to IPv4. If you configure IPv6
> on a LAN without first installing your IPv6 Internet connection, that
> LAN will break horribly.
> Work your way from the outside in: start with BGP, then the interior
> routers and configure the LAN last.


That's what I did too; it works best. You really need to make sure that the connectivity you turn up actually works. I started with the internet connections, and luckily HE.net also offers free BGP tunnels for PI connectivity, which will do in a pinch, and you can still maintain redundancy if only one ISP can actually do native yet.

From there I started with the firewalls and routers, dual stacked those first. I then did some servers, some Linux, some Windows. DNS was first, then email. I wish more ISPs dual stacked their email servers; they are a prime candidate because nothing dies instantly and delivery is retried. It seems so obvious, and everybody is focusing on port 80, weird. Email for offices also seems like the prime candidate for end-to-end for businesses. More than websites.

I still see plenty of companies hosting their own email.

Oh, and if you add IPv6 on an AD server, do all of them at once. Because IPv6 is preferred, they will all try that single server with an IPv6 address. That is address preference for you!

So make sure that for some of the steps you deploy it just like IPv4, not a little bit, but all the way.

Add all the IPv6 addressing to your monitoring before going any further. You don't want to fly this blind. We use Nagios; it works well enough. I can't see BGP table size, but I can monitor the next hop with ping6, so that worked fine.

The clients still don't have IPv6, but everybody browses the net via a dual stack squid proxy, so they didn't even notice. At some point in 2013 the clients will get an IPv6 address too, DHCPv6 only, no autoconfig, for management reasons.

Not that the clients can actually get out to the internet; they can't now with IPv4, so no change there.
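Added example (editor's code, not Seth's or William's, and not part of the thread): the "IPv6 is preferred" behaviour both of them describe is RFC 6724 (formerly RFC 3484) destination address selection, and the script below models enough of it to reproduce the two failure modes in the thread. It assumes a constructed set of domain controllers behind one DNS name, of which only one has an AAAA record, and hosts with a global IPv6 address, with only a link-local IPv6 address, or with IPv4 only; all addresses are from the documentation ranges.

```python
"""
Added example (not from the NANOG thread): simplified RFC 6724 destination address
selection, showing why a dual-stack host with a global IPv6 address tries AAAA before
A records. Only rules 1, 2, 5, 6, 9 and 10 are modelled; all addresses are constructed.
"""
import ipaddress
from functools import cmp_to_key
from typing import List, Optional, Tuple, Union

IP = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    (ipaddress.ip_network("::1/128"), 50, 0),
    (ipaddress.ip_network("::/0"), 40, 1),
    (ipaddress.ip_network("::ffff:0:0/96"), 35, 4),  # IPv4-mapped, i.e. IPv4
    (ipaddress.ip_network("2002::/16"), 30, 2),      # 6to4
    (ipaddress.ip_network("2001::/32"), 5, 5),       # Teredo
    (ipaddress.ip_network("fc00::/7"), 3, 13),       # ULA
    (ipaddress.ip_network("::/96"), 1, 3),           # IPv4-compatible
    (ipaddress.ip_network("fec0::/10"), 1, 11),      # site-local
    (ipaddress.ip_network("3ffe::/16"), 1, 12),      # 6bone
]
LINK_SCOPE, SITE_SCOPE, GLOBAL_SCOPE = 2, 5, 14

def as_v6(addr: IP) -> ipaddress.IPv6Address:
    """RFC 6724 evaluates IPv4 addresses as IPv4-mapped IPv6 addresses."""
    return ipaddress.IPv6Address(f"::ffff:{addr}") if addr.version == 4 else addr

def policy(addr: IP) -> Tuple[int, int]:
    """(precedence, label) of the longest matching policy-table prefix."""
    a6 = as_v6(addr)
    _, prec, label = max((r for r in POLICY_TABLE if a6 in r[0]),
                         key=lambda r: r[0].prefixlen)
    return prec, label

def scope(addr: IP) -> int:
    if addr.is_loopback or addr.is_link_local:   # 127/8 and 169.254/16 count too
        return LINK_SCOPE
    if addr.version == 6 and addr.is_site_local:
        return SITE_SCOPE
    return GLOBAL_SCOPE   # ULA (fc00::/7) is global scope in RFC 6724

def common_prefix_len(a: IP, b: IP) -> int:
    """Leading bits shared by a and b on their 128-bit (mapped) form."""
    return 128 - (int(as_v6(a)) ^ int(as_v6(b))).bit_length()

def select_source(dest: IP, host_addrs: List[IP]) -> Optional[IP]:
    """Simplified RFC 6724 section 5: the host address that would be used to reach dest.
    None means the host has no address of that family, so dest is unusable."""
    same_family = [s for s in host_addrs if s.version == dest.version]
    if not same_family:
        return None
    dest_scope = scope(dest)

    def rank(src: IP):
        src_scope = scope(src)
        covers = src_scope >= dest_scope                 # source rule 2
        label_match = policy(src)[1] == policy(dest)[1]  # source rule 6
        # Source rule 8: smallest scope that still covers dest, else the largest one.
        return (not covers, not label_match,
                src_scope if covers else -src_scope, -common_prefix_len(src, dest))
    return min(same_family, key=rank)

def compare_dest(da: IP, db: IP, host_addrs: List[IP]) -> int:
    """Pairwise RFC 6724 section 6 comparison; negative means da is tried first."""
    sa, sb = select_source(da, host_addrs), select_source(db, host_addrs)
    if (sa is None) != (sb is None):            # rule 1: avoid unusable destinations
        return 1 if sa is None else -1
    if sa is None:
        return 0
    ma, mb = scope(da) == scope(sa), scope(db) == scope(sb)
    if ma != mb:                                # rule 2: prefer matching scope
        return -1 if ma else 1
    la, lb = policy(da)[1] == policy(sa)[1], policy(db)[1] == policy(sb)[1]
    if la != lb:                                # rule 5: prefer matching label
        return -1 if la else 1
    pa, pb = policy(da)[0], policy(db)[0]
    if pa != pb:                                # rule 6: native IPv6 (40) beats IPv4 (35)
        return -1 if pa > pb else 1
    if da.version == db.version:                # rule 9: longest matching prefix
        ca, cb = common_prefix_len(da, sa), common_prefix_len(db, sb)
        if ca != cb:
            return -1 if ca > cb else 1
    return 0                                    # rule 10: keep the resolver's order

def sort_destinations(candidates: List[str], host_addrs: List[str]) -> List[str]:
    """Order the addresses a resolver returned the way a dual-stack host tries them."""
    dests = [ipaddress.ip_address(c) for c in candidates]
    srcs = [ipaddress.ip_address(h) for h in host_addrs]
    ordered = sorted(dests, key=cmp_to_key(lambda a, b: compare_dest(a, b, srcs)))
    return [str(d) for d in ordered]

# Constructed scenario: three domain controllers behind one DNS name; only the
# third record is an AAAA because one DC got IPv6 before the others.
DC_RECORDS = ["192.0.2.11", "192.0.2.12", "2001:db8:1::10", "192.0.2.10"]
HOST_DUAL_STACK = ["2001:db8:1::50", "fe80::1", "192.0.2.50"]
HOST_LINK_LOCAL_V6 = ["fe80::1", "192.0.2.50"]   # IPv6 on, but no global address

if __name__ == "__main__":
    for name, host in [("dual-stack", HOST_DUAL_STACK), ("link-local v6", HOST_LINK_LOCAL_V6)]:
        print(f"{name:14s} tries {sort_destinations(DC_RECORDS, host)}")
```

Run it and the dual-stack host tries 2001:db8:1::10 first, so every client that has a global IPv6 address lines up on the one DC with an AAAA record; the host with only a link-local IPv6 address (rule 2, scope mismatch) and the IPv4-only host (rule 1) both keep trying IPv4 first. Note what the algorithm does not look at: whether the host's IPv6 default route leads anywhere. That is why a LAN with global IPv6 addresses but no working upstream breaks the way William describes, and why the fix is to turn up and monitor the upstream first. Happy Eyeballs browsers (RFC 6555) race both families and hide this; a plain getaddrinfo()-then-connect() client walks the list in this order and waits for each timeout.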



More information about the NANOG mailing list