Windows Production Environment - IPV6 setup
Shadow Hawkins on Friday, 26 June 2009 01:56:51
I am the administrator for a small Windows domain. I would like to set up a dual stack environment (add IPV6 networking on top of our current IPV4). All the information I see appears to be about home networks - or single servers, or lab environments. What about production environments? My ISP (Telepacific) has stated that they do not as of yet support IPV6 and will not supply me with IPV6 addresses. I run a Juniper SSG20 as my firewall and see some posts for configuring SSG5 firewalls. My IPV4 network has static global IP addresses and we use NAT with all internal nodes having private IP addresses. All of my new servers are Windows 2008 and my desktops / laptops are Vista or Windows 7.
Please advise. I still seem to be missing something (or a few things :-)).
Shadow Hawkins on Monday, 29 June 2009 02:31:10
What is your production need or desire for IPv6? I want to promote the use of IPv6, but running IPv6-only or dual stack takes extra administrative effort at this time, and you'll need a justification for that in a production environment.
That said, again, what is your goal? Here are some that I can imagine:
- Want public web (or mail, ftp, etc.) servers available to IPv6 internet (for future-proofing or current clients or prospective clients who are on IPv6)
- Need employees to access work computers without VPN
- Have specific application needs better served by IPv6 than NAT
- Future-proofing infrastructure
Your goal will clarify your options. Also, do you have more than one subnet? Check my SixXS Wiki page or other IPv6 resources for explanations of the various link scopes I'll mention below.
If you just want to use private IPv6 addressing (doubtful but certainly possible) you should pick a Unique Local Addressing /48 range and use it internally. Site Local addressing is deprecated, and Link Local addressing is not meant for general transport.
Since you have a static global IPv4 address you automatically have a 6to4 /48 of global IPv6 addresses available. While not a permanent solution it may suffice until you have native IPv6 through your ISP. If your router doesn't handle the tunneling and IPv6 routing then you could forward protocol 41 packets from your existing router to a PC or router that can handle the conversion, and use that device as your IPv6 gateway. A possible downside is that I'm not sure how reliable 6to4 is as the path relies on an IPv4 anycast address, and in my brief experiments there are usually a lot of hops involved in using 6to4, and the forward and reverse paths may be quite different.
I can't think of a production use for Teredo, so avoid that.
Or you can get a tunnel and subnet from a tunnel broker. I know there are for-pay tunnel brokers, and if I were running a production IPv6 tunnel I'd check into what I'd get (SLA? Phone support? On-site install support?) and not get for the money. But as a home user I'm thrilled with SixXS for free so far. A tunnel is also not permanent, but will certainly do until native IPv6 is ubiquitous. Since you have a static IP I expect you'll have the same setup issues as 6to4 with either getting your router to handle the tunnel and IPv6 routing or setting up a second device and forwarding protocol 41 packets from your IPv4 gateway to your IPv6 tunnel endpoint. But you won't have the indeterminate routing of 6to4, and your IPv6 subnet won't change if your IPv4 address changes.
If you just want public servers available on IPv6 you might set up just a DMZ network with v6, or you might get a hosted server or VPS with IPv6 capability rather than shoehorn it into your NAT network.
If you need access to IPv6-only material (hard to imagine at this point, but someday...) you could again have a DMZ with proxy servers.
But it all starts with "why?".
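An added example, not part of the posts above: a Python sketch of the two addressing options mentioned in this reply, deriving the 6to4 /48 (2002:V4ADDR::/48, RFC 3056) from a static global IPv4 address and building an RFC 4193 Unique Local /48, then going one step further and carving one /64 per internal subnet. The function names, the subnet names and the sample address 192.0.2.1 (a documentation address) are assumptions made for illustration.

```python
import ipaddress
import os
from itertools import islice

# IPv4 ranges that can never yield a usable 6to4 prefix (private, CGN, loopback, link-local).
NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def sixto4_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """Return the 6to4 /48 for a global IPv4 address: 2002:<32-bit IPv4>::/48."""
    v4 = ipaddress.IPv4Address(public_v4)
    if any(v4 in net for net in NOT_ROUTABLE):
        # A NATed inside address is useless here; the router's outside address is needed.
        raise ValueError(f"{v4} is not a global address")
    base = (0x2002 << 112) | (int(v4) << 80)  # 16-bit 2002, then the IPv4 address
    return ipaddress.IPv6Network((base, 48))


def ula_prefix(global_id: bytes = b"") -> ipaddress.IPv6Network:
    """Return an RFC 4193 Unique Local /48: fd00::/8 plus a 40-bit global ID."""
    gid = global_id or os.urandom(5)  # random by default, so sites rarely collide
    if len(gid) != 5:
        raise ValueError("global ID must be exactly 40 bits (5 bytes)")
    base = (0xFD << 120) | (int.from_bytes(gid, "big") << 80)
    return ipaddress.IPv6Network((base, 48))


def subnet_plan(site: ipaddress.IPv6Network, names: list) -> dict:
    """Assign consecutive /64s from a /48 to the named internal subnets."""
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    return dict(zip(names, islice(site.subnets(new_prefix=64), len(names))))


if __name__ == "__main__":
    site = sixto4_prefix("192.0.2.1")          # constructed sample address
    print("6to4 site prefix:", site)
    print("ULA site prefix: ", ula_prefix())
    for name, net in subnet_plan(site, ["servers", "desktops", "dmz"]).items():
        print(f"  {name:10} {net}")
```

Record a generated ULA prefix once and reuse it; calling `ula_prefix()` again produces a different site prefix.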
Shadow Hawkins on Monday, 29 June 2009 16:16:12
I'm also the admin of a small domain. I have an ASA5520 that supports IPv6 transport, so we're using that. Used to be running everything over FreeBSD (acting as both a tunnel and router), but I'm not good with IPtables, so I moved it to the ASA. AT&T doesn't know when they're going to start handing out IPv6 addresses, so I got one through SixXS.
Internally, we're set up the same way as you...Vista on the desktops and Server 2008/2003 on servers. The config of IPv6 was pretty easy and I was able to do it during the day.
The only thing I don't have running over IPv6 is Exchange, and that's only because Exchange 2007 doesn't support it if you're running on Server 2003.