R1.3.1 IPv6 on Cisco ACE 30 and ACE 4710

Vikas Deolaliker
ECBU Product Management
Version Date: September, 2011

NDA Required Cisco Highly Confidential © 2010 Cisco Systems, Inc. All rights reserved.

Availability – September 20th, 2011

Ordering Guide

Performance

Device | Layer 4 Connections per second | Layer 4 Throughput (Gbps) | Layer 7 Requests per second | SSL TPS | SSL Bulk (Gbps) | Compression (Gbps)
ACE20-V4 | 545,578 | 11.5 | 214,397 | 31,403 | 6.534 | 6.5
ACE30-V6 | 409,774 | 12.1 | 173,327 | 32,469 | 5.32 | 6.7
ACE30-V4 | 500,191 | 11.4 | 198,100 | 31,496 | 6.326 | 6.587
ACE30V6XV4 | 285,438 | 12.3 | 151,825 | 31,853 | |
ACEAPP-4.1V4 | 102,007 | 3.6 | 35,500 | 7096 | 1.2 | 2.4
ACEAPP-5.1V6 | 64,515 | 3.8 | 26,910 | 6639 | 1.1 | 2.0
ACEAPP-5.1V4 | 94,071 | 3.8 | 32,994 | 6890 | 1.1 | 2.1
ACEAPP-5.1V6XV4 | 65,369 | 3.8 | 28,305 | 6719 | |
6.641 ACE30V4XV6 1.9 ACEAPP-5.1V4XV6

IPv6 on ACE Overview

IPv6 support for load balancing, management and gateway. USGv6 and IPv6 Ph2 Logo compliance ready.

Available on ACE 30 and ACE4710 September 20th, 2011

[Diagram: ANM, Catalyst, ACE, server farm; IPv4-to-IPv4]

KEY FEATURES

- MANAGEMENT: Enable management of IPv6 over IPv4 interface on ACE through
  i. CLI on Module/Appliance
  ii. DM for ACE 4710
  iii. ANM for ACE-30 and ACE-4710
- SLB: Enable load balancing of IPv6 servers with functionality
  i. Sticky
  ii. ACLs
  iii. Health checks
- COMPLIANCE: Enable ACE-30 and ACE4710 to comply with IPv6 base profiles for network devices from DISR and Cisco Arch. Guidelines
- GATEWAY: V6 Gateway for HTTP/HTTPs
  i. V6 to V4 and V4 to V6 translation

More Specifically…

SLB Services applied to V6 VIP … that load balances to servers … and is managed via v4 interface by v6 enabled manager.

IPv6 Enhanced SLB Services; IPv6 Enabled Services to Servers in SF; Management Services

1. IPv6-based SLB predictors
2. IPv6 based classMap
3. IPv6 based stickiness
4. IPv6-based Source NAT
5. IPv6-based Extended ACLs
6. SSL, incl. Client Certificate Authentication
7. IPv6-based probes
8. IPv6-based SLB stateful HA over IPv4 FT VLAN
9. Load balancing packets on a port channel based on IPv6 address, TCP/UDP port
10. IPv6 DSR Support (Transparent server farm)
11. IPv6 TCP/IP Normalization
12. Add Static IPv6 routes
13. V6 Gateway for translation between v6/v4 clients to v6/v4 servers
14. IPv6 or IPv4 addressing
15. DHCPv6 Relay
16. Protocols supported in Phase I: (HTTP, SSL, DNS) Phase II: (SIP, Radius, DIAMETER, RTSP)
17. Virtualized dual-stack IPv4/IPv6
18. IPv6 baseline Compliance
19. DM for ACE 4710
20. Support in ANM for IPv6

Transparency with IPv4 Deployments

A dual-stack approach to IPv6 enables ACE to support all deployment models (NAT, Bridge Mode) with minimal loss of performance for IPv4 traffic.

[Diagram: IPv6 on ACE; Server Farm – V4, Server Farm – V6; One Arm, Two Arm, Routed, DSR, Bridged; IPv4-to-IPv4, IPv6-to-IPv6, IPv6-to-IPv4; IPv4 Clients, IPv6 Clients]

Key Differentiators

Deployment Mode Support
• F5 does not have Bridge Mode with DSR
• V6 Gateway Support (Translation between v6/v4 clients to v6/v4 servers)
• Support for HTTP/s

Latency of IPv6 Web App
• F5 translates/gateways regardless of configuration. (Hint: product called gateway)
• Gateway sold as product module i.e. consumes the CPU and has no acceleration

Solution Approach
• F5 does not work when frontended with FW
• F5 does not support VPN services on IPv6

Phased Implementation

[Diagram: IPv6 on ACE; Server Farm – V4, Server Farm – V6; One Arm, Two Arm, Routed, DSR, Bridged; IPv4-to-IPv4, IPv6-to-IPv6, IPv6-to-IPv4; IPv4 Clients, IPv6 Clients; Phase I, Phase II]

1 Compliance
  I. USGv6
  II. IPv6 Ph2 Logo
2 SLB Services
  I. Virtual Dual Stack
  II. ALL Deployment Models
  III. Latency under 130ms
  IV. L3 V6-V6 SLB
  V. CLI/Configuration Consistency with IPv4
  VI. V6 Gateway
  VII. V6 Gateway for SIP, Radius, Diameter, RTSP, IMAP, SMTP, POP3
3 Protocol Support
  Phase I: HTTP/s, SSL, DNS
  Phase II: SIP, Radius, Diameter, RTSP
4 Hybrid Server Farm
  I. Hybrid Server Farms with richer SLB policies attached to hybrid servers (dual stack
5 V6 Management
  I. SAC of ServerFarm
  II. V6 Transport for Mgmt Apps

Product or Feature Target Roadmap

IPv6 on ACE is expected in Q4 CY11

1H CY11 | 2H CY11 | 1H CY12 | 2H CY12

Phase - I
1. IPv6 Addressing for
   I. Interfaces
   II. VIP
   III. Servers in SF
2. DHCPv6 Relay
3. V6-V4 Translation (HTTP)
4. Health Monitoring
5. Extended ACLs
6. Protocols: HTTP/s, DNS
7. DM Support for ACE 4710
8. ANM Support for ACE-30

Phase - II
1. Management over V6
2. Stateless Autoconfig
3. Hybrid server support in SF
4. Protocols: SIP

Beta started May 31st.

Competitive: Deployment Model and IPv6 Addressing

Dual stack implementation enables ACE to support all deployment models

IPv6 Functionality | Description | ACE | F5 | Citrix

Supported SLB Insertion Models
- Dual Stack Node | Independent Dataplanes for V4 and V6 | Yes | No | No
- Gateway Node | V6 -> V4 or V4 -> V6 translation | Yes* | Yes | Yes
- InterSLB communication in V6 | HA heartbeat or state exchange using interfaces with V6 addresses
- Transparent Mode Support (IP transparency) | Source IP of client sent to the host
- HA over IPv6 | HA configuration over IPv6 Only. Without this, HA goes over IPv4
Ph-2 No No No No Yes No Yes Ph-2

IPv6 Addressing for SLB Resources | IPv6 addresses for
- Device | ACE | Yes | Yes | Yes
- NAT | Source IPv6 used when not DSR | Yes | Yes | Yes
- VIP | VIP-6 | Yes | Yes | Yes
- GSS | IP on which GSS send KALs | Yes | Yes | Yes
- Server Farm | IPv6 addr for v-servers | Yes | Yes | Yes
- Mixed v4/v6 Server Farm | V6 and V4 addresses in ServerFarm | Yes | Yes | Yes

*V6 to V4 Only

Competitive: Beyond Compliance

Comprehensive support for IPv6 features enables ACE to offer rich SLB services beyond “just” compliance

IPv6 Functionality | Description | ACE | F5 | Citrix

IPv6 Services to servers in serverfarm
- Path MTU Discovery | Allows hosts to query SLB and get optimal MTU size | Ph2 | No | No
- ICMPv6 support | Provides network health information (dropped packets) to hosts in server farm | Yes | * | Yes
- DNS Support (PTR and AAAA) | AAAA maps a URL to IPv6 Addr, PTR maps address to hostname | Ph2 | * | Yes
- Router Advertisement | ACE will send RA messages to hosts in the routed mode | Yes | * | Yes
- Neighbor Redirect | When multiple routers available ACE can set router preference through NR message | Yes | * | Yes

IPv6 Compliance | IPv6 Baseline and Compliance
- Address Resolution | Yes | * | Yes
- Duplicated Address Detection | Yes | * | *
- Neighbor Unreachability Detection | Yes | * | *
- Router Discovery | Yes | * | Yes
- Prefix Delegation | Yes | * | No

Competitive: Management

Integration with upstream Cisco devices enables a customer to implement end-to-end IPv6 network.

IPv6 Functionality | Description | ACE | BigIP | NS

Management Tools
- Ping for v6
- SSH for v6
- GUI for v6
- Transport Protocol over DM over V6
- Probes
- CLI, GUI and Manager

IPv6 Enabled SLB Services
- Static Routing and RHI
- DSR Support
- ACL Support
- Port based VLAN Support

3rd Party Management Apps Enablement
- XML API Support
- SNMP v6 Support

Description: Management/configuration over V4; Direct Server Return

Yes Ph2 Ph2 * * * Yes Yes Yes Ph2 * Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes * No Yes No Yes No Yes Yes Yes No Yes * Yes Yes

IPv6 on ACE Performance

Device | Layer 4 Connections per second | Layer 4 Throughput (Gbps) | Layer 7 Requests per second | SSL TPS | SSL Bulk (Gbps) | Compression (Gbps)
ACE30-4.1V4 | 545,578 | 11.5 | 214,397 | 31,403 | 6.534 | 6.5
ACE30-5.1V6 | 409,774 | 12.1 | 173,327 | 32,469 | 5.32 | 6.7
ACE30-5.1V4 | 500,191 | 11.4 | 198,100 | 31,496 | 6.326 | 6.587
ACE30V6XV4 | 285,438 | 12.3 | 151,825 | 31,853 | |
ACEAPP-4.1V4 | 102,007 | 3.6 | 35,500 | 7096 | 1.2 | 2.4
ACEAPP-5.1V6 | 64,515 | 3.8 | 26,910 | 6639 | 1.1 | 2.0
ACEAPP-5.1V4 | 94,071 | 3.8 | 32,994 | 6890 | 1.1 | 2.1
ACEAPP-5.1V6XV4 | 65,369 | 3.8 | 28,305 | 6719 | |
6.641 ACE30V4XV6 ACEAPP-5.1V4XV6 1.9

Customer Research

We polled 18 ACE customers across verticals for the IPv6 deployment status and requirements.

Survey Says … Customer wants
1. V6-V6 for initial deployment
2. Are OK with management over V4
3. REQUIRE IPv6 Baseline Compliance
4. Want Support for HTTP/s, then DNS

[Chart: Customer Preference for Dual Stack. Categories: TBD, v4only, v6-v4, v6-v6. Series: SLED, ISP, FED, Enterprise.]

IPv6 Adoption – Core and Datacenter

4.4% of the AS on internet support IPv6 routes
1.2% of the Web Server on internet have IPv6 services

4.4% is not uniform across all AS.
18% of Transit AS support IPv6
2.3% of Origin AS support IPv6

Source: APNIC

IPv6 Clients and Transit Routes

Majority of clients are MacOS

Operating System | IPv6 Source IP
MacOS | 2.42%
Linux | 0.96%
Vista | 0.37%
Win 2K3 | .07%

Majority of ISPs tunnel over IPv4

Based on incoming IPv6 address prefix, we can deduce that 31% of clients travelled over native IPv6 network. 66% of clients came over IPv4 through a tunneling technology deployed at ISP.

Source: Google
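
One way to make the prefix-based deduction described in the "IPv6 Clients and Transit Routes" slide, as an added example that is not part of the original deck: it classifies client IPv6 source addresses as 6to4, Teredo, ISATAP or native and recovers the IPv4 address hidden in a tunneled one, which is what an IPv4-era ACL or log correlation would need. The tunnel prefixes come from the RFCs named in the comments; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Well-known tunnel markers (from the RFCs, not from the deck).
SIXTOFOUR = ipaddress.ip_network("2002::/16")  # 6to4, RFC 3056
TEREDO = ipaddress.ip_network("2001::/32")     # Teredo, RFC 4380
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)         # ISATAP interface-ID prefix, RFC 5214


def classify(addr):
    """Return (transit, embedded_ipv4) for one client IPv6 source address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in SIXTOFOUR:
        # Bits 16..47 carry the IPv4 address of the 6to4 site router.
        return "6to4", ip.sixtofour
    if ip in TEREDO:
        # .teredo returns (server, client); the client IPv4 is stored inverted.
        return "teredo", ip.teredo[1]
    if ((int(ip) >> 32) & 0xFFFFFFFF) in ISATAP_IIDS:
        # The low 32 bits are the host's IPv4 address.
        return "isatap", ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return "native", None


def transit_share(addrs):
    """Percentage of addresses per transit type, rounded to one decimal."""
    counts = Counter(classify(a)[0] for a in addrs)
    return {kind: round(100 * n / len(addrs), 1) for kind, n in counts.items()}


# Constructed sample source addresses (documentation ranges), not data from the deck.
SAMPLE = [
    "2001:db8:10::25",                   # native
    "2001:db8:20:1::80",                 # native
    "2002:c000:204::1",                  # 6to4 wrapping 192.0.2.4
    "2002:c633:6407:1::9",               # 6to4 wrapping 198.51.100.7
    "2001:0:c000:201:0:f227:3fff:fdd5",  # Teredo, client 192.0.2.42
    "2001:db8:30:1:0:5efe:cb00:7109",    # ISATAP wrapping 203.0.113.9
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, *classify(a))
    print(transit_share(SAMPLE))
```
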