Building an IPv6 Training and Testing Lab

It is recommended by IPv6 experts that organizations construct an IPv6 testing and Proof-of-Concept (PoC) laboratory as part of their preparations for eventual implementation.  This article discusses the uses for such a lab environment and the benefits it provides.  It covers what the IPv6 lab environment should contain, where it should be located, and how it should be connected.

 

Uses for an IPv6 Lab

There are many benefits to constructing an IPv6 testing lab environment.  Here are the most important considerations.

 

Preparing configurations for actual IPv6 deployment

One of the most common uses for an IPv6 lab is for IT staff to verify that the commands they are preparing for implementation actually work.  The lab environment can confirm the configurations have the correct syntax and work on the software versions used by production devices.  This activity is typically performed during the later stages of an IPv6 transition project.  Sometimes government IPv6 mandates require that an organization construct a proof-of-concept IPv6 lab as part of the IPv6 project plan.  This type of PoC lab helps an organization prepare the configuration commands that will be implemented during a production change window.  Documenting the “configuration script” shows the change management approval board the details required to obtain their permission to proceed with implementation. 

 

 

Continued IPv6 learning

Organizations will build an IPv6 training plan to help their teams obtain the requisite knowledge and experience with IPv6 as part of their IPv6 program.  They will be leveraging cost-effective IPv6 training resources in addition to hands-on training classes.  However, after attending classes, IT teams will want to continue their education by getting more experience configuring IPv6 on products the enterprise uses.  This additional learning in an IPv6 lab bridges the gap between theoretical training class content and the practicality of implementing IPv6 in the real world.

 

IPv6 product testing

Another use of IPv6 testing lab is to confirm that vendors’ products and services have the necessary IPv6 features and functionality required for production implementation.  Doing online research of a vendor’s product or service IPv6 capabilities only gives partial information.  It is often better to perform empirical product testing to verify that the product or service has the required IPv6 features and functionality as part of detailed technical planning for implementation.  An IPv6 PoC lab can help verify IPv6 capabilities in three operational planes: the data-plane, control-plane, and the management plane.

 

Hogg Networking’s IPv6 Training and Testing Lab

Hogg Networking has an extensive IPv6 training and testing lab environment.  It is used for teaching IPv6 classes, for testing IPv6 features in products, and for helping customers troubleshoot IPv6 problems.  Hogg Networking teaches technical IPv6 training classes with hands-on lab exercises for the students to perform independently of each other using a lab environment.  HoggNet also uses this lab to advance its own learning of the latest IPv6 capabilities and security measures.

 

Contents of the IPv6 Lab

There are some required items to add to the IPv6 lab environment.  Here are the most common components.

 

Investing in constructing an IPv6 testing lab

An organization doesn’t need to invest a lot of money in a lab environment to have something that is useful.  It is possible to use smaller versions of products that are used in the production environment.  The lab won’t have high volumes of IPv6 traffic so the bandwidth capacity can be modest.  For example, 1 Gbps interfaces are probably sufficient for a lab.  Since IPv6 “is just software”, it makes sense to have the similar software versions of devices in the production environment.  Some organizations elect to use “hand-me-down” equipment from production upgrades.  Maybe this equipment isn’t the newest model, but it can run a current version of code that supports IPv6 close enough to the current production environment.

 

IPv6 lab environments need an underlying network

Routers will form the basis for connecting end-nodes and facilitate end-to-end routing of IPv6 packets across the lab.  IPv6-capable routers are needed for sending various types of ICMPv6 Router Advertisements (RAs) on different LAN segments.  The lab should have a variety of various networks with different RAs and address assignment models.  A single router could be used to connect all these various IPv6 testing networks, or multiple routers could be used to replicate the topology of the production network.

IPv6-capable switches can construct VLANs of various types and connect PoE devices.  The lab could possibly have wireless connectivity to prepare for a deployment that involves IPv6 enablement of end-user mobile devices.  This could simply be an autonomous access point with several different SSIDs for these various types of IPv6 operating modes.  The lab could also include a wireless controller that matches the wireless environment used in the enterprise network.

 

Dual-protocol and IPv6-only lab networks

VLANs can be used to separate different IPv6 network segment operational models.  The lab should have a dual-protocol network using DHCP for IPv4 and DHCPv6 for IPv6 similar in a traditional end-user access network or in a data center.  The lab should have a dual-protocol network using DHCP for IPv4 and SLAAC/RDNSS/DNSSL for IPv6.  The lab should also have an IPv6-only network using SLAAC/RDNSS/DNSSL, and PREF64 RAs.  This IPv6-only segment could possibly use a DNS server with ipv4only.arpa and this test network would use DNS64 and have a stateful NAT64 (that could function as a 464XLAT PLAT). 

 

Host operating systems

An IPv6 lab should have variety of network styles to help IT teams learn about how various end-node host operating systems behave and how applications are accessed.  The lab should have similar server host operating systems that are used in the production data centers.  The lab needs to have servers running shared services such as: DNS (DNS64 capable), DHCPv6, and sample applications that confirm reachability.  Server virtualization and hypervisors can be used to run several virtual hosts on the same underlying server hardware and connect them to the different types of IPv6-enabled networks.

 

End-user mobile devices

The lab should be used for testing end nodes that are using either dual-protocol or IPv6-only connectivity.  The lab should contain laptops similar to those used by end-users in the production environment.  If employees use some kind of mobile device, hand-held device, or specialized mobile tablet, then those would be good to have in the test lab.

 

IPv6 testing in cloud infrastructure

The lab might also need to include cloud infrastructure or be extended to the cloud.  Part, or all, of the lab can be constructed in public cloud infrastructure to test IPv6 configurations in development and test environments prior to production IPv6 enablement.  The lab maybe include an IaaS cloud environment that simulates how applications run on IPv6-enabled instances running in virtualized cloud network infrastructure.

 

Security devices in the lab

IPv6 deployment often starts at the Internet edge so testing the IPv6 capabilities of these products first is prudent.  Other devices that are beneficial to have in an IPv6 lab environment are security protection measures including firewalls.  The lab environment is the perfect place to test the organization’s approach to proactively securing IPv6 prior to implementation.

 

Hogg Networking’s IPv6 Training and Testing Lab

Hogg Networking’s IPv6 lab has been evolving for decades and is now quite extensive.  The lab has countless routers from Cisco, Juniper, Arista, Nokia, MikroTik, FRR, and VyOS.  These routers allow for testing complex dual-protocol and IPv6-only network topologies involving SRv6 and VXLANv6.  VMware, Proxmox, VirtualBox, and Cisco Modeling Labs (CML) virtualization systems are also running on several large servers and over twenty Intel NUCs.  Many laptops, phones/tablets, and nearly twenty Raspberry Pis to function as dual-protocol and IPv6-only end-node devices.  The IPv6-only networks in the lab utilize DNS/DNS64, and DHCPv6 servers along with a wide variety of NAT64 systems.  There are many security systems in the lab topology including six different firewalls from major vendors, IDS/IPS, SIEMs, security and network monitoring services.  To extend the functionality to public cloud infrastructure and demonstrate modern application environments, the HoggNet lab also runs in AWS.

 

Connecting the IPv6 Lab

There are several different addressing options and connectivity methods for IPv6 labs, and they each have advantages and disadvantages.

 

Type of IPv6 addresses for the lab

First, the type of unicast IPv6 addresses that will be used in the lab must be determined.  A lab could use the IPv6 documentation prefix (2001:db8::/32 (RFC 3849) or 3fff::/20 (RFC 9637)) but then those networks would require some type of IPv6-to-IPv6 Network Prefix Translation (NPTv6) (RFC 6296) or NAT66 to reach other external networks.  It is recommended for labs to avoid using Unique Local Addressing (ULA) (fc00::/7) prefixes.  This wouldn’t work well for dual-protocol host operating system and would also require some type of NPTv6 or NAT66 function to reach other external networks.  Using a part of the enterprises Provider Independent (PI) Global Unicast Address (GUA) IPv6 address space allocated by a RIR is the best approach.  The addresses won’t overlap and there is the opportunity to connect the lab to external networks without requiring any NPTv6/NAT66.

 

Air-gapped from production and the Internet

Initially it might seem responsible to construct the lab in a way that completely isolates it from any production network or even the Internet.  While secure, this may be operationally difficult and prevent it from connecting to other resources.  Hosts operating systems that test external IPv6 Internet connectivity before activating their DNS queries may fail and fall back to IPv4-only operations (e.g. Microsoft’s Network Connectivity Status Indicator (NCSI)).  A lab could still be air-gapped from production and use a dedicated Internet connection that is separate from the enterprise’s Internet connectivity.  This may be a compromise and an improvement over a completely isolated lab.

 

Using cloud infrastructure for the lab

One possible design option would be to construct the entire IPv6 lab in public cloud infrastructure.  Some IaaS cloud service providers even offer IPv6-only virtualized networking with DNS64 and NAT64 functionality.  However, cloud services may not support all the types of devices found in the corporate enterprise and may not support host operating systems like end-user mobile devices.  Cloud services may have very different security functions found in corporate enterprise networks and cloud providers may frown on performing extensive security attack testing.

 

Using a home lab

Many people in IT have some type of home lab for their own individual learning and professional development.  Certainly, independent learning of IPv6 can advance one’s career and a home IPv6 lab could help with that goal.  Constructing a home networking lab with IPv6 can be low cost and leverage an existing dual-protocol Internet connection.  However, residential broadband Internet services using DHCPv6-PD and a Provider Assigned (PA) prefix may not provide enough global unicast IPv6 addressing resources for a complex network topology.

 

Connected internally to the enterprise

One common method for connecting an IPv6 lab environment to the production corporate network is through a firewall.  This separates the lab from the production environment, but system in the IPv6 lab can still connect to company applications and resources if needed.  Using this method, the IPv6 lab still has access to the rest of the enterprise and to other IPv4-only applications still in the larger enterprise network.  Lab devices could still have IPv4 connectivity from within the dual-protocol lab networks to shared services like Microsoft Active Directory, Certificate Authority (CA), PKI, SSO, IDaaS authentication services that would be extremely difficult to fully replicate in the lab.

 

Hogg Networking’s IPv6 Training and Testing Lab

HoggNet’s IPv6 training and testing lab is connected directly to the Internet with a dedicated dual-protocol connection.  The training and testing lab uses IPv6 documentation prefix, since it is being used for training purposes.  Therefore, the lab uses a NPTv6/NAT66 to reach Internet resources.  This isolated sandbox environment allows for extensive testing and even security attack simulation in a safe isolated network.

 

Summary

Constructing an IPv6 testing lab is a step in a larger multi-phased IPv6 planning and deployment project.  Hogg Networking has decades of experience guiding enterprises along their IPv6 deployment journey.  HoggNet helps organizations construct an IPv6 testing and validation lab environment and prepares organizations for actual IPv6 implementation.  We can help you make the right architecture and design choices based on leading best practices.

Hogg Networking provides other information on IPv6.  This information can be accessed via the website.  If you need additional information on IPv6, then please contact me (info@hoggnet.com).