Rabobank IPv6 numberplan

What to do with all that IP space?
Friso Feenstra, Network Specialist

Rabobank details
•  Corporate bank
•  3rd largest bank in the Netherlands
•  Located in the Netherlands
•  2 Data Centers
•  800 Office locations
•  3000 Unmanaged locations
•  International
•  20 Countries
•  10 Data Centres
•  200 Office locations
•  Expansion

IP address assignment from RIPE
•  Rabobank IPv4 space 145.72.0.0/16 for the Netherlands
•  Rabobank IPv6 space 2a02:cc0::/29
•  Public AS number 8211 for the Netherlands
•  Other AS numbers for other countries

Main division
2A02:0CC0::/32  ITI (WRR Rabobank International networks)
2A02:0CC1::/32  Reserved but not allocated yet
2A02:0CC2::/32  Reserved but not allocated yet
2A02:0CC3::/32  Reserved but not allocated yet
2A02:0CC4::/32  ITN (Rabobank Nederland incl. local bank networks)
2A02:0CC5::/32  Reserved but not allocated yet
2A02:0CC6::/32  Reserved but not allocated yet
2A02:0CC7::/32  Reserved but not allocated yet

End devices and network infra
•  Structure for IP number plan
•  Easy and simple (to understand, to expand and to troubleshoot)
•  Summarizable (keep routing tables small and keep routing efficient)
•  Keeping ACLs and firewall regions simple
•  Split in network infra IP space and end device IP space
1.  End devices can be servers, workstations, telephones, BYOD, etc.
2.  Network infra for loopback, PtP, connection VLANs
•  The first are typically per security area, the second are needed for all security areas
•  By providing each security area with end device and network infra IP space, there can be specific end device security rules and network infra rules.

Standard allocation end devices
PPP:PPPE:ZVLL:LXXX::/64
Definition:
P: Officially allocated IPv6 prefix for Rabobank (2a02:0cc)
E: Entity (e.g. ITI, ITN, see 3.1)
Z: Main security zone (see 3.2)
V: Security subzone (e.g. VRF/VPN)
L: Label (various purposes e.g. location code)
X: Subnet serial number (VLAN-id)

Network infra
PPP:PPPE:0ZVLL:LXX::/64
Definition:
P: Officially allocated IPv6 prefix for Rabobank
E: Entity (e.g. ITI, ITN, see 3.1)
0: Network infra
Z: Main security zone (see 3.2)
V: Security subzone (e.g. VRF/VPN)
L: Label (various purposes e.g. location code)
X: Subnet serial number (VLAN-id)

Main Security Zones
Z-id  Main Security Zone
0     Reserved for network infra
1     Unsecure zone               Untrusted
2     DMZ zone                    DMZ
3     Access zone                 Trusted
4     LYN zone                    Trusted
5     Standard zone               Trusted
6     High Secure zone            Trusted
7     Mgmt zone                   Trusted
8-F   Reserved for future use

Security subzones
•  Zones and subzones in the Netherlands are all centrally routed (over MPLS network)
•  Summarization per zone and subzone
•  Per zone and subzone, separate end device and network infra IP space
•  The subzones to use depend on the main zone

Locations and subnets
•  Per subzone either LL:LXXX or LL:LLXX for networks
•  LL:LXXX means
•  4096 locations
•  4096 subnets per location
•  Used for office locations and data centre locations
•  LL:LLXX means
•  32768 locations used
•  256 subnets per location
•  Used for unmanaged locations
•  For network infra, LL:LLXX becomes L:LLLX. This means:
•  16 network infra subnets
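
Because entity, zone and subzone sit at fixed hex positions, a /64 from this plan can be decoded mechanically, for example to label flow logs or to sanity-check an ACL entry. The sketch below is an added example, not part of the original slides; it assumes E is the eighth hex digit (as the /32 main division implies) and that a leading 0 in the zone position marks network infra with the real zone following, and the function name and `unmanaged` flag are hypothetical.

```python
import ipaddress

# Values taken from the slides; the nibble positions are this example's reading of them.
RABOBANK = ipaddress.ip_network("2a02:cc0::/29")
ENTITIES = {0x0: "ITI", 0x4: "ITN"}  # the other /32s are reserved
ZONES = {1: "Unsecure", 2: "DMZ", 3: "Access", 4: "LYN",
         5: "Standard", 6: "High Secure", 7: "Mgmt"}


def decode_prefix(prefix, unmanaged=False):
    """Split a /64 from the plan into entity, zone, subzone, label and subnet.

    unmanaged=True selects the LL:LLXX label/subnet split instead of LL:LXXX.
    """
    net = ipaddress.ip_network(prefix)  # rejects prefixes with host bits set
    if net.version != 6 or net.prefixlen != 64 or not net.subnet_of(RABOBANK):
        raise ValueError(f"{prefix} is not a /64 inside {RABOBANK}")
    # 16 hex nibbles of the network half: 7 prefix nibbles, E, then the plan fields.
    nibbles = f"{int(net.network_address) >> 64:016x}"
    entity = int(nibbles[7], 16)
    fields = nibbles[8:]
    infra = fields[0] == "0"  # Z-id 0 is reserved for network infra
    if infra:
        fields = fields[1:]   # the real zone follows the leading 0
    zone, subzone, rest = int(fields[0], 16), int(fields[1], 16), fields[2:]
    if entity not in ENTITIES or zone not in ZONES:
        raise ValueError(f"{prefix} uses a reserved entity or zone")
    label_len = 4 if unmanaged else 3
    return {
        "entity": ENTITIES[entity],
        "kind": "network-infra" if infra else "end-device",
        "zone": ZONES[zone],
        "subzone": subzone,
        "label": int(rest[:label_len], 16),
        "subnet": int(rest[label_len:], 16),
    }


if __name__ == "__main__":
    # Constructed sample prefixes, not real Rabobank assignments.
    for sample in ("2a02:cc4:5112:3045::/64", "2a02:cc4:0511:2304::/64"):
        print(sample, decode_prefix(sample))
```

A prefix that decodes to a reserved entity or zone, or falls outside the /29, raises `ValueError`, which makes the function usable as a guard when reviewing firewall rules.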
Questions???