[c-nsp] Anybody here is running IPv6
Leif Sawyer
lsawyer at gci.com
Wed Apr 29 12:33:51 EDT 2009
> Renelson Panosky writes:
> We are getting ready to start testing IPv6 at my job. If you
> are running IPv6 right now, please let me know how it is working for you.
> I would like to know the good, the bad and the ugly.
The good:

I have a hierarchical addressing model that puts all of my loopbacks
into a single /64; as well, all my internal core links are also consolidated
into a single /64. This makes for very simple management ACLs*.

* there is no trade-off in security here, as if you allow router-to-router
vty connections, once an attacker has brute-forced into one router, they
have access to all of them hop-by-hop.

My 12xxx, 7600, 6500, 7200 series routers all support it with
BGP and ISIS, and no issues. I've got /127s on some point-to-point
links with no issues (cisco-to-cisco) and /125s on other non-cisco-to-cisco
point-to-point links. I haven't rolled out to smaller-model devices, but
my original lab was 2621XMs, so I know it's supported there, too.
The bad:

There is no cisco firewall architecture that allows mixed-mode
IPv4 and IPv6. Oh, they -claim- that it works, but it is so full of caveats
and bugs that it is effectively broken.

1) you can't have an IPv6 and IPv4 context using shared interfaces,
   -even if- you have static IPv6 addresses with a prefix-len < 64
   and have disabled auto-discovery.

2) you can't mix an IPv6 and a separate IPv4 context using cross-connected
   switchports, -even with STP disabled-, because of what appear to
   be multiple issues. TAC case opened.

3) if you -want- to use the GUI, you can't use it for IPv6. At all.
And the ugly:

1) there are no Cisco training classes for IPv6-based services. Oh,
   sure, there's an -intro- to IPv6. But nothing in terms of
   migration planning, scaling, firewalling, application support,
   nothing.

2) if you mention IPv6 to the TAC, your time for support resolution
   increases exponentially; the image given is that nobody there
   understands it or is willing to support it.

There's probably more, if I sit and think about it.
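The "single /64 for all loopbacks makes for simple management ACLs" point above, as an added IOS configuration example that is not from the original post or from the poster's network. The prefixes are constructed placeholders from the documentation range; the loopback /64 is assumed to be 2001:db8:ffff:1::/64 and the NOC jump host 2001:db8:ffff:100::10.

```ios
! Added example, not the original poster's configuration.
! All router loopbacks live in one /64, so a single line covers
! router-to-router vty access; the jump host is listed separately.
! Prefixes below are constructed placeholders (RFC 3849 range).
ipv6 access-list MGMT-VTY
 remark SSH from the loopback /64 (router-to-router management)
 permit tcp 2001:db8:ffff:1::/64 any eq 22
 remark SSH from the NOC jump host
 permit tcp host 2001:db8:ffff:100::10 any eq 22
 remark everything else is dropped and logged for detection
 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class MGMT-VTY in
 transport input ssh
```

Removing the loopback /64 permit line leaves only the jump host, which closes the hop-by-hop path the poster describes, at the cost of losing router-to-router vty access.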