[c-nsp] Anybody here is running IPv6
TJ
trejrco at gmail.com
Wed Apr 29 14:11:03 EDT 2009
While this is a great conversation, and I hope people continue to jump in, I
have something to say in response to the following excerpt:
... and The Ugly:
1) there are no Cisco training classes for IPv6-based services.
Oh, sure, there's an -intro- to IPv6. But nothing in terms of
migration planning, scaling, firewalling, application support,
nothing.
Cisco is making forward progress on this ... one step is migrating IPv6
(slowly!) into the certification process.
Additionally, there are a couple of courses; an ~intro level course
(IP6FDv2) and a more advanced course (DDINv2; which also has a "specialized"
day for either Enterprise or Service Provider). ((Admittedly, still a bit
light on the firewalling and application side. Not sure what you would like
to see from Cisco on the Application side ... ?))
Additionally (^2), for the IOS-XR side of the world, an IPv6 course is being
developed - IIRC, focussing on the configuration details and design goals.
I have no ETA on that, but feel free to have your SEs push that up
the chain :).
And finally, there are some books out there from Cisco Press ... on the
technical side, Chip's "Deploying IPv6 Networks" and Hogg's/Vyncke's "IPv6
Security" are top notch.
I guess what I am trying to say is I wouldn't call it "ugly" - certainly not
ideal yet, but better than it could be!
As for Ugly#2, TAC not being sufficiently IPv6 clueful ... I have to agree
with that!
/TJ
PS - In the interest of full disclosure, I suppose I should add a disclaimer
- I was part of the development team for IP6FD and DDIN, and have taught
both of them a couple of times.
PPS - IPv6 enabled at work and at home (home is via 6to4, for now) ...
dual-stack FTW.
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>bounces at puck.nether.net] On Behalf Of Leif Sawyer
>Sent: Wednesday, April 29, 2009 12:34 PM
>To: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Anybody here is running IPv6
>
>> Renelson Panosky writes:
>> We are getting ready to start testing IPv6 at my job, if you are
>> running IPv6 right now please let me know how it is working for you?
>> I would like to know the good, the bad and the ugly.
>
>
>The good:
>
> I have a hierarchical addressing model that puts all of my loopbacks into
>a single /64; as well, all my internal core links are also consolidated into a
>single /64. This makes for very simple management ACLs*.
>
>* there is no trade-off in security here, as if you allow router-to-router vty
>connections, once an attacker has brute-forced into one router, they have
>access to all of them hop-by-hop.
>
> my 12xxx, 7600, 6500, 7200 series routers all support it with BGP and
>ISIS, and no issues. I've got /127's on some point-to-point links with no
>issues (cisco-to-cisco) and /125's on other non-cisco-to-cisco point-to-point
>links. I haven't rolled out to smaller-model devices, but my original lab was
>2621XM's, so I know it's supported there, too.
>
>
>The bad:
> There is no cisco firewall architecture that allows mixed-mode
>IPv4 and IPv6. Oh, they -claim- that it works, but it is so full of caveats
>and bugs that it is effectively broken.
>
> 1) you can't have IPv6 on an IPv4 context using shared-interfaces
> -even if- you have static IPv6 addresses with a prefix-len < 64
> and have disabled auto-discovery.
>
> 2) you can't mix an IPv6 and a separate IPv4 context using cross-connected
> switchports, -even with STP disabled-, because of what appear to
> be multiple issues. TAC case opened.
>
> 3) if you -want- to use the GUI, you can't use it for IPv6. at all.
>
>
>and The Ugly:
>
> 1) there are no Cisco training classes for IPv6-based services. Oh,
> sure, there's an -intro- to IPv6. But nothing in terms of
> migration planning, scaling, firewalling, application support,
> nothing.
>
> 2) if you mention IPv6 to the TAC, your time for support resolution
> increases exponentially; the image given is that nobody there
> understands it or is willing to support it.
>
>
>There's probably more, if I sit and think about it.
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
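Worked example of the addressing model and management ACL Leif describes (one /64 for all loopbacks, one /64 for all core links, /127 on cisco-to-cisco point-to-point links, vty access restricted by a single IPv6 ACL). This is an added illustration, not configuration from either poster; the prefixes are from the 2001:db8::/32 documentation range, the interface, neighbor and ACL names are made up, and the "remark" lines carry the caveat from Leif's footnote rather than anything the thread claims to have tested.

```cisco
ipv6 unicast-routing
!
! All router loopbacks live in one /64 (here 2001:DB8:0:FFFF::/64); each
! router takes a /128 out of it.
interface Loopback0
 description router-id / management address
 ipv6 address 2001:DB8:0:FFFF::1/128
!
! All internal core links live in one /64 (here 2001:DB8:0:FFFE::/64),
! carved into /127s. ::2/::3 is used rather than ::0/::1 so the link
! address never collides with the subnet-router anycast address.
interface GigabitEthernet0/0
 description p2p core link to rtr-b (assumed peer: 2001:DB8:0:FFFE::3)
 ipv6 address 2001:DB8:0:FFFE::2/127
!
! One ACL covers every router's loopback and every core link because the
! plan puts them in exactly two prefixes.
ipv6 access-list MGMT-V6
 remark NOC jump host (assumed address) first
 permit ipv6 host 2001:DB8:0:100::10 any
 remark loopback /64 and core-link /64: any router can reach any vty.
 remark Per the footnote above, once one router is compromised every
 remark other router is reachable hop-by-hop; drop these two lines if
 remark router-to-router vty access is not wanted.
 permit ipv6 2001:DB8:0:FFFF::/64 any
 permit ipv6 2001:DB8:0:FFFE::/64 any
 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class MGMT-V6 in
 transport input ssh
```

The point of the example is that the ACL never changes as routers are added: a new box gets a /128 from the loopback /64 and a /127 from the core /64, and it is already covered. The trade-off is the one in the footnote, and it is visible in the ACL itself: the two prefix-wide permits are what make every router a valid source for every other router's vty.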