[c-nsp] FWSM and mixed IPv4/IPv6 access-list
Leif Sawyer
lsawyer at gci.com
Tue Mar 3 20:56:29 EST 2009
Justin M. Streiner writes in reply to:
> On Tue, 3 Mar 2009, Leif Sawyer wrote:
>
>> Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's?
>>
>> I'm having trouble with traceroute6 not succeeding, but
>> ping6 working fine:
>
> You might be getting caught by flawed behavior of the FWSM.
> I've run into something similar with straight v4 firewall
> zones where certain flavors of traceroute will be dropped by
> the blade. When it was first reported to us, we thought it
> was a broken fixup, but the behavior persisted after the
> fixup was disabled. No word on a fix from Cisco.
Hrm. I guess it's time to open a ticket, then.
Damn. I hate dealing with TAC on complex issues.
And it's not like CiscoPress is up-to-date. What, 6 pages on IPv6
in the FWSM manual? Friggin joke.
> On a somewhat unrelated note, how has the v6 performance been
> on the FWSMs for you? Everything I've heard from Cisco and
> other sources suggests that the v6 packets are much more
> expensive for the FWSM to forward, so performance would
> suffer greatly.
Just starting to roll this out, so no load to speak of.
Can't wait to see what next issue creeps up!