[c-nsp] So when is IPv6 failover coming to the ASA?
Gert Doering
gert at greenie.muc.de
Fri Oct 9 06:28:08 EDT 2009
Hi,
On Fri, Oct 09, 2009 at 05:59:56AM +0200, Andrew Yourtchenko wrote:
> @all: does everyone (who does deal with firewalls+IPv6) have also the
> almost identical IPv4 and IPv6 policies ?
Right now, our policies tend to diverge a bit, due to having to maintain
them individually and us being lazy people ("there is a problem -> adjust
IPv4 now, fix IPv6 later on").
Firewalls being what they are, that is, policy enforcement devices, our
policies actually *should* be very similar in many cases, e.g.:
- office networks can do outbound HTTP/HTTPS "to access the web"
(no need to distinguish v4 or v6 here)
- mail server is reachable on SMTP and POP3/IMAP "from the world", and
SSH "from the office networks" - again, no need to have differences
between v4/v6 here (well, "the office network" is a different address
block, of course, but the *concept* is the same)
so indeed, having integrated v4+v6 firewall management would prevent lots
of extra work and configuration accidents. Of course you need to have
the option to do "v4-only" or "v6-only" in special cases.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
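The "one policy, two address families" idea Gert describes can be made concrete. The following is an added example, not code from the thread or from any ASA feature: a small Python policy compiler that keeps the rule set address-family-neutral (office can browse the web, the mail server is reachable on SMTP/POP3/IMAP from anywhere and on SSH from the office), expands it into separate IPv4 and IPv6 rule sets, honours explicit "v4-only"/"v6-only" exceptions, and audits two rule sets for drift. The network objects, prefixes (RFC 5737/3849 documentation ranges) and rule names are hypothetical and constructed for this example; the output format is a plain tuple, not ASA syntax.

```python
"""Single-source dual-stack firewall policy: compile once per address
family, then audit for drift. Added example with constructed data."""
from dataclasses import dataclass
from ipaddress import ip_network

# Network objects carry both families. An empty list means "any address"
# (the world). The "monitoring" object deliberately has no IPv6 address.
OBJECTS = {
    "office": ["192.0.2.0/24", "2001:db8:1::/48"],
    "mail_server": ["198.51.100.25/32", "2001:db8:2::25/128"],
    "monitoring": ["203.0.113.10/32"],
    "world": [],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    proto: str
    ports: tuple
    family: str = "both"  # "both", "v4" or "v6"


POLICY = (
    Rule("office-web", "office", "world", "tcp", (80, 443)),
    Rule("mail-in", "world", "mail_server", "tcp", (25, 110, 143)),
    Rule("mail-ssh", "office", "mail_server", "tcp", (22,)),
    Rule("mon-snmp", "monitoring", "mail_server", "udp", (161,)),
    # Deliberate v4-only exception (hypothetical legacy service).
    Rule("legacy-ftp", "office", "mail_server", "tcp", (21,), family="v4"),
)


def prefixes(obj, version):
    """Prefixes of an object for one IP version (4 or 6)."""
    return [n for n in map(ip_network, OBJECTS[obj]) if n.version == version]


def compile_family(policy, version):
    """Expand the neutral policy into concrete rules for one family.

    Returns (rules, warnings); each rule is a tuple
    (name, src_prefix, dst_prefix, proto, port), with "any" for the world.
    A "both" rule whose object has no address in this family is dropped
    and reported: that silent gap is exactly the configuration accident
    separately maintained v4/v6 policies tend to produce.
    """
    rules, warnings = [], []
    for r in policy:
        if r.family not in ("both", f"v{version}"):
            continue
        ends = []
        for obj in (r.src, r.dst):
            if not OBJECTS[obj]:
                ends.append(["any"])
                continue
            nets = prefixes(obj, version)
            if not nets:
                warnings.append(f"{r.name}: {obj} has no IPv{version} address")
            ends.append([str(n) for n in nets])
        if not all(ends):
            continue
        for s in ends[0]:
            for d in ends[1]:
                for port in r.ports:
                    rules.append((r.name, s, d, r.proto, port))
    return rules, warnings


def drift(policy, rules_v4, rules_v6):
    """Compare two compiled rule sets by (rule, proto, port), ignoring rules
    the policy explicitly restricts to one family. Returns (only_v4, only_v6)."""
    restricted = {r.name for r in policy if r.family != "both"}

    def keys(rules):
        return {(n, p, port) for n, _, _, p, port in rules if n not in restricted}

    k4, k6 = keys(rules_v4), keys(rules_v6)
    return sorted(k4 - k6), sorted(k6 - k4)


if __name__ == "__main__":
    v4, w4 = compile_family(POLICY, 4)
    v6, w6 = compile_family(POLICY, 6)
    print(w6)                     # monitoring object lacks an IPv6 address
    print(drift(POLICY, v4, v6))  # the SNMP rule exists in v4 only
    # Simulate "adjust IPv4 now, fix IPv6 later": submission added to v4 only.
    hotfix = v4 + [("mail-in", "any", "198.51.100.25/32", "tcp", 587)]
    print(drift(POLICY, hotfix, v6))
```

The point of the audit is that drift is reported in terms of the neutral policy (rule name, protocol, port), not raw prefixes, so a v4-only hotfix or an object that was never given a v6 address shows up as a named gap rather than being lost in two long, differently formatted access lists.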