[c-nsp] IPv6: Getting started

Peter Rathlev peter at rathlev.dk
Wed Mar 17 16:58:09 EDT 2010


Now that the whole world knows we (my employer) don't do IPv6, there's
no hiding anymore. :-)

I tried brainstorming with a couple of my colleagues, and we came up
with a few questions. I could imagine other (enterprise) users could
benefit from the answers as well. If anyone can share some good advice or
experience I'd love to hear.

Forgive me if it's too much off topic.

Q: We currently use FWSM 3.1 and ASA 7.2 on our firewalls. We're
planning to upgrade to some later release for many other reasons.
Looking at configuration notes for both:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/ipv6_f.html
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/ipv6.html

> Failover does not support IPv6.

The "no failover" is clearly a show stopper for us. I hope a dual-stack
setup can still do IPv4 failover. Is it because IPv6 handles this in
another way? Otherwise it would be hard to convince serious services to
shift to IPv6. (I leave out of account the discussions on the merits of
firewalls in the first place here.)

Q: IPv6 auto-configuration on p-t-p core links: Good or bad idea? I
guess the downside is comparable to using RFC1918 addresses on Internet
core router's interfaces, where e.g. traces break.

Q: We run an MPLS VPN network, global routing only used for management.
According to this document (which should also cover 12.2SX):

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ov_mpls_6vpe.html#wp1054029

> 6VPE supports an MPLS IPv4-signaled core. An MPLS IPv6-signaled core
> is not supported.

We have to keep an IPv4 core then? I guess the important part is to
enable IPv6 for the users and services, but (excuse my French) it seems
a little half-assed to not support an IPv6 core. Especially MPLS being
what it is.

Q: Should our initial "test phase" with IPv6 be accomplished using
FE00::/7 local addresses (as per RFC 4193), or should we just aim at
starting out with globally unique addresses? (I assume they're almost
trivial to apply for and have allocated.)

Q: We currently use IPv4 PI address space. Any point(s) in not applying
for IPv6 PI address space? We have ~25 larger geographic sites and ~150
smaller. We're logically strictly hierarchical, so there isn't much need
for a lot of prefixes. We currently use about 1/3rd of the /16s in
10.0.0.0/8 network wide, mostly /24 subnets. A single /48 would thus
easily fit our needs.

Q: We almost only use 6500/Sup720 (12.2(33)SXI) and 3560/3750
(12.2(5n)SEn). According to Cisco's IPv6 technology white paper

http://www.cisco.com/en/US/technologies/collateral/tk648/tk872/tk373/technologies_white_paper_09186a00802219bc.html

we should be okay. Is all relevant management stuff IPv6-ready? TACACS+,
NetFlow (C6k FTW!), SSH, syslog, SNMPv3 et cetera.

Q: Many of our smaller sites are reached via a set of VRFs over our
local carrier's (TDC AS3292) MPLS VPN network. Right now the contract
doesn't say anything about them transporting IPv6. Their CPEs are 3560
running IP Services. They do the L3 termination. We expect them to want
some kind of money for delivering IPv6. Any advice in how to handle
this?

Thank you for your time.

-- 
Peter
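A sizing check for the /48 question above, added here as an example and not part of the original post: it carves the ~25 large and ~150 small sites into /54 and /56 blocks (an assumed split, not the poster's plan), maps an IPv4 /24 onto a /64 by its third octet (also an assumed convention), and uses the RFC 3849 documentation prefix 2001:db8::/48 in place of a real PI allocation.

```python
import ipaddress

# Figures constructed from the mail: ~25 large sites, ~150 small ones, and
# IPv4 use of about a third of the /16s in 10.0.0.0/8, mostly as /24 subnets.
LARGE_SITES, SMALL_SITES = 25, 150
IPV4_SUBNETS_IN_USE = (256 // 3) * 256       # ~85 /16s, 256 /24s each
# 2001:db8::/48 is the RFC 3849 documentation prefix, standing in for the PI /48.
ORG_PREFIX = ipaddress.IPv6Network("2001:db8::/48")

def capacity_check(org_prefix, ipv4_subnets):
    """How many /64s the org prefix holds, and whether that covers today's /24s."""
    v6_subnets = 2 ** (64 - org_prefix.prefixlen)
    return v6_subnets, v6_subnets >= ipv4_subnets

def plan_sites(org_prefix, large_sites, small_sites, large_len=54, small_len=56):
    """Two-tier site plan (an assumed layout, not the poster's): large sites get a
    /54 (1024 x /64), small sites a /56 (256 x /64). Large blocks are carved first
    so the small blocks come from the untouched tail and nothing overlaps."""
    big = list(org_prefix.subnets(new_prefix=large_len))
    if large_sites > len(big):
        raise ValueError(f"only {len(big)} /{large_len} blocks in {org_prefix}")
    small = [s for blk in big[large_sites:] for s in blk.subnets(new_prefix=small_len)]
    if small_sites > len(small):
        raise ValueError(f"only {len(small)} /{small_len} blocks left for small sites")
    plan = {f"large{i:02d}": blk for i, blk in enumerate(big[:large_sites])}
    plan.update({f"small{i:03d}": blk for i, blk in enumerate(small[:small_sites])})
    return plan

def plan_is_consistent(plan, org_prefix):
    """Every site block lies inside the org prefix and no two overlap."""
    blocks = list(plan.values())
    inside = all(b.subnet_of(org_prefix) for b in blocks)
    disjoint = not any(a.overlaps(b) for i, a in enumerate(blocks) for b in blocks[i + 1:])
    return inside and disjoint

def v4_to_v6_subnet(site_prefix, v4_subnet):
    """Carry the IPv4 /24's third octet over as the /64 index inside the site
    block (assumed convention), so 10.5.17.0/24 lands on <site>:..11::/64 and the
    existing VLAN numbering survives the dual-stack rollout."""
    v4 = ipaddress.IPv4Network(v4_subnet)
    if v4.prefixlen != 24:
        raise ValueError("expected an IPv4 /24")
    idx = (int(v4.network_address) >> 8) & 0xFF
    if idx >= 2 ** (64 - site_prefix.prefixlen):
        raise ValueError(f"index {idx} does not fit in {site_prefix}")
    return ipaddress.IPv6Network((int(site_prefix.network_address) + (idx << 64), 64))
```

With the numbers in the mail the /48 offers 65536 /64s against roughly 21760 IPv4 /24s in use, and the 25 + 150 site blocks fit with room to spare.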