[c-nsp] IPv6: Getting started

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Wed Mar 17 18:00:03 EDT 2010


Hi,

> Q: We use currently use FWSM 3.1 and ASA 7.2 on our firewalls. We're
> planning to upgrade to some later release for many other reasons.
> Looking at configuration notes for both:
> 
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/ipv6_f.html
> http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/ipv6.html
> 
> > Failover does not support IPv6.
> 
> The "no failover" is clearly a show stopper for us. I hope a dual-stack
> setup can still do IPv4 failover. Is it because IPv6 handles this in
> another way? Otherwise it would be hard to convince serious services to
> shift to IPv6. (I leave out of account the discussions on the merits of
> firewalls in the first place here.)

latest ASA 8.x code fixes a lot of the IPv6 issues... but basically,
what DOESN'T happen is that currently open sessions won't stay open.
the IPv6 will now failover (previously it didn't and you had to manually
remove and reinstate the IPv6 etc to get it back alive).

> Q: IPv6 auto-configuration on p-t-p core links: Good or bad idea? I
> guess the downside is comparable to using RFC1918 addresses on Internet
> core router's interfaces, where e.g. traces break.

SLAAC for links? hmm, not if you want to know where things are - use real
assigned addresses.

> We have to keep an IPv4 core then? I guess the important part is to
> enable IPv6 for the users and services, but (excuse my french) it seems
> a little half-assed to not support an IPv6 core. Especially MPLS being
> what it is.

currently you have to be dual-stack in the core as several functions
don't operate on IPv6 yet.

> Q: Should our initial "test phase" with IPv6 be accomplished using
> FE00::/7 local addresses (as per RFC 4193), or should we just aim at
> starting out with globally unique addresses? (I assume they're almost
> trivial to apply for and have allocated.)

only if you want basic local testing. use real addresses.

> Q: We currently use IPv4 PI address space. Any point(s) in not applying
> for IPv6 PI address space? We have ~25 larger geographic sites and ~150
> smaller. We're logically strictly hierarchical, so there isn't much need
> for a lot of prefixes. We currently use about 1/3rd of the /16s in
> 10.0.0.0/8 network wide, mostly /24 subnets. A single /48 would thus
> easily fit our needs.

you can use real world public IPv6 addresses for services ..and you can
use site-specific IPv6 addresses for local stuff that needs not go anywhere.
your services can run with both addresses...local connections via local
addresses and external connections for those with real world addresses.

> Q: We almost only use 6500/Sup720 (12.2(33)SXI) and 3560/3750
> (12.2(5n)SEn). According to Cisco's IPv6 technology white paper

pretty fine - SXi3 and 12.2(52) strongly recommended :-)

regarding other little bits... functions of routers/switches - there are
many functions that are only IPv4 - RADIUS, netflow export etc. but
things are improving... soon we'll be able to log in (transport and
authentication) via IPv6, interrogate with IPv6 etc.... the real fun
is with clients on your network... once they start seeing addresses
like 2002:100:201:e342:ffee:5500:eeff:3233 rather than 172.16.34.4
some get panicky... it's just an address! I just go to www.google.com, after
all... not 2a00:1450:8001::63  8-)

alan
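Added example (not part of Alan's reply or the original thread): a small Python script that classifies addresses into the scopes the thread talks about (note RFC 4193 unique-local space is fc00::/7, and Alan's 2002: example is a 6to4 address with an IPv4 address embedded in it) and carves one /48 into per-site prefixes for roughly the site counts in the question. The documentation prefix 2001:db8::/48 and the /56 and /60 split lengths are assumptions.

```python
"""Classify IPv6 addresses and carve a /48 into per-site prefixes (added example)."""
import ipaddress

# Scopes discussed in the thread; RFC 4193 unique-local space is fc00::/7.
# Order matters: 6to4 (2002::/16) sits inside global unicast (2000::/3).
SCOPES = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("6to4", ipaddress.IPv6Network("2002::/16")),
    ("global", ipaddress.IPv6Network("2000::/3")),
]


def classify(addr: str) -> str:
    """Return the scope name for a textual IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"


def embedded_ipv4(addr: str):
    """For a 6to4 address (2002:WWXX:YYZZ::/48) return the embedded IPv4, else None."""
    return ipaddress.IPv6Address(addr).sixtofour


def site_plan(prefix: str, large_sites: int, small_sites: int,
              large_len: int = 56, small_len: int = 60) -> dict:
    """Split the prefix (assumed /48) into two pools, one /49 for large sites and
    one /49 for small sites, and hand out one block per site from each pool."""
    net = ipaddress.IPv6Network(prefix)
    large_pool, small_pool = net.subnets(prefixlen_diff=1)
    large = list(large_pool.subnets(new_prefix=large_len))
    small = list(small_pool.subnets(new_prefix=small_len))
    if large_sites > len(large) or small_sites > len(small):
        raise ValueError(f"{prefix} cannot hold {large_sites} x /{large_len} "
                         f"plus {small_sites} x /{small_len}")
    return {"large": large[:large_sites], "small": small[:small_sites]}


if __name__ == "__main__":
    for a in ("fd00:1::1", "2002:100:201:e342:ffee:5500:eeff:3233", "2a00:1450:8001::63"):
        print(a, "->", classify(a), embedded_ipv4(a))
    # 2001:db8::/32 is documentation space; site counts taken from the question
    plan = site_plan("2001:db8::/48", 25, 150)
    print("first large site:", plan["large"][0], "first small site:", plan["small"][0])
```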

