[c-nsp] IPv6 routing vs IPv4 Nating

Lee ler762 at gmail.com
Mon Aug 22 17:44:14 EDT 2016


On 8/22/16, Scott Voll <svoll.voip at gmail.com> wrote:
> I'm not really able to wrap my mind around what best practice would be.
>
> Currently I have two exit points in my network.  BGP / iBGP.  Two Firewalls
> behind those.  Each Firewall has an IPv4 Class C to NAT to.
>
> With publicly Routed IPv6 not nat'ing how do I set up the firewalls / bgp to
> route correctly?  Do I have to leak all IPv6 routes to the internal network
> to make sure the IPv6 address comes back to the correct Firewall?  Also
> thinking about redundancy if one ISP / BGP router / Firewall goes down, I
> need it to dynamically reroute to the other side.  See attached.
>
> Thanks for your input..... maybe I'm just missing something easy.

Nope - you're not missing anything.  I had the same question:
https://mailman.nanog.org/pipermail/nanog/2012-July/050324.html

I never did get a good answer for how to deal with multiple exits,
stateful firewalls, automatic failover & asymmetric routing on the
list.  What we ended up with was http proxies at each exit doing DLP,
a/v, web reputation filtering, etc.  The Internet traffic came back to
the proxies so everything Just Worked.

Regards,
Lee

