[c-nsp] IPv6 routing vs IPv4 Nating
Lee
ler762 at gmail.com
Mon Aug 22 17:44:14 EDT 2016
On 8/22/16, Scott Voll <svoll.voip at gmail.com> wrote:
> I'm not really able to wrap my mind around what best practice would be.
>
> Currently I have two exit points in my network. BGP / iBGP. Two Firewalls
> behind those. Each Firewall has a IPv4 Class C to NAT to.
>
> With publicly Routed IPv6 not nat'ing how do I setup the firewalls / bgp to
> route correctly? Do I have to leak all IPv6 routes to the internal network
> to make sure the IPv6 address comes back to the correct Firewall? Also
> thinking about redundancy if one ISP / BGP router / Firewall goes down, I
> need it to dynamically reroute to the other side. See attached.
>
> Thank for your input..... maybe I'm just missing something easy.
Nope - you're not missing anything. I had the same question:
https://mailman.nanog.org/pipermail/nanog/2012-July/050324.html
I never did get a good answer for how to deal with multiple exits,
statefull firewalls, automatic failover & asymmetric routing on the
list. What we ended up with was http proxies at each exit doing DLP,
a/v, web reputation filtering, etc. The Internet traffic came back to
the proxies so everything Just Worked.
Regards,
Lee
More information about the cisco-nsp
mailing list