Cisco IOS Login Enhancements are not IPv6-aware

One of the comments to my “IPv6 in Data Center: after a year, Cisco is still not ready” post included the following facts:

Up through at least 15.0(1)M and 12.2(53)SE2 the IPv6 support for management protocols is spotty; syslog is there, SNMP traps and the RADIUS/TACACS control plane aren't.

Another bug along the same lines was discovered by Jónatan Jónasson: when the Cisco IOS Login Enhancements feature logs a successful or failed login attempt, it reports the top 32 bits of the remote IPv6 address in IPv4 address format. Here’s a sample printout taken from a router running IOS release 15.0(1)M.

P#
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 254.192.0.0] [localport: 23] at ...
P#who
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0     test       idle                 00:00:06 FEC0::CCCC:1
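
Seen from the log consumer's side, the truncation in the printout above can be reversed far enough to be useful. The following Python example is added here and is not code from the original post: it maps a logged "IPv4" source back to the IPv6 /32 it may stand for and checks that against known IPv6 management prefixes. The prefix list, the function names and the second and third sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Login Enhancements message layout as shown in the post's printout.
SEC_LOGIN = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_\w+: .*?\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)

def truncated_form(v6):
    """IPv4-formatted top 32 bits of an IPv6 address (what the log shows)."""
    return ipaddress.IPv4Address(int(v6) >> 96)

def candidate_prefix(v4):
    """The IPv6 /32 that a logged 'IPv4' source would stand for."""
    return ipaddress.IPv6Network((int(v4) << 96, 32))

def classify(line, v6_mgmt_prefixes):
    """Annotate one syslog line; returns None if it is not a SEC_LOGIN message."""
    m = SEC_LOGIN.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    result = {"user": m["user"], "logged": str(src), "candidate": None}
    if src.version == 6:
        result["verdict"] = "ipv6"          # address was logged in full
        return result
    cand = candidate_prefix(src)
    if any(cand.overlaps(p) for p in v6_mgmt_prefixes):
        result.update(verdict="probable-ipv6", candidate=str(cand))
    elif src.is_reserved or src.is_multicast or src.is_unspecified:
        result.update(verdict="invalid-ipv4", candidate=str(cand))
    else:
        result["verdict"] = "ipv4"
    return result

# Assumed IPv6 management prefixes (constructed; the first covers FEC0::CCCC:1).
MGMT_V6 = [ipaddress.IPv6Network("fec0::/64"),
           ipaddress.IPv6Network("2001:db8:0:100::/64")]

SAMPLE_LINES = [
    # From the post's printout:
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 254.192.0.0] [localport: 23] at ...",
    # Constructed: a genuine IPv4 session, and a truncated 2001:db8:0:100::/64 peer.
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at ...",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 32.1.13.184] [localport: 22] at ...",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line, MGMT_V6))
```

The third sample line is the case to watch in log analysis: a truncated global-unicast IPv6 source is indistinguishable from an ordinary public IPv4 address unless it is correlated with the IPv6 prefixes actually in use.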

It looks like the recommendation we’ve been making two years ago is still valid: use IPv4 for network management.

7 comments:

  1. "It looks like the recommendation we’ve been making two years ago is still valid: use IPv4 for network management."

    Is your recommendation because of lack of IOS support? How would you do it otherwise?

    Thanks,
    Trevor

  2. It's not just the lack of feature parity, there are more bugs in the IPv6 version of management services.

    For the moment, managing your devices over IPv4 is more reliable.

  3. I have been managing some of my production devices recently over IPv6, including SNMP. Had no issues so far. Though, some needed the upgrade to the latest IOS to work well.

    I agree, to some extent not everything is ready yet, but it is still absolutely necessary to take the small steps so the issues could be identified early. I prefer to leave the IPv4 management as a backup solution.

  4. The relevance of using IPv6 for management should indeed be taken with more attention. Even when perhaps not so popular for techno guys, but from business perspective it could always be that business management would like to consider handing the network monitoring or management to some other company, in which case not needing to deal with private IP addresses and NAT is quite some advantage. In XaaS parlance, this would be NMaaS :-)
    However, for this to work, not only the network elements must properly support IPv6 in all management protocols, but also management/monitoring tools and apps must also support IPv6. Does anyone have more experiences in this respect?

  5. This issue is reported in the Sev4 bug:
    CSCtb29296 ipv6 address not displayed properly in Login Success and Failure logs

    Seems like they have more severe bugs to work on :)

    Xavier

  6. As far as monitoring systems go, Zabbix has complete feature-parity; I think OpenNMS is actively developing their v6 features; Nagios is fairly agnostic, it's a per-plugin thing, and I suspect they're mostly compatible; last I checked (a year or so ago) Zenoss had no support and no plans.

  7. SNMP, SYSLOG via IPv6 are NOT vrf aware.
    NTPv4 via IPv6 is not working with & w/o vrf
    BTW
    ACS 5.2 has undocumented v6-capabilities per default!!!



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.