IPv6 in Data Center: after a year, Cisco is still not ready

Today I’m delivering another IPv6 presentation, this time at the 4th Slovenian IPv6 Summit organized by the tireless Jan Žorž from the go6 Slovenian IPv6 initiative. It’s thus just the right time to review the post I wrote a bit more than a year ago about the lack of IPv6 readiness in Cisco’s Data Center products. Let’s see what has changed in a year:

| Equipment | Last year | This year |
|---|---|---|
| Routers | Yes (6vPE on IOS XE might be missing) | Yes |
| Firewalls (ASA) | No redundancy (IPv6 failover doesn’t work) | Yes |
| Data center switches | Yes (Catalyst and Nexus) | Yes (not on Nexus 1000V) |
| Firewall Service Module (FWSM) | Not in transparent mode; on the main CPU (awfully slow) in routed mode | Not in transparent mode; no failover |
| Load balancers (ACE) | No | No |
| Application-level firewall (XML Gateway) | No | Dead |
| WAN optimization (WAAS) | No | No |
| IronPort | No | No |

The changes from last year:

  • 6VPE was introduced in IOS XE release 3.1S.
  • IPv6 failover bug in ASA was fixed.
  • WAF and XML Gateway were killed.

Not much, I would say, but I probably have the wrong perspective. After all, John Chambers is very proud of Cisco’s IPv6 thought leadership.

Enjoy the video; I particularly liked the part around 1:50 where “every our product” quickly becomes “... every router, every switch, all of our core IOS software ...”. Proves my point, does it not?

20 comments:

  1. - FWSM will always be IPv6 in software - a new device that yet has to be released will replace FWSM and do IPv6 in hw (supposedly).
    - You can throw away your ACE10s and ACE20s because they will never do IPv6
    - WLC does not do IPv6

  2. FWSM is doing IPv6 on NP3 not in CPU.
    ASA IPv6 bugs and features ... don't get me started, it's still a long way to go :-)

  3. @Isam, thanks, I did not know that. Anyway: FWSM will pass through no more than 60 to 80 Mbit of traffic, which makes it relatively useless in a Service Provider context.

  4. Thanks for the update, @Isam. Was that true a year ago as well? In that case, I will update the second column of the table and the last year's post.

  5. Up through at least 15.0(1)M and 12.2(53)SE2 the IPv6 support for management protocols is spotty; syslog is there, SNMP traps and the RADIUS/TACACS control plane aren't. I haven't checked the very latest images, though.

  6. @Ivan, the NP3 is also called "the slow path" here: http://www.scribd.com/doc/28698783/FWSM-Architecture

  7. IMO ASAs are not even close to being IPv6 ready.

    As of 8.2 code all it really does is basic unicast routing. ASA 8.3 code added a few things (like IPv6 LAN to LAN IPsec). It doesn't change the fact that there is "poor" feature parity between IPv4 and IPv6. In this case, "poor" is a severe understatement.

    IPv6 IPsec? Static LAN to LAN only.
    IPv6 remote access VPN - L2TP, AnyConnect? Nope.
    Dynamic routing - OSPFv3 or RIPng? Nope.

    PIXes and ASAs support all of the above for IPv4 networks.

    IOS boxes don't have feature parity either but they are MUCH MUCH farther along, especially if you are really brave and run 15.1T ;)

  8. Whoever told you that FWSM only does 60-80 Mbit of throughput was pulling your leg.

  9. Chris, we're talking about IPv6 here. Can FWSM do more with IPv6 traffic? Do you have any hard performance data? I would love to publish it.

  10. @Ivan, I believe it was always the case. Theoretical performance will be at around 500Mbit/s due to architecture limitation - check Job's link below. Real performance will vary ;-)

    In other words, forget about FWSM and IPv6, although if you have a big account behind you, contact your Cisco SE; maybe they can talk some sense into development. For everyone else, we have to wait for the next-generation-firewall-in-chassis - people from Cisco told me it's not that long of a wait (no specifics).

  11. I'm far from being an expert on the FWSM, so I have to rely on external sources. The BRKSEC-3020 (Advanced Firewalls) section from Cisco Live 2010 claims on Slide #25 that FWSM does IPv6 in the control point central CPU, not in the NP slow path (NP3).

    If anyone has anything more authoritative pointing to a different conclusion (IPv6 running on NP3), please share it.

  12. According to this discussion
    http://www.gossamer-threads.com/lists/cisco/nsp/132935?do=post_view_threaded#132935
    and the reply from Cisco, IPv6 is handled by the CPU - a PIII.

  13. Funny seeing this, as I learnt just this week that CCP won't even know about IPv6 until May 2011.

  14. I'll try to arrange for some performance tests with the FWSMs I have access to. That should solve the matter of throughput. :-)

  15. I have that Chambers video mentally bookmarked, ready to use in any TAC case if an engineer gives me a hard time with regard to IPv6. =)

  16. Any idea how a VPN client is supposed to receive an IPv6 DNS server when using the AnyConnect client?

  17. Currently the only way for a client to receive DNS information is to issue a DHCPv6 request, which means that the router has to set the other-config flag in RA messages.

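As an added example (not from the post or any commenter): a small parser for the ICMPv6 Router Advertisement header that reports whether the other-config (O) flag discussed in the comment above is set, i.e. whether hosts are being told to ask stateless DHCPv6 for DNS information, and that rejects malformed option lists. The sample RA bytes are constructed for the example, with the checksum left at zero.

```python
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_NAMES = {1: "source-link-layer", 3: "prefix-information", 5: "mtu", 25: "rdnss"}


def parse_ra(icmpv6: bytes) -> dict:
    """Decode the ICMPv6 payload of a Router Advertisement (checksum not verified).

    Returns the M (managed) and O (other-config) flags, the router lifetime and
    the option types present; raises ValueError on a malformed message.
    """
    if len(icmpv6) < 16:
        raise ValueError("RA shorter than its fixed 16-byte header")
    msg_type, code, _csum, _hops, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmpv6[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed_flag": bool(flags & 0x80),       # M: get addresses via DHCPv6
        "other_config_flag": bool(flags & 0x40),  # O: get DNS etc. via stateless DHCPv6
        "router_lifetime": lifetime,
        "options": [],
    }
    pos = 16
    while pos < len(icmpv6):                      # walk the TLV options (length in 8-byte units)
        if len(icmpv6) - pos < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[pos], icmpv6[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861: such a packet must be discarded
        size = opt_len * 8
        if pos + size > len(icmpv6):
            raise ValueError("option runs past the end of the message")
        ra["options"].append(OPT_NAMES.get(opt_type, f"type-{opt_type}"))
        pos += size
    return ra


def dns_via_dhcpv6(ra: dict) -> bool:
    """True when the RA tells hosts to use DHCPv6 for DNS (M or O flag set)."""
    return ra["managed_flag"] or ra["other_config_flag"]


# Constructed sample RA: hop limit 64, O flag set, lifetime 1800 s, checksum left at 0,
# followed by one prefix-information option for 2001:db8:1::/64.
RA_WITH_O = bytes.fromhex("86000000" "40400708" "00000000" "00000000"
                          "0304" "40c0" "00278d00" "00093a80" "00000000"
                          "20010db8000100000000000000000000")
RA_NO_O = bytes([0x86, 0, 0, 0, 64, 0x00]) + RA_WITH_O[6:]  # same RA with both flags cleared
```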
  18. Ivan, indeed I stand corrected, a few chats with guys in TAC and indeed FWSM does everything IPv6.
    On top you might find this interesting:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl77322

  19. Ivan, indeed, I stand corrected, a few chats with guys in Cisco TAC and indeed FWSM does everything IPv6 in CPU.
    On top you might find this interesting:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl77322

  20. I seem to be running into an issue where the FWSM doesn't route more than 500-550 Mbit of traffic. Can someone provide more detail about the resource limitations mentioned above? I looked at the slides but don't see where it specifically talks about that limitation; I see the PPS limit that drops throughput to the 2 Gbit range.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.