DMVPN: another IPv6 failure

Yesterday I started developing the IPv6 section of my new DMVPN: New Features webinar (register here). I’ve been looking forward to this topic, wondering how they manage spokes having a mixture of IPv4 and IPv6 transport (public) addresses. Disappointment kicked in after a few minutes: they don’t. Even worse, the DMVPN for IPv6 feature allows you to run IPv6 over a DMVPN tunnel, but not DMVPN between IPv6 endpoints.

I’m convinced Cisco implemented DMVPN for IPv6 to cater to the needs of those few huge multinational enterprises that have already rolled out IPv6 internally to get away from the RFC1918 subnetting mess (Bechtel is an oft-quoted example). Most of us will face a different scenario in the near future: we won’t be able to get a public IPv4 address from our ISP (particularly in the APNIC region, where the RIR exhaustion is predicted before the end of April 2011). Once we get there, we’ll be stuck and might have to fall back to point-to-point IPsec tunnels (those do work with IPv6).

11 comments:

  1. Ivan,

    My sources tell me that's still in the pipeline and 15.2T will contain support for IPv6 transport.

    The said source was not able to share the release date though.

  2. Ivan Pepelnjak, 06 April, 2011 13:39

    I never doubted Cisco would eventually roll it out. But like with many other IPv6-related features, it's still promised (on the roadmap/in the pipeline) with no committed delivery date.

    IPv6 load balancing on ACE was promised a long time ago and it's still "on the roadmap", NAT64 for ASR1K was promised 18 months ago, it's still only stateless (= useless) ... You can see a pattern forming.

  3. I think what happened here's all these features went into the Linksys routers, and you can run this stuff at home. Or maybe, they've even included it in their Flip cameras... who knows... <---- sarcasm :)

  4. Ivan,

    You're not going to see any decent IPv6 in ACE (or FWSM for that matter) until next generation of hardware comes along, and ... it's on the roadmap.

    As for NAT64 on ASR1k, I do believe you'll need DNS64 (I don't believe Cisco implements it anywhere?). Just go dual stack, who cares about possible (user experienced) slowness/delay, let network equipment push IPs (be it v4 or v6) :-)

  5. Said hardware is out and in some cases orderable; ACE30 just needs a code upgrade, so it's still a waiting game. The FWSM replacement has been announced now, if you still want a module version of the ASA 5585-X. I can't remember the name for that one. It was only announced a few days ago.

  6. Jonathan,

    Care to point me to the FWSM replacement?
    I was checking here:
    http://www.cisco.com/en/US/products/hw/vpndevc/products.html#network
    and
    cisco.com/go/support
    Not much :{

  7. Jónatan Natti, 07 April, 2011 01:58

    Isam:
    Here's the new ASA service module:
    http://www.cisco.com/en/US/products/ps11621/index.html

  8. Ivan Pepelnjak, 07 April, 2011 08:00

    @Yandy: IPv6 not available in Linksys (yeah, another #FAIL). Must be the Flip cameras :-E

  9. Ivan Pepelnjak, 07 April, 2011 08:03

    DNS64 is not a problem, the latest BIND can do it http://www.tuscanynetworks.com/isc-releases-bind-980-and-dns64-support-i-3272.php

    Dual-stack is a problem if you don't have enough IPv4 addresses (which is why SPs will have to deploy IPv6-only clients and use NAT64).

  10. Thx Jónatan ;-)

    Ivan, I'm afraid we're going to see more double/triple NAT (v4) for clients instead of NAT64.
    But that's a completely different subject.

    I'm hoping IPv6 will get some traction after IPv6 day... I don't even mind if we're using proxies and reverse proxies...

  11. Just learned that VMware HA does not support IPv6; seems Cisco is not alone in forgetting about v6.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.