DMVPN: another IPv6 failure

Yesterday I started developing the IPv6 section of my new DMVPN: New Features webinar (register here). I’ve been looking forward to this topic, wondering how they manage spokes having a mixture of IPv4 and IPv6 transport (public) addresses. Disappointment kicked in after a few minutes: they don’t. Even worse, the DMVPN for IPv6 feature allows you to run IPv6 over a DMVPN tunnel, but not DMVPN between IPv6 endpoints.

I’m convinced Cisco implemented DMVPN for IPv6 to cater to the needs of those few huge multinational enterprises that have already rolled out IPv6 internally to get away from the RFC1918 subnetting mess (Bechtel is an oft-quoted example). Most of us will face a different scenario in the near future: we won’t be able to get a public IPv4 address from our ISP (particularly in the APNIC region, where the RIR exhaustion is predicted before the end of April 2011). Once we get there, we’ll be stuck and might have to fall back to point-to-point IPsec tunnels (those do work with IPv6).


  1. Ivan,

    My sources tell me that's still in the pipeline and 15.2T will contain support for IPv6 transport.

    The said source was not able to share the release date though.

  2. Ivan Pepelnjak, 06 April, 2011 13:39

    I never doubted Cisco would eventually roll it out. But like with many other IPv6-related features, it's still promised (on the roadmap/in the pipeline) with no committed delivery date.

    IPv6 load balancing on ACE was promised a long time ago and it's still "on the roadmap", NAT64 for ASR1K was promised 18 months ago, it's still only stateless (= useless) ... You can see a pattern forming.

  3. I think what happened here's all these features went into the Linksys routers, and you can run this stuff at home. Or maybe, they've even included it in their flip cameras... who knows... <---- sarcasm :)

  4. Ivan,

    You're not going to see any decent IPv6 in ACE (or FWSM for that matter) until next generation of hardware comes along, and ... it's on the roadmap.

    As for NAT64 on ASR1k, I do believe you'll need DNS64 (I don't believe Cisco implements it anywhere?). Just go dual stack, who cares about possible (user experienced) slowness/delay, let network equipment push IPs (be it v4 or v6) :-)

  5. Said hardware is out and in some cases orderable; ACE30 just needs a code upgrade, so it's still a waiting game. The FWSM replacement has been announced now, if you still want a module version of the ASA 5585-X. I can't remember the name for that one. It was only announced a few days ago.

  6. Jonathan,

    Care to point me to the FWSM replacement?
    I was checking here:
    Not much :{

  7. Jónatan Natti, 07 April, 2011 01:58

    Here's the new ASA service module:

  8. Ivan Pepelnjak, 07 April, 2011 08:00

    @Yandy: IPv6 not available in Linksys (yeah, another #FAIL). Must be the Flip cameras :-E

  9. Ivan Pepelnjak, 07 April, 2011 08:03

    DNS64 is not a problem, the latest BIND can do it

    Dual-stack is a problem if you don't have enough IPv4 addresses (which is why SPs will have to deploy IPv6-only clients and use NAT64).

  10. Thx Jónatan ;-)

    Ivan, I'm afraid we're going to see more double/triple NAT (v4) for clients instead of NAT64.
    But that's a completely different subject.

    I'm hoping IPv6 will get some traction after IPv6 day... I don't even mind if we're using proxies and reverse proxies...

  11. Just learned that VMware HA does not support IPv6, seems Cisco is not alone in forgetting about v6.

