
Is Anyone Using DMVPN-over-IPv6?

One of my readers sent me an interesting challenge: they’re deploying a new DMVPN WAN, and as they cannot expect all locations to have native (non-NAT) IPv4 access, they plan to build the new DMVPN over IPv6. He was wondering whether it would work.

Apart from “you’re definitely going in the right direction,” all I could tell him was “looking at the documentation I couldn’t see why it wouldn’t work.” Has anyone deployed DMVPN over IPv6 in a production network? Any hiccups? Please share your experience in the comments. Thank you!

6 comments:

  1. Ivan,
    It works. I've run v6 over v6, v6 over v4, and v4 over v4, just not v4 over v6, in my lab and some small deployments. I've used http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/ip6-dmvpn.html but there may be an updated version of that doc that is more current. The routing protocol selection (as you are aware) is likely the bigger deal given what you want to do. We can chat at Interop if you want to chat details. - Ed H.

  2. It's working fine. I've run v6 over v6 and v6 over v4 in a test environment using IOS XE. Last I looked 6 months ago, the 6500 can't do any v6 DMVPN yet.

  3. On my side I tried IPv4 over an IPv6 IPsec tunnel, so my outside interfaces were in IPv6 while inside were in IPv4... and it works well.
    I used "mode gre ipv6" with "protection ipsec" with IOS 15.1(4)M6.
    It was in VTI.
    Nico

  4. It was my understanding that while DMVPN could transport either v4 or v6 in its tunnels, it required a v4 WAN at this time.

  5. Per Cisco Live Europe, 2013, BRKSEC-3052:
    * Cat 6500 - Not recommended for DMVPN
    * IPv6 transport support (underlying transport or "outer" VPN) added in IOS 15.2(1)T and IOS-XE 3.8S

    Also, 15.2(4)M was classified as a mainline release in June of 2013 and is currently one of the recommended releases for the ISR-G2s. So if you have ASRs or ISR-G2s I would be comfortable deploying with testing. The other big caveat is you have to make sure your carriers and internal operations/NMS can handle this decision.

  6. Thank you everyone for your feedback. -Tony
