Cisco IOS Login Enhancements are not IPv6-aware
One of the comments to my “IPv6 in Data Center: after a year, Cisco is still not ready” post included the following facts:
Up through at least 15.0(1)M and 12.2(53)SE2 the IPv6 support for management protocols is spotty; syslog is there, SNMP traps and the RADIUS/TACACS control plane aren't.
Another bug along the same lines was discovered by Jónatan Jónasson: when the Cisco IOS Login Enhancements feature logs a successful or failed login attempt, it reports the top 32 bits of the remote IPv6 address in IPv4 address format. Here’s a sample printout taken from a router running IOS release 15.0(1)M.
P#
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test]
[Source: 254.192.0.0] [localport: 23] at ...
P#who
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
2 vty 0 test idle 00:00:06 FEC0::CCCC:1
It looks like the recommendation we made two years ago is still valid: use IPv4 for network management.
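For anyone consuming these messages in a log pipeline, here is an added example (not code from the original post or from Cisco) that reproduces the truncation and maps a logged "IPv4" source back to the IPv6 /32 it may stand for, then correlates it with session peers such as those shown by "who". The function names, the regular expression and the sample line (rebuilt from the printout above) are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the log line from the printout above, joined onto one line.
SAMPLE_LOG = ("%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] "
              "[Source: 254.192.0.0] [localport: 23]")

# Assumed message layout, taken from the printout in this post.
SEC_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>\w+): .*?\[user: (?P<user>[^\]]*)\]\s+"
    r"\[Source: (?P<source>[0-9.]+)\]\s+\[localport: (?P<port>\d+)\]")


def top32_as_ipv4(ipv6_text):
    """Show the top 32 bits of an IPv6 address as a dotted quad, as the log does."""
    addr = ipaddress.IPv6Address(ipv6_text)
    return ipaddress.IPv4Address(int(addr) >> 96)


def candidate_prefix(source_text):
    """IPv6 /32 that a logged source would represent if it is a truncated IPv6 address."""
    v4 = ipaddress.IPv4Address(source_text)
    return ipaddress.IPv6Network((int(v4) << 96, 32))


def resolve_source(log_line, session_peers):
    """Correlate a SEC_LOGIN source with IPv6 peers seen in session data."""
    m = SEC_LOGIN_RE.search(log_line)
    if m is None:
        return None
    prefix = candidate_prefix(m["source"])
    hits = [p for p in session_peers if ipaddress.IPv6Address(p) in prefix]
    return {
        "user": m["user"],
        "logged_source": m["source"],
        # A reserved IPv4 source (240.0.0.0/4) is a strong hint of truncation.
        "reserved_as_ipv4": ipaddress.IPv4Address(m["source"]).is_reserved,
        "ipv6_prefix": str(prefix),
        "ipv6_candidates": hits,
    }


if __name__ == "__main__":
    # Peers are constructed: the address from the 'who' output plus a documentation address.
    print(resolve_source(SAMPLE_LOG, ["FEC0::CCCC:1", "2001:db8::1"]))
    # Global unicast sources truncate to ordinary-looking IPv4 addresses.
    print(top32_as_ipv4("2001:db8::1"))
```

The second print shows why the logged value alone is not enough: a 2000::/3 source truncates to something that looks like a normal public IPv4 address, so only correlation with session data tells the two apart.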
Is your recommendation because of lack of IOS support? How would you do it otherwise?
Thanks,
Trevor
For the moment, managing your devices over IPv4 is more reliable.
I agree, to some extent not everything is ready yet, but it is still absolutely necessary to take the small steps so the issues could be identified early. I prefer to leave the IPv4 management as a backup solution.
However, for this to work, not only the network elements must properly support IPv6 in all management protocols, but also management/monitoring tools and apps must also support IPv6. Does anyone have more experiences in this respect?
CSCtb29296 ipv6 address not displayed properly in Login Success and Failure logs
Seems like they have more severe bugs to work on :)
Xavier
NTPv4 via IPv6 is not working with & w/o vrf
BTW
ACS 5.2 has undocumented v6-capabilities per default!!!