IPv6 in Data Center: after a year, Cisco is still not ready

Today I’m delivering another IPv6 presentation, this time at the 4th Slovenian IPv6 Summit organized by tireless Jan Žorž from the go6 Slovenian IPv6 initiative. It’s thus just the right time to review the post I wrote a bit more than a year ago about lack of IPv6 readiness in Cisco’s Data Center products. Let’s see what has changed in a year:

EquipmentLast yearThis year
Routers Yes (6vPE on IOS XE might be missing) Yes
Firewalls (ASA) No redundancy (IPv6 failover doesn’t work) Yes
Data center switches Yes (Catalyst and Nexus) Yes (Not on Nexus 1000V)
Firewall Service Module (FWSM) Not in transparent mode, on the main CPU (awfully slow) in routed mode. Not in transparent mode, no failover.
Load balancers (ACE) No No
Application-level firewall (XML Gateway) No Dead
WAN optimization (WAAS) No No
Ironport No No

The changes from last year:

  • 6VPE was introduced in IOS XE release 3.1S.
  • IPv6 failover bug in ASA was fixed.
  • WAF and XML Gateway were killed.

Not much, I would say, but I probably have a wrong perspective. After all, John Chambers is very proud about Cisco’s IPv6 thought leadership.

Enjoy the video, I particularly liked the part around 1:50 where “every our product” quickly becomes “... every router, every switch, all of our core IOS software ...” Proves my point, does it not?

Recent posts in the same categories

20 comments:

  1. Job Snijders 24 November 2010 09:03
    - FWSM will always be IPv6 in software - a new device that yet has to be released will replace FWSM and do IPv6 in hw (supposedly).
    - You can throw away your ACE10's & ACE20's because they will never do IPv6
    - WLC does not do IPv6
  2. Isam 24 November 2010 10:54
    FWSM is doing IPv6 on NP3 not in CPU.
    ASA IPv6 bugs and features ... don't get me started, it's still a long way to go :-)
  3. Job Snijders 24 November 2010 13:07
    @Isam, thanks, I did not know that. Anyway: FWSM will pass through no more than 60 to 80 mbit of traffic, which makes it relatively useless in Service Provider context.
  4. Ivan Pepelnjak 24 November 2010 13:22
    Thanks for the update, @Isam. Was that true a year ago as well? In that case, I will update the second column of the table and the last year's post.
  5. JS 24 November 2010 15:33
    Up through at least 15.0(1)M and 12.2(53)SE2 the IPv6 support for management protocols is spotty; syslog is there, SNMP traps and the RADIUS/TACACS control plane aren't. I haven't checked the very latest images, though.
  6. Job Snijders 24 November 2010 16:48
    @Ivan the NP3 is also called "the slow path" here http://www.scribd.com/doc/28698783/FWSM-Architecture
  7. Phil 24 November 2010 18:44
    IMO ASAs are not even close to being IPv6 ready.

    As of 8.2 code all it really does is basic unicast routing. ASA 8.3 code added a few things (like IPv6 LAN to LAN IPsec). It doesn't change the fact that there is "poor" feature parity between IPv4 and IPv6. In this case, "poor" is a severe understatement.

    IPv6 IPsec? Static LAN to LAN only.
    IPv6 remote access VPN - L2TP, AnyConnect? nope.
    dynamic routing - OSPFv3 or RIPng? nope

    PIXes and ASAs support all of the above for IPv4 networks.

    IOS boxes don't have feature parity either but they are MUCH MUCH farther along, especially if you are really brave and run 15.1T ;)
  8. chris 25 November 2010 08:21
    Whoever told you that FWSM only does 60-80mbit of throughput was pulling your leg.
  9. Ivan Pepelnjak 25 November 2010 08:41
    Chris, we're talking about IPv6 here. Can FWSM do more with IPv6 traffic? Do you have any hard performance data? I would love to publish it.
  10. Isam 25 November 2010 11:00
    @Ivan, I believe it was always the case. Theoretical performance will be at around 500Mbit/s due to architecture limitation - check Job's link below. Real performance will vary ;-)

    In other words forget about FWSM and IPv6, although if you have a big account behind you, contact your Cisco SE, maybe they can talk some sense into development. For everyone else, we have to wait for the next-generation-firewall-in-chassis - people from Cisco told me it's not that long of a wait (no specifics).
  11. Ivan Pepelnjak 25 November 2010 11:26
    I'm far from being an expert on the FWSM, so I have to rely on external sources. The BRKSEC-3020 (Advanced Firewalls) section from Cisco Live 2010 claims on Slide #25 that FWSM does IPv6 in the control point central CPU, not in the NP slow path (NP3).

    If anyone has anything more authoritative pointing to a different conclusion (IPv6 running on NP3), please share it.
  12. Martin Zidek 25 November 2010 19:10
    According to this discussion
    http://www.gossamer-threads.com/lists/cisco/nsp/132935?do=post_view_threaded#132935
    and reply from cisco, IPv6 is handled by CPU - PIII.
  13. Anonymous 25 November 2010 21:47
    Funny seeing this as I learnt just this week that CCP won't even know about ipv6 until may 2011.
  14. Job Snijders 27 November 2010 11:21
    I'll try to arrange for some performance tests with the FWSM's i have access to. That should solve the matter of throughput. :-)
  15. Frank Bulk 12 December 2010 07:01
    I have that Chambers video mentally bookmarked, ready to use in any TAC case if an engineer gives me a hard time in regards to IPv6. =)
  16. Frank Bulk 12 December 2010 07:01
    Any idea how a VPN client is supposed to recieve an IPv6 DNS server when using the AnyConnect client?
  17. Ivan Pepelnjak 12 December 2010 08:15
    Currently the only way for a client to receive DNS information is to issue a DHCPv6 request, which means that the router has to set the other-config flag in RA messages.
  18. Isam 22 January 2011 11:50
    Ivan, indeed I stand corrected, a few chats with guys in TAC and indeed FWSM does everything IPv6.
    On top you might find this interesting:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl77322
  19. Isam 22 January 2011 11:51
    Ivan, indeed, I stand corrected, a few chats with guys in Cisco TAC and indeed FWSM does everything IPv6 in CPU.
    On top you might find this interesting:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl77322
  20. rraver 25 January 2011 11:30
    I seem to be running into an issue where the FWSM doesn't route more then 500-550 Mbit of traffic. Can someone provide more detail about the resource limitations mentioned above. I looked at the slides but don't see where it specifically talks about that limitation, I see the PPS limit that drops throughput to the 2 gbit range.
Add comment
Home
Sidebar