Building network automation solutions

9 module online course

Start now!

Cisco launched two more IPv4-only Data Center products

Cisco recently launched two very interesting products: layer-3 routing for the Nexus 5000 switch and the Virtual Security Gateway (which is a fantastic solution that you’ll hear more about in my future posts). Sadly, both products support only IPv4.

I’m in this industry long enough to understand the need for “baby steps” and “focusing on what customers want” (and I know there are hundreds of great engineers within Cisco who know what needs to be done, but still have to read blog posts like this one), but launching critical products without IPv6 support after the IPv4 global address pool has already been depleted definitely doesn’t look futuristic (just for fun, you might want to watch John Chambers talking about Cisco’s IPv6 thought leadership).

Color-coded systems (like this one) seem to be popular, so here’s my current understanding of Cisco’s IPv6 Data Center readiness in (mostly rosy) vivid colors:

FunctionalityIPv6 readiness state
Routers All WAN edge routers are IPv6 ready
Switches Catalyst 6500, Nexus 7000
Nexus 5000 (no IPv6 routing), Nexus 1000V (no IPv6 PACL)
Firewalls ASA
FWSM handles IPv6 on main CPU. No transparent mode.
Virtual Security Gateway filters IPv6 based on Ethertype
Email/Web security IPv6 only supported by cloud-based Ironport solution (NAT64 anyone?)
Load balancers Future IPv6 support promised on ACE30
NAT64 Stateless NAT64 on ASR1000 (pretty useless). No stateful NAT64 support.
WAN optimization IPv6 not supported

Have I missed something? Is the table incorrect? Please let me know!

Getting more information

The problems you might encounter when deploying IPv6 in your data center are described in my Enterprise IPv6 – the first steps webinar (buy the recording or register for an online session).


  1. If the FWSM only supports IPv6 on the main CPU then it can handle about 100 - 200 Mbps of traffic. At that point, CPU will be 100% and firewall will be dropping traffic or failing.

    Effectively, this means it doesn't actually "work" with IPv6 at all.
  2. For more details, read the FWSM-related comments to this post

    Looks like FWSM can handle a bit more than 100 Mbps, but it's very far off from the IPv4 performance.
  3. Nexus 5000 isn't a L3 platform. It doesn't have IPv4 routing either. The data sheet says it does support IPv6 ACLs but I haven't read what the limitations are
  4. The 5k now has the ability to do routing with the new 5.0(3)N1 code and the L3 expansion modules/daughtercards. Just came out.
  5. Where we are at with NAT-PT ? It was implemented in IOS quite a few years ago but it has never made it into ASA code...
Add comment