Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
965
Views
0
Helpful
8
Replies

ipv6 routing

NetworkGuy!
Level 1
Level 1

‎09-20-2022 04:04 AM

I need to introduce ipv6. Does it follow the same way of using private IPv6 address on the inside network (for users, switches/routers) and NAT'ing to Public IPv6 on the outside of firewall?

Labels:
0 Helpful
8 Replies 8

Harold Ritter
Cisco Employee
Cisco Employee

‎09-20-2022 05:02 AM

Hi @NetworkGuy!  ,

Although IPv6 NAT is supported on certain devices, it is not recommended to use NAT in the IPv6 context as it breaks end to end connectivity. 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

NetworkGuy!
Level 1
Level 1
In response to Harold Ritter

‎09-20-2022 06:39 AM

Thanks for your feedback but wouldnt it be security risk to expose if i were to use Public IPv6 address on inside network?

0 Helpful

Harold Ritter
Cisco Employee
Cisco Employee
In response to NetworkGuy!

‎09-20-2022 07:03 AM - edited ‎09-20-2022 07:04 AM

Hi @NetworkGuy!  ,

There is definitely a need for a proper FW to address the security issue. NAT is sometimes mistakenly seen as a security measure.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

NetworkGuy!
Level 1
Level 1
In response to Harold Ritter

‎09-20-2022 07:23 AM

So if I use the public address on the inside network, then is there not  a chance people can access this address from outside? (if the outside access list is allowed accidentally)

like in ipv4, even if the outside acl is open, because we are using NAT, it cant be reached from outside right?

We have /48 ipv6 its plenty for us but my thoughts goes towards using public ip for each laptop that is behind the firewall?

0 Helpful

Harold Ritter
Cisco Employee
Cisco Employee
In response to NetworkGuy!

‎09-20-2022 07:44 AM

Hi @NetworkGuy!  ,

So if I use the public address on the inside network, then is there not  a chance people can access this address from outside? (if the outside access list is allowed accidentally)

Misconfiguration can lead to very bad things, either NAT is in used or not.

like in ipv4, even if the outside acl is open, because we are using NAT, it cant be reached from outside right?

We have been breaking the end to end connectivity for decades with the NAT model and this is one of the things we are trying to stay away from with IPv6. This doesn't mean you do not need security at the edge of your network to make sure only allowed traffic should traverse the security perimeter.

We have /48 ipv6 its plenty for us but my thoughts goes towards using public ip for each laptop that is behind the firewall?

I see the vast majority of deployments going with global unicast addresses (GUA) internally. You could use private internally if you want, but I would definitely not recommend it.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

NetworkGuy!
Level 1
Level 1
In response to Harold Ritter

‎09-21-2022 01:28 AM

Thank you so much Harry,

"I see the vast majority of deployments going with global unicast addresses (GUA) internally. You could use private internally if you want, but I would definitely not recommend it."

any reason why you would not recommend this so I understand?

0 Helpful

Harold Ritter
Cisco Employee
Cisco Employee
In response to NetworkGuy!

‎09-21-2022 06:03 AM

Hi @NetworkGuy!  ,

The trend is clearly to go with global connectivity. This will certainly have an impact on the number of vendors and the quality of the solution that will be available to support NAT solutions in the IPv6 context. 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

NetworkGuy!
Level 1
Level 1
In response to Harold Ritter

‎09-21-2022 06:30 AM

ok thanks

0 Helpful
Customers Also Viewed These Support Documents