cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
879
Views
0
Helpful
8
Replies

ipv6 routing

NetworkGuy!
Level 1
Level 1

I need to introduce ipv6. Does it follow the same way of using private IPv6 address on the inside network (for users, switches/routers) and NAT'ing to Public IPv6 on the outside of firewall?

8 Replies 8

Harold Ritter
Cisco Employee
Cisco Employee

Hi @NetworkGuy!  ,

Although IPv6 NAT is supported on certain devices, it is not recommended to use NAT in the IPv6 context as it breaks end to end connectivity. 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thanks for your feedback but wouldnt it be security risk to expose if i were to use Public IPv6 address on inside network?

Hi @NetworkGuy!  ,

There is definitely a need for a proper FW to address the security issue. NAT is sometimes mistakenly seen as a security measure.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

So if I use the public address on the inside network, then is there not  a chance people can access this address from outside? (if the outside access list is allowed accidentally)

like in ipv4, even if the outside acl is open, because we are using NAT, it cant be reached from outside right?

We have /48 ipv6 its plenty for us but my thoughts goes towards using public ip for each laptop that is behind the firewall?

Hi @NetworkGuy!  ,

So if I use the public address on the inside network, then is there not  a chance people can access this address from outside? (if the outside access list is allowed accidentally)

Misconfiguration can lead to very bad things, either NAT is in used or not.

like in ipv4, even if the outside acl is open, because we are using NAT, it cant be reached from outside right?

We have been breaking the end to end connectivity for decades with the NAT model and this is one of the things we are trying to stay away from with IPv6. This doesn't mean you do not need security at the edge of your network to make sure only allowed traffic should traverse the security perimeter.

We have /48 ipv6 its plenty for us but my thoughts goes towards using public ip for each laptop that is behind the firewall?

I see the vast majority of deployments going with global unicast addresses (GUA) internally. You could use private internally if you want, but I would definitely not recommend it.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thank you so much Harry,

"I see the vast majority of deployments going with global unicast addresses (GUA) internally. You could use private internally if you want, but I would definitely not recommend it."

any reason why you would not recommend this so I understand?

Hi @NetworkGuy!  ,

The trend is clearly to go with global connectivity. This will certainly have an impact on the number of vendors and the quality of the solution that will be available to support NAT solutions in the IPv6 context. 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

ok thanks