IPv6 Workaround

m.glosson · ‎12-19-2012

Since Cisco's great commitment to IPv6 seems not to infiltrate the WSA product team, I'm looking for some brainstorms as to how to roll out IPv6 without allowing IPv6 web browsing? I suppose a DNS filter could be made in the ASA to block any response with a colon in it. But that would kill activity for every protocol over IPv6. Or I could simply block IPv6 on TCP port 80, but depending on the browser used (and this is a university, so it could be anything) it will take an undetermined amount of time to fall back to IPv4. So since we can't count on Cisco to add this functionality to the WSA any time soon, I'm just looking for ideas...

Thanks,

Matt

Erik Kaiser · ‎12-21-2012

Hi Matt,

We do have IPv6 slated for one of the future WSA releases. I will have to do some research to find out when that is expected and provide an update to you.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

m.glosson · ‎01-03-2013

Hi Erik. Thanks for replying. Have you gotten a chance to do the research yet? This is the answer I've been hearing for two years: "It's coming some day, but we're not sure when." It's getting to be crunch time and I would like more specifics than "sometime in the future." I have been monitoring this thread and it says the same thing.

Also, in the meantime, I want to open the discussion back up for workarounds.

Thanks,

Matt

Erik Kaiser · ‎01-08-2013

Hi Matt,

I am still trying to get this information. I will provide you with an update daily until I have an answer.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

jpietzold · ‎01-08-2013

I have the exact same question. I have been asking for 3 years now. I get the same response of "Sometime in the future" and "it's on the road map". But it has come to a time we HAVE to filter IPv6 and the newest code from Ironport/Cisco still doesn't support it. I look forward to your daily updates. I need to respond to management when this will go live.

Thanks

Jeremy

Erik Kaiser · ‎01-09-2013

HI Guys,

I do have an update. IPv6 is going to be released in the 2 half of 2013.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

jpietzold · ‎01-09-2013

Erik,

Let me get this straight. We bought the WSA 3 years ago with the understanding that IPv6 was comming "really soon" and it might be another full year. We love these boxes and they do an amazing job but they suck when it comes to keeping promises of when new features will be released. ie. IPv6 and others. urg!!!

What is Ironports current work around for our issue? Thanks Matt for your post. I am glad I am not the only one having the same issues with Ironport.

Jeremy

jpietzold · ‎01-09-2013

Thanks Erik for looking into this and following up with us.

Jeremy

Erik Kaiser · ‎01-09-2013

Hi Jeremy ,

No worries. Unfortunately I do not have an ETA for when this will actually be availible. Currently the 2nd half of this year is all that I could get from product support.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

m.glosson · ‎02-08-2013

Wow, bad news all around. Last year my understanding was that 4Q 2012 was when IPv6 support would be supported. I just guessed that from this thread, but I actually don't believe anything that I hear about this, because it always has the usual disclaimers attached to it. I guess it comes when it comes, and I will just resolve to be careful about buying anything from Cisco that's not a router or a switch, because that's obviously where they put most of their "forward thinking." Red-headed step-children, e.g., products that have been acquired from the purchase of other companies are literally years behind.

They put IPv6 support into the ESA, which I personally think is not as important as putting it into the WSA. The reason being that if someone relys on a WSA for proxy and filtering functions, they basically cannot roll out IPv6 to end-users, because once you roll it out, people can get right past the WSA (especially in a wccp situation without an explicit proxy set on the clients). And of course many questionable sites are already on IPv6, because they have a stake in getting around old filtering products that don't keep up with the times.

Thus closes my rant and my hopes that a once-great product will be again. I will have to be content with rolling out IPv6 to the DMZ only.

m.glosson · ‎12-02-2013

Here we are again... second half of 2013 is almost over and it seems like another false promise from Cisco unless they release a new version in the next 29 days...

Any new updates Erik?

Merry Christmas,

Matt

jpietzold · ‎12-02-2013

Erik,

We still have the same frustration. I have IPv6 deployed in only test vlans as I can not have unfiltered traffic passing my school networks. I have now been waiting 4 years on a promise that IPv6 would be able to filter "Really Soon"

I would also love an update.

Jeremy