• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Re: Is there any version of IOS that supports IPv6 for Cisco 4700 routers?

Started by pbrutsch, November 19, 2008, 12:10:32 PM

pbrutsch

EDIT: updated with flash and RAM requirements and updated a few comments

I've been looking at Cisco's Software Advisor (I have access to Cisco's support site, no I can't legally help anyone out with IOS images, please don't ask), so I should clarify my previous post.

EDIT 1/3/2009: I was wrong, the Feature Navigator is publicly accessible here: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp.
I reduced the 1800 platform section to only the 1811, all other 1800 models will be well over $500. A 3640 is 1/4 the cost and has the same "horsepower".

EDIT 6/8/2010: Updated for IOS 15

EDIT Jan 11 2011 - Updated comments regarding the 181x and 180x. Cisco seriously under-rates them.

Different models are limited to different IOS versions, and different IOS versions provide different feature sets with IPv6 support.

Take note that Cisco changed their packaging with IOS 12.4 - platforms that supported IPv6 under 12.3 may require a higher feature set under 12.4 if 12.4 is supported. At this point in time I strongly recommend 12.4 - IOS 12.3 hit EoSW (end of software maintenance) in March 2008 and is officially retired.

Here's some quick rules of thumb:

IOS 12.2 -> No IPv6 support. IPv6 was introduced in IOS 12.2T, which was the beta-quality development branch that led to 12.3
IOS 12.3 -> IP PLUS or ADVANCED IP SERVICES minimum, depending on platform
IOS 12.4 -> IP PLUS or ADVANCED IP SERVICES minimum, depending on platform
IOS 12.4T -> IP PLUS or ADVANCED IP SERVICES minimum, depending on platform. This is the beta-quality development branch that will become IOS 12.5. Jun 8 2010: IOS 12.5 was released as IOS 15 in Nov 2009. My guess is IOS 13 was skipped due to Triskaidekaphobia. Dunno why IOS 14 was skipped.
IOS 15 -> ADVANCED IP SERVICES minimum, depending on platform

In terms of stateful firewall support, look for IP FW/IDS/PLUS or ADVANCED IP SERVICES. Here's another reason to go with IOS 12.4: IOS 12.4 supports stateful inspection for IPv6, IOS 12.3 does not.

If you are going to run 12.4T, I recommend the latest 12.4(15)T maintenance build, currently (Jan 11, 2011) 12.4(15)T14. Virtually everything listed here will not be supported by anything newer, so Cisco declared that it will be a long-lived release with many bugfix rebuilds. The current ETA for EoSW of IOS 12.4 and 12.4(15)T is January 2012. Hmph, that means only the latest stuff (860, 870, 880, 1800, 2800, 3800 and now the 1900, 2900 and 3900) will be supported by IOS 12.5 IOS 15  >:(

If you are going to run IOS 15, I always recommend the latest maintenance rebuild, currently 15.0(1)M4. I had lots of weird IPv6 connectivity problems with devices on my LAN running anything older than 15.0(1)M2; YMMV.

Here's some common cheap ($500 or less) Cisco IOS models and the minimum IOS versions and feature set they need for IPv6 support:

Cisco 830 series (831, 836, 837) ->
  12.3: Not recommended for these models
  12.4: IP/FW/PLUS 3DES (requires 48MB RAM and 12MB flash aka 48D/12F). Cisco says 64D/12F, my experience is that 48D/12F will work just fine. Jan 11 2011 - The latest images just BARELY work with 48D - you'll have less than 4MB free memory!
  12.4T: IP/FW/PLUS 3DES (requires 64D/16F). You can get by with 12F on an 831 but not on an 837 (ADSL).
  15: Not available for these models
Cisco 871, 876, 877, 878 ->
  12.3: Not available for these models
  12.4: Not available for these models
  12.4T: ADVANCED IP SERVICES (requires 128D/28F)
  15: ADVANCED IP SERVICES (Cisco says 192D/36F, but the image will fit in 28F)
Cisco 881, 888 ->
  12.3: Not available for these models
  12.4: Not available for these models
  12.4T: ADVANCED IP SERVICES (requires 256D/128F)
  15: ADVANCED IP SERVICES (requires 256D/128F)
Cisco 1710 ->
  12.3: IP/FW/IDS PLUS IPSEC 3DES (requires 48D/16F)
  12.4: IP/FW/IDS PLUS IPSEC 3DES (requires 64D/16F)
  12.4T: Not available for this model
  15: Not available for this model
Cisco 1720 & 1750 ->
  12.3: IP/ADSL PLUS or IP/ADSL/FW/IDS PLUS IPSEC 3DES (requires 48D/16F)
  12.4: Not available for these models
  12.4T: Not available for these models
  15: Not available for these models
Cisco 1711, 1712, 1721, 1751, 1760 ->
  12.3: IP/ADSL PLUS (requires 48D/16F), IP PLUS (requires 64D/16F) or ADVANCED IP SERVICES (requires 96D/16F)
  12.4: IP/ADSL PLUS (requires 64D/16F) or IP/ADSL/FW/IDS PLUS IPSEC 3DES (requires 64D/16F) or ADVANCED IP SERVICES (requires 96D/32F)
  12.4T: IP/ADSL PLUS (requires 96D/16F) or IP/ADSL/FW/IDS PLUS IPSEC 3DES (requires 96D/32F) or ADVANCED IP SERVICES - Cisco says 160D/32F, will work in 128D/32F. ADVANCED IP SERVICES is not supported by Cisco on anything but a 1760.
  15: Not available for these models
Cisco 181x ->
  12.3: Not available for this model
  12.4: Not available for this model
  12.4(15)T: ADVANCED IP SERVICES (requires 128D/32F)
  12.4(20)T -> 15: ADVANCED IP SERVICES - Cisco says 256D/64F but 128D/32F should work. I have not tested that configuration. Take note: They take laptop DDR SO-DIMMs.
Cisco 2600 platform (2610, 2611, 2620, 2621, 2650, 2651) ->
  12.3: IP/FW/IDS PLUS IPSEC 3DES BASIC or IP PLUS BASIC W/O HD ANALOG/AIM ATM/VOICE or IP PLUS BASIC W/O SWITCHING (all require 64D/16F)
  12.4: 2650 & 2651 only: ADVANCED IP SERVICES (requires 128D/32F). Use the 2600XM image. Not supported by Cisco.
  12.4T: Not available for these models
  15: Not available for these models
Cisco 2600XM platform (2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM) ->
  12.3: IP PLUS (requires 64D/32F), IP/FW/IDS PLUS IPSEC 3DES (requires 96D/32F) or ADVANCED IP SERVICES (requires 96D/32F)
  12.4: ADVANCED IP SERVICES (requires 128D/32F)
  12.4T: ADVANCED IP SERVICES (requires 192D/48F)
  15: Not available for these models
Cisco 2691 ->
  12.3: IP PLUS or IP/FW/IDS PLUS IPSEC 3DES or ADVANCED IP SERVICES (all require 128D/32F)
  12.4: ADVANCED IP SERVICES (requires 128D/64F)
  12.4T: ADVANCED IP SERVICES (requires 256D/64F)
  15: Not available for this model
Cisco 3620 & 3640 ->
  12.3: 3620 -> IP PLUS (requires 64D/32F) or IP/FW/IDS PLUS IPSEC 3DES BASIC NO ATM (requires 64D/32F)
          3640 -> IP PLUS (requires 96D/32F) or IP/FW/IDS PLUS IPSEC 3DES (requires 128D/32F)
  12.4: 3640 ONLY: IP PLUS or IP/FW/IDS PLUS IPSEC 3DES (all require 128D/32F)
  12.4T: Not available for these models
  15: Not available for these models
Cisco 3660 ->
  12.3: IP PLUS or IP/FW/IDS PLUS IPSEC 3DES (all require 96D/32F)
  12.4: IP PLUS (requires 128D/32F) or IP/FW/IDS PLUS IPSEC 3DES (requires 128D/64F)
  12.4T: IP PLUS (requires 128D/64F) or IP/FW/IDS PLUS IPSEC 3DES (requires 256D/64F)
  15: Not available for these models
Cisco 3700 platform (3725, 3745) ->
  12.3: IP PLUS or IP/FW/IDS PLUS or ADVANCED IP SERVICES (all require 128D/32F)
  12.4: ADVANCED IP SERVICES (requires 128D/64F)
  12.4T: ADVANCED IP SERVICES (requires 256D/64F)
  15: Not available for these models

A few notes:

If you are going to put 12.4 on a 1721 or 1751, be mindful that not all units have 32MB flash - some have 16MB flash and the flash is not upgradeable. Oh, and keep in mind that they will struggle with internet connections faster than 8Mbit. 10Mbit is the highest they can be expected to handle. The performance limitations apply to all 1700 series routers.

A 1710 is a dual ethernet router that (as of this writing - November 2008) can easily be found for under $100 US, and with patience a 2611XM can be found for between $150 US and $200 US. Almost everything else on this list can be found for between $200 US and $500 US. A 3745 is the most powerful listed but is well over $500; the less powerful 3725 is close to $500, and ties the 1800 series in cost.

June 2010: A 1711 is a "dual ethernet" router - really one fast ethernet + 4-port fast ethernet switch - that typically sells for roughly $100 US. As previously written, a 2600XM series router is between $150 and $200 US. The 3725 has come down a good bit and can be found for $250 - $300 US. The 1811 has come down in price as well; if you get lucky you can get one for under $400 US.

January 2011: An 1811 is now $300-ish on a good day, less if you get lucky. A 3725 is about the same. If you can, go for the 1811!

The following are similar in horsepower: 1841, 265xXM, 2691, 3640. The 3725 is easily 3 or 4 times more powerful and is still the best bang for your buck  ;D Update Jan 11 2011 - The 1811 is, hands down, the best option. They make a 3725 look slow.

If you contact a reputable vendor they may be willing to sell you a damaged unit (bent chassis, broken faceplate, bad port, bad expansion slot, etc) at a discount.

Don't confuse a 2600 with a 2600XM! The 2600XM platform uses the same software images as the 2600 platform but takes more RAM and flash. In my eyes they are far more desirable for an IPv6 router & firewall.

I found this part out the hard way: If you are considering purchasing a wireless-equipped 870 series or 880 series (the 871W, 876W, 877W, 878W, 881W or 888W), be warned that IPv6 support does not always work! The feature Cisco uses to bridge the WLAN and LAN interfaces is called IRB (integrated routing and bridging); IPv6 does not work on the BVIs (bridge virtual interface), and the 802.11 interfaces don't support IPv6! As someone else mentioned, IPv6 will work on the wireless models if you configure IPv6 on the physical interfaces (ie Vlan 1 and Dot11Radio 0) rather than the BVI. It's not the same but it will have to do until Cisco gets off their arse and fixes it. Update Jan 11 2011 - Cisco has officially fixed this issue in 15.1T

The Cisco 851 is really cheap - $250-ish at NewEgg without wireless, $340-ish with - but does not support IPv6. The newer - and slightly more expensive - Cisco 861 also does not support IPv6.

Someone wanna pin this to the top?  ;D

sttun

hmm
Two things confuse me
1: if I buy a new 877 today what size of RAM/flash will I get (Newegg says one thing, Cisco's upgrade guide says something else)
2: will the IOS on the box support IPv6 or will I need an extra license to enable it (and if so, what does that cost)

PS: I know I should contact Cisco support/sales but somehow I would like an independent opinion so I don't get a sales pitch

jhawkes

ipv6 on an 87(X)w is a little tricky.

From http://ipv6.internode.on.net/configuration/adsl-cisco/

How do I get IPv6 via wireless on 877W?
At least IOS 12.4(22)T3 is required to support IPv6 via a wireless Dot11Radio interface.

Why don't my hosts get IPv6 addresses when I bridge my WLAN and LAN interfaces?
Cisco does not currently support IPv6 via BVI interfaces. If you use separate routed interfaces (e.g., Vlan1 and Dot11Radio0.1) for your LAN and WLAN interfaces it will work.

You can buy extra ram and flash on ebay for a reasonable price.

jimb


pbrutsch

Quote from: sttun on February 17, 2010, 03:00:26 PM
hmm
Two things confuse me
1: if I buy a new 877 today what size of RAM/flash will I get (Newegg says one thing, Cisco's upgrade guide says something else)
2: will the IOS on the box support IPv6 or will I need an extra license to enable it (and if so, what does that cost)

PS: I know I should contact Cisco support/sales but somehow I would like an independent opinion so I don't get a sales pitch

Getting an 87x with IPv6 will cost extra in the form of IOS licensing (upgrade from Advanced Security to Advanced IP Services) as well as a flash & DRAM upgrade.

pbrutsch

Quote from: jimb on April 03, 2010, 12:21:40 AM
How many of these support IPv6 routing at the ASIC level?

None. In the routers I listed all processing between routed interfaces is done in software, regardless of the L3 protocol (IP, IPv6, Novell, AppleTalk, DECnet, etc).

Generally speaking what you're looking for is called a layer 3 switch. Many of the newer ones have IPv6 processing in the switching ASICs. Examples are a Catalyst 3560 or Catalyst 3750. For the modular switches (like a Catalyst 4000/4500/4500-E or a Catalyst 6000/6500/6500-E) it depends on the supervisor engine.

L3 switches that do IPv6 in hardware are marketed towards the enterprise and make poor "routers", as most consumers call them - generally no NAT, packet filtering, or VPN.

antillie

I feel it is worth noting that Cisco's PIX and ASA series of firewalls also support IPv6. However the PIXs only support it in firmware version 7 or later. So the PIX 501, 506, and 506e are out of luck as they lack the amount of ram needed for code version 7 and they cannot be upgraded. However the 515, 515e, 525, and 535 can support IPv6 if they have enough installed ram to run 7.x (or 8.x) code. Note that the latest and greatest IPv6 features are in 9.x code which will *never* run on a PIX.

All ASAs run at least 7.x so they all support IPv6 out of the box. However PIXs and ASAs have some major limitations in their IPv6 implementation that make them poor edge devices in many IPv6 deployment situations. Such as:

1. No DHCPv6 support of any kind. Client or server. (However the ASA can act as a DHCPv6 relay in 9 code and later.)
2. You cannot control the config flags in prefix advertisement broadcasts sent from the device. (they are both hard set to "0") Config flags can be set in 9 code and later.
3. No tunneling of any kind aside from VPN. (no 6in4, no GRE, etc...)
4. No prefix delegation support.
5. The AnyConnect VPN client can be dual stacked but the IPSec VPN client cannot be.
6. No split tunneling support for IPv6 in AnyConnect. This is supported in 9 code and later.
7. RADIUS and TACACS+ are limited to IPv4 auth servers.
8. No support for IPv6 DNS servers. (It can use IPv4 DNS servers to resolve AAAA records though.) This is supported in 9 code and later.
9. IPv6 site to site VPNs require 8.3 code or later which only runs on ASAs and may require a memory upgrade. (Note: per defect CSCtd38078, the ASA cannot peer to an IOS router for an IPv6 L2L tunnel.)
10. No IPv6 dynamic routing support. (EIGRP, OSPF, or RIP) OSPFv3 for IPv6 is supported in 9 code and later.
11. No IPv4 <-> IPv6 bridging of any kind. (NAT-PT, etc...) NAT between IPv4 and IPv6 is supported in 9 code and later.

However a PIX or ASA makes an excellent IPv6 firewall if placed behind an IPv6 router. That way you can do all your tunneling and routing on the router and let the PIX/ASA do the stateful firewall work.

cholzhauer

Quote
However the PIXs only support it in firmware version 7 or later

Are you sure on that?  I had a couple of 515e's running an OS > 7.0 and they wouldn't pass IPv6 traffic.

Quote
However a PIX or ASA makes an excellent IPv6 firewall if placed behind an IPv6 router.

Agreed.  That's how I have mine set up and it's been working flawlessly for a while now.  In the next few weeks, I'm going to be setting up a VPN over IPv6 (between two ASAs) and I don't anticipate I'll have many problems (at least ones I wouldn't normally have with v4)

Quote
IPv6 site to site VPNs require 8.3 code which may require a memory upgrade

According to Cisco, you need at least 2gb to upgrade to 8.3 (On the 5510 and greater).  Depending on when the ASA was purchased, it may have shipped with that amount.  IIRC, the 1x1GB kit was over $400 for the non-Cisco brand.  (If anyone reads this and is planning on upgrading to 8.3, you NEED to remove the old ram when upgrading.  This is a known bug and will cause reboots when you attempt to write to flash)

Quote
1. No DHCPv6 support of any kind. Client or server.
2. You cannot control the config flags in prefix advertisement broadcasts sent from the device. (they are both hard set to "0")

If you have a Cisco contact, I would contact them and place a feature request for this.  I already have and was told that implementation of it depends on the market (read, how many people bug them for it)

antillie

Quote from: cholzhauer on September 09, 2010, 12:03:03 PM
Quote
However the PIXs only support it in firmware version 7 or later

Are you sure on that?  I had a couple of 515e's running an OS > 7.0 and they wouldn't pass IPv6 traffic.

Yep. It's in the release notes for 7.0(1): http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix_70rn.html#wp162384 To be honest I have only configured IPv6 in 8.x so 7.x might have additional hoops to jump through to make it work properly.

pbrutsch

Quote from: antillie on September 09, 2010, 11:54:00 AM
I feel it is worth noting that Cisco's PIX and ASA series of firewalls also support IPv6. However the PIXs only support it in firmware version 7 or later. So the PIX 501, 506, and 506e are out of luck as they lack the amount of ram needed for code version 7 and they cannot be upgraded.

FYI a 506e will run 7.0 code through 7.0(6), but nothing newer. Anything else - including 7.0(7) and 7.0(8) - either won't boot or won't fit in flash. All it takes is a memory upgrade. I've done it.

A 506e is basically a 515e with a different SKU burned into one of the ROM chips - same goes for a 506 vs 515. Open one up sometime - notice they have 2 memory slots. If you can find sufficiently low-profile PC100 or PC133 memory sticks you can run them with as much as 256MB or even 512MB SDRAM.

cconn

Anyone using a Cisco 1921?  What licence level do you need to be able to do ipv6ip tunnels? 

pbrutsch

cconn,

The 1900 series routers use a universal firmware image. The feature set you are able to use is determined by the license codes you apply to the router.

All of the newer devices (1900, 2900, 3900) provide IPv6 support in the base license set. I believe that includes IPv6-in-IPv4 tunnels.

However, that does NOT include firewall support. You will need to add the SEC license for that.

This link has the details: http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html#wp9000798

cconn

I had to get a newer version, the 15.0 that was pre-loaded was pretty useless.  15.1 is more featureful, including 6RD  8)