Cisco & Cisco Network Hardware News and Technology

Short Review: Cisco Catalyst 2960-S vs. 2960-X Series Switches

September 30 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco Catalyst 2960-X series debuted at Cisco Partner Summit this year. Cisco announced that the Cisco 2960-X series is the greenest Catalyst access switch, as well as the next generation of the world’s most widely deployed access switches.


These switches also provide Layer 3 routing capability, application-aware intelligence, and double the scale. They are the greenest Cisco Catalyst access switches ever. These switches are built to reduce total cost of ownership.

Compared with the Cisco 2960-S series, what are the new features of the Cisco Catalyst 2960-X Series switches? Like the 2960-S Series, the Catalyst 2960-X Series switches are line-rate, nonblocking switches with the following added features:

●Dual-core CPU at 600 MHz

●Cisco FlexStack-Plus stacking

       80 Gbps bandwidth

        8-member stack

●Dual-FRU power supply with integrated fan (2960-XR only)

●NetFlow-Lite on all downlink and uplink ports

●Switch Hibernation mode integrated with Cisco EnergyWise

●Energy-Efficient Ethernet (EEE) downlink ports

●Signed Cisco IOS Software images

●Layer 3 features with IP Lite feature set (2960-XR only)

●24-port fanless model with 2 SFP and 2 10/100/1000BT uplinks

More Related Cisco Catalyst Switch Reviews:

Cisco Catalyst 2960-X Series Switches Debut at Cisco Partner Summit

Cisco Catalyst 2960-X and Catalyst 2960-XR Review

Cisco to Unveil New Catalyst Access Switch to Converge Wired&Wireless Networking

Cisco’s Greenest Catalyst Access Switch


Top 5 Reasons to Purchase Cisco ASA 5500 Series

September 26 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

A key component of the Cisco Secure Borderless Network, the Cisco ASA 5500 Series Adaptive Security Appliances deliver superior scalability, a broad span of technology and solutions, and effective, always-on security designed to meet the needs of an array of deployments.

By integrating the world’s most proven firewall; a comprehensive, highly effective intrusion prevention system (IPS) with Cisco Global Correlation and guaranteed coverage; and a high-performance VPN, the Cisco ASA 5500 Series helps organizations provide secure, high performance connectivity and protects critical assets for maximum productivity.

Offering seamless client and clientless access for a broad spectrum of desktop and mobile platforms, the Cisco ASA 5500 Series delivers versatile, always-on secure mobility integrated with web security and IPS for a comprehensive solution. Unlike most security providers that force you to choose between a high-quality firewall and an effective intrusion prevention system (IPS), Cisco combines the world’s most proven firewall with the industry’s most comprehensive, effective IPS for a powerful security solution.

Figure 1. Cisco ASA 5500 Series

The Cisco ASA 5500 Series delivers superior real-time protection: Integrating innovative IPS with Global Correlation, firewall, and VPN technology, the Cisco ASA 5500 Series delivers highly effective intrusion prevention capabilities using hardware-accelerated IPS modules. And Cisco guaranteed coverage delivers peace of mind.

Site-to-site VPN: Using the hardware-accelerated site-to-site IPsec VPN capabilities provided by the Cisco ASA 5500 Series, businesses can securely augment or even replace legacy WANs by using low-cost Internet connections and IPsec VPN tunnels to connect to business partners and to remote and satellite offices worldwide.

Secure mobility: The Cisco ASA 5500 Series offers flexible technologies that deliver tailored solutions to suit connectivity and secure mobility requirements for company-managed assets such as desktops, laptops and smartphones, as well as unmanaged devices such as Internet kiosks or employee-owned desktops, laptops and handhelds. The Cisco ASA 5500 Series delivers both clientless and SSL/DTLS/IPsec VPN secure mobility client options.

Secure unified communications: The Cisco ASA 5500 Series provides extensive protocol support, signaling and media inspection, remote office and mobile user support, and simple provisioning to enable a secure, integrated voice and data network.

Top 5 Reasons to Purchase Cisco ASA 5500 Series Adaptive Security Appliances

1. Advanced intrusion prevention services with guaranteed coverage

With real-time reputation technology, the Cisco ASA 5500 Series IPS with Global Correlation is twice as effective as legacy IPS and includes guaranteed coverage for greater peace of mind. It protects against a wide range of threats, including worms, application-layer attacks, operating-system-level attacks, rootkits, spyware, peer-to-peer file sharing, and instant messaging for both IPv6 and IPv4 networks.

2. Industry-leading content security services

With the Cisco ASA 5500 Series, customers have their choice of on-box threat protection and content control based on Trend Micro technology, or a proven off-box solution with the Cisco IronPort Web Security Appliance. Both solutions provide comprehensive antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content filtering services.

3. Secure mobility

The Cisco AnyConnect Secure Mobility solution provides business employees and partners with ubiquitous, highly secure access to enable employee mobility, enhance collaboration and improve productivity, while protecting the company’s resources and data from web-based threats and data leakage by enforcing acceptable use policies.

4. Unified communications

The Cisco ASA 5500 Series delivers secure access by enabling protection for voice, video, and multimedia traffic. Businesses can securely take advantage of the improved productivity and lower operational costs of a Cisco Unified Communications solution.

5. Comprehensive management and monitoring services

Several elements round out a rich complement of management options: Cisco Adaptive Security Device Manager (ASDM), a comprehensive CLI, verbose syslog, and support for Simple Network Management Protocol (SNMP). Cisco Security Manager supports distributed deployments of up to 500 devices.

Figure 2. Market-Leading Application/IPS/Content Security Services

Figure 3. Secure Unified Communications

Figure 4. Threat-Protected SSL and IPsec VPN Services

Figure 5. Industry-Leading IPS/Content Security Service

Acronyms

SSC: Security Services Card; SSM: Security Services Module; CSC SSM: Content Security and Control Security Services Module; 4GE SSM: 4 Gigabit Ethernet Security Services Module; SSP: Security Services Processor; IPS SSP: IPS Security Services Processor; IEC: Interface Expansion Card.

Table 1. Cisco ASA 5505, 5510, 5520, 5540, 5550 Product Comparison

Table 2. Cisco ASA 5580 and ASA 5585-X Product Comparison

Tips:

1. Max firewall throughput measured under ideal test conditions

2. VPN throughput and session count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.

3. Licensed features

4. A/S = Active/Standby; A/A = Active/Active

Note: Performance numbers tested and validated with the ASA 7.2 software release for ASA 5505 through ASA 5540, and the ASA 8.4 software release for ASA 5550 through ASA 5585-X

Reference: The full PDF file for the Cisco ASA 5500 Series Adaptive Security Appliances is available at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

More Related Cisco ASA Topics:

Cisco ASA 5500 Family, Key Component of the Cisco Secure Borderless Network

How to Configure Cisco ASA 5505 Firewall?

Simple Steps to Connect a Remote Office to Cisco ASA 5510

How to Set up a Cisco ASA 5505 Firewall with a Wireless Router?

The Way to Activate Your Cisco ASA 5500


Cisco, Ubiquiti Enterprise-level Access Points Match Up

September 22 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

The Cisco Aironet 3602i AP and Ubiquiti's UniFi AP are part of the so-called “wave 1” phase of the 802.11ac standard.

These access points (APs) are theoretically capable of reaching data rates of up to 1.3 Gigabits per second, but the actual maximum throughput achieved during a test conducted by technology publication Computerworld.com only reached the 360 to 380 Megabits per second range.

Here is how the two access points fared against each other in terms of speed, features and performance:

Cisco Aironet 3602i AP: This access point came with an 802.11ac module. A Cisco 2504 Wireless LAN controller was used for the test.

The Aironet 3602i comes with two integrated 2.4GHz/5GHz dual radios. The 802.11ac module adds a 5-GHz radio supporting three spatial streams.

The AP supports the standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) and can broadcast up to 16 SSIDs. The maximum transmit power is 23 dBm for both integrated dual-band radios and 22 dBm for the 802.11ac module.

The Aironet 3602i AP is priced at $1,495. Its accompanying 802.11ac module is $500.

Ubiquiti UniFi AC: The $299 Ubiquiti AP came with UniFi Controller software to manage the AP.

This access point has a 2.4GHz radio and a 5GHz radio with three spatial streams that support up to four BSSIDs per radio. The radios' maximum transmit power is 28 dBm.

This AP has similar physical dimensions to the Cisco unit but weighs about a pound more. Like the Aironet, it is straightforward to set up and configure. The Ubiquiti AP has a user-friendly interface.

While the unit does not allow the user to configure many settings, it allows general wireless, network and guest settings to be applied across multiple UniFi APs. Users can also place access points on an uploaded map and view statistics on AP and client usage.

Testers found the Cisco AP performed four per cent to 22 per cent better than the Ubiquiti AP in the throughput test. The Cisco AP is recommended for larger enterprise networks.

They concluded that the Ubiquiti AP lacked advanced enterprise settings but is easier to set up and better suited to small to midsize networks.

---News from http://www.itworldcanada.com

More Related to Cisco Wireless APs:

Cisco 802.11ac Module for the Cisco 3600 Access Point

Differences between WLANs, Wi-Fi and WiMax

How to Connect Cisco Wireless Access Point?

802.11ac Wi-Fi vs. the 802.11n

Wi-Fi Alliance Announces 802.11ac Certification

Cisco Enterprise-level Access Points Top Out at Nearly 400Mbps


NGN Convergence: To Transform the Business Model

September 12 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

As service providers continue their IP network convergence, they also need to establish a business strategy that can provide a solid return on their next-generation network investment. Creating a network transformation plan is an essential part of the process that will help service providers increase the efficiency and flexibility of their next-generation networks and services while reducing operations expense (opex).

This Telecom Insights guide looks at what service providers need to know about deploying a converged network architecture that focuses on offering differentiated services that capitalize on their infrastructure and unique customer knowledge and how providers should go about building a solid network transformation plan that will result in the necessary ROI to compete and thrive.

In this series:

  • A new vision for telecom network transformation
  • Five steps to a next-gen network transformation plan
  • Three mega-trends revolutionize telecom

A new vision for telecom network transformation

Beyond the problems created by an economic downturn, network operators worldwide are facing much greater pressure from the longer-term erosion in the value of their stock-in-trade: transport bits.

Because business planners need to focus first on profit and revenue growth, today's fundamental market shifts mean that shorter-term planning will have to encompass a different vision of transformation and a different model of monetizing network investment.

The telecom services market is increasingly like a supermarket, with supermarket-like principles. Some services, like certain grocery items, will always be in demand but don't have much feature differentiation. These will become commodities in terms of price but will sustain the foundation of revenues and create customer loyalty. Other services, such as premium items in a store, will produce less revenue but command strong margins and boost profits. The transformation of the network marketplace to this model is the most significant goal for the industry.

 

Turning transformation on its head

Supporting this kind of transformation is still a hazy notion that could be called the Next-Generation Networks Services Architecture, or NGNSA. This architecture harmonizes the key components of next-generation network transformation:

  • Service feature orchestration and syndication through developer partners, over-the-top partners, and traditional service provider partners.
  • Business and operations management tools that are "service-focused" to align them with new directions in service creation and support a much higher level of automation of service lifecycle processes.
  • Network infrastructure that can be quickly adapted to the traffic patterns and service-level agreement (SLA) needs of the widest variety of services, and tight coupling to the service layer of the network so network operators can differentiate their services from over-the-top solutions. This includes service delivery platforms (SDPs) for computing/software service components and network equipment for connection and transport.

The primary reason NGNSA notions are still fuzzy is the fact that activities are spread across a number of standards processes. While there are active liaisons between the bodies, standards are not moving in synchrony or even particularly quickly. As a result, network operators are looking increasingly to vendors for leadership in these areas and expecting those vendors to support the standards as they develop rather than waiting for them.

Nearly all major network operators worldwide report that they expect to buy into some vendor vision for integrated NGN services in the next year. For those operators, the choice of what approach to take is likely to be set by the priority they place on the three major NGNSA elements.

 

Complete solutions will drive partnerships

Of the three areas, the second (service operations and management) is probably the most developed in a standards sense, and thus network operators probably understand the positions of their vendor partners and have a good sense of convergence on standards approaches. But not every major equipment vendor has a service management strategy, and pressure to provide a complete solution is likely to create partnerships between management and networking vendors.

Service feature orchestration and third-party partner access to service elements for composition of retail services are likely to be the major focus of network operators in the near term. This area has not been active in the standards-setting sense for as long because the requirements of the space are less understood.

A number of announcements or commitments by equipment vendors in 2008 support the componentization, syndication and composition of services. And the architectures are only starting to emerge. The best approach here may be the most important single factor in creating NGNSA partnerships in the next two years or more.

 

Service-layer technology must create ROI

For the longer term, the last issue cannot be neglected. Service-layer technology that simply sits on top of connection/transport infrastructure ("anything over the Internet") empowers not only network operators but also over-the-top players. What network operators need and want is a way of creating value from their networks in the form of something linked with, but stepping beyond, the movement of bits. Little has been done in an organized industry sense to create specific service-layer partnership with the network layer. This partnership would provide a special benefit to those who build and own the networks. Thus it would justify network infrastructure investment more effectively by sustaining a higher return on investment (ROI).

ROI has been important for network operators for years, but the importance of ROI is magnified by a combination of economic uncertainty and increased pressure to evolve off the older TDM voice platforms in favor of IP-based services, including voice. 4G technology is based on IP voice, and fixed mobile convergence (FMC) is facilitated if voice technology in both wireline and wireless is based on VoIP. Major tier 1 operators are already announcing serious VoIP offerings, and this will put additional pressure on service-layer deployment because the move is almost certain to lower revenue per call-minute over time.

 

The role of IMS in the next-generation network

The fact that voice may be a driver for near-term change makes the IP multimedia subsystem (IMS) decision particularly important for operators. IMS is the approved and standardized way to manage mobile VoIP, FMC and non-voice mobile services. IMS is at least a candidate for supporting other NGN services such as video. Here again, standards may not keep pace with market requirements, and network operators may have to work with vendors prepared to take leading-edge positions on harmonizing IMS with service models beyond those involving SIP calling.

The ITU has suggested, in its NGN material, that IMS is one of several elements in what we have called here an NGNSA. But the precise role of IMS in that mix is not defined, nor are the other elements that would coexist with IMS. The vision of IMS's role in NGNSA may be the most critical of all in the near term because of the pressure to evolve voice services.

Network operators plan over a very long cycle--typically about seven years. That means that economic disturbances in the field are less a factor than they would be to industries with shorter capital cycles. Long planning cycles also mean that network operators require a very high degree of confidence in every step of their solution to evolving service needs and opportunities. That requirement is likely to generate new relationships and new levels of cooperation with vendors in the coming years.

 

Five steps to a next-gen network transformation plan

If transformation has a business goal and convergence a technical goal, then surely one of the challenges that face service providers today is how to navigate a commitment to both at the same time.

The problem is only complicated by the fact that transformation, unlike convergence, has no established formula or timetable. It's hard to get management support for something that, except for the goal itself, seems rather hazy.

The goal of transformation is to define a business strategy that creates sustainable revenues and profits from next-generation network (NGN) investments. Meeting that goal may require different specific technologies and services, but it can be accomplished with a general program that has some defined elements and timing recommendations. It is also important to address a few considerations or recommendations of what not to do, because some steps that are often taken are rarely successful.

 

Five steps to creating an NGN transformation plan

1. Picking a specific NGN service target set: This is the most problematic of all transformation steps. The most significant difference between the service environment of the past and that of the present is the short-term nature of buyer commitments to service paradigms. Basic voice and connectivity services are long-lived, in large part because they are so basic. As operators attempt to monetize NGN services, they must contend with the fact that the most valuable services to an operator are also those most valuable to service consumers, and this value proposition will change over time.

If committing to an inflexible NGN service strategy is exactly the wrong move, the best move is to create a service-layer architecture with the greatest flexibility possible -- both in terms of the way it can compose and combine service features and in the delivery options (wireless, wireline, computer, TV, phone, etc.) available. In fact, the difference between an IP network and an NGN is in the service-layer flexibility. IP alone simply creates a connectivity base that will be exploited by others but may not be profitable. NGNs must ensure the profit by providing services in a flexible way, not just transporting their traffic.

2. Restructure network, operations and business management systems around services, not technologies. In the second transformation step, the NGN service set will differ from the old set in that it will be made up of shorter-contract-period services with much wider markets. This means that inefficiency in service operations cannot be tolerated, or the costs will mount to swamp the budget. There are standards processes under way to guide this resetting of operations priorities, and many vendors already have tools and plans to support the switch. Services are the product of service providers, and management systems must reflect that reality.

3. Classify service opportunities at the high level. There is a taxonomy of service opportunities, starting with the basic classification of the customer (residential, enterprise, small business) and the nature of the value proposition the service will have for the customer (communication, data exchange, collaboration, hosting, software and computer outsourcing, etc.). For each opportunity element in the structure, there will be a total addressable market and a likely market penetration curve, and these can be used to set service opportunity priorities -- but not yet.

 

4. Identify the infrastructure implications of each of the opportunities. The goal here is not to plan out every piece of equipment or technology direction but rather to group the opportunities according to the type of infrastructure investment required to support them so that co-dependencies can be identified. In terms of an NGN transformation plan, the right answer will probably come by picking the opportunity group that has the best relationship between cost of infrastructure and benefit in terms of opportunity value.

 

5. Implement and execute a project to create an effective NGN transformation plan. The final step is a project to execute in the direction that is identified by the last step listed above. At the same time, the incremental steps involved in addressing other related opportunity groups should be explored to develop a plan for later investment and service deployment.

 

Projected timeline for an NGN transformation project

Most service providers have the information needed to support this sequence. If that is the case, operator experience seems to suggest that a task to complete the first three steps would require approximately eight months, assuming that work already done could not be leveraged. Service-layer deployments generally require about that same time for initial deployments, and so it may be that the operations processes in step 2 will be the inhibiting factor in preparing a quick response. This suggests that it is highly advisable that operations restructuring be given a high priority.

Every NGN program will be different, and every operator will have completed some of the tasks associated with each of the steps outlined here. An inventory of activities is often very useful in ensuring that nothing that has already been done is wasted, and this will also produce a faster path to NGN success.

 

Three mega-trends revolutionize telecom

Upcoming telecom changes are nothing short of revolutionary, or at least evolutionary, as trends emerge to create a single business model ecosystem out of telecom and the Web, content players and service providers find a workable balance of power, and cloud computing and social networking features gain in importance. Here's a look at the three main trends that will change telecom for the long haul.

1. An emerging online ecosystem joins telecom and the Web into a single business model

In December 2008, Alcatel-Lucent announced a company strategy based on creating the tools for this new ecosystem. Cisco CEO John Chambers had similar comments about binding the tools of the Web into a single, cohesive development framework.

In addition, articles about how Google was looking for a "fast lane" from access providers to speed its content to users seemed to make it clear that the old face-off between the over-the-top players and the telecoms might be ending. We've had years of "over-the-top" versus the carriers, and now we're heading for a future where the distinction will become very fuzzy indeed -- not through mergers and acquisitions but through cooperation.

For three or four years, telecoms and Web companies alike have been working to gain support from application developers to enrich their services. The iPhone and Android models were compelling because they generated a cottage industry that has driven the core product and service set to much greater utility, as well as greater adoption rates and revenue generation. The problem is that while everybody seems to want to support developers, everyone supports them differently.

No one has solved the question of how all these cooperative players manage to combine their efforts to create something stable, easily supported and capable of generating revenue for all through cooperative settlement. Standards have been marking time in this area, and now it looks as if equipment vendors are stepping in to create the framework for the new ecosystem. Why? Because capex is usually pegged to revenue, so if you can't help your carrier customers raise their top line, their spending will languish and so will vendor profits.

Service providers tried to solve this problem of cooperative ecosystem-building with standards, but they moved too slowly. They then started to pressure their equipment vendors to come up with a solution, and the Alcatel-Lucent and Cisco announcements are the result. There will be others; and it will be all about "service mashups."

 

2. A CDN/cloud computing model emerges for settlement for online services

This is why the new ecosystem is suddenly developing. For decades, the Internet has suffered from a basic problem of lack of settlement among the providers. Everyone pays for access to their ISP, but nobody pays for transit. Where there's no revenue, there's no investment.

On the other hand, content providers are happy to pay for content delivery network (CDN) caching, and Software as a Service (SaaS) providers are eager to find good cloud computing resources. The access carriers are putting money there, and these new resources link not to the Internet core but to the access networks. Telecoms worldwide have seen the opportunity to create a link between investment and revenue, and that new link threatens the whole legacy model of the Internet. It's bringing the Web guys to the table.

If every piece of content and every application were cached or hosted in metro centers, there would be no core traffic on the Internet at all. That extreme isn't likely, but what's certain is that the valuable stuff is migrating to the metro area. That forces the big players like Google to transport their own content via fiber to each access provider, which further bypasses the old Internet peering model.

You can't create a new ecosystem without having the pressure of the old one breaking, and that's what's happening. In the new ecosystem, content and application players will join with search and portal companies and telecoms to fight out a new balance of power.

The most significant winners will be the content/application giants, because getting commercially valuable content via a network connection is the stock in trade of the future.

 

3. Integrating social network features and relationship knowledge into communications is a trend in the making.

Yahoo launched an advanced email system that illustrates the value of relationship-managed communications, and this new notion will be incorporated into an expanding notion of presence as the central framework for communications and collaboration.

Presence-centered personal communication is the most "tactical" of the major trends because it will have an immediate impact on a number of emerging technical and product trends. Collaboration and telepresence both work better, and justify more investment, if they're mediated through social-network-like frameworks. This is likely to be one of Cisco's major areas of focus in harmonizing all of the Web 2.0 APIs into a new ecosystem. It's also likely to be a focus for unified communications and even things like IMS, femtocells and fixed-mobile convergence (FMC).

 

What technologies will benefit?

The technologies that will benefit from these major trends are:

  • Fiber access, including FTTH and FTTN, because access providers will continue to fight speed wars with one another as they look to leverage their role in the new ecosystem.
  • Metro Ethernet and optics, since all of the recent bandwidth created will be within metro areas. Look for new interest in hybrid Ethernet/optics products as well.
  • Femtocells and FMC, which will probably benefit IMS. Mobile service competition and the need to integrate mobile and wireline features will be a big boost to this area.
  • Operations software, particularly service management, abstraction, componentization, composition and third-party access via APIs.

The broadest impact of the trend on vendors will be promoting a more integrated product strategy that offers telecoms a link from revenue to investment. For many, this will involve partnerships supplemented by selective development or acquisitions that are intended to make each vendor's offerings unique and thus more likely to be accepted by buyers.

---News and Reviews from http://searchcloudprovider.techtarget.com/feature/Next-generation-network-convergence-Transforming-the-business-model

 

More Related:

Next Generation Networks: Key Features & Advantages


A Basic ASA Setup for a Native IPv6 Network

September 3 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

IPv6 feature support is available on the ASA firewall and can be set up quickly. This article focuses on a basic ASA setup for a native IPv6 network. As you will see, very few commands are required to have your ASA firewall join an IPv6-ready network.

Here is a quick way to configure your ASA firewall for IPv6 connectivity.

BASIC CONFIGURATION

STEP#1-Enable IPv6 on the interface and configure the global IPv6 address.

interface vlan 2
 ipv6 enable
 ipv6 address 2001:db8:2:3::1/64

 

This assigns the global IPv6 address to the interface. When you enter ipv6 enable, a link-local address is generated automatically (it is based on your MAC address). The ipv6 address command above specifies the global address manually; the ASA also supports autoconfig, which obtains a stateless configuration from router advertisement (RA) messages.

 

For more details, you can review the following reference guide document:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html#wp1897428

 

STEP#2-Verify IPv6 configuration.

show ipv6 interface

Example:

outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c
  Global unicast address(es):
    2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
    ff02::1
    ff02::2
    ff02::1:ff00:1
    ff02::1:ff11:45c
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses
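The link-local address and the solicited-node groups in the output above can be reproduced from the interface MAC address and the configured addresses. The following is an added example, not part of the original article; it assumes the link-local address is built with modified EUI-64 (RFC 4291), and the function names are illustrative.

```python
import ipaddress


def link_local_from_mac(mac):
    """Build the modified EUI-64 link-local address for a 48-bit MAC (assumed scheme)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def mac_from_link_local(addr):
    """Recover the MAC from an EUI-64 link-local address, or None if it is not one."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]
    if not ip.is_link_local or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


def solicited_node(addr):
    """Solicited-node group: ff02::1:ff00:0/104 plus the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def expected_groups(addresses, router=True):
    """Groups an interface should join: all-nodes, all-routers, one per unicast address."""
    groups = ["ff02::1"] + (["ff02::2"] if router else [])
    for addr in addresses:
        group = str(solicited_node(addr))
        if group not in groups:
            groups.append(group)
    return groups


if __name__ == "__main__":
    # Addresses taken from the show ipv6 interface output above.
    link_local = "fe80::21e:7aff:fe11:45c"
    print("MAC behind link-local:", mac_from_link_local(link_local))
    print("Expected groups:", expected_groups(["2001:db8:2:3::1", link_local]))
    # Source address used in the RA filter later in the article.
    print("Permitted RA router MAC:", mac_from_link_local("fe80::21e:7bff:fe10:10c"))
```

Recovering the MAC from the link-local source named in an RA filter is a quick way to confirm the entry points at the router you expect.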

 

STEP#3-Define an IPv6 default route.

ipv6 route outside ::/0 next_hop_ipv6_addr

Using ::/0 is equivalent to “any”. The ipv6 route command is functionally similar to the IPv4 route command.

 

STEP#4-Define IPv6 access-lists (optional).

IPv6 access-lists are functionally the same as IPv4 access-lists. They are parsed sequentially and have an implicit deny at the end.

 

Example:

ipv6 access-list test permit tcp any host 2001:db8::203:A0FF:FED6:162D
access-group test in interface outside

 

The above is permitting traffic to a specific server 2001:db8::203:A0FF:FED6:162D.

 

Securing the Firewall:

If you plan to configure auto-config for the IPv6 global address on the ASA, you should limit the router advertisements (RAs) it accepts to those from known routers in your network. This will help prevent the ASA from being auto-configured by unknown routers.

 

! Accept RAs only from the known router's link-local address
ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
! Deny RAs from every other source
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
interface vlan2
 nameif outside
 security-level 0
 ipv6 address autoconfig
 ipv6 enable

The above access-list, when applied on the ASA, limits received router advertisements (RAs) to those from the router specified. All other RAs will be denied.

 

If you wish to prevent the ASA from sending out router advertisements (RA) on a specific interface, you may suppress them with the following interface command:

interface vlan2
 ipv6 nd suppress-ra

Neighbor discovery will continue to be operational even though RA suppression has been configured.
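One way to check a saved configuration against the RA filter pattern described above is the following added example (not part of the original article and not Cisco tooling). It handles only the command forms shown on this page, the sample configuration and the probe address are constructed, and it evaluates access-list entries in order with the implicit deny at the end.

```python
import ipaddress

# Constructed ASA configuration (sample input, not taken from a real device).
SAMPLE_CONFIG = """\
interface vlan2
 nameif outside
 ipv6 address autoconfig
 ipv6 enable
interface vlan3
 nameif dmz
 ipv6 address autoconfig
interface vlan4
 nameif lab
 ipv6 address autoconfig
interface vlan5
 nameif inside
 ipv6 address 2001:db8:2:3::1/64
ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
ipv6 access-list dmzACL permit icmp6 any any
ipv6 access-list dmzACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
access-group dmzACL in interface dmz
"""

# Constructed link-local address standing in for a router that is not on any list.
UNKNOWN_ROUTER = "fe80::bad:1"
RA_TYPES = {"router-advertisement", "134"}  # ICMPv6 type 134 is Router Advertisement


def parse_addr(tokens):
    """Consume one address spec (any | host X | prefix/len) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("::/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/128")
    return ipaddress.ip_network(tok, strict=False)


def parse_config(text):
    """Return (interfaces, acls, bindings) for the subset of commands on this page."""
    interfaces, acls, bindings, current = [], {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        tokens = line.split()
        if line.startswith("interface "):
            current = {"nameif": None, "autoconfig": False}
            interfaces.append(current)
        elif line.startswith("ipv6 access-list ") and len(tokens) >= 7:
            name, action, proto = tokens[2:5]
            if proto not in ("icmp6", "ip"):
                continue  # tcp/udp entries can never match an ICMPv6 RA
            rest = tokens[5:]
            src = parse_addr(rest)
            parse_addr(rest)  # destination is parsed but ignored (the page uses "any")
            icmp_type = rest[0] if proto == "icmp6" and rest else None
            acls.setdefault(name, []).append((action, src, icmp_type))
        elif (line.startswith("access-group ") and len(tokens) >= 5
              and tokens[2:4] == ["in", "interface"]):
            bindings[tokens[4]] = tokens[1]
        elif current is not None and tokens[:1] == ["nameif"]:
            current["nameif"] = tokens[1]
        elif current is not None and line == "ipv6 address autoconfig":
            current["autoconfig"] = True
    return interfaces, acls, bindings


def ra_verdict(aces, source):
    """First-match result for an inbound RA from source; implicit deny at the end."""
    src = ipaddress.ip_address(source)
    for action, src_net, icmp_type in aces:
        if src in src_net and (icmp_type is None or icmp_type in RA_TYPES):
            return action
    return "deny"


def audit(text):
    """Map each autoconfig interface to 'ok' or a description of the gap."""
    interfaces, acls, bindings = parse_config(text)
    findings = {}
    for ifc in interfaces:
        if not ifc["autoconfig"]:
            continue  # manually addressed interfaces do not learn from RAs
        acl = bindings.get(ifc["nameif"])
        if acl is None:
            findings[ifc["nameif"]] = "no inbound access-group"
        elif ra_verdict(acls.get(acl, []), UNKNOWN_ROUTER) == "permit":
            findings[ifc["nameif"]] = (
                f"{acl} permits RA from unlisted source {UNKNOWN_ROUTER}")
        else:
            findings[ifc["nameif"]] = "ok"
    return findings


if __name__ == "__main__":
    for nameif, result in audit(SAMPLE_CONFIG).items():
        print(f"{nameif}: {result}")
```

The dmz case shows why entry order matters: the broader permit is matched first, so the deny below it never applies. The check only confirms that the configuration follows the pattern above; an access-list that matches on source address does not authenticate the sender of an RA.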

 

For further information, please check out the following documentation on cisco.com:

ASA 8.3 IPv6 configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/config.html

ASA 8.3 IPv6 command reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html

Reference from https://supportforums.cisco.com/docs/DOC-15973

More Related:

How to Enable IPv6 Support on a Cisco Catalyst 3560 Switch?

First Hop Redundancy Protocols in IPv6 HSRP + GLBP

What Hardware Vendor IPv6 Support

IPv6 OSPF/v3: Case Study

Cisco IPv6 Static Address Configuration Tech Tips
