On Mon, 26 Oct 2009, Christopher Morrow wrote:

On Mon, Oct 26, 2009 at 12:36 PM, Justin M. Streiner
<strei...@cluebyfour.org> wrote:

On Mon, 26 Oct 2009, Jay Nakamura wrote:

Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up
spec and other published information but, as always, the devil is in
the detail and you just never know what wall you run into until you
actually try it so I wanted to see if anyone has used this and can
point out good/bad things about this device.

Our other option is Cisco IOS router right now. Are there better
options than these two?

Fair warning: v6 honestly seems to have caught most firewall vendors with
their pants down.

I'm not really sure that in the year 2009 that's a fair thing to still
expect... honestly ipv6 has been in 'production' for ~7 years, for a
CPE deployment it's certainly been to the point where it should be
included by default.

-1 alcalu :(

I don't know about AL's v6 status because I'm in the process of migrating
away from them, and have been in the process of lots of due diligence with
vendors in the past 6-ish months. v6 support is pretty high on our
list of 'must have' items. I've been pretty disappointed with the
response from most vendors. Many of those have been along the lines of:

"Yeah... our v6 code should be out of customer trials in Q2 2010..."

"We do v6 in software today, and the next spin of XYZ hardware will do it
in the ASICs..."

"We're working some kinks out, so the box forwards X pps of v6 today
(let Y = the amount of v4 traffic the box can handle, let X = some
amount significantly lower than Y), but we should have all of that sorted
out in the next major code release and be able to handle Y pps of v6
then."

"The firewall handles v6 today, but v6 support in the management front-end
is still baking. Should be ready to go in the next release."

Vendor responses to my "v6 has been around for about 10 years... why is
all of this only happening *now*?" questions have largely been along the
lines of "Customers only started asking for or requiring v6 support in the
last X months/years...". This gets us back to chicken-and-egg time.

I can understand their position to a degree, i.e. why waste resources on
things that customers aren't requesting (read: won't compel them to buy
more/bigger hardware or renew/upgrade support contracts)? This might have
been a somewhat valid position several years ago, but v6 as a necessity
has been on many customers' radars for several years. Frankly, not
having fully baked v6 support today is pretty much inexcusable IMHO.

jms