Re: Weird IPv6 problem passing Layer3 traffic

[Imtiaz sajid]

I have faced almost same kind of issue with HE, as I was able to ping IPv4 and IPv6 ips but was not been able to establish bgp with HE, as it was shut at their side due to flapping. So for testing you should try to establish BGP whith any other destination ip. It could be HE on tunnel as well. Regards Imtiaz Sajid IP transport engineer Mobilink, Pakistan From: Phil Mayers Sent: Friday, June 28, 2013 7:49 PM To: ipv6-ops@lists.cluenet.de Subject: Re: Weird IPv6 problem passing Layer3 traffic On 28/06/13 15:33, Matthew Huff wrote: > We have a Cisco 7204VXR with NPE-G2, running 15.2(4)S1. I have an > identical router with same version connected to another ISP and a > tunnel to HE.net. It's not my first time at the rodeo. We are > connected via metro Ethernet to a sub-interface on a JunOS box (model > and version unknown). My suspicion is that either they have an ACL > that's blocking it, or their BGP process isn't listening on that > sub-interface. But they claim that it isn't their problem. I have > zero JunOS experience and they seem to be flopping around. If you can ping it, but not telnet to port 179, it seems pretty clear that port 179 is blocked or not listening, unless they have some kind of TTL-based security going. In Catalyst-land I'd suggest getting a SPAN of your output port showing the SYN going out but no ACK coming back - the tcpdump/pcap evidence is hard to argue. Most likely, they have a filter on lo0 (which is the JunOS way of protecting the control plane) that doesn't allow IPv6 or BGP/IPv6. First guess, ask them to check the input filter on lo0 of their JunOS box. FWIW a working JunOS IPv6 eBGP config looks a little like this: interfaces { ge-0/0/0 { unit 0 { family inet { address x.x.x.x/31; } family inet6 { address 2001:y::1/112; } } } lo0 { unit 0 { family inet { filter { input router-protect; } address x.x.x./32; } family inet6 { filter { input ipv6-router-protect; } address 2001:x.x.x/128; } } } } protocols { bgp { group Customerv6 { type external; local-address 2001:y::1; family inet6 { unicast; } peer-as 65000; neighbor 2001:y::2; } } } firewall { family inet6 { filter ipv6-router-protect { term BGP_NEIGHS_1 { from { source-address { 2001:y::/64; } next-header tcp; destination-port bgp; } then accept; } term BGP_NEIGHS_2 { from { source-address { 2001:y::/64; } next-header tcp; source-port bgp; } then accept; } .... } } }