[c-nsp] IPv6 hardening

2019-12-30 Thread harbor235
Does anyone have any updated router hardening guidelines, some of the sites I reference have not been updated for some time. e.g. www.team-cymru.org thanks in advance, Mike ___ cisco-nsp mailing list cisco-nsp@puck.nether.net

Re: [c-nsp] Ipv6 address plan

2018-10-11 Thread Aaron
Check out the white paper on terastream On Thursday, October 11, 2018, harbor235 wrote: > Gents, > > I have a green field IPv6 infrastructure that I am standing up, I plan on > allocating unique IPv6 net block ranges for infrastructure nets > (loopbacks/routerid, pt-to-pts), service delivery

[c-nsp] Ipv6 address plan

2018-10-11 Thread harbor235
Gents, I have a green field IPv6 infrastructure that I am standing up, I plan on allocating unique IPv6 net block ranges for infrastructure nets (loopbacks/routerid, pt-to-pts), service delivery allocations (customer services), North of the security boundary layer, south of security boundary

[c-nsp] ipv6 dhcp server accounting not working

2018-10-05 Thread BASSAGET Cédric
Hello, I'm trying to understand why my ipv6 dhcp server accounting does not work as I expect. I'm using this on cisco 7301 (ROM: System Bootstrap, Version 12.3(4r)T4, RELEASE SOFTWARE (fc1) ) Here are the relevant parts of my config : aa new-model ! ! aaa group server radius RGROUP server name

Re: [c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?

2018-02-26 Thread Mark Tinka
One of the reasons I'm not very keen on using merchant silicon for high-touch routing. Mark. On 24/Feb/18 10:19, Chris Welti wrote: > Hi David, > > uRPF on the NCS5500 is a mess due to limitations of the Jericho > chipset. It has to do with the TCAM optimizations and twice the number > of route

Re: [c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?

2018-02-24 Thread Chris Welti
Hi David, uRPF on the NCS5500 is a mess due to limitations of the Jericho chipset. It has to do with the TCAM optimizations and twice the number of route lookups needed for uRPF (src/dst) From what I understand: On SE-models for uRPF to work you need to disable double-capacity mode (you

[c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?

2018-02-23 Thread David Hubbard
Hi all, curious if anyone has run into issues with IPv6 uRPF on NCS5500 and/or XR 6.2.3? I have an interface where I added: Ipv4 verify unicast source reachable-via any ipv6 verify unicast source reachable-via any and immediately lost my ability to talk to a BGP peer connected to it using a

[c-nsp] IPv6 FHS Etherchannel support for 4506/Sup7LE

2017-07-05 Thread Christian Kratzer
Hi, before I forward this up the chain. Does anybody have knowledge of IPv6 FHS Etherchannel support for 4506/Sup7LE We are using the boxes for FTTH access and want to enable ipv6 ldra on the customer ports. Our server facing ports are often on Etherchannels which is not compatible with the

[c-nsp] IPv6 tblver incrementing quickly on RSP720-3CXL

2017-03-15 Thread Jonathan Stewart
Hi Folks, I've got a 7609 with a RSP720-3CXL-GE running Version 15.4(3)S6. IPv6 BGP is sending far too many updates to iBGP neighbors and downstream customers getting a full BGP feed. After running 6 days, the tblver is up to 133 million, and 61 million updates have been sent to full-feed

Re: [c-nsp] IPv6 VPC Port channel Nexus -- 2951

2016-10-31 Thread Scott Voll
it ended up being a Port channel issue. the router needed mode on rather than mode active. IPv4 was able to work without the port channel working where as IPv6 was seeing a loop. Fixed the port channel issue and everything worked. scott On Mon, Oct 31, 2016 at 8:51 AM, John Kougoulos

Re: [c-nsp] IPv6 VPC Port channel Nexus -- 2951

2016-10-31 Thread John Kougoulos
Hi, On Wed, Oct 26, 2016 at 9:06 PM, Scott Voll wrote: > So I have a 2951 setup with a Port-channel to a set of L3 Nexus 5548's on a > VPC. > > Well, I don't know specifically about IPv6, but in general, connectivity between a router and nexus using vPC is not recommended,

[c-nsp] IPv6 VPC Port channel Nexus -- 2951

2016-10-26 Thread Scott Voll
So I have a 2951 setup with a Port-channel to a set of L3 Nexus 5548's on a VPC. IPv4 seems to work fine. IPv6 on the other hand I'm getting a loop detected. %IPV6_ND-4-LOOPBACK: Looped back NS(DAD) packet detected for on Port-channel XX.yy What am I missing so that IPv6 will work? Can

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-23 Thread Mikael Abrahamsson
On Mon, 22 Aug 2016, Scott Voll wrote: I'm not really able to wrap my mind around what best practice would be. Currently I have two exit points in my network. BGP / iBGP. Two Firewalls behind those. Each Firewall has a IPv4 Class C to NAT to. With publicly Routed IPv6 not nat'ing how do I

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-23 Thread Scott Voll
Gert and Lee, you're picking up what I'm putting down. Two geographically dispersed exit points with multiple internal dispersed sites each with a /48. My overall is a /44. So from a BGP standpoint I'm announcing half my sites out one exit site and the other half out the other. With iBGP

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-23 Thread Gert Doering
Hi, On Mon, Aug 22, 2016 at 10:54:04PM +0100, Tom Hill wrote: > On 22/08/16 22:34, Gert Doering wrote: > > Not if you NAT the IPv4 - the NAT part enforces symmetry. > > > > Not that I'm a big fan of NAT, but it has its uses :-) > > FHRPs aren't just for 'inside' interfaces. You do have to be

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Tom Hill
On 22/08/16 22:34, Gert Doering wrote: > Not if you NAT the IPv4 - the NAT part enforces symmetry. > > Not that I'm a big fan of NAT, but it has its uses :-) FHRPs aren't just for 'inside' interfaces. You do have to be sure to adjust the priorities of 'inside' and 'outside' interfaces together

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Lee
On 8/22/16, Scott Voll wrote: > I'm not really able to wrap my mind around what best practice would be. > > Currently I have two exit points in my network. BGP / iBGP. Two Firewalls > behind those. Each Firewall has a IPv4 Class C to NAT to. > > With publicly Routed IPv6

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Gert Doering
Hi, On Mon, Aug 22, 2016 at 10:31:48PM +0100, Tom Hill wrote: > On 22/08/16 22:11, Gert Doering wrote: > > (but in this particular case, the issue is not so much "NAT" as > > "there are stateful firewalls in the way, that require symmetric > > traffic return from the Internet" - which makes this

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Tom Hill
On 22/08/16 22:11, Gert Doering wrote: > (but in this particular case, the issue is not so much "NAT" as > "there are stateful firewalls in the way, that require symmetric > traffic return from the Internet" - which makes this much harder > than "just plain routing") This problem exists with

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Gert Doering
Hi, On Mon, Aug 22, 2016 at 10:07:44PM +0100, Tom Hill wrote: > *secretly very happy that IPv6 is teaching ops how to do networking > without any NAT* ;) https://www.youtube.com/watch?v=v26BAlfWBm8 (but in this particular case, the issue is not so much "NAT" as "there are stateful firewalls

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Tom Hill
On 22/08/16 18:23, Scott Voll wrote: > Thank for your input. maybe I'm just missing something easy. OSPFv3, EIGRP, MP-BGP... Static routes? All of these can help your edge routers find the internal IPv6 networks on your firewalls. Honestly, I'd suggest starting with 'How would I do IPv4

[c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Scott Voll
I'm not really able to wrap my mind around what best practice would be. Currently I have two exit points in my network. BGP / iBGP. Two Firewalls behind those. Each Firewall has a IPv4 Class C to NAT to. With publicly Routed IPv6 not nat'ing how do I setup the firewalls / bgp to route

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-05 Thread Tom Hill
On 05/05/16 22:50, Tom Hill wrote: > but didn't specifics. *but didn't go into specifics. -- Tom

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-05 Thread Tom Hill
On 03/05/16 07:47, Gert Doering wrote: > I have a feature request to at least add a knob for "please use GUA > next-hop!" - CSCut26765 - it was opened by a friendly Cisco developer, > and I have no read access to it, so no idea whether it's proceeding or > not. But if you have interest in

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-03 Thread Gert Doering
Hi, On Tue, May 03, 2016 at 09:30:20AM +0200, Marco Marzetti wrote: > > I have a feature request to at least add a knob for "please use GUA > > next-hop!" - CSCut26765 - it was opened by a friendly Cisco developer, > > and I have no read access to it, so no idea whether it's proceeding or > >

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-03 Thread Marco Marzetti
On 2016-05-03 08:47, Gert Doering wrote: Hi, On Mon, May 02, 2016 at 11:39:47PM +0200, Sebastian Ganschow wrote: There's a feature request open for this. The whole "use link-local next-hops for peers where the session is via a global address" is one of the most stupid ideas in this whole

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-03 Thread Gert Doering
Hi, On Mon, May 02, 2016 at 11:39:47PM +0200, Sebastian Ganschow wrote: > There's a feature request open for this. The whole "use link-local next-hops for peers where the session is via a global address" is one of the most stupid ideas in this whole IPv6 thing anyway. There is no benefit, but a

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-02 Thread Sebastian Ganschow
Hi, Cisco is interpreting the RFC a little strange... You need to disable the connected check on that neighbor to make it work. Neighbor 1.2.3.4 *disable-connected-check* As long as it's enabled, they are preferring the link-local and the route-map doesn't apply. There's a feature request

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-02 Thread Josef Verich
Hi Marco. Some time ago I had to solve similar problem. I used this workaround: ! router bgp 64512 neighbor 2001:DB8::1 ebgp-multihop 2 ! It is ugly but ... Can you try it? Best regards, Pepa

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-02 Thread Job Snijders
On Mon, May 02, 2016 at 09:44:14PM +0200, Job Snijders wrote: > On Mon, May 02, 2016 at 07:55:25PM +0200, Marco Marzetti wrote: > > Do you have any ideas? > > ipv6 route 100::1/128 null0 Some testing showed that the above doesn't change the situation. As discussed on IRC, there are is

Re: [c-nsp] IPV6 RTBH on IOS

2016-05-02 Thread Job Snijders
On Mon, May 02, 2016 at 07:55:25PM +0200, Marco Marzetti wrote: > Do you have any ideas? Have you tried the same setup but with the following more-specific discard route instead of the /64? ipv6 route 100::1/128 null0 You also may want to set: interface null0 no ipv6

[c-nsp] IPV6 RTBH on IOS

2016-05-02 Thread Marco Marzetti
Hello, I am working on RTBH for IPv6 on IOS and I am stuck with the odd behavior of the OS. Let's say that I have the following configuration on the router: ! hostname R2 ipv6 unicast-routing ! interface Gi1/0 ipv6 address 2001::DB8::2/64 ! router bgp 64512 bgp maxas-limit 30 neighbor

Re: [c-nsp] IPv6 HSRP Config

2016-03-03 Thread Matthew Huff
ya > Sent: Thursday, March 3, 2016 4:17 AM > To: cisco-nsp@puck.nether.net > Subject: [c-nsp] IPv6 HSRP Config > > Hi list, > > I have a couple of Cisco boxes: > > 7604 / SUP720-3BXL - IOS 12.2(33)SRE > 7204 / NPE-G1 - IOS 12.2(33)SRE > > Firstly, can you advise

Re: [c-nsp] IPv6 HSRP Config

2016-03-03 Thread Phil Mayers
On 03/03/16 09:17, Dario Amaya wrote: Hi list, I have a couple of Cisco boxes: 7604 / SUP720-3BXL - IOS 12.2(33)SRE 7204 / NPE-G1 - IOS 12.2(33)SRE Firstly, can you advise if the config below is correct? Anything I am It looks about right. A working HSRPv6 config from one of our 6500s:

[c-nsp] IPv6 HSRP Config

2016-03-03 Thread Dario Amaya
Hi list, I have a couple of Cisco boxes: 7604 / SUP720-3BXL - IOS 12.2(33)SRE 7204 / NPE-G1 - IOS 12.2(33)SRE Firstly, can you advise if the config below is correct? Anything I am missing? Secondly, I cannot get the ipv6 group 2777 to be Active/Standby, both are in an Active state as you can

[c-nsp] IPv6 Deployment Was: Facebook Abuse Tracing

2015-03-26 Thread Florian Lohoff
On Mon, Mar 23, 2015 at 09:42:58PM +0300, Samir Abid Al-mahdi wrote: Hi, This require a DS-Lite, right ? if yes, the CPE must be DS-Lite enabled, right ? Why would it? You could simply dual stack your CPE handing out 100.x.y.z CGN prefix IPv4 addresses and a public IPv6 address/prefix. We

[c-nsp] IPv6 ND cache size on NX9k?

2015-02-04 Thread David Hubbard
Hi all, does anyone know the IPv6 ND capacity on the Nexus 9k line? Or 9300 and 9500 specifically? I found ARP at 90k but can't find anything for IPv6. Thanks, David

Re: [c-nsp] IPv6 BGP peers over SNMP

2014-09-23 Thread Nick Hilliard
On 23/09/2014 04:05, Frank Bulk wrote: Do you happen to have the OIDs or MIB name for that info? ftp://ftp.cisco.com/pub/mibs/v2/CISCO-BGP4-MIB.my Nick

Re: [c-nsp] IPv6 BGP peers over SNMP

2014-09-22 Thread chiel
On 10/27/2012 08:54 PM, Nick Hilliard wrote: Very disappointing but I guess we'll just go the SSH/scrape route instead like everybody else is having to do. 2 years later. Wanted to deploy IPv6 on small parts of our network. Configured IPv6 neighbors and thought to start monitoring does sessions

Re: [c-nsp] IPv6 BGP peers over SNMP

2014-09-22 Thread Nick Hilliard
On 22/09/2014 22:05, chiel wrote: 2 years later. Wanted to deploy IPv6 on small parts of our network. Configured IPv6 neighbors and thought to start monitoring does sessions right away before moving on. After an hour Googling I find that in 2014 you still can't monitor your IPv6 peers with

Re: [c-nsp] IPv6 BGP peers over SNMP

2014-09-22 Thread chiel
On 09/22/2014 11:21 PM, Nick Hilliard wrote: this is now supported on some varieties of IOS - 15.2(3)T and 15.2(4)S. Also, XR has supported it for some years. So not yet for a 6500 with sup720? I believe 15.1 is the latest on that.

Re: [c-nsp] IPv6 BGP peers over SNMP

2014-09-22 Thread Tom Hill
On 22/09/14 22:42, chiel wrote: So not yet for a 6500 with sup720? I believe 15.1 is the latest on that. Looks to be the case 7600 with SUP720 have 15.2, 15.3 15.4 releases:

Re: [c-nsp] IPv6 BGP peers over SNMP

2014-09-22 Thread Frank Bulk
Do you happen to have the OIDs or MIB name for that info? Frank -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Hilliard Sent: Monday, September 22, 2014 4:22 PM To: chiel; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] IPv6 BGP peers over

Re: [c-nsp] ipv6 tacacs source-interface issue

2014-08-08 Thread Javier Henderson (javier)
On Aug 7, 2014, at 4:42 PM, Nicolas DEFFAYET nicolas...@deffayet.com wrote: Hello, The command 'ipv6 tacacs source-interface Loopback0' for select IPv6 address source for Tacacs have no effect on Cisco 6500 12.2(33)SXJ7. Is it a known issue? The command is accepted by the CLI but the

[c-nsp] ipv6 tacacs source-interface issue

2014-08-07 Thread Nicolas DEFFAYET
Hello, The command 'ipv6 tacacs source-interface Loopback0' for select IPv6 address source for Tacacs have no effect on Cisco 6500 12.2(33)SXJ7. Is it a known issue? The command is accepted by the CLI but the packets are sourced with the IPv6 address of outgoing interface and not the loopback.

Re: [c-nsp] IPv6 duplicate address

2014-07-02 Thread JF Tremblay
On Jul 1, 2014, at 2:53 PM, Mark Tinka mark.ti...@seacom.mu wrote: I remember this was happening on IOS XR in 3.9 and 4.0.x, when Ethernet ports were looped for testing, and after the loop is cleared, DAD keeps IPv6 from working until manual intervention or a reboot. Had the same

[c-nsp] IPv6 duplicate address

2014-07-01 Thread Ivan
So following on from a very old thread https://puck.nether.net/pipermail/cisco-nsp/2008-May/051088.html I have had an event where an interface got stuck in stalled state for much longer than is desirable. I tried to fix it using ipv6 nd dad attempts 5 but no luck. I also tried disabling and

Re: [c-nsp] IPv6 duplicate address

2014-07-01 Thread Mark Tinka
On Tuesday, July 01, 2014 12:57:17 PM Ivan wrote: I have had an event where an interface got stuck in stalled state for much longer than is desirable. I tried to fix it using ipv6 nd dad attempts 5 but no luck. I also tried disabling and enabling IPv6 on the interface that also didn't

[c-nsp] IPv6 connectivity on global unicast addresses between two directly connected interfaces if VRRPv3 is enabled

2014-05-21 Thread Martin T
Hi, I have two routers r1 and r2 connected to a switch with GigE ports: r1[Gi] - switch - [Gi]r2 r1 and r2 are in the same broadcast domain. According to sh ipv6 interface command, first router has IPv6 address 2001:10:7::4 and second one has IPv6 address 2001:10:7::3: Global unicast

[c-nsp] ipv6 router ospf vs router ospfv3

2014-03-25 Thread Tim Durack
RTR-3#sh run | sec router ospf router ospf 10 router-id 10.116.0.3 max-metric router-lsa on-startup 300 ispf auto-cost reference-bandwidth 10 ipv6 router ospf 10 router-id 10.116.0.3 auto-cost reference-bandwidth 10 max-metric router-lsa on-startup 300 end vs. RTR-1#sh run | sec

Re: [c-nsp] ipv6 router ospf vs router ospfv3

2014-03-25 Thread Mark Tinka
On Tuesday, March 25, 2014 02:32:13 PM Tim Durack wrote: RTR-1#sh run | sec router ospf router ospfv3 10 Oh, that's cool. I didn't know Cisco had implemented the Multi-AF support for OSPFv3 (Junos had it since Junos 9). For those interested, this took some digging, but:

Re: [c-nsp] ipv6 router ospf vs router ospfv3

2014-03-25 Thread Phil Mayers
On 25/03/14 15:39, Mark Tinka wrote: On Tuesday, March 25, 2014 02:32:13 PM Tim Durack wrote: RTR-1#sh run | sec router ospf router ospfv3 10 Oh, that's cool. I didn't know Cisco had implemented the Multi-AF support for OSPFv3 (Junos had it since Junos 9). Yeah, I spotted this very

Re: [c-nsp] ipv6 router ospf vs router ospfv3

2014-03-25 Thread Mark Tinka
On Tuesday, March 25, 2014 05:51:17 PM Phil Mayers wrote: Yeah, I spotted this very recently too in 15.1 on 6500/sup720. Haven't had time to test it yet beyond basic confirmation that it works for IPv6-only. I just checked a 7200 I have and it has the context also. This is 15.2(4)S3 on an

Re: [c-nsp] ipv6 router ospf vs router ospfv3

2014-03-25 Thread Aled Morris
On 25 March 2014 15:51, Phil Mayers p.may...@imperial.ac.uk wrote: Almost certainly. Note that some commands e.g. network point-to-point are not available on some platforms in the ipv6 format, only the ospfv3 one. Cisco's OSPFv3 seems to have been through at least three different syntax

Re: [c-nsp] ipv6 router ospf vs router ospfv3

2014-03-25 Thread Gert Doering
Hi, On Tue, Mar 25, 2014 at 06:02:34PM +0200, Mark Tinka wrote: I'm normally an IS-IS man, but we use OSPF for Anycast since IS-IS in Quagga is unusable. We use BGP for that. I just don't trust hosts taking part in my IGP... (Which, admittedly, needs lots more configuration to do anycast

Re: [c-nsp] ipv6 router ospf vs router ospfv3

2014-03-25 Thread Mark Tinka
On Tuesday, March 25, 2014 06:12:52 PM Gert Doering wrote: We use BGP for that. I just don't trust hosts taking part in my IGP... As this is internal, we can reasonably trust the servers, since they are under the management of the the Network team. However, we do have strict routing

Re: [c-nsp] IPv6 in the lab......

2013-11-28 Thread Jeyamurali Sivapathasundaram
hi To get IPV6 to work, you need to load the correct SDM template and reload the switches. Then you need to enable ipv6 unicast-routing on all devices. There is no anything else apart from configuring IPV6 addresses that you need to do, if all you want to do is to ping. You should be able to

Re: [c-nsp] IPv6 in the lab......

2013-11-28 Thread Andrew Miehs
I am just as dense. Why would you need to load the SDM template if you only want the switch to provide L2 connectivity? Sent from a mobile device On 28 Nov 2013, at 19:32, Jeyamurali Sivapathasundaram sjeyamur...@gmail.com wrote: hi To get IPV6 to work, you need to load the correct

Re: [c-nsp] IPv6 in the lab......

2013-11-28 Thread Bill Blackford
My experience with Cisco IPv6 is limited but I believe you can't even configure a v6 address until you have the IPv6 SDM template loaded. On Nov 28, 2013 12:39 AM, Andrew Miehs and...@2sheds.de wrote: I am just as dense. Why would you need to load the SDM template if you only want the switch

Re: [c-nsp] IPv6 in the lab......

2013-11-28 Thread Mikael Abrahamsson
On Thu, 28 Nov 2013, Bill Blackford wrote: My experience with Cisco IPv6 is limited but I believe you can't even configure a v6 address until you have the IPv6 SDM template loaded. You don't need to have an IPv6 address on an L2 switch, to L2 switch 0x86dd ethertype frames. -- Mikael

Re: [c-nsp] IPv6 in the lab......

2013-11-28 Thread Mark Tinka
On Thursday, November 28, 2013 03:00:57 PM Mikael Abrahamsson wrote: You don't need to have an IPv6 address on an L2 switch, to L2 switch 0x86dd ethertype frames. But you might want one for remote management of the device. I can see why having to go through the trouble setting up SDM

[c-nsp] IPv6 in the lab......

2013-11-27 Thread Scott Voll
So I may be dense or something, but if I have two devices on a Vlan with IPv6 addresses in the same network, why would I not be able to ping them? Is there something I have to do on layer 2 switches in order to allow the icmpv6 to flow? Switches are 3560's and nexus 5500/2k's TIA Scott

Re: [c-nsp] IPv6 in the lab......

2013-11-27 Thread TJ
If they are on the same L2, and addressed on the same L3, you should be able to ping unless you have a vACL/pAcL blocking IPv6/ICMPv6 ... can you ping between their link-locals? /TJ On Wed, Nov 27, 2013 at 1:06 PM, Scott Voll svoll.v...@gmail.com wrote: So I may be dense or something,

Re: [c-nsp] IPv6 in the lab......

2013-11-27 Thread CiscoNSP List
Have you enabled ipv6 unicast-routing ? Date: Wed, 27 Nov 2013 10:06:51 -0800 From: svoll.v...@gmail.com To: cisco-nsp@puck.nether.net Subject: [c-nsp] IPv6 in the lab.. So I may be dense or something, but if I have two devices on a Vlan with IPv6 addresses in the same network, why

Re: [c-nsp] IPv6 in the lab......

2013-11-27 Thread CiscoNSP List
And you also may need to adjust sdm to support ipv6 From: cisconsp_l...@hotmail.com To: svoll.v...@gmail.com; cisco-nsp@puck.nether.net Date: Thu, 28 Nov 2013 08:20:35 +1100 Subject: Re: [c-nsp] IPv6 in the lab.. Have you enabled ipv6 unicast-routing ? Date: Wed, 27 Nov 2013

Re: [c-nsp] IPv6 in the lab......

2013-11-27 Thread Mack McBride
, 2013 11:07 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] IPv6 in the lab.. So I may be dense or something, but if I have two devices on a Vlan with IPv6 addresses in the same network, why would I not be able to ping them? Is there something I have to do on layer 2 switches in order

Re: [c-nsp] IPv6 in the lab......

2013-11-27 Thread Bill Blackford
-Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll Sent: Wednesday, November 27, 2013 11:07 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] IPv6 in the lab.. So I may be dense

[c-nsp] IPv6 / OSPFv3

2013-11-21 Thread CiscoNSP List
Hi Everyone, What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do you assign /128's or /64's - If /64's do you need to enable ipv6 ospf network point-to-point under the loopback so that the IPv6 address is advertised as a /64 and not as /128? And Is it any more

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread Phil Mayers
On 21/11/13 08:38, CiscoNSP List wrote: Hi Everyone, What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do you assign /128's or /64's - If /64's do you need to enable ipv6 ospf network point-to-point under the loopback so that the IPv6 address is advertised as a /64 and not

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread CiscoNSP List
Thanks to everyone who replied - /128 it is. From: cisconsp_l...@hotmail.com To: cisco-nsp@puck.nether.net Date: Thu, 21 Nov 2013 19:38:51 +1100 Subject: [c-nsp] IPv6 / OSPFv3 Hi Everyone, What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do you assign /128's

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread Tom Storey
/128 for me too. On Thursday, 21 November 2013, Phil Mayers wrote: On 21/11/13 08:38, CiscoNSP List wrote: Hi Everyone, What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do you assign /128's or /64's - If /64's do you need to enable ipv6 ospf network point-to-point

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread Lobo
Same here. We use /128s and configure the loopback interface to be part of the ospf process and given area. Jose On 11/21/2013 5:10 AM, Phil Mayers wrote: On 21/11/13 08:38, CiscoNSP List wrote: Hi Everyone, What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do you

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread Mark Tinka
On Thursday, November 21, 2013 10:38:51 AM CiscoNSP List wrote: What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do you assign /128's or /64's - /128. Mark.

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread Mark Tinka
On Thursday, November 21, 2013 04:06:31 PM Lobo wrote: Same here. We use /128s and configure the loopback interface to be part of the ospf process and given area. I'd normally just make it passive (although passive- interface for OSPF in IOS behaves different than passive- interface for

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread Phil Mayers
On 21/11/13 14:29, Pete Lumbis wrote: Take a look at the NANOG best common practices for IPv6 addressing http://bcop.nanog.org/images/6/62/BCOP-IPv6_Subnetting.pdf The suggestion is to carve out the first /64 for loopbacks and then assign them all as /128s This is a good strategy. FWIW we

Re: [c-nsp] IPv6 / OSPFv3

2013-11-21 Thread Pete Lumbis
Take a look at the NANOG best common practices for IPv6 addressing http://bcop.nanog.org/images/6/62/BCOP-IPv6_Subnetting.pdf The suggestion is to carve out the first /64 for loopbacks and then assign them all as /128s On Thu, Nov 21, 2013 at 3:38 AM, CiscoNSP List

Re: [c-nsp] IPv6 filters

2013-11-20 Thread Adam Vitkovsky
On Tuesday, November 19, 2013 05:48:56 PM Nick Hilliard wrote: unless you configured no bgp default ipv4-unicast on ios, older versions of ios will default to exchanging ipv4 prefixes over ipv6. I don't even know if this is still the default because I've been using no bgp default

Re: [c-nsp] IPv6 filters

2013-11-19 Thread Mark Tinka
On Friday, November 15, 2013 02:56:39 PM Tony Tauber wrote: Depending on your OS, you may have to explicitly disable v6 routes being sent over a v4 session. That's possible to do but I don't know why one would want to in a truly dual-stack deployment. In v6 the only v4 artifact will be that

Re: [c-nsp] IPv6 filters

2013-11-19 Thread Scott Voll
So how do you keep IPv6 off of IPv4? if you are running dual stack shouldn't it just go out it's native protocol? Scott On Tue, Nov 19, 2013 at 6:42 AM, Mark Tinka mark.ti...@seacom.mu wrote: On Friday, November 15, 2013 02:56:39 PM Tony Tauber wrote: Depending on your OS, you may have to

Re: [c-nsp] IPv6 filters

2013-11-19 Thread Nick Hilliard
On 19/11/2013 15:23, Scott Voll wrote: So how do you keep IPv6 off of IPv4? if you are running dual stack shouldn't it just go out it's native protocol? unless you configured no bgp default ipv4-unicast on ios, older versions of ios will default to exchanging ipv4 prefixes over ipv6. I don't

Re: [c-nsp] IPv6 filters

2013-11-19 Thread Mark Tinka
On Tuesday, November 19, 2013 05:48:56 PM Nick Hilliard wrote: unless you configured no bgp default ipv4-unicast on ios, older versions of ios will default to exchanging ipv4 prefixes over ipv6. I don't even know if this is still the default because I've been using no bgp default

Re: [c-nsp] IPv6 filters

2013-11-15 Thread Nikolay Shopik
Then mark all your and your customers prefixes with community and announce only these marked. On 15/11/13 09:49, Mikael Abrahamsson wrote: Just using prefix-lists has drawbacks as well, since customers who are no longer customers can end up being transited to your network because you now

Re: [c-nsp] IPv6 filters

2013-11-15 Thread Gert Doering
Hi, On Fri, Nov 15, 2013 at 06:49:43AM +0100, Mikael Abrahamsson wrote: On Thu, 14 Nov 2013, Gert Doering wrote: Easier on CPU load but more maintenance if prefixes keep being added is to filter by prefix-list... so it depends a bit on how fast your router's CPU is, how often prefixes

Re: [c-nsp] IPv6 filters

2013-11-15 Thread Tony Tauber
Yes, explicitly filtering prefixes outbound if you're an edge site and inbound if you're a service provider is the right way to do it, whether it's v4 or v6. For BGP particularly, IPv6 is really nothing special at all; just mirror your configurations and policies. Depending on your OS, you may

[c-nsp] IPv6 filters

2013-11-14 Thread Scott Voll
New to IPv6 so sorry if this is a very basic question: I currently am dual homed with ipv4. I'm currently using a filter list: ip as-path access-list 1 permit ^$ ip as-path access-list 1 deny .* to make sure I'm not a transit provider. In my googling around I'm not seeing that done in IPv6

Re: [c-nsp] IPv6 filters

2013-11-14 Thread Nick Hilliard
On 14/11/2013 15:58, Scott Voll wrote: in my googling around I'm not seeing that done in IPv6 You shouldn't use them for ipv4 either. You should use ip prefix lists (or non regexp-based bgp communities if your bgp policy is anything more than trivially complicated) for controlling prefix

Re: [c-nsp] IPv6 filters

2013-11-14 Thread Gert Doering
Hi, On Thu, Nov 14, 2013 at 07:58:26AM -0800, Scott Voll wrote: I'm currently using a filter list: ip as-path access-list 1 permit ^$ ip as-path access-list 1 deny .* to make sure I'm not a transit provider. in my googling around I'm not seeing that done in IPv6 Besides the CPU

Re: [c-nsp] IPv6 filters

2013-11-14 Thread Mikael Abrahamsson
On Thu, 14 Nov 2013, Gert Doering wrote: Easier on CPU load but more maintenance if prefixes keep being added is to filter by prefix-list... so it depends a bit on how fast your router's CPU is, how often prefixes change, etc. Just using prefix-lists has drawbacks as well, since customers

Re: [c-nsp] IPv6 BGP Dual Homed dual site

2013-09-20 Thread Terebizh, Evgeny
Hi Scott My 2 cents. I guess you could advertise two /44s through eBGP sessions (one per each site). In case one uplink goes down, you would advertise locally generated /44 and /44 route learned through iBGP from another site. Basically, router may advertise /44 from the neighboring site as soon

[c-nsp] IPv6 BGP Dual Homed dual site

2013-09-19 Thread Scott Voll
I'm trying to wrap my head around the best way to setup BGP with IPv6 We currently have two different ISP's connected to two different sites. then we run iBGP between the sites. so in an IPv4 world have a class C at each location. then at each location my Firewalls NAT to the correct Class C

[c-nsp] IPv6 ND and ATM internetworking

2013-09-17 Thread Charles Sprickman
This is kind of a long shot since a large part of the network in question is not under my control, but I'm hoping I can get a little input that can give me a direction to go in here. We have a number of DSL customers that come in from a wholesaler. The setup basically looks like this: Our

[c-nsp] IPv6 bug back for the 7600

2013-08-26 Thread Mack McBride
Previously there was a bug that affected the 6500s. In this bug if you had a route that covered 0::/96, it would cause the TestFibDevices fail. This bug is back in the 15.2 code for the 7600. Specifically: 15.2(4)S3a I am guessing this is a result of the re-merge of the 7600/6500 code trains.

[c-nsp] ipv6 Netflow and Direction

2013-08-07 Thread Nitin Jain
Hi Guys, I am using Cisco 7200 and 3745 for configuring ipv6 network. Netflow from edge router can be exported either from Client facing interface or from core facing interface. when I set the direction as ingress netflow is being generated from both interface but when I set the direction as

Re: [c-nsp] ipv6 Netflow and Direction

2013-08-07 Thread Roland Dobbins
Nitin Jain nitin.jain@gmail.com wrote: Any pointers on which IOS should I try ? NetFlow is primarily an edge technology. Enable it ingress on your customer-facing peer-/transit-facing interfaces on the relevant edge router(s). --- Roland Dobbins

[c-nsp] IPv6: GLBP Address

2013-08-05 Thread Friedemann Stoyan
Hello Experts, I'm trying to configure the same link local address (fe80::1) as glbp address at all SVIs, but the switch (Sup2T with 15.1(1)SY1) refuses this: #sh run int vl 1 Building configuration... Current configuration : 100 bytes ! interface Vlan1 no ip address glbp 0 ipv6 FE80::1

Re: [c-nsp] IPv6: GLBP Address

2013-08-05 Thread Gert Doering
Hi, On Mon, Aug 05, 2013 at 09:06:44AM +0200, Friedemann Stoyan wrote: (config-if)#glbp 2 ipv6 FE80::1 % Address FE80::1 in group 0 - interface Vlan1 (config-if)# Why? What kind of limitation causes this behavior? Developers with lack of exposure to real world networks And sorry, can't

Re: [c-nsp] ipv6 nd prefix prefix no-onlink

2013-07-17 Thread Bernhard Schmidt
Tim Durack tdur...@gmail.com wrote: Can anyone explain: ipv6 nd prefix prefix no-onlink Does this mean nodes using this prefix should send all traffic to the router, even if the traffic might really be onlink? (This is an Ethernet segment.) Correct. Watch out that 6500 (SXJ) also drops the

Re: [c-nsp] ipv6 nd prefix prefix no-onlink

2013-07-17 Thread Tim Durack
Documentation says: - no-onlink L=0 A=1 In Routing Table 15.1(SY) does the right thing, keeping the connected route. NX-OS is broken for ipv6 nd prefix, not including the connected/direct route when it should. (This is supposed to be fixed in 6.2.) On Wed, Jul 17, 2013 at 5:03 AM,

[c-nsp] ipv6 nd prefix prefix no-onlink

2013-07-16 Thread Tim Durack
Can anyone explain: ipv6 nd prefix prefix no-onlink Does this mean nodes using this prefix should send all traffic to the router, even if the traffic might really be onlink? (This is an Ethernet segment.) -- Tim:

Re: [c-nsp] ipv6 nd prefix prefix no-onlink

2013-07-16 Thread TJ
On Tue, Jul 16, 2013 at 1:16 PM, Tim Durack tdur...@gmail.com wrote: Can anyone explain: ipv6 nd prefix prefix no-onlink Does this mean nodes using this prefix should send all traffic to the router, even if the traffic might really be onlink? (This is an Ethernet segment.) That is the
