Does anyone have any updated router hardening guidelines? Some of the sites
I reference have not been updated for some time, e.g. www.team-cymru.org
Thanks in advance,
Mike
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
Check out the white paper on terastream
On Thursday, October 11, 2018, harbor235 wrote:
> Gents,
>
> I have a green field IPv6 infrastructure that I am standing up, I plan on
> allocating unique IPv6 net block ranges for infrastructure nets
> (loopbacks/routerid, pt-to-pts), service delivery
Gents,
I have a green field IPv6 infrastructure that I am standing up, I plan on
allocating unique IPv6 net block ranges for infrastructure nets
(loopbacks/routerid, pt-to-pts), service delivery allocations (customer
services), North of the security boundary layer, south of security boundary
Hello,
I'm trying to understand why my ipv6 dhcp server accounting does not work
as I expect. I'm using this on cisco 7301 (ROM: System Bootstrap, Version
12.3(4r)T4, RELEASE SOFTWARE (fc1)
)
Here are the relevant parts of my config :
aaa new-model
!
!
aaa group server radius RGROUP
server name
One of the reasons I'm not very keen on using merchant silicon for
high-touch routing.
Mark.
On 24/Feb/18 10:19, Chris Welti wrote:
> Hi David,
>
> uRPF on the NCS5500 is a mess due to limitations of the Jericho
> chipset. It has to do with the TCAM optimizations and twice the number
> of route
Hi David,
uRPF on the NCS5500 is a mess due to limitations of the Jericho chipset.
It has to do with the TCAM optimizations and twice the number of route
lookups needed for uRPF (src/dst)
From what I understand:
On SE-models for uRPF to work you need to disable double-capacity mode
(you
Hi all, curious if anyone has run into issues with IPv6 uRPF on NCS5500 and/or
XR 6.2.3? I have an interface where I added:
ipv4 verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any
and immediately lost my ability to talk to a BGP peer connected to it using a
Hi,
before I forward this up the chain.
Does anybody have knowledge of IPv6 FHS Etherchannel support for 4506/Sup7LE
We are using the boxes for FTTH access and want to enable ipv6 ldra on the
customer ports.
Our server facing ports are often on Etherchannels which is not compatible with
the
Hi Folks,
I've got a 7609 with a RSP720-3CXL-GE running Version 15.4(3)S6.
IPv6 BGP is sending far too many updates to iBGP neighbors and downstream
customers getting a full BGP feed.
After running 6 days, the tblver is up to 133 million, and 61 million
updates have been sent to full-feed
It ended up being a port channel issue. The router needed mode on rather
than mode active. IPv4 was able to work without the port channel working
whereas IPv6 was seeing a loop. Fixed the port channel issue and
everything worked.
scott
On Mon, Oct 31, 2016 at 8:51 AM, John Kougoulos
Hi,
On Wed, Oct 26, 2016 at 9:06 PM, Scott Voll wrote:
> So I have a 2951 setup with a Port-channel to a set of L3 Nexus 5548's on a
> VPC.
>
>
Well, I don't know specifically about IPv6, but in general, connectivity
between a router and nexus using vPC is not recommended,
So I have a 2951 setup with a Port-channel to a set of L3 Nexus 5548's on a
VPC.
IPv4 seems to work fine.
IPv6 on the other hand I'm getting a loop detected.
%IPV6_ND-4-LOOPBACK: Looped back NS(DAD) packet detected for
on Port-channel XX.yy
What am I missing so that IPv6 will work?
Can
On Mon, 22 Aug 2016, Scott Voll wrote:
I'm not really able to wrap my mind around what best practice would be.
Currently I have two exit points in my network. BGP / iBGP. Two Firewalls
behind those. Each Firewall has an IPv4 Class C to NAT to.
With publicly Routed IPv6 not nat'ing how do I
Gert and Lee, you're picking up what I'm putting down.
Two geographically dispersed exit points with multiple internal dispersed
sites each with a /48. My overall is a /44. So from a BGP standpoint
I'm announcing half my sites out one exit site and the other half out the
other. With iBGP
Hi,
On Mon, Aug 22, 2016 at 10:54:04PM +0100, Tom Hill wrote:
> On 22/08/16 22:34, Gert Doering wrote:
> > Not if you NAT the IPv4 - the NAT part enforces symmetry.
> >
> > Not that I'm a big fan of NAT, but it has its uses :-)
>
> FHRPs aren't just for 'inside' interfaces. You do have to be
On 22/08/16 22:34, Gert Doering wrote:
> Not if you NAT the IPv4 - the NAT part enforces symmetry.
>
> Not that I'm a big fan of NAT, but it has its uses :-)
FHRPs aren't just for 'inside' interfaces. You do have to be sure to
adjust the priorities of 'inside' and 'outside' interfaces together
On 8/22/16, Scott Voll wrote:
> I'm not really able to wrap my mind around what best practice would be.
>
> Currently I have two exit points in my network. BGP / iBGP. Two Firewalls
> behind those. Each Firewall has an IPv4 Class C to NAT to.
>
> With publicly Routed IPv6
Hi,
On Mon, Aug 22, 2016 at 10:31:48PM +0100, Tom Hill wrote:
> On 22/08/16 22:11, Gert Doering wrote:
> > (but in this particular case, the issue is not so much "NAT" as
> > "there are stateful firewalls in the way, that require symmetric
> > traffic return from the Internet" - which makes this
On 22/08/16 22:11, Gert Doering wrote:
> (but in this particular case, the issue is not so much "NAT" as
> "there are stateful firewalls in the way, that require symmetric
> traffic return from the Internet" - which makes this much harder
> than "just plain routing")
This problem exists with
Hi,
On Mon, Aug 22, 2016 at 10:07:44PM +0100, Tom Hill wrote:
> *secretly very happy that IPv6 is teaching ops how to do networking
> without any NAT* ;)
https://www.youtube.com/watch?v=v26BAlfWBm8
(but in this particular case, the issue is not so much "NAT" as
"there are stateful firewalls
On 22/08/16 18:23, Scott Voll wrote:
> Thanks for your input. Maybe I'm just missing something easy.
OSPFv3, EIGRP, MP-BGP... Static routes? All of these can help your edge
routers find the internal IPv6 networks on your firewalls.
Honestly, I'd suggest starting with 'How would I do IPv4
I'm not really able to wrap my mind around what best practice would be.
Currently I have two exit points in my network. BGP / iBGP. Two Firewalls
behind those. Each Firewall has an IPv4 Class C to NAT to.
With publicly Routed IPv6 not nat'ing how do I setup the firewalls / bgp to
route
On 05/05/16 22:50, Tom Hill wrote:
> but didn't specifics.
*but didn't go into specifics.
--
Tom
On 03/05/16 07:47, Gert Doering wrote:
> I have a feature request to at least add a knob for "please use GUA
> next-hop!" - CSCut26765 - it was opened by a friendly Cisco developer,
> and I have no read access to it, so no idea whether it's proceeding or
> not. But if you have interest in
Hi,
On Tue, May 03, 2016 at 09:30:20AM +0200, Marco Marzetti wrote:
> > I have a feature request to at least add a knob for "please use GUA
> > next-hop!" - CSCut26765 - it was opened by a friendly Cisco developer,
> > and I have no read access to it, so no idea whether it's proceeding or
> >
On 2016-05-03 08:47, Gert Doering wrote:
Hi,
On Mon, May 02, 2016 at 11:39:47PM +0200, Sebastian Ganschow wrote:
There's a feature request open for this.
The whole "use link-local next-hops for peers where the session is via
a global address" is one of the most stupid ideas in this whole
Hi,
On Mon, May 02, 2016 at 11:39:47PM +0200, Sebastian Ganschow wrote:
> There's a feature request open for this.
The whole "use link-local next-hops for peers where the session is via
a global address" is one of the most stupid ideas in this whole IPv6 thing
anyway. There is no benefit, but a
Hi,
Cisco is interpreting the RFC a little strangely...
You need to disable the connected check on that neighbor to make it work.
neighbor 1.2.3.4 *disable-connected-check*
As long as it's enabled, they are preferring the link-local and the
route-map doesn't apply.
There's a feature request
Hi Marco.
Some time ago I had to solve similar problem. I used this workaround:
!
router bgp 64512
neighbor 2001:DB8::1 ebgp-multihop 2
!
It is ugly but ...
Can you try it?
Best regards,
Pepa
On Mon, May 02, 2016 at 09:44:14PM +0200, Job Snijders wrote:
> On Mon, May 02, 2016 at 07:55:25PM +0200, Marco Marzetti wrote:
> > Do you have any ideas?
>
> ipv6 route 100::1/128 null0
Some testing showed that the above doesn't change the situation.
As discussed on IRC, there are is
On Mon, May 02, 2016 at 07:55:25PM +0200, Marco Marzetti wrote:
> Do you have any ideas?
Have you tried the same setup but with the following more-specific
discard route instead of the /64?
ipv6 route 100::1/128 null0
You also may want to set:
interface null0
no ipv6
Hello,
I am working on RTBH for IPv6 on IOS and i am stuck with the odd
behavior of the OS.
Let's say that i have the following configuration on the router:
!
hostname R2
ipv6 unicast-routing
!
interface Gi1/0
ipv6 address 2001:DB8::2/64
!
router bgp 64512
bgp maxas-limit 30
neighbor
ya
> Sent: Thursday, March 3, 2016 4:17 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] IPv6 HSRP Config
>
> Hi list,
>
> I have a couple of Cisco boxes:
>
> 7604 / SUP720-3BXL - IOS 12.2(33)SRE
> 7204 / NPE-G1 - IOS 12.2(33)SRE
>
> Firstly, can you advise
On 03/03/16 09:17, Dario Amaya wrote:
Hi list,
I have a couple of Cisco boxes:
7604 / SUP720-3BXL - IOS 12.2(33)SRE
7204 / NPE-G1 - IOS 12.2(33)SRE
Firstly, can you advise if the config below is correct? Anything I am
It looks about right. A working HSRPv6 config from one of our 6500s:
Hi list,
I have a couple of Cisco boxes:
7604 / SUP720-3BXL - IOS 12.2(33)SRE
7204 / NPE-G1 - IOS 12.2(33)SRE
Firstly, can you advise if the config below is correct? Anything I am
missing? Secondly, I cannot get the ipv6 group 2777 to be
Active/Standby, both are in an Active state as you can
On Mon, Mar 23, 2015 at 09:42:58PM +0300, Samir Abid Al-mahdi wrote:
Hi,
This requires a DS-Lite, right? If yes, the CPE must be DS-Lite enabled,
right?
Why would it? You could simply dual stack your CPE handing out 100.x.y.z
CGN prefix IPv4 addresses and a public IPv6 address/prefix.
We
Hi all, does anyone know the IPv6 ND capacity on the Nexus 9k line? Or
9300 and 9500 specifically? I found ARP at 90k but can't find anything
for IPv6.
Thanks,
David
On 23/09/2014 04:05, Frank Bulk wrote:
Do you happen to have the OIDs or MIB name for that info?
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-BGP4-MIB.my
Nick
On 10/27/2012 08:54 PM, Nick Hilliard wrote:
Very disappointing but I guess we'll just go the SSH/scrape route
instead like everybody else is having to do.
2 years later. Wanted to deploy IPv6 on small parts of our network.
Configured IPv6 neighbors and thought to start monitoring those sessions
On 22/09/2014 22:05, chiel wrote:
2 years later. Wanted to deploy IPv6 on small parts of our network.
Configured IPv6 neighbors and thought to start monitoring those sessions
right away before moving on. After an hour Googling I find that in 2014 you
still can't monitor your IPv6 peers with
On 09/22/2014 11:21 PM, Nick Hilliard wrote:
this is now supported on some varieties of IOS - 15.2(3)T and 15.2(4)S.
Also, XR has supported it for some years.
So not yet for a 6500 with sup720? I believe 15.1 is the latest on that.
On 22/09/14 22:42, chiel wrote:
So not yet for a 6500 with sup720? I believe 15.1 is the latest on that.
Looks to be the case
7600 with SUP720 have 15.2, 15.3 15.4 releases:
Do you happen to have the OIDs or MIB name for that info?
Frank
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Hilliard
Sent: Monday, September 22, 2014 4:22 PM
To: chiel; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IPv6 BGP peers over
On Aug 7, 2014, at 4:42 PM, Nicolas DEFFAYET nicolas...@deffayet.com wrote:
Hello,
The command 'ipv6 tacacs source-interface Loopback0' for selecting the IPv6
source address for TACACS has no effect on Cisco 6500 12.2(33)SXJ7.
Is it a known issue?
The command is accepted by the CLI but the
Hello,
The command 'ipv6 tacacs source-interface Loopback0' for selecting the IPv6
source address for TACACS has no effect on Cisco 6500 12.2(33)SXJ7.
Is it a known issue?
The command is accepted by the CLI but the packets are sourced with the
IPv6 address of outgoing interface and not the loopback.
On Jul 1, 2014, at 2:53 PM, Mark Tinka mark.ti...@seacom.mu wrote:
I remember this was happening on IOS XR in 3.9 and 4.0.x,
when Ethernet ports were looped for testing, and after the
loop is cleared, DAD keeps IPv6 from working until manual
intervention or a reboot.
Had the same
So following on from a very old thread
https://puck.nether.net/pipermail/cisco-nsp/2008-May/051088.html
I have had an event where an interface got stuck in stalled state for
much longer than is desirable. I tried to fix it using ipv6 nd dad
attempts 5 but no luck. I also tried disabling and
On Tuesday, July 01, 2014 12:57:17 PM Ivan wrote:
I have had an event where an interface got stuck in
stalled state for much longer than is desirable. I
tried to fix it using ipv6 nd dad attempts 5 but no
luck. I also tried disabling and enabling IPv6 on the
interface that also didn't
Hi,
I have two routers r1 and r2 connected to a switch with GigE ports:
r1[Gi] - switch - [Gi]r2
r1 and r2 are in the same broadcast domain. According to sh ipv6
interface command, first router has IPv6 address 2001:10:7::4 and
second one has IPv6 address 2001:10:7::3:
Global unicast
RTR-3#sh run | sec router ospf
router ospf 10
router-id 10.116.0.3
max-metric router-lsa on-startup 300
ispf
auto-cost reference-bandwidth 10
ipv6 router ospf 10
router-id 10.116.0.3
auto-cost reference-bandwidth 10
max-metric router-lsa on-startup 300
end
vs.
RTR-1#sh run | sec
On Tuesday, March 25, 2014 02:32:13 PM Tim Durack wrote:
RTR-1#sh run | sec router ospf
router ospfv3 10
Oh, that's cool.
I didn't know Cisco had implemented the Multi-AF support for
OSPFv3 (Junos had it since Junos 9).
For those interested, this took some digging, but:
On 25/03/14 15:39, Mark Tinka wrote:
On Tuesday, March 25, 2014 02:32:13 PM Tim Durack wrote:
RTR-1#sh run | sec router ospf
router ospfv3 10
Oh, that's cool.
I didn't know Cisco had implemented the Multi-AF support for
OSPFv3 (Junos had it since Junos 9).
Yeah, I spotted this very
On Tuesday, March 25, 2014 05:51:17 PM Phil Mayers wrote:
Yeah, I spotted this very recently too in 15.1 on
6500/sup720. Haven't had time to test it yet beyond
basic confirmation that it works for IPv6-only.
I just checked a 7200 I have and it has the context also.
This is 15.2(4)S3 on an
On 25 March 2014 15:51, Phil Mayers p.may...@imperial.ac.uk wrote:
Almost certainly. Note that some commands e.g. network point-to-point
are not available on some platforms in the ipv6 format, only the ospfv3
one.
Cisco's OSPFv3 seems to have been through at least three different syntax
Hi,
On Tue, Mar 25, 2014 at 06:02:34PM +0200, Mark Tinka wrote:
I'm normally an IS-IS man, but we use OSPF for Anycast since
IS-IS in Quagga is unusable.
We use BGP for that. I just don't trust hosts taking part in my IGP...
(Which, admittedly, needs lots more configuration to do anycast
On Tuesday, March 25, 2014 06:12:52 PM Gert Doering wrote:
We use BGP for that. I just don't trust hosts taking
part in my IGP...
As this is internal, we can reasonably trust the servers,
since they are under the management of the the Network team.
However, we do have strict routing
hi
To get IPV6 to work, you need to load the correct SDM template and reload
the switches.
Then you need to enable ipv6 unicast-routing on all devices.
There isn't anything else apart from configuring IPV6 addresses that you
need to do, if all you want to do is to ping.
You should be able to
I am just as dense.
Why would you need to load the SDM template if you only want the switch to
provide L2 connectivity?
Sent from a mobile device
On 28 Nov 2013, at 19:32, Jeyamurali Sivapathasundaram
sjeyamur...@gmail.com wrote:
hi
To get IPV6 to work, you need to load the correct
My experience with Cisco IPv6 is limited but I believe you can't even
configure a v6 address until you have the IPv6 SDM template loaded.
On Nov 28, 2013 12:39 AM, Andrew Miehs and...@2sheds.de wrote:
I am just as dense.
Why would you need to load the SDM template if you only want the switch
On Thu, 28 Nov 2013, Bill Blackford wrote:
My experience with Cisco IPv6 is limited but I believe you can't even
configure a v6 address until you have the IPv6 SDM template loaded.
You don't need to have an IPv6 address on an L2 switch, to L2 switch
0x86dd ethertype frames.
--
Mikael
On Thursday, November 28, 2013 03:00:57 PM Mikael
Abrahamsson wrote:
You don't need to have an IPv6 address on an L2 switch,
to L2 switch 0x86dd ethertype frames.
But you might want one for remote management of the device.
I can see why having to go through the trouble setting up
SDM
So I may be dense or something, but if I have two devices on a Vlan with
IPv6 addresses in the same network, why would I not be able to ping them?
Is there something I have to do on layer 2 switches in order to allow the
icmpv6 to flow?
Switches are 3560's and nexus 5500/2k's
TIA
Scott
If they are on the same L2, and addressed on the same L3, you should be
able to ping unless you have a vACL/pAcL blocking IPv6/ICMPv6 ... can you
ping between their link-locals?
/TJ
On Wed, Nov 27, 2013 at 1:06 PM, Scott Voll svoll.v...@gmail.com wrote:
So I may be dense or something,
Have you enabled ipv6 unicast-routing ?
Date: Wed, 27 Nov 2013 10:06:51 -0800
From: svoll.v...@gmail.com
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPv6 in the lab..
So I may be dense or something, but if I have two devices on a Vlan with
IPv6 addresses in the same network, why
And you also may need to adjust sdm to support ipv6
From: cisconsp_l...@hotmail.com
To: svoll.v...@gmail.com; cisco-nsp@puck.nether.net
Date: Thu, 28 Nov 2013 08:20:35 +1100
Subject: Re: [c-nsp] IPv6 in the lab..
Have you enabled ipv6 unicast-routing ?
Date: Wed, 27 Nov 2013
, 2013 11:07 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPv6 in the lab..
So I may be dense or something, but if I have two devices on a Vlan with
IPv6 addresses in the same network, why would I not be able to ping them?
Is there something I have to do on layer 2 switches in order
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Scott Voll
Sent: Wednesday, November 27, 2013 11:07 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPv6 in the lab..
So I may be dense
Hi Everyone,
What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do you
assign /128's or /64's - If /64's do you need to enable ipv6 ospf network
point-to-point under the loopback so that the IPv6 address is advertised as a
/64 and not as /128?
And Is it any more
On 21/11/13 08:38, CiscoNSP List wrote:
Hi Everyone,
What is recommended practice when configuring OSPFv3/IPv6
Loopbacks? Do you assign /128's or /64's - If /64's do you need to
enable ipv6 ospf network point-to-point under the loopback so that
the IPv6 address is advertised as a /64 and not
Thanks to everyone who replied - /128 it is.
From: cisconsp_l...@hotmail.com
To: cisco-nsp@puck.nether.net
Date: Thu, 21 Nov 2013 19:38:51 +1100
Subject: [c-nsp] IPv6 / OSPFv3
Hi Everyone,
What is recommended practice when configuring OSPFv3/IPv6 Loopbacks? Do
you assign /128's
/128 for me too.
On Thursday, 21 November 2013, Phil Mayers wrote:
On 21/11/13 08:38, CiscoNSP List wrote:
Hi Everyone,
What is recommended practice when configuring OSPFv3/IPv6
Loopbacks? Do you assign /128's or /64's - If /64's do you need to
enable ipv6 ospf network point-to-point
Same here. We use /128s and configure the loopback interface to be part
of the ospf process and given area.
Jose
On 11/21/2013 5:10 AM, Phil Mayers wrote:
On 21/11/13 08:38, CiscoNSP List wrote:
Hi Everyone,
What is recommended practice when configuring OSPFv3/IPv6
Loopbacks? Do you
On Thursday, November 21, 2013 10:38:51 AM CiscoNSP List
wrote:
What is recommended practice when configuring
OSPFv3/IPv6 Loopbacks? Do you assign /128's or /64's -
/128.
Mark.
On Thursday, November 21, 2013 04:06:31 PM Lobo wrote:
Same here. We use /128s and configure the loopback
interface to be part of the ospf process and given area.
I'd normally just make it passive (although passive-
interface for OSPF in IOS behaves different than passive-
interface for
On 21/11/13 14:29, Pete Lumbis wrote:
Take a look at the NANOG best common practices for IPv6 addressing
http://bcop.nanog.org/images/6/62/BCOP-IPv6_Subnetting.pdf
The suggestion is to carve out the first /64 for loopbacks and then assign
them all as /128s
This is a good strategy. FWIW we
Take a look at the NANOG best common practices for IPv6 addressing
http://bcop.nanog.org/images/6/62/BCOP-IPv6_Subnetting.pdf
The suggestion is to carve out the first /64 for loopbacks and then assign
them all as /128s
On Thu, Nov 21, 2013 at 3:38 AM, CiscoNSP List
On Tuesday, November 19, 2013 05:48:56 PM Nick Hilliard
wrote:
unless you configured no bgp default ipv4-unicast on ios, older
versions of ios will default to exchanging
ipv4 prefixes over ipv6. I don't even know if this is still the
default because I've been using no bgp default
On Friday, November 15, 2013 02:56:39 PM Tony Tauber wrote:
Depending on your OS, you may have to explicitly disable
v6 routes being sent over a v4 session.
That's possible to do but I don't know why one would want
to in a truly dual-stack deployment.
In v6 the only v4 artifact will be that
So how do you keep IPv6 off of IPv4? If you are running dual stack
shouldn't it just go out its native protocol?
Scott
On Tue, Nov 19, 2013 at 6:42 AM, Mark Tinka mark.ti...@seacom.mu wrote:
On Friday, November 15, 2013 02:56:39 PM Tony Tauber wrote:
Depending on your OS, you may have to
On 19/11/2013 15:23, Scott Voll wrote:
So how do you keep IPv6 off of IPv4? If you are running dual stack
shouldn't it just go out its native protocol?
unless you configured no bgp default ipv4-unicast on ios, older versions
of ios will default to exchanging ipv4 prefixes over ipv6. I don't
On Tuesday, November 19, 2013 05:48:56 PM Nick Hilliard
wrote:
unless you configured no bgp default ipv4-unicast on
ios, older versions of ios will default to exchanging
ipv4 prefixes over ipv6. I don't even know if this is
still the default because I've been using no bgp
default
Then mark all your and your customers prefixes with community and
announce only these marked.
On 15/11/13 09:49, Mikael Abrahamsson wrote:
Just using prefix-lists has drawbacks as well, since customers who are
no longer customers can end up being transited to your network because
you now
Hi,
On Fri, Nov 15, 2013 at 06:49:43AM +0100, Mikael Abrahamsson wrote:
On Thu, 14 Nov 2013, Gert Doering wrote:
Easier on CPU load but more maintenance if prefixes keep being added is
to filter by prefix-list... so it depends a bit on how fast your
router's CPU is, how often prefixes
Yes, explicitly filtering prefixes outbound if you're an edge site and
inbound if you're a service provider is the right way to do it, whether
it's v4 or v6.
For BGP particularly, IPv6 is really nothing special at all; just mirror
your configurations and policies.
Depending on your OS, you may
New to IPv6 so sorry if this is a very basic question:
I currently am dual homed with ipv4
I'm currently using a filter list:
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
to make sure I'm not a transit provider.
In my googling around I'm not seeing that done in IPv6
On 14/11/2013 15:58, Scott Voll wrote:
In my googling around I'm not seeing that done in IPv6
You shouldn't use them for ipv4 either. You should use ip prefix lists (or
non regexp-based bgp communities if your bgp policy is anything more than
trivially complicated) for controlling prefix
Hi,
On Thu, Nov 14, 2013 at 07:58:26AM -0800, Scott Voll wrote:
I'm currently using a filter list:
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
to make sure I'm not a transit provider.
In my googling around I'm not seeing that done in IPv6
Besides the CPU
On Thu, 14 Nov 2013, Gert Doering wrote:
Easier on CPU load but more maintenance if prefixes keep being added is
to filter by prefix-list... so it depends a bit on how fast your
router's CPU is, how often prefixes change, etc.
Just using prefix-lists has drawbacks as well, since customers
Hi Scott
My 2 cents.
I guess you could advertise two /44s through eBGP sessions (one per each
site). In case one uplink goes down, you would advertise locally generated
/44 and /44 route learned through iBGP from another site. Basically,
router may advertise /44 from the neighboring site as soon
I'm trying to wrap my head around the best way to setup BGP with IPv6
We currently have two different ISPs connected to two different sites.
Then we run iBGP between the sites.
So in an IPv4 world have a class C at each location. Then at each location
my Firewalls NAT to the correct Class C
This is kind of a long shot since a large part of the network in question is
not under my control, but I'm hoping I can get a little input that can give me
a direction to go in here.
We have a number of DSL customers that come in from a wholesaler. The setup
basically looks like this:
Our
Previously there was a bug that affected the 6500s.
In this bug if you had a route that covered 0::/96, it would cause the
TestFibDevices to fail.
This bug is back in the 15.2 code for the 7600.
Specifically: 15.2(4)S3a
I am guessing this is a result of the re-merge of the 7600/6500 code trains.
Hi Guys,
I am using Cisco 7200 and 3745 for configuring ipv6 network. Netflow from
edge router can be exported either from Client facing interface or from
core facing interface.
When I set the direction as ingress netflow is being generated from both
interfaces but when I set the direction as
Nitin Jain nitin.jain@gmail.com wrote:
Any pointers on which IOS should I try ?
NetFlow is primarily an edge technology. Enable it ingress on your
customer-facing peer-/transit-facing interfaces on the relevant edge
router(s).
---
Roland Dobbins
Hello Experts,
I'm trying to configure the same link local address (fe80::1) as glbp
address at all SVIs, but the switch (Sup2T with 15.1(1)SY1) refuses
this:
#sh run int vl 1
Building configuration...
Current configuration : 100 bytes
!
interface Vlan1
no ip address
glbp 0 ipv6 FE80::1
Hi,
On Mon, Aug 05, 2013 at 09:06:44AM +0200, Friedemann Stoyan wrote:
(config-if)#glbp 2 ipv6 FE80::1
% Address FE80::1 in group 0 - interface Vlan1
(config-if)#
Why? What kind of limitation causes this behavior?
Developers with lack of exposure to real world networks
And sorry, can't
Tim Durack tdur...@gmail.com wrote:
Can anyone explain: ipv6 nd prefix prefix no-onlink
Does this mean nodes using this prefix should send all traffic to the
router, even if the traffic might really be onlink? (This is an Ethernet
segment.)
Correct. Watch out that 6500 (SXJ) also drops the
Documentation says:
- no-onlink L=0 A=1 In Routing Table
15.1(SY) does the right thing, keeping the connected route.
NX-OS is broken for ipv6 nd prefix, not including the connected/direct
route when it should. (This is supposed to be fixed in 6.2.)
On Wed, Jul 17, 2013 at 5:03 AM,
Can anyone explain: ipv6 nd prefix prefix no-onlink
Does this mean nodes using this prefix should send all traffic to the
router, even if the traffic might really be onlink? (This is an Ethernet
segment.)
--
Tim:
On Tue, Jul 16, 2013 at 1:16 PM, Tim Durack tdur...@gmail.com wrote:
Can anyone explain: ipv6 nd prefix prefix no-onlink
Does this mean nodes using this prefix should send all traffic to the
router, even if the traffic might really be onlink? (This is an Ethernet
segment.)
That is the