[c-nsp] Specification of RA that responds to RS (applied RA suppress I/F)

Alexander Clouter alex at digriz.org.uk
Sat Jul 3 05:45:17 EDT 2010


Brandon Applegate <brandon at burn.net> wrote:
>
> [snipped]
> 
> The message from last month said that:
> 
>  ipv6 nd ra suppress
>  ipv6 nd prefix default no-advertise
> 
> Would stop machines from accidentally lighting up ipv6.  This makes sense 
> to me, and I really like that solution for a pure static / 'server' 
> segment.  However, it seems HSRP hooks into ND/RA so that it can advertise 
> the HSRP address in the RAs.  These commands above seem to tangle this 
> up, and unexpected results come from that.  I'll try to summarize:
> 
We opted for a slightly different approach, embracing that hosts can 
have multiple IPs, if not encouraged to do so, hanging off the same 
interface.  I let our servers do stateless config and add the static 
IPs I want to hang services (SSH, DNS, etc) off using the following to 
pick the address to assign:

http://www.digriz.org.uk/misc#GeneratingaUniqueIPv6Address

The box will use its stateless address for chatting to the other hosts 
(unless you are using 'ip rule' of course) but quite happily serve off 
the services you run off the box the static addresses you give it; 
obviously it is those static addresses that go into DNS.

> So it looks like I can't have my cake (HSRP) and eat it too (no RA + no 
> autoconfig).  I'm currently using the middle solution.  What got my 
> attention to begin with, is after statically defining the default gateway 
> on the linux machine, I had two default gateways, one obviously from an 
> RA:
> 
> default via fe80::5:73ff:fea0:1 dev eth0  metric 1  mtu 1500 advmss 1440 hoplimit 4294967295
> default via fe80::5:73ff:fea0:1 dev eth0  proto kernel  metric 1024  expires 0sec mtu 1500 advmss 1440 hoplimit 64
>
We use 'fe80::' as the HSRP address, plus additionally marking the 
router preference as 'high', which seems to (on a Linux box at least) 
mean it appears as the first match in the routing table to get out of 
the subnet.  The idea being that if something else was to start spitting 
out RAs on the subnet I hope this strategy mitigates against any 
misconfigurations of servers.

So, the vlan config snippet we use is:
----
interface Vlan123
 ip address 1.2.3.6 255.255.255.248
 ip pim sparse-mode
 ip igmp version 3
 ipv6 address SOAS 0:0:0:1234::/64 anycast
 ipv6 nd router-preference High
 standby version 2
 standby 123 ip 1.2.3.1
 standby 123 preempt delay minimum 120
 standby 123 authentication md5 key-string 7 <ahem>
 standby 2123 ipv6 FE80::
 standby 2123 preempt delay minimum 120
 standby 2123 authentication md5 key-string 7 <ahem>
----
 
The result on the server:
----
ac56@ipserv0:~$ ip -6 route show default
default via fe80:: dev bond0  proto kernel  metric 1024  expires 1678sec mtu 1500 advmss 1440 hoplimit 64
----

The advantage for us with using 'fe80::' is that that is the default
gateway on *all* our VLANs.

I thought it was neat anyway, hope you do :)

If anyone can see any problems, or make any further recommendations on 
our standard config, I would be interested to hear them.

> PPPS: 12.4T says it supports a global address for the HSRP ip ?  I only 
> have the option of autoconfig or link-local on my 6500.  Is this something 
> coming for Catalyst ?
> 
I personally cannot think of a single reason why anyone would want to 
configure a router gateway address with anything other than link-local. 
As far as I am aware there are no advantages in using global address 
although I am happy to be proved wrong and learn something new.

Cheers

-- 
Alexander Clouter
.sigmonster says: Am I SHOPLIFTING?
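
Added example, not part of the original post or the poster's tooling: a host-side check that parses `ip -6 route show default` output and flags RA-learned default gateways other than the expected 'fe80::', plus interfaces that carry both a static and an RA-learned default route, as in the quoted eth0 output. It assumes RA-learned routes can be recognised by an "expires" lifetime or "proto ra"; the fourth sample line and the finding names are constructed.

```python
import ipaddress

# Assumption: the only legitimate RA-learned gateway is the 'fe80::' HSRP
# address from the VLAN config in the post.
EXPECTED_GATEWAY = ipaddress.ip_address("fe80::")

# Constructed sample of `ip -6 route show default` output: lines 1-3 are the
# routes quoted in the thread, line 4 is a made-up route from a stray RA sender.
SAMPLE = """\
default via fe80::5:73ff:fea0:1 dev eth0  metric 1  mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::5:73ff:fea0:1 dev eth0  proto kernel  metric 1024  expires 0sec mtu 1500 advmss 1440 hoplimit 64
default via fe80:: dev bond0  proto kernel  metric 1024  expires 1678sec mtu 1500 advmss 1440 hoplimit 64
default via fe80::1234:5678 dev bond0  proto ra  metric 1024  expires 1790sec hoplimit 64 pref medium
"""

def parse_default_routes(text):
    """Return (device, gateway, learned_from_ra) for each default route."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["default", "via"] or "dev" not in tok[:-1]:
            continue
        gw = ipaddress.ip_address(tok[2])
        dev = tok[tok.index("dev") + 1]
        proto = tok[tok.index("proto") + 1] if "proto" in tok[:-1] else None
        # Heuristic: RA routes carry a lifetime ("expires") or "proto ra".
        from_ra = "expires" in tok or proto == "ra"
        routes.append((dev, gw, from_ra))
    return routes

def audit(text, expected=EXPECTED_GATEWAY):
    """Flag RA gateways other than `expected` and static/RA duplicates."""
    findings = []
    routes = parse_default_routes(text)
    for dev, gw, from_ra in routes:
        if from_ra and gw != expected:
            findings.append((dev, "unexpected-ra-gateway", str(gw)))
    for dev in sorted({d for d, _, _ in routes}):
        kinds = {ra for d, _, ra in routes if d == dev}
        if kinds == {True, False}:  # both a static and an RA default route
            findings.append((dev, "static-and-ra-default", ""))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On a segment that does not follow the 'fe80::' convention, pass that segment's own gateway as `expected`.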


