[c-nsp] Cat6500 ipv6 nd raguard feature

Daniel Verlouw daniel at bit.nl
Fri Nov 19 03:39:00 EST 2010


(apologies for duplicates, thought this might be interesting for folks
on both lists):

Hi,

In case anyone is looking into deploying the 'ipv6 nd raguard' feature
introduced in SXI4 on Cat6.5k: I suggest you don't (for now, at least).
We found an issue with it causing it to intermittently drop neighbor
solicits from the access port, resulting in a complete IPv6 'meltdown'
for the attached host (*sigh*).

Bug ID: CSCtk05146 - IPv6 Solicit dropped by RAguard

Verified by issuing:
sh tcam interface <interface> acl in ipv6

Cisco suggests disabling it altogether as a workaround; however, we
found that IPv6 PACLs (also introduced in SXI4) do work fine in our
limited testing so far, e.g.:

ipv6 access-list block-rogue-ipv6
 remark Block DHCPv6 server messages
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any

int <interface>
 ipv6 traffic-filter block-rogue-ipv6 in
Cheers,
   Daniel.
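To make the behaviour of the PACL workaround concrete, here is an added example (not Daniel's code and not Cisco's) that parses the three access-list entry forms used in the post and evaluates constructed packets against them with first-match semantics. It is meant to let a reader check, before deploying, that a filter like this drops rogue Router Advertisements and DHCPv6 server messages arriving from the access port while still permitting the Neighbor Solicitations that the RA-guard bug was dropping. The packet model, the sample packets and the parser are assumptions made for this illustration; the implicit trailing entries modelled in `evaluate()` follow IOS's documented IPv6 ACL behaviour (implicit permits for ND NA/NS, then an implicit deny).

```python
"""First-match evaluator for a small subset of IOS IPv6 access-list syntax.

Added illustration only: it is not Cisco code and not the poster's.
Supported ACE forms are exactly those in the post:
  deny|permit udp  any [eq N] any [eq N]
  deny|permit icmp any any [<icmpv6-type-name>]
  deny|permit ipv6 any any
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# ICMPv6 type numbers for the names used in IOS ACLs (RFC 4861 NDP messages).
ICMPV6_NAMES = {
    "router-solicitation": 133,
    "router-advertisement": 134,
    "neighbor-solicitation": 135,   # IOS also spells this "nd-ns"
    "neighbor-advertisement": 136,  # IOS also spells this "nd-na"
}


@dataclass
class Packet:
    """Constructed packet summary: only the fields the ACL can test."""
    proto: str                       # "udp", "tcp", "icmp" (ICMPv6)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "icmp" or "ipv6" (any protocol)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACL body; 'remark' and the 'ipv6 access-list' header are skipped."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("remark") or line.startswith("ipv6 access-list"):
            continue
        toks = line.split()
        ace = Ace(action=toks[0], proto=toks[1])
        rest, i = toks[2:], 0
        for side in ("src_port", "dst_port"):         # "any [eq N]" twice
            if i >= len(rest) or rest[i] != "any":
                raise ValueError(f"unsupported ACE (only 'any' addresses): {line}")
            i += 1
            if i < len(rest) and rest[i] == "eq":
                setattr(ace, side, int(rest[i + 1]))
                i += 2
        if i < len(rest):                             # optional ICMPv6 type name
            ace.icmp_type = ICMPV6_NAMES[rest[i]]
        aces.append(ace)
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching ACE, then IOS's implicit entries."""
    implicit = [Ace("permit", "icmp", icmp_type=136),   # permit icmp any any nd-na
                Ace("permit", "icmp", icmp_type=135),   # permit icmp any any nd-ns
                Ace("deny", "ipv6")]                    # deny ipv6 any any
    for ace in aces + implicit:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The access-list from the post, verbatim.
POST_ACL = """ipv6 access-list block-rogue-ipv6
 remark Block DHCPv6 server messages
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
"""


def check_policy(acl_text: str = POST_ACL) -> Dict[str, str]:
    """Evaluate constructed sample packets, as seen inbound on the access port."""
    samples = {
        "rogue_ra": Packet("icmp", icmp_type=134),
        "dhcpv6_server_reply": Packet("udp", src_port=547, dst_port=546),
        "dhcpv6_client_solicit": Packet("udp", src_port=546, dst_port=547),
        "neighbor_solicitation": Packet("icmp", icmp_type=135),
        "router_solicitation": Packet("icmp", icmp_type=133),
        "tcp_web": Packet("tcp", src_port=40000, dst_port=80),
    }
    return {name: evaluate(parse_acl(acl_text), pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:24s} {verdict}")
```

The evaluator is deliberately limited to `any` addresses and the `eq` port operator because that is all the posted filter uses; the point is to show that the explicit `permit ipv6 any any` (and IOS's implicit ND permits behind it) leaves host-originated Neighbor Solicitations and DHCPv6 client traffic untouched, which is the property worth re-verifying on the box with `sh tcam interface <interface> acl in ipv6` after any change to the list.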