[c-nsp] Cat6500 ipv6 nd raguard feature

Andrew Yourtchenko ayourtch at cisco.com
Fri Nov 19 06:08:10 EST 2010


Daniel,

excellent, thanks a lot for the info - I've updated the bug record so the others 
can benefit from this finding.

cheers,
andrew

On Fri, 19 Nov 2010, Daniel Verlouw wrote:

> (apologies for duplicates, thought this might be interesting for folks
> on both lists):
>
> Hi,
>
> In case anyone is looking into deploying the 'ipv6 nd raguard' feature
> introduced in SXI4 on Cat6.5k: I suggest you don't (for now, at least).
> We found an issue with it causing it to intermittently drop neighbor
> solicits from the access port resulting in a complete IPv6 'meltdown'
> for the attached host (*sigh*)
>
> Bug ID: CSCtk05146 - IPv6 Solicit dropped by RAguard
>
> Verified by issuing:
> sh tcam interface <interface> acl in ipv6
>
> Cisco suggests disabling it altogether as a workaround, however, we
> found that IPv6 PACLs (also introduced in SXI4) do work fine in our
> limited testing so far, e.g.:
>
> ipv6 access-list block-rogue-ipv6
> remark Block DHCPv6 server messages
> deny udp any eq 547 any eq 546
> remark Block Router Advertisements
> deny icmp any any router-advertisement
> permit ipv6 any any
>
> int <interface>
> ipv6 traffic-filter block-rogue-ipv6 in
>
>
>
> Cheers,
>   Daniel.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

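The PACL quoted above works because it denies only two specific things (DHCPv6 server-to-client UDP traffic and ICMPv6 Router Advertisements) and explicitly permits everything else, so the Neighbor Solicitations that the RA guard bug was eating still get through. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for that IOS-style ACL syntax, run against constructed IPv6 packets to show which ones the 'block-rogue-ipv6' list permits and which it drops. It is an assumption of the model that only what the quoted ACL uses is handled (any/host addresses, 'eq' ports, ICMPv6 type keywords) plus the trailing implicit deny; any platform-specific implicit entries are deliberately not modelled, and the packet set is constructed for illustration.

```python
"""Evaluate an IOS-style IPv6 access list against constructed packets.

Added example (not from the thread or from Cisco). Models first-match
semantics and the implicit trailing 'deny ipv6 any any' only; address
prefixes and platform-specific implicit entries are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMPv6 type numbers behind the IOS keywords (RFC 4861 / RFC 4443).
ICMPV6_TYPES = {
    "router-solicitation": 133,
    "router-advertisement": 134,
    "nd-ns": 135,
    "nd-na": 136,
    "echo-request": 128,
    "echo-reply": 129,
}


@dataclass
class Packet:
    """Minimal view of one IPv6 packet as the ACL sees it (constructed)."""
    proto: str                      # "udp", "tcp" or "icmp"
    src: str = "::"
    dst: str = "::"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    """One access-control entry (ACE)."""
    action: str                     # "permit" or "deny"
    proto: str                      # "udp", "tcp", "icmp" or "ipv6"
    src: str                        # "any" or a host address
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host <addr>' at tokens[i]; prefixes are not modelled."""
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    if tokens[i] != "any":
        raise ValueError(f"unsupported address form: {tokens[i]}")
    return "any", i + 1


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p] [icmp-type]' lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("remark", "ipv6", "!"):
            continue                # header line, remark, comment or blank
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {raw!r}")
        src, i = _take_addr(tokens, 2)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)
        icmp_type = None
        if proto == "icmp" and i < len(tokens):
            icmp_type = ICMPV6_TYPES[tokens[i]]
        rules.append(Rule(action, proto, src, dst, sport, dport, icmp_type))
    return rules


def _addr_ok(rule_addr: str, pkt_addr: str) -> bool:
    return rule_addr == "any" or rule_addr == pkt_addr


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the ACE specifies agrees with the packet."""
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The PACL from the thread, as an inline string.
BLOCK_ROGUE_IPV6 = """\
ipv6 access-list block-rogue-ipv6
 remark Block DHCPv6 server messages
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
"""

# Constructed packets as seen inbound on an access port.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "neighbor-solicit": Packet("icmp", "fe80::1", "ff02::1:ff00:2", icmp_type=135),
    "neighbor-advert": Packet("icmp", "fe80::2", "fe80::1", icmp_type=136),
    "router-solicit": Packet("icmp", "fe80::1", "ff02::2", icmp_type=133),
    "rogue-ra": Packet("icmp", "fe80::bad", "ff02::1", icmp_type=134),
    "dhcpv6-solicit": Packet("udp", "fe80::1", "ff02::1:2", sport=546, dport=547),
    "rogue-dhcpv6-advertise": Packet("udp", "fe80::bad", "fe80::1", sport=547, dport=546),
    "https": Packet("tcp", "2001:db8::1", "2001:db8::2", sport=51000, dport=443),
}


def classify(acl_text: str = BLOCK_ROGUE_IPV6,
             packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Return the verdict ('permit'/'deny') for each named sample packet."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{verdict:6} {name}")
```

The direction of the DHCPv6 entry matters: a client Solicit (546 to 547) still passes, only server-side messages (547 to 546) are dropped, and the ND types 133, 135 and 136 never touch the two deny entries, which is exactly what the RA guard implementation in the thread failed to guarantee.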
