[c-nsp] 6500 CoPP + IPv6 fragments

Bernhard Schmidt berni at birkenwald.de
Wed Jun 29 17:22:36 EDT 2011


Grzegorz Janoszka <Grzegorz at Janoszka.pl> wrote:

Hi,

> On 29-06-11 23:08, Bernhard Schmidt wrote:
>> FWIW, "platform ipv6 acl fragment hardware forward" fixed the drop for
>> me as well. But I still cannot see why it dropped before, since CoPP was
>> not dropping a single packet according to "show policy-map
>> control-plane".
> According to Wikipedia there can be no fragmented packets on IPv6. So
> what is the whole issue about? What can be the source of v6 fragments?
> Can they be safely dropped?

You either misunderstood the Wikipedia article or it is wrong (haven't
checked).

There is no in-transit fragmentation in routers in IPv6. Which basically
means the DF-bit is implicitly set and path-mtu-discovery is mandatory.
If the packet is too big, the router will return an ICMP error message
and the sending host may fragment the packet. If your network drops it,
you might get into trouble. For example, see my case about DNSSEC: DNS
answers regularly get > 1500 bytes with DNSSEC.

The difference here is that in IPv4 the load issue is actually fragmenting
the packet; in IPv6 there is apparently some shortcoming in PFC3B and
ACL checking on already fragmented packets.

Bernhard
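Worked illustration of the mechanism described above, added here as an example and not code from the thread or from Cisco: the sending host splits an oversized datagram into fragments carrying the IPv6 Fragment extension header, and a receiver (or an ACL engine) has to walk the extension-header chain to find that header, since the upper-layer header is only present in the first fragment. The addresses, identification value and the 1800-byte payload are constructed for the example.

```python
import struct

IPV6_HDR_LEN, NH_FRAGMENT = 40, 44
EXT_HEADERS = {0, 43, 44, 60}  # hop-by-hop, routing, fragment, destination options (RFC 2460)

# Constructed sample: 2001:db8::1 -> 2001:db8::2 carrying an 1800-byte UDP (next header 17)
# payload, e.g. a DNSSEC answer, which does not fit the 1280-byte IPv6 minimum MTU.
SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")
DST = bytes.fromhex("20010db8" + "0" * 23 + "2")
SAMPLE = bytes(range(256)) * 7 + b"\x00" * 8  # 1800 bytes

def fragment_ipv6(src, dst, next_header, payload, mtu, ident, hop_limit=64):
    """Split payload into IPv6 fragments the way the sending host does after an
    ICMPv6 Packet Too Big (routers never fragment). Returns complete packets."""
    # All fragments but the last carry a multiple of 8 octets: the offset field counts 8-octet units.
    max_chunk = (mtu - IPV6_HDR_LEN - 8) // 8 * 8
    assert max_chunk > 0, "MTU too small for an IPv6 fragment"
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_chunk]
        more = 1 if off + len(chunk) < len(payload) else 0
        # Fragment header: next header, reserved, offset(13)|res(2)|M(1), identification
        frag_hdr = struct.pack("!BBHI", next_header, 0, ((off // 8) << 3) | more, ident)
        ip6 = struct.pack("!IHBB", 0x60000000, 8 + len(chunk), NH_FRAGMENT, hop_limit)
        frags.append(ip6 + src + dst + frag_hdr + chunk)
        off += len(chunk)
    return frags

def find_fragment_header(packet):
    """Walk the extension-header chain and describe the Fragment header, or return
    None if the packet is not fragmented. A port-matching ACL has to do this walk:
    the upper-layer header is only present in the first fragment."""
    nh, pos = packet[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if nh == NH_FRAGMENT:
            upper, _, off_flags, ident = struct.unpack_from("!BBHI", packet, pos)
            return {"offset": (off_flags >> 3) * 8, "more": off_flags & 1,
                    "id": ident, "upper_nh": upper, "data_start": pos + 8}
        nh, ext_len = packet[pos], packet[pos + 1]  # other ext headers: next hdr, len in 8-octet units
        pos += (ext_len + 1) * 8
    return None

def reassemble(frags):
    """Reassemble the fragments of one datagram, given in any order."""
    parts = sorted(((find_fragment_header(p), p) for p in frags), key=lambda t: t[0]["offset"])
    out = b""
    for hdr, pkt in parts:
        if hdr["offset"] != len(out):
            raise ValueError("missing or overlapping fragment")
        out += pkt[hdr["data_start"]:]
    if parts[-1][0]["more"]:
        raise ValueError("last fragment missing")
    return out
```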


