[c-nsp] 6rd on ASR1k
Ruslan Pustovoytov
rus-p at inbox.ru
Tue Nov 1 09:08:29 EDT 2011
Also I move traffic from subinterface .531 to the routed port gi0/0/2
Assuming that tuuneling may not working via subinterface.
Now, trafic in both directions going through the gi0/0/2
In asr1k outbound trafic not visible in access-list matches, so I create
access list for this traffic in opposite side (4948)
Extended IP access list 100
10 permit 41 any any
20 permit ip any any (2825 matches)
cod-gw01#show ip access-lists 114
Extended IP access list 114
10 permit 41 host 178.140.5.250 any (97 matches)
20 permit ip any any (1772 matches)
I see packets matched access-list 114, but I dont see any match for
protocol 41 in access-list 100 for out direction.
The relevant configuration now looks like this
interface Loopback10
description 6rd_relay
ip address 192.88.98.127 255.255.255.255
interface Tunnel0
no ip address
no ip redirects
ipv6 address 2XXX:YYYY:206::1/128 anycast
ipv6 address 2XXX:YYYY:206::2/128
ipv6 virtual-reassembly in
tunnel source Loopback10
tunnel mode ipv6ip 6rd
tunnel 6rd ipv4 prefix-len 16
tunnel 6rd prefix 2XXX:YYYY:206::/48
!
interface GigabitEthernet0/0/2
description to_nag-sw2,gi1/25,test-6rd
ip address AA.BB.5.246 255.255.255.252
ip access-group 114 in
negotiation auto
ip route AA.BB.5.248 255.255.255.248 AA.BB.5.245
ipv6 route 2XXX:YYYY:206::/48 Tunnel0
cod-gw01#show ip access-lists 114
Extended IP access list 114
10 permit 41 host 178.140.5.250 any (97 matches)
20 permit ip any any (1766 matches)
cod-gw01#
cod-gw01#
cod-gw01#
cod-gw01#show ip access-lists 115
Extended IP access list 115
10 permit 41 any host 178.140.5.250
20 permit ip any any
cod-gw01#
> No, I cannot.
> But I verify that IPv4 packet with protocol 41 in payload successfully
> reach ASR1k.
> I create access-list 114 for this and attach it to interface on ASR1k
> where packets come from the network.
>
> interface Loopback10
> description 6RD
> ip address 192.88.98.127 255.255.255.255
> !
> interface Tunnel0
> no ip address
> no ip redirects
> ipv6 address 2XXX:YYYY:206::1/128 anycast
> tunnel source Loopback10
> tunnel mode ipv6ip 6rd
> tunnel 6rd ipv4 prefix-len 16
> tunnel 6rd prefix 2XXX:YYYY:206::/48
> !
> interface GigabitEthernet0/0/1.531
> encapsulation dot1Q 531
> ip address XX.YY.255.210 255.255.255.252
> ip access-group 114 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip virtual-reassembly
>
> ipv6 route 2XXX:YYYY:206::/48 Tunnel0
>
>
>
> cod-gw01#show ip access-lists 114
> Extended IP access list 114
> 10 permit 41 host AA.BB.140.250 any (4 matches)
> 20 permit ip any any (32 matches)
>
>
>
> I ping IPv6 anycast address 2XXX:YYYY:206::1 from 6rd client and got 4
> matches (default ping packet count), please see output above.
>
> Debug ipv6 icmp show only node advetisment and node solicitation not
> for my host.
>
>
>
>
> Harold Ritter пишет:
>> Can you at least ping the BR IPv6 Anycast address (2XXX:YYYY:206::/128)?
>>
>> Regards
>>
>>
>> Le 11-10-31 09:19, « Ruslan Pustovoytov » <rus-p at inbox.ru> a écrit :
>>
>>
>>> I change 6rd relay IPv4 address 192.88.99.127 to 192.88.98.127 in BR
>>> config (loopback10) and windiws 6to4 relay.
>>> The picture is the same, ICMPv6 packet successfully going through the
>>> network and egressing from the last iface directly connected to ASR.
>>> But
>>> I don't see this packets in debug output.
>>>
>>>
>>>
>>> Harold Ritter (hritter) пишет:
>>>
>>>> Could you try using a prefix other than 192.88.99.0/24 and see if it
>>>> makes a diffrence.
>>>>
>>>> Envoyé de mon iPhone
>>>>
>>>> Le 2011-10-31 à 02:15, "Ruslan Pustovoytov" <rus-p at inbox.ru> a écrit :
>>>>
>>>>
>>>>> 1. Ok.
>>>>> 2. Exactly.
>>>>>
>>>>>
>>>>>
>>>>> Harold Ritter пишет:
>>>>>
>>>>>> Hi Ruslan,
>>>>>>
>>>>>> Two things:
>>>>>>
>>>>>>
>>>>>> 1. It would be safer not to use the 192.88.99/24 prefix for this
>>>>>> purpose, as this prefix has been reserved for the 6to4 relay
>>>>>> anycast address (RFC3068).
>>>>>> 2. According to the information below, the BR will try to forward
>>>>>> the return traffic to 192.88.5.250 (prefix 192.88 + suffix =
>>>>>> 0x5fa = 5.250). Is this the address assigned to the Windows7
>>>>>> Ethernet interface?
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Ruslan Pustovoytov <rus-p at inbox.ru <mailto:rus-p at inbox.ru>>*
>>>>>> Envoyé par : cisco-nsp-bounces at puck.nether.net
>>>>>> <mailto:cisco-nsp-bounces at puck.nether.net>
>>>>>>
>>>>>> 27/10/2011 09:42 AM
>>>>>>
>>>>>> A
>>>>>> Harold Ritter <hritter at cisco.com <mailto:hritter at cisco.com>>
>>>>>> cc
>>>>>> cisco-nsp at puck.nether.net <mailto:cisco-nsp at puck.nether.net>
>>>>>> Objet
>>>>>> Re: [c-nsp] 6rd on ASR1k
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Excuse me for a long delay.
>>>>>>
>>>>>> I check all of my configuration on client and BR.
>>>>>> In my lab I have no native 6RD client so I use Windows machine with
>>>>>> some
>>>>>> hack.
>>>>>>
>>>>>> My client is Windows7 and I use it's 6to4 adapter to emulate 6RD
>>>>>> functionality.
>>>>>> When I assign "real" IPv4 address to Local Area network adapter,
>>>>>> 6to4
>>>>>> adapter became functional.
>>>>>> Then delete automatic 6to4 IPv6 address (2002:....) and add new IPv6
>>>>>> address accordingly to 6RD rules.
>>>>>> Also change default 6to4 relay to my 6RD relay IPv4 address
>>>>>> (192.88.99.127)
>>>>>>
>>>>>> Tunnel 6TO4 Adapter:
>>>>>>
>>>>>> IPv6-address. . . . . . . . . . . . : 2XXX:YYYY:206:5fa::abca
>>>>>> Default gateway. . . . . . . . . : 2002:c058:637f::1
>>>>>>
>>>>>> My prefix-length for 6RD config in BR is 16 bit.
>>>>>> So, only left two octets of IPv4 address coded into 6RD IPv6
>>>>>> address.
>>>>>>
>>>>>> I add default route for IPv6 family via command:
>>>>>> netsh interface ipv6>add route ::/0 6to4 2002:0c58:637f::1
>>>>>> Route table looks like this:
>>>>>>
>>>>>> IPv6 таблица маршрута
>>>>>>
>>>>>> =======================================================================
>>>>>>
>>>>>> ====
>>>>>> Ðктивные маршруты:
>>>>>> Метрика Сетевой Ð°Ð´Ñ€ÐµÑ Ð¨Ð»ÑŽÐ·
>>>>>> 13 281 ::/0 2002:c058:637f::1
>>>>>> 1 306 ::1/128 On-link
>>>>>> 12 58 2001::/32 On-link
>>>>>> 12 306 2001:0:5ef5:79fd:8f5:2c30:4d73:fa05/128
>>>>>> On-link
>>>>>> 13 1025 2002::/16 On-link
>>>>>> 13 281 2a02:2168:206:5fa::/64 On-link
>>>>>> 13 281 2a02:2168:206:5fa::abca/128
>>>>>> On-link
>>>>>> 12 306 fe80::/64 On-link
>>>>>> 12 306 fe80::8f5:2c30:4d73:fa05/128
>>>>>> On-link
>>>>>> 1 306 ff00::/8 On-link
>>>>>> 12 306 ff00::/8 On-link
>>>>>>
>>>>>> =======================================================================
>>>>>>
>>>>>> ====
>>>>>> ПоÑтоÑнные маршруты:
>>>>>> Метрика Сетевой Ð°Ð´Ñ€ÐµÑ Ð¨Ð»ÑŽÐ·
>>>>>> 0 4294967295 ::/0 2002:c058:637f::1
>>>>>>
>>>>>> =======================================================================
>>>>>>
>>>>>> ====
>>>>>>
>>>>>> Then I ping 2XXX:YYYY:200:800::2 address.
>>>>>> When I did command "deb ipv6 icmp" on ASR I see some ICMP but its
>>>>>> did
>>>>>> not relevant for me.
>>>>>> Wireshark on Windows 6RD client show me that all ICMP packet envelop
>>>>>> with right IPv4 header and successfully leaving the host.
>>>>>> Also last interface in my network directly attached to ASR show
>>>>>> increments on egress direction in packet filter with protocol 41 in
>>>>>> payload as mask value when I pinging.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Harold Ritter пишет:
>>>>>>
>>>>>>> Ruslan,
>>>>>>>
>>>>>>> Just to make sure, do you have a default route on the 6rd client
>>>>>>> pointing
>>>>>>> at the 6rd BR? Since you are pinging the ASR1k itself, could you
>>>>>>> please
>>>>>>> run a "deb ipv6 icmp" on the ASR to see if the ICMP packets are
>>>>>>> received.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Le 11-10-14 01:57, « Ruslan Pustovoitov » <rus-p at mostelekom.net
>>>>>>> <mailto:rus-p at mostelekom.net>> a écrit :
>>>>>>>
>>>>>>> >> Hi Harold !
>>>>>>>
>>>>>>>> This is my config relevant to 6rd.
>>>>>>>> Also, I don't know how to debug packets with protocol 41 in IP
>>>>>>>> payload
>>>>>>>> in ASR.
>>>>>>>> Debug in form "debug ip packet #access-list" do not working for
>>>>>>>> non
>>>>>>>> software routers.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> interface Loopback10
>>>>>>>> description 6RD_Relay
>>>>>>>> ip address 192.88.99.127 255.255.255.255
>>>>>>>> !
>>>>>>>> interface Tunnel0
>>>>>>>> no ip address
>>>>>>>> no ip redirects
>>>>>>>> ipv6 address 2XXX:YYYY:206::/128 anycast
>>>>>>>> tunnel source Loopback10
>>>>>>>> tunnel mode ipv6ip 6rd
>>>>>>>> tunnel 6rd ipv4 prefix-len 16
>>>>>>>> tunnel 6rd prefix 2XXX:YYYY:206::/48
>>>>>>>> !
>>>>>>>> ! Incoming interface for IPv6 encapsulated in IPv4 packets
>>>>>>>> interface GigabitEthernet0/0/1.531
>>>>>>>> encapsulation dot1Q 531
>>>>>>>> ip address ZZZ.ZZZ.255.210 255.255.255.252
>>>>>>>> no ip redirects
>>>>>>>> no ip unreachables
>>>>>>>> no ip proxy-arp
>>>>>>>> !
>>>>>>>> interface GigabitEthernet0/0/0.550
>>>>>>>> encapsulation dot1Q 550
>>>>>>>> ipv6 address 2XXX:YYYY:200:800::2/126
>>>>>>>> ipv6 nd ra suppress
>>>>>>>> !
>>>>>>>> ipv6 route 2XXX:YYYY:206::/48 Tunnel0
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I try to ping 2XXX:YYYY:200:800::2
>>>>>>>> This is the local IPv6 address for ASR.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Harold Ritter пишет:
>>>>>>>> >>> Ruslan,
>>>>>>>>
>>>>>>>>> Can you provide the BR config and the address you are trying to
>>>>>>>>> ping.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Le 11-10-07 04:40, « Ruslan Pustovoitov » <rus-p at mostelekom.net
>>>>>>>>> <mailto:rus-p at mostelekom.net>> a
>>>>>>>>> écrit :
>>>>>>>>>
>>>>>>>>> >>> >>>> Hi all
>>>>>>>>>
>>>>>>>>>> I try to setup 6rd on asr1k accordingly to
>>>>>>>>>> http://docwiki.cisco.com/wiki/6rd_Configuration_Example
>>>>>>>>>> Then I ping6 IPv6 host from client and see that IPv6 packet
>>>>>>>>>> envelops in
>>>>>>>>>> IPv4 with right IPv4 destination (6rd relay IPv4 address).
>>>>>>>>>> This IPv4 packet seccessfully reach asr1k and nothing else.
>>>>>>>>>> Packets
>>>>>>>>>> silently disappear.
>>>>>>>>>>
>>>>>>>>>> The output of "show tunnel 6rd tunnel 0Interface Tunnel0" dont
>>>>>>>>>> show
>>>>>>>>>> any
>>>>>>>>>> counters info:
>>>>>>>>>> Tunnel Source: 192.88.99.127
>>>>>>>>>> 6RD: Operational, V6 Prefix: 2YYY:ZZZZ:206::/48
>>>>>>>>>> V4 Prefix, Length: 16, Value: 192.88.0.0
>>>>>>>>>> V4 Suffix, Length: 0, Value: 0.0.0.0
>>>>>>>>>> General Prefix: 2YYY:ZZZZ:206:637F::/64
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Also, I don't see any IPv6 packet going from asr1k to IPv6
>>>>>>>>>> directly
>>>>>>>>>> connected host where I run tcpdump.
>>>>>>>>>> Client seccessfully pinging 6rd relay 192.88.99.127
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>>>>> <mailto:cisco-nsp at puck.nether.net>
>>>>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>>>>> >>>> >>>
>>>>>>>>>>
>>>>>>>>> >>> >
>>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>> <mailto:cisco-nsp at puck.nether.net>
>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>>
>>>>>> _______________________________________________
>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>> <mailto:cisco-nsp at puck.nether.net>
>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>
>>>>>>
>>
>>
>>
>>
>>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list