[c-nsp] 6rd on ASR1k

Ruslan Pustovoytov rus-p at inbox.ru
Tue Nov 1 09:08:29 EDT 2011


Also, I moved traffic from subinterface .531 to the routed port gi0/0/2,
assuming that tunneling may not work via a subinterface.
Now traffic in both directions goes through gi0/0/2.
On the asr1k, outbound traffic is not visible in access-list matches, so I created
an access list for this traffic on the opposite side (4948).

Extended IP access list 100
    10 permit 41 any any
    20 permit ip any any (2825 matches)

cod-gw01#show ip access-lists 114
Extended IP access list 114
    10 permit 41 host 178.140.5.250 any (97 matches)
    20 permit ip any any (1772 matches)

I see packets matching access-list 114, but I don't see any match for
protocol 41 in access-list 100 for the out direction.
The relevant configuration now looks like this:

interface Loopback10
 description 6rd_relay
 ip address 192.88.98.127 255.255.255.255

interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2XXX:YYYY:206::1/128 anycast
 ipv6 address 2XXX:YYYY:206::2/128
 ipv6 virtual-reassembly in
 tunnel source Loopback10
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 16
 tunnel 6rd prefix 2XXX:YYYY:206::/48
!        

interface GigabitEthernet0/0/2
 description to_nag-sw2,gi1/25,test-6rd
 ip address AA.BB.5.246 255.255.255.252
 ip access-group 114 in
 negotiation auto

ip route AA.BB.5.248 255.255.255.248 AA.BB.5.245

ipv6 route 2XXX:YYYY:206::/48 Tunnel0




cod-gw01#show ip access-lists 114
Extended IP access list 114
    10 permit 41 host 178.140.5.250 any (97 matches)
    20 permit ip any any (1766 matches)
cod-gw01#
cod-gw01#
cod-gw01#
cod-gw01#show ip access-lists 115
Extended IP access list 115
    10 permit 41 any host 178.140.5.250
    20 permit ip any any
cod-gw01#









> No, I cannot.
> But I verified that the IPv4 packet with protocol 41 in its payload successfully
> reaches the ASR1k.
> I created access-list 114 for this and attached it to the interface on the ASR1k
> where packets come in from the network.
>
> interface Loopback10
> description 6RD
> ip address 192.88.98.127 255.255.255.255
> !
> interface Tunnel0
> no ip address
> no ip redirects
> ipv6 address 2XXX:YYYY:206::1/128 anycast
> tunnel source Loopback10
> tunnel mode ipv6ip 6rd
> tunnel 6rd ipv4 prefix-len 16
> tunnel 6rd prefix 2XXX:YYYY:206::/48
> !
> interface GigabitEthernet0/0/1.531
> encapsulation dot1Q 531
> ip address XX.YY.255.210 255.255.255.252
> ip access-group 114 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip virtual-reassembly
>
> ipv6 route 2XXX:YYYY:206::/48 Tunnel0
>
>
>
> cod-gw01#show ip access-lists 114
> Extended IP access list 114
>    10 permit 41 host AA.BB.140.250 any (4 matches)
>    20 permit ip any any (32 matches)
>
>
>
> I pinged the IPv6 anycast address 2XXX:YYYY:206::1 from the 6rd client and got 4
> matches (default ping packet count); please see the output above.
>
> Debug ipv6 icmp shows only node advertisement and node solicitation, not
> for my host.
>
>
>
>
> Harold Ritter wrote:
>> Can you at least ping the BR IPv6 Anycast address (2XXX:YYYY:206::/128)?
>>
>> Regards
>>
>>
>> On 11-10-31 09:19, "Ruslan Pustovoytov" <rus-p at inbox.ru> wrote:
>>
>>  
>>> I changed the 6rd relay IPv4 address 192.88.99.127 to 192.88.98.127 in the BR
>>> config (loopback10) and the Windows 6to4 relay.
>>> The picture is the same: the ICMPv6 packets successfully go through the
>>> network and egress from the last iface directly connected to the ASR.
>>> But I don't see these packets in the debug output.
>>>
>>>
>>>
>>> Harold Ritter (hritter) wrote:
>>>    
>>>> Could you try using a prefix other than 192.88.99.0/24 and see if it
>>>> makes a difference.
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On 2011-10-31 at 02:15, "Ruslan Pustovoytov" <rus-p at inbox.ru> wrote:
>>>>
>>>>        
>>>>> 1. Ok.
>>>>> 2. Exactly.
>>>>>
>>>>>
>>>>>
>>>>> Harold Ritter wrote:
>>>>>            
>>>>>> Hi Ruslan,
>>>>>>
>>>>>> Two things:
>>>>>>
>>>>>>
>>>>>>   1. It would be safer not to use the 192.88.99/24 prefix for this
>>>>>>      purpose, as this prefix has been reserved for the 6to4 relay
>>>>>>      anycast address (RFC3068).
>>>>>>   2. According to the information below, the BR will try to forward
>>>>>>      the return traffic to 192.88.5.250 (prefix 192.88 + suffix =
>>>>>>      0x5fa = 5.250). Is this the address assigned to the Windows7
>>>>>>      Ethernet interface?
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Ruslan Pustovoytov <rus-p at inbox.ru>*
>>>>>> Sent by: cisco-nsp-bounces at puck.nether.net
>>>>>>
>>>>>> 27/10/2011 09:42 AM
>>>>>>
>>>>>> To
>>>>>>    Harold Ritter <hritter at cisco.com>
>>>>>> cc
>>>>>>    cisco-nsp at puck.nether.net
>>>>>> Subject
>>>>>>    Re: [c-nsp] 6rd on ASR1k
>>>>>>
>>>>>> Excuse me for the long delay.
>>>>>>
>>>>>> I checked all of my configuration on the client and the BR.
>>>>>> In my lab I have no native 6RD client, so I use a Windows machine with
>>>>>> some hack.
>>>>>>
>>>>>> My client is Windows7 and I use its 6to4 adapter to emulate 6RD
>>>>>> functionality.
>>>>>> When I assign a "real" IPv4 address to the Local Area network adapter,
>>>>>> the 6to4 adapter becomes functional.
>>>>>> Then I delete the automatic 6to4 IPv6 address (2002:....) and add a new IPv6
>>>>>> address according to the 6RD rules.
>>>>>> I also change the default 6to4 relay to my 6RD relay IPv4 address
>>>>>> (192.88.99.127)
>>>>>>
>>>>>> Tunnel 6TO4 Adapter:
>>>>>>
>>>>>>  IPv6-address. . . . . . . . . . . . : 2XXX:YYYY:206:5fa::abca
>>>>>>  Default gateway. . . . . . . . . : 2002:c058:637f::1
>>>>>>
>>>>>> My prefix-length for 6RD config in BR is 16 bits.
>>>>>> So, only left two octets of IPv4 address coded into 6RD IPv6 address.
>>>>>>
>>>>>> I add a default route for the IPv6 family via the command:
>>>>>> netsh interface ipv6>add route ::/0 6to4 2002:0c58:637f::1
>>>>>> Route table looks like this:
>>>>>>
>>>>>> IPv6 таблица маршрута
>>>>>>
>>>>>> ===========================================================================
>>>>>> Активные маршруты:
>>>>>> Метрика   Сетевой адрес            Шлюз
>>>>>> 13    281 ::/0                     2002:c058:637f::1
>>>>>> 1    306 ::1/128                 On-link
>>>>>> 12     58 2001::/32                On-link
>>>>>> 12    306 2001:0:5ef5:79fd:8f5:2c30:4d73:fa05/128
>>>>>>                                   On-link
>>>>>> 13   1025 2002::/16                On-link
>>>>>> 13    281 2a02:2168:206:5fa::/64   On-link
>>>>>> 13    281 2a02:2168:206:5fa::abca/128
>>>>>>                                   On-link
>>>>>> 12    306 fe80::/64                On-link
>>>>>> 12    306 fe80::8f5:2c30:4d73:fa05/128
>>>>>>                                   On-link
>>>>>> 1    306 ff00::/8                 On-link
>>>>>> 12    306 ff00::/8                 On-link
>>>>>>
>>>>>> ===========================================================================
>>>>>> Постоянные маршруты:
>>>>>> Метрика   Сетевой адрес            Шлюз
>>>>>> 0 4294967295 ::/0                     2002:c058:637f::1
>>>>>>
>>>>>> ===========================================================================
>>>>>>
>>>>>> Then I ping the 2XXX:YYYY:200:800::2 address.
>>>>>> When I ran the command "deb ipv6 icmp" on the ASR, I saw some ICMP, but it
>>>>>> was not relevant to me.
>>>>>> Wireshark on the Windows 6RD client shows me that all ICMP packets are enveloped
>>>>>> with the right IPv4 header and successfully leave the host.
>>>>>> Also, the last interface in my network directly attached to the ASR shows
>>>>>> increments in the egress direction in a packet filter with protocol 41 in
>>>>>> payload as mask value when I am pinging.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Harold Ritter wrote:
>>>>>>
>>>>>>> Ruslan,
>>>>>>>
>>>>>>> Just to make sure, do you have a default route on the 6rd client
>>>>>>> pointing at the 6rd BR? Since you are pinging the ASR1k itself, could you
>>>>>>> please run a "deb ipv6 icmp" on the ASR to see if the ICMP packets are
>>>>>>> received.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 11-10-14 01:57, "Ruslan Pustovoitov" <rus-p at mostelekom.net> wrote:
>>>>>>>
>>>>>>>> Hi Harold!
>>>>>>>>
>>>>>>>> This is my config relevant to 6rd.
>>>>>>>> Also, I don't know how to debug packets with protocol 41 in the IP
>>>>>>>> payload on the ASR.
>>>>>>>> Debug in the form "debug ip packet #access-list" does not work for
>>>>>>>> non-software routers.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> interface Loopback10
>>>>>>>> description 6RD_Relay
>>>>>>>> ip address 192.88.99.127 255.255.255.255
>>>>>>>> !
>>>>>>>> interface Tunnel0
>>>>>>>> no ip address
>>>>>>>> no ip redirects
>>>>>>>> ipv6 address 2XXX:YYYY:206::/128 anycast
>>>>>>>> tunnel source Loopback10
>>>>>>>> tunnel mode ipv6ip 6rd
>>>>>>>> tunnel 6rd ipv4 prefix-len 16
>>>>>>>> tunnel 6rd prefix 2XXX:YYYY:206::/48
>>>>>>>> !
>>>>>>>> ! Incoming interface for IPv6 encapsulated in IPv4 packets
>>>>>>>> interface GigabitEthernet0/0/1.531
>>>>>>>> encapsulation dot1Q 531
>>>>>>>> ip address ZZZ.ZZZ.255.210 255.255.255.252
>>>>>>>> no ip redirects
>>>>>>>> no ip unreachables
>>>>>>>> no ip proxy-arp
>>>>>>>> !
>>>>>>>> interface GigabitEthernet0/0/0.550
>>>>>>>> encapsulation dot1Q 550
>>>>>>>> ipv6 address 2XXX:YYYY:200:800::2/126
>>>>>>>> ipv6 nd ra suppress
>>>>>>>> !
>>>>>>>> ipv6 route 2XXX:YYYY:206::/48 Tunnel0
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I try to ping 2XXX:YYYY:200:800::2
>>>>>>>> This is the local IPv6 address for ASR.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Harold Ritter wrote:
>>>>>>>>
>>>>>>>>> Ruslan,
>>>>>>>>>
>>>>>>>>> Can you provide the BR config and the address you are trying to
>>>>>>>>> ping.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 11-10-07 04:40, "Ruslan Pustovoitov" <rus-p at mostelekom.net> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all
>>>>>>>>>>
>>>>>>>>>> I am trying to set up 6rd on an asr1k according to
>>>>>>>>>> http://docwiki.cisco.com/wiki/6rd_Configuration_Example
>>>>>>>>>> Then I ping6 an IPv6 host from the client and see that the IPv6 packet
>>>>>>>>>> is enveloped in IPv4 with the right IPv4 destination (6rd relay IPv4 address).
>>>>>>>>>> This IPv4 packet successfully reaches the asr1k and nothing else.
>>>>>>>>>> Packets silently disappear.
>>>>>>>>>>
>>>>>>>>>> The output of "show tunnel 6rd tunnel 0" doesn't show any
>>>>>>>>>> counters info:
>>>>>>>>>> Interface Tunnel0
>>>>>>>>>>  Tunnel Source: 192.88.99.127
>>>>>>>>>>  6RD: Operational, V6 Prefix: 2YYY:ZZZZ:206::/48
>>>>>>>>>>       V4 Prefix, Length: 16, Value: 192.88.0.0
>>>>>>>>>>       V4 Suffix, Length: 0, Value: 0.0.0.0
>>>>>>>>>>  General Prefix: 2YYY:ZZZZ:206:637F::/64
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Also, I don't see any IPv6 packets going from the asr1k to the directly
>>>>>>>>>> connected IPv6 host where I run tcpdump.
>>>>>>>>>> The client successfully pings the 6rd relay 192.88.99.127
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>>>>>>> <mailto:cisco-nsp at puck.nether.net>
>>>>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
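
The 6rd address mapping discussed in the quoted thread (the BR rebuilding the return endpoint as 192.88 + 0x5fa = 192.88.5.250), worked through as an added example that is not part of the original messages. It assumes the documentation prefix 2001:db8:206::/48 in place of the redacted 2XXX:YYYY:206::/48 and takes 178.140.5.250 (the host in access-list 114) as the client address; the function names are illustrative, and the last function applies the RFC 5969 receive rule that the outer IPv4 source must match the address embedded in the inner IPv6 source.

```python
import ipaddress

# Constructed inputs: 2001:db8:206::/48 stands in for the redacted 6rd prefix;
# 178.140.5.250 is assumed to be the client (the host in access-list 114).
SIXRD_PREFIX = "2001:db8:206::/48"
V4_PREFIX_LEN = 16                      # "tunnel 6rd ipv4 prefix-len 16"
TUNNEL_SOURCE = "192.88.98.127"         # Loopback10 on the BR
CLIENT_V4 = "178.140.5.250"


def delegated_prefix(sixrd_prefix, v4_prefix_len, ce_ipv4):
    """6rd delegated prefix a CE derives from its own IPv4 address."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    suffix_bits = 32 - v4_prefix_len    # IPv4 bits carried inside the IPv6 prefix
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << suffix_bits) - 1)
    new_len = net.prefixlen + suffix_bits
    value = int(net.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((value, new_len))


def embedded_ipv4(sixrd_prefix, v4_prefix_len, tunnel_source, ipv6_addr):
    """IPv4 tunnel endpoint the BR rebuilds from a 6rd IPv6 address."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        raise ValueError(f"{addr} is outside the 6rd prefix {net}")
    suffix_bits = 32 - v4_prefix_len
    shift = 128 - net.prefixlen - suffix_bits
    suffix = (int(addr) >> shift) & ((1 << suffix_bits) - 1)
    # The elided high bits are taken from the BR's own tunnel source.
    common = (int(ipaddress.IPv4Address(tunnel_source)) >> suffix_bits) << suffix_bits
    return ipaddress.IPv4Address(common | suffix)


def source_check(outer_ipv4_src, inner_ipv6_src):
    """RFC 5969 receive check: outer source must equal the embedded address."""
    rebuilt = embedded_ipv4(SIXRD_PREFIX, V4_PREFIX_LEN, TUNNEL_SOURCE, inner_ipv6_src)
    return ipaddress.IPv4Address(outer_ipv4_src) == rebuilt


if __name__ == "__main__":
    prefix = delegated_prefix(SIXRD_PREFIX, V4_PREFIX_LEN, CLIENT_V4)
    client_v6 = str(prefix.network_address + 0xABCA)
    print("client prefix :", prefix)
    print("BR sends to   :", embedded_ipv4(SIXRD_PREFIX, V4_PREFIX_LEN, TUNNEL_SOURCE, client_v6))
    print("source check  :", source_check(CLIENT_V4, client_v6))
```

With a 16-bit IPv4 prefix length, the rebuilt address equals the client's real address only when the client sits inside the same /16 as the BR tunnel source (192.88.0.0/16 with these values).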


