[c-nsp] IPv6 CoPP
Nick Hilliard
nick at foobar.org
Sat Dec 29 16:26:57 EST 2012

On 29/12/2012 14:15, Randy wrote:
> Any caveats in ipv6? (The routers use sup7203bxl supervisors).

oh man, sup720 + ipv6. what a world of pain.

You could start out here:

http://www.cesnet.cz/doc/techzpravy/2010/ipv6-copp/

Just be aware that some of their configurations don't actually work because
(as ++ytti has previously noted on this mailing list) they haven't taken
sup720 ipv6 acl address compression into account:

http://goo.gl/TTzkw

i.e. you can have either layer 4 port information in your acl and choose to
lose bits 24-39 in the ipv6 address, or else you can have all ipv6 bits,
but no ports specified.

Beware also:

- ipv6 multicast (pain++ on sup720)
- ipv6 fragments (not supported in sup720 acls)
- ipv6 urpf

All things considered, it's not really a good idea to run ipv6 on a
production pfc3 based box (e.g. sup720 / rsp720). It opens up too many DoS
/ performance vectors.

Nick
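
Added example, not part of the original post and not Cisco tooling: a small Python audit that flags IPv6 ACL entries needing both layer 4 ports and address bits 24-39, the combination the post says a sup720 ACL cannot hold. It assumes the bits are numbered from the least-significant bit (the post does not say); the sample ACL and all function names are constructed for illustration.

```python
import ipaddress

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}   # IOS layer 4 port operators
# Assumption: "bits 24-39" counts from the least-significant bit (bit 0).
LOST_BITS = range(24, 40)

# Constructed sample ACL (documentation prefixes), not taken from the post.
SAMPLE_ACL = """\
ipv6 access-list COPP-EXAMPLE
 permit tcp host 2001:db8::1 any eq 179
 permit tcp 2001:db8:100::/48 any eq 22
 permit ipv6 host 2001:db8::2 any
 permit udp any 2001:db8:200::/96 range 33434 33534
"""

def parse_ace(line):
    """Return (networks named in the entry, True if it has port operators)."""
    tokens = line.split()
    nets, has_ports = [], False
    i = 2                                   # skip action and protocol
    while i < len(tokens):
        tok = tokens[i]
        if tok == "host" and i + 1 < len(tokens):
            nets.append(ipaddress.IPv6Network(tokens[i + 1] + "/128"))
            i += 1
        elif ":" in tok and "/" in tok:
            nets.append(ipaddress.IPv6Network(tok, strict=False))
        elif tok in PORT_OPS:
            has_ports = True
        i += 1
    return nets, has_ports

def needs_lost_bits(net):
    """True if the prefix compares any bit in LOST_BITS."""
    lowest_matched = 128 - net.prefixlen    # a /N prefix compares bits lowest..127
    return lowest_matched <= LOST_BITS[-1]

def audit(acl_text):
    """List (entry, offending prefixes) that need ports AND the lost bits."""
    findings = []
    for line in acl_text.splitlines():
        line = line.strip()
        if not line.startswith(("permit ", "deny ")):
            continue
        nets, has_ports = parse_ace(line)
        hit = [str(n) for n in nets if needs_lost_bits(n)]
        if has_ports and hit:
            findings.append((line, hit))
    return findings
```

Under that bit-numbering assumption, any port-matching entry with a prefix longer than /88 (including `host` entries) is flagged, while entries without ports or with shorter prefixes pass.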