[c-nsp] RESOLVED: Weird IPv6 problem passing Layer3 traffic

Mack McBride mack.mcbride at viawest.com
Fri Jul 5 12:33:30 EDT 2013


People running CoPP usually think of CoPP.
People that have run GSRs will also think of receive access lists.
Most right thinking ISPs should have rules that rate limit rather than drop the connection.
CoPP is not a receive access list and should not be treated like one.

LR Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Neiberger
Sent: Friday, June 28, 2013 10:15 AM
To: Matthew Huff
Cc: ipv6-ops at lists.cluenet.de; cisco-nsp (cisco-nsp at puck.nether.net)
Subject: Re: [c-nsp] RESOLVED: Weird IPv6 problem passing Layer3 traffic

Sweet! I've had CoPP filters bite me many times. Everything else will look right but the dang thing just won't work. It can be pretty frustrating to troubleshoot since CoPP usually isn't the first thing people think of.

John


On Fri, Jun 28, 2013 at 9:20 AM, Matthew Huff <mhuff at ox.com> wrote:

> The issue was a CoPP filter on the ISP side. The session is up now.
>
> Been working on this with them for 3 days, and each engineer kept coming back to our BGP configuration.
>
> ----
> Matthew Huff             | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC       | Phone: 914-460-4039
>
>
> > -----Original Message-----
> > From: Matthew Huff
> > Sent: Friday, June 28, 2013 10:34 AM
> > To: 'cisco-nsp (cisco-nsp at puck.nether.net)'; 'ipv6-ops at lists.cluenet.de'
> > Subject: Weird IPv6 problem passing Layer3 traffic
> >
> > Trying to bring up a new BGP peering session with an ISP. IPv4 peering is working fine on the same interface. The BGP peering fails early in trying to go active. Using "debug tcp transactions", I see the SYN going out, but no ACK ever returning. I can't telnet to their box on port 179 either (debug packet shows it doing the same, SYN being sent, but no packets, including ACK). However, I can ping their interface.
> >
> > The interface config has been stripped, and still doesn't work. I've reset the interface, and even rebooted our router, with no change in behavior.
> >
> > We have a Cisco 7204VXR with NPE-G2, running 15.2(4)S1. I have an identical router with same version connected to another ISP and a tunnel to HE.net. It's not my first time at the rodeo. We are connected via metro Ethernet to a sub-interface on a JunOS box (model and version unknown). My suspicion is that either they have an ACL that's blocking it, or their BGP process isn't listening on that sub-interface. But they claim that it isn't their problem. I have zero JunOS experience and they seem to be flopping around.
> >
> > Anyone have any idea what else the problem might be?
> >
> > From our side (simplified config to test):
> >
> >
> > interface FastEthernet2/1
> >  ip address 162.211.110.2 255.255.255.252
> >  speed auto
> >  duplex auto
> >  ipv6 address 2607:F518:15F::2/126
> >  ipv6 enable
> > end
> >
> > rtr-inet2#show ipv6 cef 2607:F518:15F::1
> > 2607:F518:15F::1/128
> >   attached to FastEthernet2/1
> >
> > rtr-inet2#show ipv6 cef exact-route 2607:F518:15F::2 2607:F518:15F::1
> > 2607:F518:15F::2 -> 2607:F518:15F::1 => IPV6 adj out of FastEthernet2/1, addr 2607:F518:15F::1
> >
> > rtr-inet2#show ipv6 neighbors
> > IPv6 Address                              Age Link-layer Addr State Interface
> > 2607:F518:15F::1                            0 0021.5903.1367  REACH Fa2/1
> >
> > rtr-inet2#ping  2607:F518:15F::1
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 2607:F518:15F::1, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> >
> > ----
> > Matthew Huff             | 1 Manhattanville Rd
> > Director of Operations   | Purchase, NY 10577
> > OTA Management LLC       | Phone: 914-460-4039
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>