[c-nsp] Need help with IPv6 CoPP

Nick Hilliard nick at foobar.org
Tue May 7 06:17:40 EDT 2013


On 07/05/2013 08:31, Adam Vitkovsky wrote:
> OSPFv3 should be using addresses from FF02 Multicast link-local address
> sub-range: 
> FF02::5 all OSPF routers
> FF02::6 all OSPF designated routers
> So you should be able to limit the permit range to these two. 

No, multicast is only used for hello and LSA transmission on broadcast
medium networks.  Outside this, unicast can be used and will usually
use addresses from the standard fe80::/10 range, but if you're using
virtual links they can be global addresses.

It's a more sensible idea to filter protocol 89 to your core address ranges
using an iACL and then permit all 89 in the CoPP policy.

Nick

> 
> adam
> 
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Dobbins, Roland
> Sent: Monday, May 06, 2013 6:51 PM
> To: cisco-nsp NSP
> Subject: Re: [c-nsp] Need help with IPv6 CoPP
> 
> 
> On May 6, 2013, at 11:11 PM, Rogelio Gamino wrote:
> 
>> At that stage, neighbors agree on Master/Slave relationship before moving
> to "exchange" DBD's.
> 
> Unless you're doing OSPF with an external organization and anticipate an
> attack (either deliberate or inadvertent) from the adjacent router(s), why
> not leave OSPF out of it entirely, and instead concentrate on traffic which
> is layer-3-agile?
> 
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 
> 	  Luck is the residue of opportunity and design.
> 
> 		       -- John Milton
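
Added example, not part of the original thread: a small model of the two designs discussed above, showing which OSPFv3 packets land in the CoPP OSPF class when the class matches only FF02::5/FF02::6, compared with an iACL followed by a permit for all protocol 89. The packets, the 2001:db8::/32 "core" range, the interface roles and the reading of the iACL as "on edge interfaces, pass protocol 89 only from core ranges" are assumptions made for illustration.

```python
import ipaddress as ip

OSPF = 89                                   # IPv6 next-header value for OSPFv3
GROUPS = [ip.ip_network("ff02::5/128"), ip.ip_network("ff02::6/128")]
CORE = [ip.ip_network("2001:db8::/32")]     # constructed "core address range"

# Constructed packets: (description, ingress, next-header, source, destination)
PACKETS = [
    ("hello, broadcast segment", "core", 89, "fe80::1", "ff02::5"),
    ("LSA flood to DRs",         "core", 89, "fe80::1", "ff02::6"),
    ("unicast DBD to neighbor",  "core", 89, "fe80::1", "fe80::2"),
    ("virtual-link packet",      "core", 89, "2001:db8:0:1::1", "2001:db8:0:2::1"),
    ("external protocol 89",     "edge", 89, "2001:dead::1", "2001:db8:0:2::1"),
]

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    a = ip.ip_address(addr)
    return any(a in n for n in nets)

def copp_multicast_only(pkt):
    """CoPP class matching protocol 89 only toward ff02::5 / ff02::6."""
    _, _, proto, _, dst = pkt
    return proto == OSPF and in_any(dst, GROUPS)

def iacl_edge(pkt):
    """Assumed iACL: on edge interfaces, pass protocol 89 only from core ranges."""
    _, ingress, proto, src, _ = pkt
    return not (ingress == "edge" and proto == OSPF and not in_any(src, CORE))

def copp_all_89(pkt):
    """CoPP class matching every protocol 89 packet that survived the iACL."""
    return iacl_edge(pkt) and pkt[2] == OSPF

def classified(rule, packets=PACKETS):
    """Descriptions of the packets that end up in the OSPF class under rule."""
    return [p[0] for p in packets if rule(p)]

if __name__ == "__main__":
    print("multicast-only class:", classified(copp_multicast_only))
    print("iACL + all-89 class: ", classified(copp_all_89))
```

With the multicast-only match, the unicast DBD and the virtual-link packet fall out of the OSPF class and are left to whatever class follows it in the policy.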


