[c-nsp] Need help with IPv6 CoPP

"Rolf Hanßen" nsp at rhanssen.de
Tue May 7 08:05:49 EDT 2013


Hello Nick,

that does not help if I cannot filter using the protocol number.
Maybe I did not describe it exactly.
Whatever OSPF sends, it is not protocol number 89 or CoPP is not able to
filter the protocol number.

I did further testing and changed everything to a Sup2T compatible way
(only one ACL each class).

Those 3 rules were part of my initial config, only the first seems to match:
permit 89 FE80::/10 any
permit 89 any FE80::/10
permit ipv6 any FE02::/16

That rule makes it working (state changes to FULL):
permit ipv6 FE80::/10 FE80::/10

That rule does not work (replacing the above one):
permit 89 FE80::/10 FE80::/10

That rule works but the "log" does not log anything:
permit ipv6 FE80::/10 FE80::/10 log

On Sup720 "permit ipv6 FE80::/10 FE80::/10" matches and seems to be
needed, on Sup2T it does not match and the ACL is not needed to make OSPF
reach FULL.

So as far as I tested Sup2T only needs:
permit 89 FE80::/10 any

Sup720 needs:
permit 89 FE80::/10 any
permit ipv6 FE80::/10 FE80::/10

Also no matter which router becomes DR / BDR.


debug ipv6 ospf packet on the Sup720 shows:

The second after "clear ipv6 ospf process"
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL
to DOWN, Neighbor Down: Interface down or detached
1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
      aid:0.0.0.123 chk:5A51 inst:0 from Vlan25
1w5d: OSPFv3: rcv. v:3 t:2 l:28 rid:123.123.123.123
      aid:0.0.0.123 chk:634D inst:0 from Vlan25
1w5d: OSPFv3: rcv. v:3 t:2 l:108 rid:123.123.123.123
      aid:0.0.0.123 chk:81C3 inst:0 from Vlan25
1w5d: OSPFv3: rcv. v:3 t:4 l:192 rid:123.123.123.123
      aid:0.0.0.123 chk:594C inst:0 from Vlan25
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from
LOADING to FULL, Loading Done

Every few seconds:
1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
      aid:0.0.0.123 chk:C24C inst:0 from Vlan25

"clear ipv6 ospf process" without "permit ipv6 FE80::/10 FE80::/10"
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL
to DOWN, Neighbor Down: Interface down or detached
1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
      aid:0.0.0.123 chk:59F7 inst:0 from Vlan25

Some minutes later:
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from
EXSTART to DOWN, Neighbor Down: Too many retransmits

kind regards
Rolf
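As an added example (not code from the thread or from Cisco), a small Python parser for the `debug ipv6 ospf packet` output shown above: it re-joins lines that were wrapped in the mail, counts OSPFv3 packet types per capture, and flags the symptom Rolf describes on the Sup720, hellos (t:1) arriving while the unicast link-local DBD/LSU (t:2/t:4) never do, so the adjacency dies at EXSTART. The sample captures and the uptime-prefix regex are constructed assumptions modelled on the mail.

```python
import re
from collections import Counter

PKT_TYPES = {1: "hello", 2: "dbd", 3: "ls_request", 4: "ls_update", 5: "ls_ack"}  # RFC 5340 types
TS_RE = re.compile(r"^(\d+[wdhms])+:")  # uptime-style log prefix such as "1w5d:" (assumed format)
RCV_RE = re.compile(r"OSPFv3: rcv\. v:\d+ t:(\d+) l:\d+ rid:(\S+) aid:\S+ chk:\w+ inst:\d+ from (\S+)")
ADJ_RE = re.compile(r"%OSPFv3-5-ADJCHG: Process \d+, Nbr \S+ on \S+ from (\w+) to (\w+)")

def unwrap(text):
    """Re-join lines the terminal or mail client wrapped onto the record they belong to."""
    records = []
    for raw in text.strip().splitlines():
        if TS_RE.match(raw) or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return records

def parse_debug(text):
    """Return (packet types received in order, adjacency transitions as (old, new))."""
    received, changes = [], []
    for rec in unwrap(text):
        m = RCV_RE.search(rec)
        if m:
            received.append(PKT_TYPES.get(int(m.group(1)), "unknown"))
        elif (m := ADJ_RE.search(rec)):
            changes.append((m.group(1), m.group(2)))
    return received, changes

def diagnose(text):
    """'ok' if FULL was reached; 'hellos-only' when multicast hellos arrive but the
    unicast link-local DBD/LSU never do, i.e. the CoPP/ACL symptom from the mail."""
    received, changes = parse_debug(text)
    counts = Counter(received)
    if changes and changes[-1][1] == "FULL":
        return "ok"
    if counts["hello"] and not (counts["dbd"] or counts["ls_update"]):
        return "hellos-only"
    return "inconclusive"

# Constructed samples modelled on the debug output in the mail (not a real capture)
WORKING = """1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
      aid:0.0.0.123 chk:5A51 inst:0 from Vlan25
1w5d: OSPFv3: rcv. v:3 t:2 l:28 rid:123.123.123.123
      aid:0.0.0.123 chk:634D inst:0 from Vlan25
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from
LOADING to FULL, Loading Done"""
BROKEN = """1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
      aid:0.0.0.123 chk:59F7 inst:0 from Vlan25
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from
EXSTART to DOWN, Neighbor Down: Too many retransmits"""
```

Running `diagnose()` on a capture taken with and without the `permit ipv6 FE80::/10 FE80::/10` entry gives "ok" and "hellos-only" respectively, which separates a CoPP drop of unicast OSPFv3 from an ordinary neighbor outage.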


> On 07/05/2013 08:31, Adam Vitkovsky wrote:
>> OSPFv3 should be using addresses from FF02 Multicast link-local address
>> sub-range:
>> FF02::5 all OSPF routers
>> FF02::6 all OSPF designated routers
>> So you should be able to limit the permit range to these two.
>
> No, multicast is only used for hello and LSA transmission on broadcast
> medium networks.  Outside this, unicast can be used and will usually
> use addresses from the standard fe80::/10 range, but if you're using
> virtual links they can be global addresses.
>
> It's a more sensible idea to filter protocol 89 to your core address
> ranges
> using an iACL and then permit all 89 in the CoPP policy.
>
> Nick
>
>>
>> adam
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>> Dobbins, Roland
>> Sent: Monday, May 06, 2013 6:51 PM
>> To: cisco-nsp NSP
>> Subject: Re: [c-nsp] Need help with IPv6 CoPP
>>
>>
>> On May 6, 2013, at 11:11 PM, Rogelio Gamino wrote:
>>
>>> At that stage, neighbors agree on Master/Slave relationship before
>>> moving
>> to "exchange" DBD's.
>>
>> Unless you're doing OSPF with an external organization and anticipate an
>> attack (either deliberate or inadvertent) from the adjacent router(s),
>> why
>> not leave OSPF out of it entirely, and instead concentrate on traffic
>> which
>> is layer-3-agile?
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>
>> 	  Luck is the residue of opportunity and design.
>>
>> 		       -- John Milton
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>