[c-nsp] ME3600X IPv6 ND Control & Data Plane Problems

Nick Hilliard nick at foobar.org
Sat Feb 28 12:38:24 EST 2015


On 28/02/2015 13:17, Mark Tinka wrote:
>         Once the IPv6 ACL is re-applied, subsequent ND exchanges and
> data plane IPv6 traffic works. If the switch reboots or the ND cache is
> cleared, the problem resurfaces.

I wonder is this a screwup with the implicit ND permit?  Do your ipv6 ACLs
contain explicit denys at the end?  If so, you'll need something like this
before the end:

permit icmp any any nd-ns
permit icmp any any nd-na

Easy to check if this fixes the problem.  You might want to add a
destination address of fe80::/16 to the filter to make sure that you don't
open up a security hole.

>     2. On a particular ME3600X device, ND does not seem to work. So the
> switch only discovers link-local IPv6 addresses. The unicast global
> addresses are never discovered.

Is this box definitely running either 15.4(3)S1 or 15.3(3)S4 or later?
This is to rule out CSCuo31527, which I've been bitten with extensively.

Nick
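
A check for the situation described in the message above, as an added example that is not part of the original post: it scans IOS-style `ipv6 access-list` text for an explicit catch-all deny that is reached before `nd-ns`/`nd-na` permits. The ACL names, prefixes and function names are constructed for illustration, and source and destination fields are not evaluated.

```python
import re
# Constructed sample configuration; ACL names and prefixes are placeholders.
SAMPLE_CONFIG = """\
ipv6 access-list CUST-IN-BROKEN
 permit ipv6 2001:db8:1::/48 any
 deny ipv6 any any log
!
ipv6 access-list CUST-IN-FIXED
 permit ipv6 2001:db8:1::/48 any
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any log
"""
ND_TYPES = ("nd-ns", "nd-na")
# Entries broad enough to match ND whatever the ICMP type.
CATCH_ALL = re.compile(r"^(permit|deny) (ipv6|icmp) any any( log(-input)?)?$")

def parse_acls(config):
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^ipv6 access-list (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            entry = line.strip()
            if entry.startswith(("permit ", "deny ")):
                current.append(entry)
        else:
            current = None  # "!" or any other top-level line ends the ACL
    return acls

def missing_nd_permits(entries):
    """ND types that reach an explicit catch-all deny without a permit."""
    seen = set()
    for entry in entries:
        broad = CATCH_ALL.match(entry)
        if broad:  # the first broad entry decides what happens to ND
            if broad.group(1) == "permit":
                return []
            return [t for t in ND_TYPES if t not in seen]
        # Only the ND keyword is checked, not the addresses.
        if entry.startswith("permit icmp "):
            seen.update(t for t in ND_TYPES if t in entry.split())
    return []  # no explicit deny: the implicit ND permits still apply

def audit(config):
    found = {n: missing_nd_permits(e) for n, e in parse_acls(config).items()}
    return {name: miss for name, miss in found.items() if miss}

print(audit(SAMPLE_CONFIG))
```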


