[c-nsp] ME3600X IPv6 ND Control & Data Plane Problems
Gert Doering
gert at greenie.muc.de
Sun Mar 1 07:27:00 EST 2015
Hi,
On Sun, Mar 01, 2015 at 12:47:43PM +0100, Gert Doering wrote:
> > ipv6 access-list filter-outgoing6
> > deny ipv6 any 3FFE::/16
> > deny ipv6 any 2001:DB8::/32
> > deny ipv6 any FE00::/9
> > deny ipv6 any FF00::/8
> > sequence 65535 permit ipv6 any any
>
> This should be perfectly fine for ND. ND is done using fe80:: addresses,
> which are *not* matched by "deny any fe00::/9" (fe80 is in the other half
> of that /8). So fall through to the "permit any any" line.
Awwww... indeed, Dumitru nailed it. While they are talking *from* fe80,
they are sending the *initial* NS packets *to* multicast addresses -> ff02::
(refreshes are sent to unicast)
13:25:00.476742 IP6 fe80::250:43ff:fe01:dc37 > ff02::1:ff88:2dd0: ICMP6, neighbor solicitation, who has 2001:608:xx:xx:fad1:11ff:abcd:2dd0, length 32
So it works when you have the ND cache populated, and the devices are
only refreshing - but if the entry isn't there yet, it fails.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
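An added worked example (not part of Gert's post or the list archive): a small first-match model of the quoted IPv6 ACL, written in Python with only the standard library, that reproduces the failure described above. It computes the solicited-node multicast group for a target (RFC 4291: ff02::1:ffXX:XXXX with the target's low 24 bits), confirms that the fe80:: source is outside fe00::/9 as Gert says, and shows the initial NS being caught by the ff00::/8 deny while a unicast refresh NS falls through to the final permit. The target address fd00:1::fad1:11ff:fe88:2dd0 is constructed so that its solicited-node group is the ff02::1:ff88:2dd0 seen in the tcpdump line; the "fixed" ACL (a permit for ICMPv6 from link-local to ff02::/16 placed ahead of the deny) is an assumption about one possible remedy, not something the post proposes, and the model does not cover ICMPv6 type keywords.

```python
import ipaddress

# Model of the ACL quoted in the post, in the order IOS evaluates it.
# Each entry: (action, protocol, source prefix, destination prefix); "any" is ::/0.
FILTER_OUTGOING6 = [
    ("deny",   "ipv6", "::/0", "3ffe::/16"),
    ("deny",   "ipv6", "::/0", "2001:db8::/32"),
    ("deny",   "ipv6", "::/0", "fe00::/9"),
    ("deny",   "ipv6", "::/0", "ff00::/8"),
    ("permit", "ipv6", "::/0", "::/0"),      # sequence 65535 permit ipv6 any any
]

# Assumed remedy (not from the post): let ICMPv6 from link-local sources reach
# link-scope multicast before the broad ff00::/8 deny is consulted.
FILTER_OUTGOING6_FIXED = [("permit", "icmp", "fe80::/10", "ff02::/16")] + FILTER_OUTGOING6

LINK_LOCAL_SRC = "fe80::250:43ff:fe01:dc37"   # source seen in the tcpdump line
TARGET = "fd00:1::fad1:11ff:fe88:2dd0"        # constructed neighbour address


def solicited_node_multicast(target):
    """Solicited-node group for a target: ff02::1:ff00:0 OR the target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def source_hits_fe00_deny(src=LINK_LOCAL_SRC):
    """True only if the source falls inside fe00::/9 (fe00..fe7f); fe80::/10 does not."""
    return ipaddress.IPv6Address(src) in ipaddress.IPv6Network("fe00::/9")


def evaluate(acl, proto, src, dst):
    """First-match ACL evaluation as IOS does it.

    Returns (action, index) of the matching entry; an entry with protocol "ipv6"
    matches any protocol. No match means the implicit deny, returned as ("deny", None).
    """
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    for i, (action, p, sp, dp) in enumerate(acl):
        if p not in ("ipv6", proto):
            continue
        if s in ipaddress.IPv6Network(sp) and d in ipaddress.IPv6Network(dp):
            return action, i
    return "deny", None


def nd_outcomes(acl=FILTER_OUTGOING6, src=LINK_LOCAL_SRC, target=TARGET):
    """Fate of the two NS flavours: the initial one to the solicited-node group
    (ND cache empty) and the refresh sent unicast to the known neighbour."""
    group = solicited_node_multicast(target)
    return {
        "solicited_node_group": str(group),
        "initial_ns": evaluate(acl, "icmp", src, str(group)),
        "refresh_ns": evaluate(acl, "icmp", src, target),
    }


if __name__ == "__main__":
    print("fe80 source inside fe00::/9 deny:", source_hits_fe00_deny())
    print("quoted ACL:", nd_outcomes())
    print("assumed fix:", nd_outcomes(FILTER_OUTGOING6_FIXED))
```

Running it prints the initial NS to ff02::1:ff88:2dd0 matched by the ff00::/8 deny (entry index 3) and the unicast refresh matched by the final permit, which is exactly the "works once the cache is populated, fails when the entry is missing" behaviour in the post; with the permit-before-deny ordering both forms pass. The same evaluator can be pointed at any ACL built in this shape to check it against the solicited-node group of a given target before the ACL goes onto an interface.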