[c-nsp] ASR9001 ASR9901 IOS-XR IPv6 filtering

Saku Ytti saku at ytti.fi
Wed Jun 10 11:10:54 EDT 2020


On Wed, 10 Jun 2020 at 16:04, Gert Doering <gert at greenie.muc.de> wrote:

> You should be able to filter ND/NS by matching on TTL 255, but when
> we did this, we saw peer routers send out NS with lower TTLs - which is
> a violation of RFCs, but nobody seems to care...

We match hop-limit 255, and not any addr, globally in every market
against a diverse set of implementations and have not had a single
issue. I suspect you may have attributed the problem incorrectly.

Please add a new rule before the existing ones which is just a hop-limit
255 match, and observe if counters move to that rule. It is normal to see
non-255 due to random internet trash.

We regularly do have IPv6 ND problems; sometimes IPv6 BGP to a customer
breaks when _WE_ change a device at our end and the customer does
nothing, because the customer is filtering ND based on address and allows
only LL or only GUA, and our end changed from LL to GUA or from GUA to
LL and is no longer allowed by the customer. It is not always an easy task
convincing the customer their filters are wrong when they changed nothing
and it broke, thanks IPv6!


-- 
  ++ytti
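
Added example, not part of the original post: a Python sketch that runs a hop-limit 255 match and a link-local-only address filter over the same constructed ND packets, showing that the address-based rule starts dropping when the peer's source changes from LL to GUA while the hop-limit rule does not. Function names, the packets and the 2001:db8::/32 documentation addresses are assumptions made for illustration.

```python
import ipaddress
import struct
from collections import Counter
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def build_packet(src, dst, hop_limit, icmp_type):
    """Constructed sample: IPv6 header plus a 24-byte ICMPv6 body (checksum left 0)."""
    payload = struct.pack("!BBH", icmp_type, 0, 0) + bytes(20)
    header = struct.pack("!IHBB", 6 << 28, len(payload), 58, hop_limit)
    return (header + ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed + payload)

def parse_nd(packet):
    """Return (source, hop_limit) for an ND packet without extension headers, else None."""
    is_icmp6 = len(packet) >= 44 and packet[0] >> 4 == 6 and packet[6] == 58
    if not is_icmp6 or packet[40] not in ND_TYPES:
        return None
    return ipaddress.ip_address(packet[8:24]), packet[7]

def hop_limit_filter(packet):
    """Permit ND only at hop limit 255; the source address is not examined."""
    nd = parse_nd(packet)
    if nd is None:
        return "not-nd"
    return "permit" if nd[1] == 255 else "drop"

def link_local_only_filter(packet):
    """Address-based ND filter that allows link-local sources only."""
    nd = parse_nd(packet)
    if nd is None:
        return "not-nd"
    return "permit" if nd[0] in LINK_LOCAL else "drop"

def counters(packets, rule):
    """Tally verdicts the way per-rule ACL counters would."""
    return Counter(rule(p) for p in packets)

# Constructed packets: NS from LL, NS from GUA (peer changed source), off-link NS at hop limit 64.
DST = "ff02::1:ff00:2"
SAMPLES = [
    build_packet("fe80::1", DST, 255, 135),
    build_packet("2001:db8::1", DST, 255, 135),
    build_packet("2001:db8:ffff::9", DST, 64, 135),
]

if __name__ == "__main__":
    for rule in (hop_limit_filter, link_local_only_filter):
        print(rule.__name__, dict(counters(SAMPLES, rule)))
```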

