[c-nsp] Cat6500 ipv6 nd raguard feature

Andrew Yourtchenko ayourtch at cisco.com
Fri Nov 19 12:08:10 CET 2010


Excellent, thanks a lot for the info - I've updated the bug record so the others
can benefit from this finding.


On Fri, 19 Nov 2010, Daniel Verlouw wrote:

> (apologies for duplicates, thought this might be interesting for folks
> on both lists):
>
> Hi,
>
> In case anyone is looking into deploying the 'ipv6 nd raguard' feature
> introduced in SXI4 on Cat6.5k: I suggest you don't (for now, at least).
> We found an issue with it causing it to intermittently drop neighbor
> solicits from the access port resulting in a complete IPv6 'meltdown'
> for the attached host (*sigh*)
>
> Bug ID: CSCtk05146 - IPv6 Solicit dropped by RAguard
>
> Verified by issuing:
>
>   sh tcam interface <interface> acl in ipv6
>
> Cisco suggests disabling it altogether as a workaround, however, we
> found that IPv6 PACLs (also introduced in SXI4) do work fine in our
> limited testing so far, e.g.:
>
>   ipv6 access-list block-rogue-ipv6
>    remark Block DHCPv6 server messages
>    deny udp any eq 547 any eq 546
>    remark Block Router Advertisements
>    deny icmp any any router-advertisement
>    permit ipv6 any any
>
>   int <interface>
>    ipv6 traffic-filter block-rogue-ipv6 in
>
> Cheers,
>   Daniel.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
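
The PACL quoted above, modelled as an added example (not code from either poster or from Cisco): a first-match evaluator run over constructed IPv6 packets, showing that DHCPv6 server messages and Router Advertisements are denied while a Neighbor Solicitation, the traffic the RA guard bug was dropping, is permitted. It assumes the upper-layer header directly follows the 40-byte IPv6 header; all function names and sample packets are constructed for illustration.

```python
import struct

UDP, ICMPV6 = 17, 58   # IPv6 Next Header values
RA, NS = 134, 135      # ICMPv6 types: Router Advertisement, Neighbor Solicitation

def ipv6(next_header, payload):
    """Constructed IPv6 packet fe80::1 -> ff02::1 with no extension headers."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

def udp(sport, dport, data=b"\x00" * 4):
    # Checksum left at zero: the ACL entries do not inspect it.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmpv6(msg_type, body=b"\x00" * 20):
    return bytes([msg_type, 0, 0, 0]) + body

def pacl_action(packet):
    """First-match evaluation of the block-rogue-ipv6 entries from the post."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, upper = packet[6], packet[40:]
    if next_header == UDP and len(upper) >= 4:
        sport, dport = struct.unpack("!HH", upper[:4])
        if sport == 547 and dport == 546:
            return "deny"      # deny udp any eq 547 any eq 546
    if next_header == ICMPV6 and upper and upper[0] == RA:
        return "deny"          # deny icmp any any router-advertisement
    return "permit"            # permit ipv6 any any

# Constructed sample traffic as it would arrive inbound on the access port.
SAMPLES = {
    "dhcpv6 server reply (547 -> 546)": ipv6(UDP, udp(547, 546)),
    "dhcpv6 client solicit (546 -> 547)": ipv6(UDP, udp(546, 547)),
    "router advertisement": ipv6(ICMPV6, icmpv6(RA)),
    "neighbor solicitation": ipv6(ICMPV6, icmpv6(NS)),
}

def evaluate_samples():
    return {name: pacl_action(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{action:6} {name}")
```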
