Weird IPv6 problem passing Layer3 traffic

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 28 16:48:42 CEST 2013


On 28/06/13 15:33, Matthew Huff wrote:

> We have a Cisco 7204VXR with NPE-G2, running 15.2(4)S1. I have an
> identical router with same version connected to another ISP and a
> tunnel to HE.net. It's not my first time at the rodeo. We are
> connected via metro Ethernet to a sub-interface on a JunOS box (model
> and version unknown). My suspicion is that either they have an ACL
> that's blocking it, or their BGP process isn't listening on that
> sub-interface. But they claim that it isn't their problem. I have
> zero JunOS experience and they seem to be flopping around.

If you can ping it, but not telnet to port 179, it seems pretty clear 
that port 179 is blocked or not listening, unless they have some kind of 
TTL-based security going.

In Catalyst-land I'd suggest getting a SPAN of your output port showing 
the SYN going out but no ACK coming back - the tcpdump/pcap evidence is 
hard to argue.

Most likely, they have a filter on lo0 (which is the JunOS way of 
protecting the control plane) that doesn't allow IPv6 or BGP/IPv6. First 
guess, ask them to check the input filter on lo0 of their JunOS box.

FWIW a working JunOS IPv6 eBGP config looks a little like this:

interfaces {
     ge-0/0/0 {
         unit 0 {
             family inet {
                 address x.x.x.x/31;
             }
             family inet6 {
                 address 2001:y::1/112;
             }
         }
     }
     lo0 {
         unit 0 {
             family inet {
                 filter {
                     input router-protect;
                 }
                 address x.x.x.x/32;
             }
             family inet6 {
                 filter {
                     input ipv6-router-protect;
                 }
                 address 2001:x.x.x/128;
             }
         }
     }
}
protocols {
     bgp {
         group Customerv6 {
             type external;
             local-address 2001:y::1;
             family inet6 {
                 unicast;
             }
             peer-as 65000;
             neighbor 2001:y::2;
         }
     }
}
firewall {
     family inet6 {
         filter ipv6-router-protect {
             term BGP_NEIGHS_1 {
                 from {
                     source-address {
                         2001:y::/64;
                     }
                     next-header tcp;
                     destination-port bgp;
                 }
                 then accept;
             }
             term BGP_NEIGHS_2 {
                 from {
                     source-address {
                         2001:y::/64;
                     }
                     next-header tcp;
                     source-port bgp;
                 }
                 then accept;
             }
             ....
         }
     }
}
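
Added example, not part of the original message: a small Python probe that makes the "blocked or not listening" distinction above explicit by classifying a single TCP handshake to port 179. The function name, the verdict strings and the `2001:db8::1` target (documentation prefix) are assumptions chosen for illustration.

```python
import errno
import socket

BGP_PORT = 179


def probe_tcp(host, port=BGP_PORT, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome.

    Returns (verdict, detail); verdict is one of:
      "open"        - handshake completed, something is listening
      "refused"     - RST came back, the port is not accepting connections
      "timeout"     - no answer at all, the SYN or its reply was dropped
      "unreachable" - name resolution, routing or ICMP-signalled failure
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "unreachable", f"cannot resolve {host}: {exc}"
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except ConnectionRefusedError:
            return "refused", "RST received: nothing accepting on this port"
        except socket.timeout:
            # Silence is what a filter that discards the SYN looks like.
            return "timeout", "no reply: consistent with a silent drop"
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, str(exc.errno))
            return "unreachable", f"{name}: {exc.strerror}"
    return "open", "handshake completed"


if __name__ == "__main__":
    import sys
    # Placeholder peer address (documentation prefix); pass the real one.
    target = sys.argv[1] if len(sys.argv) > 1 else "2001:db8::1"
    verdict, detail = probe_tcp(target)
    print(f"[{target}]:{BGP_PORT} {verdict} ({detail})")
```

A "timeout" verdict alongside a successful ping is the case worth pairing with a packet capture, since it shows the SYN leaving and nothing returning.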


