Cat6500 ipv6 nd raguard feature
Daniel Verlouw
daniel at bit.nl
Fri Nov 19 09:39:00 CET 2010
(apologies for duplicates, thought this might be interesting for folks
on both lists):
Hi,
In case anyone is looking into deploying the 'ipv6 nd raguard' feature
introduced in SXI4 on Cat6.5k: I suggest you don't (for now, at least).
We found an issue with it causing it to intermittently drop neighbor
solicits from the access port resulting in a complete IPv6 'meltdown'
for the attached host (*sigh*)
Bug ID: CSCtk05146 - IPv6 Solicit dropped by RAguard
Verified by issuing:
  sh tcam interface <interface> acl in ipv6
Cisco suggests disabling it altogether as a workaround, however, we
found that IPv6 PACLs (also introduced in SXI4) do work fine in our
limited testing so far, e.g.:
  ipv6 access-list block-rogue-ipv6
   remark Block DHCPv6 server messages
   deny udp any eq 547 any eq 546
   remark Block Router Advertisements
   deny icmp any any router-advertisement
   permit ipv6 any any
  int <interface>
   ipv6 traffic-filter block-rogue-ipv6 in
Cheers,
Daniel.
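
The PACL quoted in the message above, run through a simplified first-match model against constructed packets, as an added example that is not part of the original post: it shows which of RA, neighbor solicit and DHCPv6 messages those rules drop on ingress. The parser, the packet dictionaries and all function names are assumptions for illustration and do not reproduce IOS or TCAM behaviour.

```python
# Added illustration: simplified first-match model of the quoted PACL (not IOS/TCAM).
ICMP6_TYPES = {"router-advertisement": 134}  # RA type number, RFC 4861
ACL_TEXT = """\
remark Block DHCPv6 server messages
deny udp any eq 547 any eq 546
remark Block Router Advertisements
deny icmp any any router-advertisement
permit ipv6 any any
"""

SAMPLES = {  # constructed sample packets, hypothetical field names
    "router_advertisement": {"proto": "icmp", "icmp_type": 134},
    "neighbor_solicit": {"proto": "icmp", "icmp_type": 135},
    "dhcpv6_server_reply": {"proto": "udp", "sport": 547, "dport": 546},
    "dhcpv6_client_solicit": {"proto": "udp", "sport": 546, "dport": 547},
}

def parse_acl(text):
    """Parse 'action proto any [eq N] any [eq N | icmp-type]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        rule = {"action": tok[0], "proto": tok[1]}
        rest, i = tok[2:], 1            # i=1 skips the source "any"
        if rest[i:i + 1] == ["eq"]:
            rule["sport"], i = int(rest[i + 1]), i + 2
        i += 1                          # skip the destination "any"
        if rest[i:i + 1] == ["eq"]:
            rule["dport"] = int(rest[i + 1])
        elif i < len(rest):
            rule["icmp_type"] = ICMP6_TYPES[rest[i]]
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """Return the action of the first rule whose fields all match pkt."""
    for rule in rules:
        if rule["proto"] not in ("ipv6", pkt["proto"]):
            continue
        if all(pkt.get(k) == v for k, v in rule.items()
               if k not in ("action", "proto")):
            return rule["action"]
    return "deny"  # not reached here: the ACL ends in 'permit ipv6 any any'

def run_samples():
    """Evaluate every constructed sample against the parsed ACL."""
    rules = parse_acl(ACL_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

Calling `run_samples()` returns one action per sample; the neighbor solicit (ICMPv6 type 135) and the client-side DHCPv6 solicit fall through to the final permit, while the RA and the server-to-client DHCPv6 reply match the deny entries.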