Re: ipv6 bgp neighbor session using link-local from Daniel Kratz on 2012-01-20 (Ccielab archives 01/2012)

From: Daniel Kratz <dkratz_at_gmail.com>
Date: Fri, 20 Jan 2012 14:44:32 -0200

From a security point of view this is great. One remote DDoS will never
reach link-local addresses and this traffic will be discard closest to
source as possible.

In the scope of R&S Lab, on IOS Advanced Enterprise Services 12.4T, you can
form neighbor relationship using link-local, but you'll need to manually
seting the next-hop. [1]

In newer IOS you can address your neighbor making reference to output
interface. (Ex: neighbor FE80::3%Serial1/1 remote-as 100). In this case you
don't need to set next-hop manually.

[]4s
Kratz

[1] - Implementing Multiprotocol BGP for IPv6
http://www.cisco.com/en/US/docs/ios/ios_xe/ipv6/configuration/guide/ip6-mptcl
_bgp_xe.html#wp1043063

2012/1/20 Alberto <albertofsantos_at_gmail.com>

> I dont see the reason either, but why dont u try to config update src and
> eBGP mult hop just to see if it will work
>
> BR
> Enviado via iPhone
>
>
> Em 19/01/2012, C s 13:47, marc abel <marcabel_at_gmail.com> escreveu:
>
> > I don't see how this would work, how would the router know which
> interface
> > the link local address was on? Like when you ping a link local address,
> the
> > router asks which interface you want to send the ping on.
> >
> > On Thu, Jan 19, 2012 at 8:25 AM, Rich Collins <nilsi2002_at_gmail.com>
> wrote:
> >
> >> Just curious if there would be any advantage to this if you were able
> >> to get it working?
> >>
> >> On Mon, Jan 16, 2012 at 9:29 AM, Aaron <aaron1_at_gvtc.com> wrote:
> >>> How do you establish ipv6 bgp neighbor session using link local
> (fe80.)?
> >>>
> >>>
> >>>
> >>> I tried this way, then see the following console log messages on r1 and
> >>> r3.then I followed something I read about adding a "%" at the end of
> the
> >>> link local address, but that didn't seem to work either.
> >>>
> >>>
> >>>
> >>> Rack1R1#conf t
> >>>
> >>> Enter configuration commands, one per line. End with CNTL/Z.
> >>>
> >>> Rack1R1(config)#router bgp 200
> >>>
> >>> Rack1R1(config-router)#no bgp default ipv4-unicast
> >>>
> >>> Rack1R1(config-router)#neighbor FE80::13 remote-as 300
> >>>
> >>> Rack1R1(config-router)#neighbor FE80::13 update-source s2/0
> >>>
> >>> Rack1R1(config-router)#address-family ipv6 unicast
> >>>
> >>> Rack1R1(config-router-af)#neighbor FE80::13 activate
> >>>
> >>>
> >>>
> >>> Rack1R1#
> >>>
> >>> *Jan 16 14:04:57.119: BGP: FE80::13 open active, local address FE80::11
> >>>
> >>> *Jan 16 14:04:57.139: BGP: FE80::13 open failed: Connection refused by
> >>> remote host
> >>>
> >>>
> >>>
> >>> Rack1R3#
> >>>
> >>> *Jan 16 16:25:55.814: BGP: FE80::11 open active, local address FE80::13
> >>>
> >>> *Jan 16 16:25:55.814: BGP: FE80::11 read request no-op
> >>>
> >>> *Jan 16 16:25:55.814: BGP: FE80::11 open failed: Connection refused by
> >>> remote host, open active delayed 23432ms (35000ms max, 60% jitter)
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Rack1R1(config)#router bgp 200
> >>>
> >>> Rack1R1(config-router)#no bgp default ipv4-unicast
> >>>
> >>> Rack1R1(config-router)#no neighbor FE80::13 remote-as 300
> >>>
> >>> Rack1R1(config-router)#no neighbor FE80::13 update-source s2/0
> >>>
> >>> Rack1R1(config-router)#address-family ipv6 unicast
> >>>
> >>> Rack1R1(config-router-af)#no neighbor FE80::13 activate
> >>>
> >>> Rack1R1(config-router-af)#
> >>>
> >>> Rack1R1(config-router-af)#neighbor FE80::13% remote-as 300
> >>>
> >>> % Create the peer-group first
> >>>
> >>> Rack1R1(config-router-af)#neighbor FE80::13% update-source s2/0
> >>>
> >>> % Specify remote-as or peer-group commands first
> >>>
> >>> Rack1R1(config-router-af)#address-family ipv6 unicast
> >>>
> >>> Rack1R1(config-router-af)#neighbor FE80::13% activate
> >>>
> >>> % Specify remote-as or peer-group commands first
> >>>
> >>> Rack1R1(config-router-af)#
> >>>
> >>>
> >>>
> >>> Aaron
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

--
"Any fool can know. The point is to understand."
                                                Albert Einstein
Blogs and organic groups at http://www.ccie.net

Received on Fri Jan 20 2012 - 14:44:32 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART