So is that like policy routing (PBR) to the next-hop IP address?  Like
embedding a PBR fix onto the neighbor statement that uses link-local?
Aaron
-----Original Message-----
From: Rich Collins [mailto:nilsi2002_at_gmail.com] 
Sent: Friday, January 20, 2012 11:42 AM
To: Daniel Kratz
Cc: Alberto; marc abel; Aaron; Cisco certification
Subject: Re: ipv6 bgp neighbor session using link-local
From a security point of view that does sound like a valid use case.
Here is a configuration that worked for me.
Running IOS15
hostname R1
!
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
!
interface FastEthernet0/0
 vrf forwarding A
 ip address 9.9.12.1 255.255.255.0
 duplex half
 ipv6 address FE80::11 link-local
 ipv6 address 2001:10:1:1::1/64
 mpls traffic-eng tunnels
 mpls ip
 !
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf A
  no synchronization
 exit-address-family
 !
 address-family ipv6 vrf A
  neighbor FE80::22%FastEthernet0/0 remote-as 1
  neighbor FE80::22%FastEthernet0/0 activate
 exit-address-family
!
hostname R2
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ipv6 address 2001:20::2/128
 !
!
interface FastEthernet0/0
 ip address 9.9.12.2 255.255.255.0
 ip router isis
 duplex half
 ipv6 address FE80::22 link-local
 ipv6 address 2001:10:1:1::2/64
 mpls traffic-eng tunnels
 mpls ip
 !
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor FE80::11%FastEthernet0/0 remote-as 1
 no auto-summary
 !
 address-family ipv6
  network 2001:20::2/128
  neighbor FE80::11%FastEthernet0/0 activate
 exit-address-family
!
-----------------------
R1#sh ip bgp vpnv6 unicast rd 1:1
BGP table version is 2, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf A)
*>i2001:20::2/128   FE80::22                 0    100      0 i
R1#
R1#
R1#sh ip bgp vpnv6 unicast rd 1:1 2001:20::2/128
BGP routing table entry for [1:1]2001:20::2/128, version 2
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  Local
    FE80::22 (FE80::22) from FE80::22%FastEthernet0/0 (2.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1:1
R1#
On Fri, Jan 20, 2012 at 10:44 AM, Daniel Kratz <dkratz_at_gmail.com> wrote:
>
> From a security point of view this is great.  One remote DDoS will never
> reach link-local addresses and this traffic will be discarded as close to
> the source as possible.
>
> In the scope of R&S Lab, on IOS Advanced Enterprise Services 12.4T, you can
> form neighbor relationship using link-local, but you'll need to manually
> set the next-hop. [1]
>
> In newer IOS you can address your neighbor making reference to output
> interface. (Ex: neighbor FE80::3%Serial1/1 remote-as 100). In this case you
> don't need to set next-hop manually.
>
> []4s
> Kratz
>
>
> [1] - Implementing Multiprotocol BGP for IPv6
>
> http://www.cisco.com/en/US/docs/ios/ios_xe/ipv6/configuration/guide/ip6-mptcl_bgp_xe.html#wp1043063
>
>
> 2012/1/20 Alberto <albertofsantos_at_gmail.com>
>>
>> I don't see the reason either, but why don't you try to config update src and
>> eBGP multihop just to see if it will work
>>
>> BR
>> Sent via iPhone
>>
>>
>> On 19/01/2012, at 13:47, marc abel <marcabel_at_gmail.com> wrote:
>>
>>
-Rich
Received on Fri Jan 20 2012 - 12:31:14 ART
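
Added example, not part of the original thread or of anyone's posted configuration: a Python audit that reads IOS-style config text and classifies each BGP neighbor by address scope, separating sessions that peer on a link-local address with the `%interface` scope from link-local peers missing the scope and from routable peer addresses. The function names, the constructed sample config, and the check that the scoped interface carries a static link-local address are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample modelled on R2; FE80::33 and 2001:10:1:1::1 are hypothetical.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ipv6 address FE80::22 link-local
router bgp 1
 neighbor FE80::11%FastEthernet0/0 remote-as 1
 neighbor FE80::33 remote-as 1
 neighbor 2001:10:1:1::1 remote-as 1
"""
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+\d+", re.I)
LINK_LOCAL_RE = re.compile(r"^\s+ipv6 address\s+\S+\s+link-local", re.I)

def interfaces_with_link_local(config):
    """Names of interfaces that carry a static link-local address."""
    found, current = set(), None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level line: a new section begins
            m = re.match(r"interface\s+(\S+)", line, re.I)
            current = m.group(1) if m else None
        elif current and LINK_LOCAL_RE.match(line):
            found.add(current)
    return found

def audit_bgp_neighbors(config):
    """Return (peer, verdict) for every address-based BGP neighbor."""
    ll_interfaces = interfaces_with_link_local(config)
    results = []
    for line in config.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        addr, _, intf = m.group(1).partition("%")  # split off the %interface scope
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # peer-group name rather than an address
        if not (ip.version == 6 and ip.is_link_local):
            verdict = "routable peer address"
        elif not intf:
            verdict = "link-local without %interface scope"
        elif intf not in ll_interfaces:  # heuristic check, assumption of this example
            verdict = "link-local, interface has no static link-local"
        else:
            verdict = "link-local, on-link only"
        results.append((m.group(1), verdict))
    return results
```

Calling `audit_bgp_neighbors(SAMPLE_CONFIG)` returns one `(peer, verdict)` pair per neighbor statement, in config order.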