Re: ipv6 bgp neighbor session using link-local

From: Rich Collins <nilsi2002_at_gmail.com>
Date: Fri, 20 Jan 2012 14:01:54 -0600

This is my understanding:
I would say that you have to compare this configuration (defining the
peering interface) with any other type of use of link-local such as
pinging. The link-local ipv6 address fe80::/10 is not subnetted so
the application does not know which interface (LAN) to use.

-Rich

On Fri, Jan 20, 2012 at 12:31 PM, Aaron <aaron1_at_gvtc.com> wrote:
> So is that like policy routing (PBR) to the next-hop IP address? Like
> embedding a PBR fix onto the neighbor statement that uses link-local?
>
> Aaron
>
> -----Original Message-----
> From: Rich Collins [mailto:nilsi2002_at_gmail.com]
> Sent: Friday, January 20, 2012 11:42 AM
> To: Daniel Kratz
> Cc: Alberto; marc abel; Aaron; Cisco certification
> Subject: Re: ipv6 bgp neighbor session using link-local
>
> From a security point of view that does sound like a valid use case.
>
>
> Here is a configuration that worked for me.
>
> Running IOS15
>
> hostname R1
> !
>
> !
> no ip domain lookup
> ipv6 unicast-routing
> ipv6 cef
> !
>
> !
> interface FastEthernet0/0
> vrf forwarding A
> ip address 9.9.12.1 255.255.255.0
> duplex half
> ipv6 address FE80::11 link-local
> ipv6 address 2001:10:1:1::1/64
> mpls traffic-eng tunnels
> mpls ip
> !
>
> !
> router bgp 1
> no synchronization
> bgp log-neighbor-changes
> no auto-summary
> !
> address-family ipv4 vrf A
> no synchronization
> exit-address-family
> !
> address-family ipv6 vrf A
> neighbor FE80::22%FastEthernet0/0 remote-as 1
> neighbor FE80::22%FastEthernet0/0 activate
> exit-address-family
> !
>
> hostname R2
> !
> interface Loopback0
> ip address 2.2.2.2 255.255.255.255
> ipv6 address 2001:20::2/128
> !
> !
> interface FastEthernet0/0
> ip address 9.9.12.2 255.255.255.0
> ip router isis
> duplex half
> ipv6 address FE80::22 link-local
> ipv6 address 2001:10:1:1::2/64
> mpls traffic-eng tunnels
> mpls ip
> !
>
> !
> router bgp 1
> no synchronization
> bgp log-neighbor-changes
> neighbor FE80::11%FastEthernet0/0 remote-as 1
> no auto-summary
> !
> address-family ipv6
> network 2001:20::2/128
> neighbor FE80::11%FastEthernet0/0 activate
> exit-address-family
> !
>
> -----------------------
>
> R1#sh ip bgp vpnv6 unicast rd 1:1
> BGP table version is 2, local router ID is 1.1.1.1
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
> r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
> Network Next Hop Metric LocPrf Weight Path
> Route Distinguisher: 1:1 (default for vrf A)
> *>i2001:20::2/128 FE80::22 0 100 0 i
> R1#
> R1#
> R1#sh ip bgp vpnv6 unicast rd 1:1 2001:20::2/128
> BGP routing table entry for [1:1]2001:20::2/128, version 2
> Paths: (1 available, best #1, table A)
> Not advertised to any peer
> Local
> FE80::22 (FE80::22) from FE80::22%FastEthernet0/0 (2.2.2.2)
> Origin IGP, metric 0, localpref 100, valid, internal, best
> Extended Community: RT:1:1
> R1#
>
> On Fri, Jan 20, 2012 at 10:44 AM, Daniel Kratz <dkratz_at_gmail.com> wrote:
>>
>> From a security point of view this is great. One remote DDoS will never
>> reach link-local addresses and this traffic will be discard closest to
>> source as possible.
>>
>> In the scope of R&S Lab, on IOS Advanced Enterprise Services 12.4T, you can
>> form a neighbor relationship using link-local, but you'll need to manually
>> set the next-hop. [1]
>>
>> In newer IOS you can address your neighbor making reference to the output
>> interface. (Ex: neighbor FE80::3%Serial1/1 remote-as 100). In this case you
>> don't need to set the next-hop manually.
>>
>> Cheers,
>> Kratz
>>
>>
>> [1] - Implementing Multiprotocol BGP for IPv6
>> http://www.cisco.com/en/US/docs/ios/ios_xe/ipv6/configuration/guide/ip6-mptcl_bgp_xe.html#wp1043063
>>
>>
>> 2012/1/20 Alberto <albertofsantos_at_gmail.com>
>>>
>>> I don't see the reason either, but why don't you try to config update src and
>>> eBGP mult hop just to see if it will work
>>>
>>> BR
>>> Sent via iPhone
>>>
>>>
>>> On 19/01/2012, at 13:47, marc abel <marcabel_at_gmail.com> wrote:
>
> -Rich
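
Added example, not from the thread or from Cisco: a small Python audit that reads an IOS-style config like R1's above and classifies each IPv6 BGP neighbor by how it is reachable, so link-local peers with a resolvable %interface zone (the on-link-only case Kratz describes) stand out from global peers that can be reached off-link and from zone-less link-local peers that still need a manually set next-hop on older IOS. The sample config is constructed; the two extra neighbor lines beyond R1's original are mine.

```python
import ipaddress
import re

# Constructed sample: R1's link-local peering from the thread, plus three
# extra neighbor lines (a global peer, a zone-less link-local peer and a
# zone that no interface carries) so the audit has something to flag.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ipv6 address FE80::11 link-local
 ipv6 address 2001:10:1:1::1/64
!
router bgp 1
 address-family ipv6 vrf A
  neighbor FE80::22%FastEthernet0/0 remote-as 1
  neighbor FE80::22%FastEthernet0/0 activate
  neighbor 2001:10:1:1::2 remote-as 1
  neighbor FE80::33 remote-as 1
  neighbor FE80::44%Serial1/1 remote-as 1
 exit-address-family
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # not subnetted: needs a zone


def link_local_interfaces(config):
    """Map interface name -> the link-local address configured on it."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s*ipv6 address (\S+) link-local", line)
        if m and current:
            found[current] = ipaddress.IPv6Address(m.group(1))
    return found


def audit_neighbors(config):
    """Classify each distinct IPv6 BGP neighbor target by reachability."""
    ifaces = link_local_interfaces(config)
    results = {}
    for m in re.finditer(r"^\s*neighbor (\S+) ", config, re.M):
        target = m.group(1)
        addr_str, _, zone = target.partition("%")
        try:
            addr = ipaddress.IPv6Address(addr_str)
        except ValueError:
            continue  # IPv4 neighbors are out of scope for this check
        if addr not in LINK_LOCAL:
            results[target] = "global"        # reachable from off-link sources
        elif not zone:
            results[target] = "no-zone"       # needs a manual next-hop (older IOS)
        elif zone not in ifaces:
            results[target] = "unknown-zone"  # %interface has no link-local address
        else:
            results[target] = "link-local"    # on-link only, zone resolves
    return results
```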

Blogs and organic groups at http://www.ccie.net
Received on Fri Jan 20 2012 - 14:01:54 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART