Re: ipv6 bgp neighbor session using link-local

From: CCIE KID <eliteccie_at_gmail.com>
Date: Sun, 22 Jan 2012 13:24:42 +0530

Aaron

Adding to what Rich said: when you ping a link-local address, IOS asks for the
outgoing interface. This shows you that, by default, the router doesn't exactly
know which link this link-local address belongs to.

So you have to educate the router about the outgoing interface.

But in BGP you just specify the neighbor's link-local address and haven't
specified the outgoing interface to reach the neighbor.

Do one thing: write a new RFC for it :) Forming a neighborship using link-local.

On Sat, Jan 21, 2012 at 3:04 AM, Aaron <aaron1_at_gvtc.com> wrote:

> Thanks, Rich, for the reiteration. Have a nice weekend.
>
>
>
> Aaron
>
> -----Original Message-----
> From: Rich Collins [mailto:nilsi2002_at_gmail.com]
> Sent: Friday, January 20, 2012 2:02 PM
> To: Aaron
> Cc: Daniel Kratz; Alberto; marc abel; Cisco certification
> Subject: Re: ipv6 bgp neighbor session using link-local
>
> This is my understanding:
> I would say that you have to compare this configuration (defining the
> peering interface) with any other type of use of link-local such as
> pinging. The link-local ipv6 address fe80::/10 is not subnetted so
> the application does not know which interface (LAN) to use.
>
> -Rich
>
> On Fri, Jan 20, 2012 at 12:31 PM, Aaron <aaron1_at_gvtc.com> wrote:
> > So is that like policy routing (PBR) to the next-hop IP address? Like
> > embedding a PBR fix onto the neighbor statement that uses link-local?
> >
> > Aaron
> >
> >
> >
> > -----Original Message-----
> > From: Rich Collins [mailto:nilsi2002_at_gmail.com]
> > Sent: Friday, January 20, 2012 11:42 AM
> > To: Daniel Kratz
> > Cc: Alberto; marc abel; Aaron; Cisco certification
> > Subject: Re: ipv6 bgp neighbor session using link-local
> >
> > From a security point of view that does sound like a valid use case.
> >
> >
> > Here is a configuration that worked for me, running IOS 15:
> >
> > hostname R1
> > !
> >
> > !
> > no ip domain lookup
> > ipv6 unicast-routing
> > ipv6 cef
> > !
> >
> > !
> > interface FastEthernet0/0
> > vrf forwarding A
> > ip address 9.9.12.1 255.255.255.0
> > duplex half
> > ipv6 address FE80::11 link-local
> > ipv6 address 2001:10:1:1::1/64
> > mpls traffic-eng tunnels
> > mpls ip
> > !
> >
> > !
> > router bgp 1
> > no synchronization
> > bgp log-neighbor-changes
> > no auto-summary
> > !
> > address-family ipv4 vrf A
> > no synchronization
> > exit-address-family
> > !
> > address-family ipv6 vrf A
> > neighbor FE80::22%FastEthernet0/0 remote-as 1
> > neighbor FE80::22%FastEthernet0/0 activate
> > exit-address-family
> > !
> >
> >
> > hostname R2
> > !
> > interface Loopback0
> > ip address 2.2.2.2 255.255.255.255
> > ipv6 address 2001:20::2/128
> > !
> > !
> > interface FastEthernet0/0
> > ip address 9.9.12.2 255.255.255.0
> > ip router isis
> > duplex half
> > ipv6 address FE80::22 link-local
> > ipv6 address 2001:10:1:1::2/64
> > mpls traffic-eng tunnels
> > mpls ip
> > !
> >
> > !
> > router bgp 1
> > no synchronization
> > bgp log-neighbor-changes
> > neighbor FE80::11%FastEthernet0/0 remote-as 1
> > no auto-summary
> > !
> > address-family ipv6
> > network 2001:20::2/128
> > neighbor FE80::11%FastEthernet0/0 activate
> > exit-address-family
> > !
> >
> > -----------------------
> >
> > R1#sh ip bgp vpnv6 unicast rd 1:1
> > BGP table version is 2, local router ID is 1.1.1.1
> > Status codes: s suppressed, d damped, h history, * valid, > best, i -
> > internal,
> > r RIB-failure, S Stale
> > Origin codes: i - IGP, e - EGP, ? - incomplete
> >
> > Network Next Hop Metric LocPrf Weight Path
> > Route Distinguisher: 1:1 (default for vrf A)
> > *>i2001:20::2/128 FE80::22 0 100 0 i
> > R1#
> > R1#
> > R1#sh ip bgp vpnv6 unicast rd 1:1 2001:20::2/128
> > BGP routing table entry for [1:1]2001:20::2/128, version 2
> > Paths: (1 available, best #1, table A)
> > Not advertised to any peer
> > Local
> > FE80::22 (FE80::22) from FE80::22%FastEthernet0/0 (2.2.2.2)
> > Origin IGP, metric 0, localpref 100, valid, internal, best
> > Extended Community: RT:1:1
> > R1#
> >
> > On Fri, Jan 20, 2012 at 10:44 AM, Daniel Kratz <dkratz_at_gmail.com> wrote:
> >>
> >> From a security point of view this is great. A remote DDoS will never
> >> reach link-local addresses, and this traffic will be discarded as close to
> >> the source as possible.
> >>
> >> In the scope of the R&S Lab, on IOS Advanced Enterprise Services 12.4T, you
> >> can form a neighbor relationship using link-local, but you'll need to
> >> manually set the next-hop. [1]
> >>
> >> In newer IOS you can address your neighbor by making reference to the
> >> output interface (Ex: neighbor FE80::3%Serial1/1 remote-as 100). In this
> >> case you don't need to set the next-hop manually.
> >>
> >> Cheers,
> >> Kratz
> >>
> >>
> >> [1] - Implementing Multiprotocol BGP for IPv6
> >> http://www.cisco.com/en/US/docs/ios/ios_xe/ipv6/configuration/guide/ip6-mptcl_bgp_xe.html#wp1043063
> >>
> >>
> >> 2012/1/20 Alberto <albertofsantos_at_gmail.com>
> >>>
> >>> I don't see the reason either, but why don't you try configuring
> >>> update-source and eBGP multihop just to see if it will work
> >>>
> >>> BR
> >>> Sent from my iPhone
> >>>
> >>>
> >>> On 19/01/2012, at 13:47, marc abel <marcabel_at_gmail.com> wrote:
> >>>
> >>>
> >
> >
> > -Rich
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
With Warmest Regards,
CCIE KID
CCIE#29992 (Security)
Received on Sun Jan 22 2012 - 13:24:42 ART
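As an added worked example, not code from this thread or from Cisco IOS, the following Python model shows the point Rich and CCIE KID make about link-local peers: because fe80::/10 is not subnetted, a neighbor statement such as FE80::22%FastEthernet0/0 only becomes usable once the outgoing interface is named, which is what the `%interface` suffix (and the scope_id field of an IPv6 socket address) carries. The interface-name-to-index table, the BGP port constant and the sample neighbor strings are assumptions constructed for the example; a real speaker would obtain the index from `socket.if_nametoindex()`.

```python
"""Scope handling for IPv6 link-local BGP neighbors.

Added example, not code from the mailing-list thread or from Cisco IOS.
IFINDEX is a constructed stand-in for the router's interface table; a real
BGP speaker would call socket.if_nametoindex() instead.
"""
from __future__ import annotations

import ipaddress
from typing import Optional

# Constructed interface table (name -> kernel interface index).
IFINDEX = {"FastEthernet0/0": 2, "FastEthernet0/1": 3, "Serial1/1": 4}
BGP_PORT = 179  # assumption for the example; BGP's well-known TCP port


def parse_neighbor(spec: str) -> tuple[ipaddress.IPv6Address, Optional[str]]:
    """Split an IOS-style 'ADDR%IFNAME' spec into (address, ifname).
    ifname is None when no interface suffix is present."""
    addr_txt, _, ifname = spec.partition("%")
    return ipaddress.IPv6Address(addr_txt), (ifname or None)


def needs_interface(addr: ipaddress.IPv6Address) -> bool:
    """fe80::/10 is not subnetted: the same link-local address may exist on
    every link, so the stack cannot choose an egress from the address alone."""
    return addr.is_link_local


def validate_neighbor(spec: str) -> Optional[str]:
    """Return None if the neighbor statement is usable, else the reason it is not."""
    try:
        addr, ifname = parse_neighbor(spec)
    except ValueError as exc:
        return f"malformed address: {exc}"
    if needs_interface(addr):
        if ifname is None:
            return f"{addr} is link-local; the neighbor needs an %interface suffix"
        if ifname not in IFINDEX:
            return f"unknown interface {ifname!r}"
    return None


def peer_sockaddr(spec: str) -> tuple[str, int, int, int]:
    """Build the (host, port, flowinfo, scope_id) tuple a BGP speaker would
    pass to connect(). scope_id carries the interface index for link-local
    peers; 0 lets the routing table pick the egress for global-scope peers
    (an interface suffix on a non-link-local address is ignored in this model)."""
    problem = validate_neighbor(spec)
    if problem:
        raise ValueError(problem)
    addr, ifname = parse_neighbor(spec)
    scope = IFINDEX.get(ifname, 0) if addr.is_link_local else 0
    return (str(addr), BGP_PORT, 0, scope)


def offlink_reachable(spec: str) -> bool:
    """The security argument from the thread: routers never forward packets to
    a link-local destination, so a remote attacker cannot reach such a peer.
    Only link scope is checked; multicast and loopback are out of scope here."""
    addr, _ = parse_neighbor(spec)
    return not addr.is_link_local


if __name__ == "__main__":
    # Constructed sample neighbor statements mirroring the thread's configs.
    for spec in ("FE80::22%FastEthernet0/0", "2001:10:1:1::2",
                 "FE80::22", "FE80::22%Serial9/9"):
        print(f"{spec:26} -> {validate_neighbor(spec) or peer_sockaddr(spec)}")
```

Running the block prints a scope-qualified socket address for the two usable neighbors and a reason for the two that are not; the bare FE80::22 case is exactly the situation CCIE KID describes, where IOS has to be told the outgoing interface before it can do anything with the address.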

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART