Sunday, November 2, 2008

IPv6: RIPng, traffic filters and split horizon

R5, R6 and R7 all sit on the same LAN. R6 is also connected to R9. R5 must see the network between R6 and R9 with a next hop of R7, not R6. How can we do it?

Well, first we need to disable split horizon on R7, so that R7 re-advertises the route it learned from R6 back out the same LAN interface. For IPv6 RIP, this is done under the routing process:

IPeR7(config)#ipv6 router rip RIP6
IPeR7(config-rtr)#no split-horizon


Next we need to filter routing updates from R6. What do these RIPng packets look like? We can see them with "debug ipv6 rip":

IPeR5#debug ipv6 rip
RIP Routing Protocol debugging is on
IPeR5#
*Nov 3 00:45:44.453: RIPng: response received from FE80::6 on FastEthernet0/0 for RIP6
*Nov 3 00:45:44.453: src=FE80::6 (FastEthernet0/0)
*Nov 3 00:45:44.453: dst=FF02::9
*Nov 3 00:45:44.453: sport=521, dport=521, length=52
*Nov 3 00:45:44.453: command=2, version=1, mbz=0, #rte=2
*Nov 3 00:45:44.453: tag=0, metric=1, prefix=2001:200::/64
*Nov 3 00:45:44.453: tag=0, metric=1, prefix=2001:96::/64


Now that we know the source and destination, we can create our filter:

IPeR5(config)#ipv6 access-list RIP-FILTER
IPeR5(config-ipv6-acl)#deny ipv6 FE80::6/128 FF02::9/128
IPeR5(config-ipv6-acl)#permit ipv6 any any
IPeR5(config-ipv6-acl)#int f0/0
IPeR5(config-if)#ipv6 access-group RIP-FILTER in
^
% Invalid input detected at '^' marker.


Whoa! What gives!? This stupid thing doesn't let me apply my ACL.

IPeR5(config-if)#ipv6 acc?
% Unrecognized command


Well, that's because traffic filtering in IPv6 uses a whole different syntax:

IPeR5(config-if)#ipv6 traffic-filter RIP-FILTER in
IPeR5(config-if)#


BAM!

Let's clear the route table then check our next hop:

IPeR5#show ipv6 route rip | sec exclude Codes:
IPv6 Routing Table - 7 entries
R 2001:96::/64 [120/3]
via FE80::7, FastEthernet0/0
IPeR5#
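
The RIPng response from the debug output and the first-match behaviour of RIP-FILTER, modelled as an added example (not code from the original post). The function names are hypothetical, the sample payload is constructed to match the debug lines, and the source-port and link-local checks follow RFC 2080 rather than anything IOS-specific.

```python
import ipaddress
import struct

RIPNG_PORT = 521
# First-match ACL modelled on RIP-FILTER: (action, source network, destination network)
RIP_FILTER = [
    ("deny", ipaddress.ip_network("FE80::6/128"), ipaddress.ip_network("FF02::9/128")),
    ("permit", ipaddress.ip_network("::/0"), ipaddress.ip_network("::/0")),
]

def build_response(routes):
    """Constructed sample: RIPng response (command=2, version=1, mbz=0) plus RTEs."""
    pkt = struct.pack("!BBH", 2, 1, 0)
    for prefix, tag, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += net.network_address.packed + struct.pack("!HBB", tag, net.prefixlen, metric)
    return pkt

def parse_ripng(payload):
    """Decode the 4-byte header and the 20-byte route table entries (RFC 2080)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("truncated RIPng message")
    command, version, mbz = struct.unpack("!BBH", payload[:4])
    rtes = []
    for off in range(4, len(payload), 20):
        addr = ipaddress.IPv6Address(payload[off:off + 16])
        tag, plen, metric = struct.unpack("!HBB", payload[off + 16:off + 20])
        rtes.append({"prefix": f"{addr}/{plen}", "tag": tag, "metric": metric})
    return {"command": command, "version": version, "mbz": mbz, "rtes": rtes}

def acl_action(src, dst, acl=RIP_FILTER):
    """Return the action of the first matching entry (simplified fall-through: deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def accept_update(src, dst, sport, payload):
    """Inbound filter first, then sanity checks on the response itself."""
    if acl_action(src, dst) != "permit":
        return None  # dropped at the interface, the RIP process never sees it
    if sport != RIPNG_PORT or not ipaddress.ip_address(src).is_link_local:
        return None  # RFC 2080: responses come from port 521 and a link-local source
    msg = parse_ripng(payload)
    return msg if msg["command"] == 2 and msg["version"] == 1 else None

# Constructed payload matching the two prefixes in the debug output (44 bytes + 8-byte UDP header = 52)
SAMPLE = build_response([("2001:200::/64", 0, 1), ("2001:96::/64", 0, 1)])
```

Because the deny entry matches on `ipv6` rather than UDP port 521, it drops every packet from FE80::6 to FF02::9, which is acceptable here only because FF02::9 is the RIP routers group.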

2 comments:

  1. Hi. Would you mind posting a diagram of this? I am struggling to understand why you would do this.

  2. |-----R5
    |
    switch-----R6----R9
    |
    |-----R7
