Mailing List Archive

v6 vrrp
r0.sea(config)#fhrp version vrrp v3
r0.sea(config)#interface GigabitEthernet0/0/0
r0.sea(config-if)# vrrp 1 address-family ipv4
r0.sea(config-if-vrrp)# description ipv4 vrrp
r0.sea(config-if-vrrp)# address 147.28.0.1 primary
r0.sea(config-if-vrrp)# priority 120
r0.sea(config-if-vrrp)# vrrp 2 address-family ipv6
r0.sea(config-if-vrrp)# description ipv6 vrrp
r0.sea(config-if-vrrp)# address 2001:418:1::1 primary
% You must specify a prefix for a non link-local address.
r0.sea(config-if-vrrp)#

clue bat?

randy
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: v6 vrrp
Randy Bush writes:
> r0.sea(config)#fhrp version vrrp v3
> r0.sea(config)#interface GigabitEthernet0/0/0
> r0.sea(config-if)# vrrp 1 address-family ipv4
> r0.sea(config-if-vrrp)# description ipv4 vrrp
> r0.sea(config-if-vrrp)# address 147.28.0.1 primary
> r0.sea(config-if-vrrp)# priority 120
> r0.sea(config-if-vrrp)# vrrp 2 address-family ipv6
> r0.sea(config-if-vrrp)# description ipv6 vrrp
> r0.sea(config-if-vrrp)# address 2001:418:1::1 primary
> % You must specify a prefix for a non link-local address.
> r0.sea(config-if-vrrp)#

> clue bat?

For a global IPv6 address, it wants a prefix length. Here's an example
of a (presumably working) IPv6 VRRP setup on one of our routers:

interface GigabitEthernet1/2
 ! ...
 vrrp 254 address-family ipv6
  priority 110
  address FE80::254 primary
  address 2001:620:F1FF:F2F0::254/64
  exit-vrrp

I don't claim to understand this (or the reason why the prefix length is
required for non-link-local addresses). I'm sure my teammates know! Can
ask them on Monday...

Cheers,
--
Simon.

Re: v6 vrrp
someone i will not uncloak, as they chose not to cc: the list,
gave me the clue

vrrp 1 address-family ipv4
 description ipv4 vrrp
 priority 120
 vrrpv2
 address 147.28.0.1 primary
 exit-vrrp
vrrp 2 address-family ipv6
 description ipv6 vrrp
 address FE80::10 primary
 address 2001:418:1::1/64
 exit-vrrp

now to make the matching junos. for a junos facing an xr, i
did not have to do this link local stuff.

randy
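
A pre-deployment lint for the mistake worked through in the messages above (an added example, not part of any post in this thread): in each "vrrp N address-family ipv6" block it checks that the primary address is link-local and that every non-link-local address carries a prefix length, which is what IOS XE accepted here. The function names and finding codes are hypothetical, and the sample inputs are assembled from the configs quoted in the thread.

```python
import ipaddress
import re

GROUP_RE = re.compile(r"^vrrp (\d+) address-family ipv6$")
ADDR_RE = re.compile(r"^address (\S+?)(/\d+)?( primary)?$")

# Sample inputs assembled from the configs quoted in this thread.
REJECTED = """\
vrrp 1 address-family ipv4
 address 147.28.0.1 primary
vrrp 2 address-family ipv6
 address 2001:418:1::1 primary
"""
ACCEPTED = """\
vrrp 2 address-family ipv6
 address FE80::10 primary
 address 2001:418:1::1/64
 exit-vrrp
"""

def ipv6_groups(config):
    """Yield (group_id, body_lines) for each 'vrrp N address-family ipv6' block."""
    group, body = None, []
    for line in (raw.strip() for raw in config.splitlines()):
        # A new vrrp/interface line or exit-vrrp closes the block in progress.
        if line.startswith(("vrrp ", "interface ")) or line == "exit-vrrp":
            if group is not None:
                yield group, body
            m = GROUP_RE.match(line)
            group, body = (int(m.group(1)) if m else None), []
        elif group is not None:
            body.append(line)
    if group is not None:
        yield group, body

def lint_vrrp6(config):
    """Return (group_id, finding) pairs; an empty list means no findings."""
    findings = []
    for group, body in ipv6_groups(config):
        link_local_primary = False
        for m in filter(None, map(ADDR_RE.match, body)):
            addr = ipaddress.IPv6Address(m.group(1))
            if addr.is_link_local and m.group(3):
                link_local_primary = True
            if not addr.is_link_local and not m.group(2):
                findings.append((group, "global-without-prefix"))
        if not link_local_primary:
            findings.append((group, "no-link-local-primary"))
    return findings
```

lint_vrrp6(REJECTED) reports both findings for group 2; lint_vrrp6(ACCEPTED) returns an empty list.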

Re: v6 vrrp
On Sat, Jul 09, 2022 at 01:44:28PM -0700, Randy Bush wrote:
> now to make the matching junos. for a junos facing an xr, i
> did not have to do this link local stuff.

The standard states that the first address in VRRP v3 IPv6 needs to be
an IPv6 link-local address.
https://datatracker.ietf.org/doc/html/rfc5798

> In the IPv6 case (that is, IPvX is IPv6 everywhere in the figure),
> each router has a link-local IPv6 address on the LAN interface (Rtr1
> is assigned IPv6 Link-Local A and Rtr2 is assigned IPv6 Link-
> Local B), and each host learns a default route from Router
> Advertisements through one of the routers (in this example, they all
> use Rtr1's IPv6 Link-Local A).

Due to RA.

Some vendors force or interpret the standard differently than others.

Re: v6 vrrp
Junos automatically assigns LL as 1st. IOS-XR can be made to do this
auto-assign, and will use the same policy to generate it.

SROS validates that the set of virtuals are identical, so having SROS
in the network forces you to look a little bit deeper, if you want
VRRP to actually work.

It is easy to come up with a config which does not interoperate, and
possible to find two implementations which won't, business as usual
in IPv6, as no one uses it, edges are rough.


On Sun, 10 Jul 2022 at 00:20, Doug McIntyre <merlyn@geeks.org> wrote:
>
> On Sat, Jul 09, 2022 at 01:44:28PM -0700, Randy Bush wrote:
> > now to make the matching junos. for a junos facing an xr, i
> > did not have to do this link local stuff.
>
> The standard states that the first address in VRRP v3 IPv6 needs to be
> an IPv6 link-local address.
> https://datatracker.ietf.org/doc/html/rfc5798
>
> > In the IPv6 case (that is, IPvX is IPv6 everywhere in the figure),
> > each router has a link-local IPv6 address on the LAN interface (Rtr1
> > is assigned IPv6 Link-Local A and Rtr2 is assigned IPv6 Link-
> > Local B), and each host learns a default route from Router
> > Advertisements through one of the routers (in this example, they all
> > use Rtr1's IPv6 Link-Local A).
>
> Due to RA.
>
> Some vendors force or interpret the standard differently than others.

--
++ytti

Re: v6 vrrp
> The standard states that the first address in VRRP v3 IPv6 needs to be
> an IPv6 link-local address.
> https://datatracker.ietf.org/doc/html/rfc5798

yup. but as saku says, both xr and junos create the link local
automagically. and that is what i had in a different pop. so i
mistakenly assumed xe would do the dirty. my error.

randy

Re: v6 vrrp
On 7/10/22 11:56, Randy Bush wrote:
>> The standard states that the first address in VRRP v3 IPv6 needs to be
>> an IPv6 link-local address.
>> https://datatracker.ietf.org/doc/html/rfc5798
> yup. but as saku says, both xr and junos create the link local
> automagically. and that is what i had in a different pop. so i
> mistakenly assumed xe would do the dirty. my error.

As we've seen many times before, IOS XE and IOS XR may, just as well, be
from two very different companies.

We've hit a few issues with VRRP for IPv6, in the past, where it would
simply stop working for no apparent reason, while VRRP for IPv4 is
working just fine, on the same interface. In the end, a reboot of the
router fixed the issue. Seems to be a hardware programming issue, that
is very intermittent.

Look out for this, on the ASR1000 family.

Mark.

Re: v6 vrrp
> On Jul 14, 2022, at 8:34 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>
>
> On 7/10/22 11:56, Randy Bush wrote:
>>> The standard states that the first address in VRRP v3 IPv6 needs to be
>>> an IPv6 link-local address.
>>> https://datatracker.ietf.org/doc/html/rfc5798
>> yup. but as saku says, both xr and junos create the link local
>> automagically. and that is what i had in a different pop. so i
>> mistakenly assumed xe would do the dirty. my error.
>
> As we've seen many times before, IOS XE and IOS XR may, just as well, be from two very different companies.
>
> We've hit a few issues with VRRP for IPv6, in the past, where it would simply stop working for no apparent reason, while VRRP for IPv4 is working just fine, on the same interface. In the end, a reboot of the router fixed the issue. Seems to be a hardware programming issue, that is very intermittent.
>
> Look out for this, on the ASR1000 family.

I’m doing much less work with Cisco these last few years, and you reminded me I do have some folks with ASR-1000 series that are way, way, way overdue for some work. I have literally no idea about how the current licensing scheme works, nor the whole split/change to IOS. I think that’s all too basic for this list, but if anyone here has some pointers to resources outside of cisco’s own site that could get me up to speed a bit, I’d really appreciate it.

Thanks,

Charles

>
> Mark.

Re: v6 vrrp
On Fri, 15 Jul 2022 at 03:09, Charles Sprickman <spork@bway.net> wrote:

> I’m doing much less work with Cisco these last few years, and you reminded me I do have some folks with ASR-1000 series that are way, way, way overdue for some work. I have literally no idea about how the current licensing scheme works, nor the whole split/change to IOS. I think that’s all too basic for this list, but if anyone here has some pointers to resources outside of cisco’s own site that could get me up to speed a bit, I’d really appreciate it.

I would suggest to use this:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/smart-licensing/qsg/b_Smart_Licensing_QuickStart/b_Smart_Licensing_QuickStart_chapter_01000.html

With it you never need to phone home after initial install and you'll
never expire your license.

Technical license enforcement is an entirely non-workable idea, we've
had HTTPS for almost 30 years and regularly serious, well resourced
companies fail to re-up their licenses before they expire. In HTTPS we
can probably justify the benefits of expiry outweigh the harm, but in
licensing we cannot, and we must not accept technical enforcement from
any vendor.

Juniper is coming up with licensing but have strategically decided not
to do technical enforcement. I am not against licensing wholesale, but
I want it to be a commercial problem, not a technical one. I'm fine
calling home and reporting non-compliance.

--
++ytti

Re: v6 vrrp
On 7/15/22 07:56, Saku Ytti wrote:

>
> Juniper is coming up with licensing but have strategically decided not
> to do technical enforcement. I am not against licensing wholesale, but
> I want it to be a commercial problem, not a technical one. I'm fine
> calling home and reporting non-compliance.

Agreed, I also like the Juniper model. The licensing is more commercial
and support, than technical (except for PPPoE session scaling in BNG
applications, IIRC).

But like Charles, we are also doing less and less work on Cisco. The
last time we did an IOS XE upgrade on the ASR1002-X and ASR1006, it was
anywhere between 21 - 42 steps to move from 3.x to 17.x :-(.

Mark.

Re: v6 vrrp
> On Jul 15, 2022, at 4:12 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>
>
> On 7/15/22 07:56, Saku Ytti wrote:
>
>>
>> Juniper is coming up with licensing but have strategically decided not
>> to do technical enforcement. I am not against licensing wholesale, but
>> I want it to be a commercial problem, not a technical one. I'm fine
>> calling home and reporting non-compliance.
>
> Agreed, I also like the Juniper model. The licensing is more commercial and support, than technical (except for PPPoE session scaling in BNG applications, IIRC).
>
> But like Charles, we are also doing less and less work on Cisco. The last time we did an IOS XE upgrade on the ASR1002-X and ASR1006, it was anywhere between 21 - 42 steps to move from 3.x to 17.x :-(.

Oh my god… I’m going to be consultant shopping. That’s well above my pay grade.

If you’re not looking for any new features from IOS and simply want to have a secure/patched version, is there any option at all to park in XE and stay there? There’s a handful of these that have become pretty dumb big routers w/very simple BGP and not much else due to the world moving to metro-e as the go-to access option.

Thanks,

Charles

>
> Mark.

Re: v6 vrrp
On 7/15/22 21:16, Charles Sprickman wrote:

> If you’re not looking for any new features from IOS and simply want to have a secure/patched version, is there any option at all to park in XE and stay there? There’s a handful of these that have become pretty dumb big routers w/very simple BGP and not much else due to the world moving to metro-e as the go-to access option.

From what I can see, 3.16.9S(MD) is the latest release from that era.
It is from March of 2019, though.

Mark.