Mailing List Archive

IPv6 OSPFv3 Brocade to Cisco
I’m having trouble getting OSPFv3 up between a Brocade ICX7750 and a Cisco 4500X. I’ve found on cisco-nsp where someone else found a working config using the following:

Brocade side:

ipv6 ospf authentication ipsec spi #### esp sha1 KEY

Cisco side:

ipv6 ospf authentication null
ipv6 ospf encryption ipsec spi #### esp null sha1 KEY

Well, I’m already doing OSPFv3 between Brocades using the exact line in the example, which is good. I also have OSPFv3 neighbors up with our firewall (not Cisco). However, when I use the Cisco side of the example I don’t get a successful neighbor. On the Brocade side, I see a neighbor in the neighbor table, but it’s stuck in INIT state. On the Cisco side, the neighbor table is empty.

Normally when it’s stuck in INIT state, I’d check MTU sizes and general connectivity between both sides. Both are 1500 bytes and both sides can ping each other.

Does anyone have any ideas as to what I can look at next, or if they have a working config that’s different from mine? I can’t remove the authentication without having to clear that out of my network everywhere.

-Christopher
Re: IPv6 OSPFv3 Brocade to Cisco
I’ve got some MLXe’s talking to ASR’s with ospf/ospfv3. I do seem to have a hard coded MTU in there but can’t remember why. On the brocade side, ve interface:

ip mtu 1500
ip ospf area 0
ip ospf md5-authentication key-id 111 key 1 yyyyyyy
ipv6 mtu 1500
ipv6 ospf area 0
ipv6 ospf authentication ipsec spi 222 esp sha1 encryptb64 xxxxxxx


And on the cisco side vlan interface:

ip ospf authentication message-digest
ip ospf message-digest-key 111 md5 7 yyyyyyy
ip ospf 65535 area 0
ipv6 ospf authentication null
ipv6 ospf 65535 area 0
ipv6 ospf encryption ipsec spi 222 esp null sha1 7 xxxxxx



From: foundry-nsp <foundry-nsp-bounces@puck.nether.net> on behalf of "Howard, Christopher" <Christopher-Howard@utc.edu>
Date: Monday, March 21, 2016 at 8:40 PM
To: foundry-nsp <foundry-nsp@puck.nether.net>
Subject: [f-nsp] IPv6 OSPFv3 Brocade to Cisco

I’m having trouble getting OSPFv3 up between a Brocade ICX7750 and a Cisco 4500X. I’ve found on cisco-nsp where someone else found a working config using the following:

Brocade side:

ipv6 ospf authentication ipsec spi #### esp sha1 KEY

Cisco side:

ipv6 ospf authentication null
ipv6 ospf encryption ipsec spi #### esp null sha1 KEY

Well, I’m already doing OSPFv3 between Brocades using the exact line in the example, which is good. I also have OSPFv3 neighbors up with our firewall (not Cisco). However, when I use the Cisco side of the example I don’t get a successful neighbor. On the Brocade side, I see a neighbor in the neighbor table, but it’s stuck in INIT state. On the Cisco side, the neighbor table is empty.

Normally when it’s stuck in INIT state, I’d check MTU sizes and general connectivity between both sides. Both are 1500 bytes and both sides can ping each other.

Does anyone have any ideas as to what I can look at next, or if they have a working config that’s different from mine? I can’t remove the authentication without having to clear that out of my network everywhere.

-Christopher
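
As an added illustration (not part of any poster's message and not vendor tooling): a small Python check that the two interface snippets in the reply above describe the same ESP security association. It recognises only the two command forms quoted in this thread; the function names are made up for the example, and the 40-hex-digit rule for an unencoded SHA-1 key is an assumption applied only when no key-encoding keyword is present.

```python
import re

# Constructed sample: the IPv6 lines from the two snippets in the thread.
# The keys are the thread's own placeholders, not real key material.
BROCADE = """ipv6 ospf area 0
ipv6 ospf authentication ipsec spi 222 esp sha1 encryptb64 xxxxxxx"""
CISCO = """ipv6 ospf authentication null
ipv6 ospf 65535 area 0
ipv6 ospf encryption ipsec spi 222 esp null sha1 7 xxxxxx"""

# Assumption: only the two command forms quoted in the thread are recognised.
TAIL = r"(?P<auth>\S+)(?: (?P<enc_type>\S+))? (?P<key>\S+)$"
PATTERNS = {
    "brocade": re.compile(r"ipv6 ospf authentication ipsec spi (?P<spi>\d+) esp " + TAIL),
    "cisco": re.compile(r"ipv6 ospf encryption ipsec spi (?P<spi>\d+) esp (?P<cipher>\S+) " + TAIL),
}

def parse(vendor, config):
    """Return the ESP parameters from an interface snippet, or None if absent."""
    for line in config.splitlines():
        m = PATTERNS[vendor].fullmatch(line.strip())
        if m:
            sa = m.groupdict()
            sa.setdefault("cipher", "null")  # the Brocade form carries no cipher field
            sa["spi"] = int(sa["spi"])
            return sa
    return None

def compare(brocade, cisco):
    """List the reasons the two ends would not agree on one ESP SA."""
    a, b = parse("brocade", brocade), parse("cisco", cisco)
    if a is None or b is None:
        return ["no ipsec line found on " + ("brocade" if a is None else "cisco")]
    issues = []
    if a["spi"] != b["spi"]:
        issues.append(f"SPI mismatch: {a['spi']} vs {b['spi']}")
    if a["auth"] != b["auth"]:
        issues.append(f"auth algorithm mismatch: {a['auth']} vs {b['auth']}")
    if b["cipher"] != "null":
        issues.append("cisco enables ESP encryption; brocade line is authentication-only")
    for side, sa in (("brocade", a), ("cisco", b)):
        # Assumption: with no encoding keyword the key is raw hex; HMAC-SHA1 takes 160 bits.
        plain = sa["enc_type"] is None and sa["auth"] == "sha1"
        if plain and not re.fullmatch(r"[0-9A-Fa-f]{40}", sa["key"]):
            issues.append(f"{side}: plain sha1 key is not 40 hex digits")
    # The keys themselves are not compared: each vendor stores them in its own encoding.
    return issues
```

An empty list from `compare(BROCADE, CISCO)` means the SPI, ESP cipher and authentication algorithm line up; it says nothing about whether the encoded keys decode to the same value.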
Re: IPv6 OSPFv3 Brocade to Cisco
Thanks for the reply and confirmation. I tried the mtu settings on the Brocade side, but because they are default they don’t show in the running config (this is an ICX).

I'm using vrf-lite in this instance. I started on a vrf, which maybe I shouldn’t have. I tried the exact same config in the default vrf and it works perfectly. However, in a non-default vrf it doesn’t. Maybe I’m overlooking something, I’ll keep digging.

-Christopher

On Mar 21, 2016, at 9:05 PM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:

I’ve got some MLXe’s talking to ASR’s with ospf/ospfv3. I do seem to have a hard coded MTU in there but can’t remember why. On the brocade side, ve interface:

ip mtu 1500
ip ospf area 0
ip ospf md5-authentication key-id 111 key 1 yyyyyyy
ipv6 mtu 1500
ipv6 ospf area 0
ipv6 ospf authentication ipsec spi 222 esp sha1 encryptb64 xxxxxxx


And on the cisco side vlan interface:

ip ospf authentication message-digest
ip ospf message-digest-key 111 md5 7 yyyyyyy
ip ospf 65535 area 0
ipv6 ospf authentication null
ipv6 ospf 65535 area 0
ipv6 ospf encryption ipsec spi 222 esp null sha1 7 xxxxxx



Re: IPv6 OSPFv3 Brocade to Cisco
ip/ipv6 mtu on the interface doesn’t have any impact on the OSPF frames since they’re purely layer 2. Check

default-max-frame-size 9216

in your config. I’m not sure if there’s a way to specifically limit the OSPF frame size.


Regards,
Mike


> On Mar 21, 2016, at 7:24 PM, Howard, Christopher <Christopher-Howard@utc.edu> wrote:
>
> Thanks for the reply and confirmation. I tried the mtu settings on the Brocade side, but because they are default they don’t show in the running config (this is an ICX).
>
> I'm using vrf-lite in this instance. I started on a vrf, which maybe I shouldn’t have. I tried the exact same config in the default vrf and it works perfectly. However, in a non-default vrf it doesn’t. Maybe I’m overlooking something, I’ll keep digging.
>
> -Christopher
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp

*----------- H U R R I C A N E - E L E C T R I C ---------->>
| Mike Tindle | Senior Network Engineer | mtindle@he.net
| ASN 6939 | http://www.he.net | 510-580-4126
*--------------------------------------------------->>
Re: IPv6 OSPFv3 Brocade to Cisco
Some more testing reveals that ospfv3 neighbors come up fine in the non-default vrf if I remove the authentication.

To summarize:
In default vrf, ospfv3 neighbors all come up with authentication enabled
In non-default vrf, ospfv3 neighbors never come up unless authentication is disabled. The Cisco side appears to be ignoring any hellos received.
Both the default vrf and the non-default vrf are tagged across the same link between units (not using native vlan).

I'm considering a software upgrade on the Cisco, but release notes don't mention anything to do with resolved issues with ospfv3.

-Christopher

On Mar 21, 2016, at 10:24 PM, Howard, Christopher <Christopher-Howard@utc.edu> wrote:

Thanks for the reply and confirmation. I tried the mtu settings on the Brocade side, but because they are default they don’t show in the running config (this is an ICX).

I'm using vrf-lite in this instance. I started on a vrf, which maybe I shouldn’t have. I tried the exact same config in the default vrf and it works perfectly. However, in a non-default vrf it doesn’t. Maybe I’m overlooking something, I’ll keep digging.

-Christopher
