02-02-2022 07:42 AM
Hello,
we have a dot1q tunnel to our co-location
and can ping the servers in the co-location
over IPv4, but not over IPv6. The servers
get an IPv6 address through the dot1q tunnel
from the router interface per stateless
address autoconfiguration, but I can't reach
the servers over IPv6. Between the servers
on each site of the tunnel IPv6 is working.
I was thinking dot1q tunnel is layer 2 and
IPv4/IPv6 doesn't matter ?
Is there something special to configure for
IPv6 through a dot1q tunnel ?
Regards
Ralf
02-03-2022 04:11 AM
Hello,
in theory, the dot1q tunnel should be layer 2 only, and IPv6 traffic should pass. Can you post the configs of both tunnel endpoints ?
02-03-2022 05:50 AM
Here the configs..
Head Office:
-----------------
interface Port-channel4
 description DOT1Q Tunnel FB4
 switchport access vlan 446
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
interface TenGigabitEthernet1/1/7
 description Po4 DOT1Q Tunnel FB4
 switchport access vlan 446
 switchport mode dot1q-tunnel
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 4 mode active
interface TenGigabitEthernet2/1/7
 description Po4 DOT1Q Tunnel FB4
 switchport access vlan 446
 switchport mode dot1q-tunnel
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 4 mode active
Co-Location:
-----------------
interface Port-channel1
 description Dot1Q_Tunnel_Huck
 switchport
 switchport mode dot1q-tunnel
 switchport access vlan 446
 mtu 9216
 logging event spanning-tree status
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 spanning-tree bpdufilter enable
interface TenGigabitEthernet7/11
 description DV2SP 1-G3/4 R.E42.U004
 switchport
 switchport mode dot1q-tunnel
 switchport access vlan 446
 mtu 9216
 logging event spanning-tree status
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 1 mode active
interface TenGigabitEthernet7/12
 description DV2SP 1-G5/6 R.E42.U004
 switchport
 switchport mode dot1q-tunnel
 switchport access vlan 446
 mtu 9216
 logging event spanning-tree status
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 1 mode active
02-08-2022 02:08 PM
Hello,
sorry for the late response. Maybe changing the sdm prefer template helps:
sdm prefer dual-ipv4-and-ipv6 default
02-09-2022 12:11 AM
Hello,
where should this be configured.. on the customer switches, on the tunnel switches or on all ?
C --- T ... T --- C
My customer side switches don't know sdm. One side is an old cat6509 with sup2t-10g and
ios 15.2 and the other side is a sx550x. If this should be configured on the tunnel switches,
then I have to ask a colleague to do this. What if the tunnel switches don't support sdm either?
Regards
Ralf
02-09-2022 02:58 AM
Hello,
if at all, this preferred template should be configured on both T switches. I have no idea if this makes any difference, but it was the only thing I could think of. It is rather strange that a layer 2 link blocks any sort of layer 3 (IPv6 in this case ) traffic.
02-09-2022 06:14 AM
The one tunnel switch is a cat6800 and doesn't know sdm and the other tunnel switch is a cat9300 which only knows the access template. So we can't configure this option on the tunnel switches and try it out.
Regards
Ralf
02-09-2022 06:34 AM
Hello,
I was reading through your initial post:
--> The servers get an IPv6 address through the dot1q tunnel from the router interface per stateless address autoconfiguration,
What does the router configuration look like ? The problem might be elsewhere, meaning: not with the dot1q tunnel..
02-09-2022 06:54 AM
I searched in the config and found that here.. I never configured this.. that must be autogenerated.
Maybe this is somehow relevant ? But it's not attached to an interface..
!
class-map match-any class-copp-icmp-redirect-unreachable
class-map match-all class-copp-glean
class-map match-all class-copp-receive
class-map match-all class-copp-options
class-map match-all class-copp-broadcast
class-map match-all class-copp-mcast-acl-bridged
class-map match-all class-copp-slb
class-map match-all class-copp-mtu-fail
class-map match-all class-copp-ttl-fail
class-map match-all class-copp-arp-snooping
class-map match-any class-copp-mcast-copy
class-map match-any class-copp-ip-connected
class-map match-any class-copp-match-igmp
 match access-group name acl-copp-match-igmp
class-map match-all class-copp-unknown-protocol
class-map match-any class-copp-vacl-log
class-map match-all class-copp-mcast-ipv6-control
class-map match-any class-copp-match-pimv6-data
 match access-group name acl-copp-match-pimv6-data
class-map match-any class-copp-mcast-punt
class-map match-all class-copp-unsupp-rewrite
class-map match-all class-copp-ucast-egress-acl-bridged
class-map match-all class-copp-ip-admission
class-map match-any class-copp-dpss-divert
class-map match-all class-copp-service-insertion
class-map match-all class-copp-mac-pbf
class-map match-any class-copp-match-mld
 match access-group name acl-copp-match-mld
class-map match-all class-copp-ucast-ingress-acl-bridged
class-map match-all class-copp-dhcp-snooping
class-map match-all class-copp-wccp
class-map match-all class-copp-nd
class-map match-any class-copp-ipv6-connected
class-map match-all class-copp-mcast-rpf-fail
class-map match-any class-copp-match-ndv6hl
 match access-group name acl-copp-match-ndv6hl
class-map match-any class-copp-ucast-rpf-fail
class-map match-all class-copp-mcast-ip-control
class-map match-any class-copp-match-pim-data
 match access-group name acl-copp-match-pim-data
class-map match-any class-copp-match-ndv6
 match access-group name acl-copp-match-ndv6
class-map match-any class-copp-mcast-v4-data-on-routedPort
class-map match-any class-copp-mcast-v6-data-on-routedPort
!
policy-map policy-default-autocopp
 class class-copp-mcast-v4-data-on-routedPort
  police rate 10 pps burst 1 packets conform-action drop exceed-action drop
 class class-copp-mcast-v6-data-on-routedPort
  police rate 10 pps burst 1 packets conform-action drop exceed-action drop
 class class-copp-match-mld
  police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
 class class-copp-match-igmp
  police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
 class class-copp-icmp-redirect-unreachable
  police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
 class class-copp-ucast-rpf-fail
  police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
 class class-copp-vacl-log
  police rate 2000 pps burst 1 packets conform-action transmit exceed-action drop
 class class-copp-mcast-punt
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-mcast-copy
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-ip-connected
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-ipv6-connected
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-match-pim-data
  police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
 class class-copp-match-pimv6-data
  police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
 class class-copp-match-ndv6
  police rate 1000 pps burst 1000 packets conform-action set-discard-class-transmit 48 exceed-action drop
!
ipv6 access-list acl-copp-match-mld
 permit icmp any any mld-report
 permit icmp any any mld-query
 permit icmp any any mld-reduction
 permit icmp any any 143
!
ipv6 access-list acl-copp-match-ndv6
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
 permit icmp any any redirect
!
ipv6 access-list acl-copp-match-ndv6hl
 permit icmp any any nd-na hoplimit
 permit icmp any any nd-ns hoplimit
 permit icmp any any router-advertisement hoplimit
 permit icmp any any router-solicitation hoplimit
 permit icmp any any redirect hoplimit
!
ipv6 access-list acl-copp-match-pimv6-data
 deny 103 any host FF02::D
 permit 103 any any
!
02-09-2022 07:03 AM
Hello,
interesting...that is the control plane policy. What device is this configured on (e.g. Cisco ISR 4431) ?
02-09-2022 07:07 AM
That's a WS-C6509-E switch with a VS-SUP2T-10G supervisor engine with IOS Version 15.2..
02-09-2022 07:16 AM
Hello,
you could try and change the copp, especially this class, change it to:
class class-copp-ipv6-connected
police rate 100000 pps burst 25600 packets conform-action transmit exceed-action drop
The link below describes how to edit the copp:
02-09-2022 07:36 AM
I changed it in the policy-default-autocopp map, but seems not to help.
I can't ping from the server on the one side to the router interface on
the other side of the tunnel. If I look with "show policy-map control-plane"
at the counter there is no traffic..
Hardware Counters:
class-map: class-copp-ipv6-connected (match-any)
Match: none
police :
100000 pps 25600 limit 25600 extended limit
Earl in slot 2 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 3 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 4 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 5 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 6 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 7 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 8 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Software Counters:
Class-map: class-copp-ipv6-connected (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
0 packets, 0 bytes
5 minute rate 0 bps
police:
rate 100000 pps, burst 25600 packets
conformed 0 packets, 0 bytes; action:
transmit
exceeded 0 packets, 0 bytes; action:
drop
conformed 0 pps, exceeded 0 pps
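An added example (not part of the original thread and not Cisco tooling): a small Python parser for the hardware-counter section of "show policy-map control-plane" in the format quoted above, summing the per-slot counters to show whether a CoPP class saw any traffic and whether its policer dropped any. The sample text is constructed, the second class's non-zero values are invented, and reading the bare "N packets" line under each slot as the matched-packet count is an assumption.

```python
import re

# Constructed sample in the format of the output quoted above. The values for
# class-copp-match-ndv6 are invented to show a policer that is dropping.
SAMPLE = """\
Hardware Counters:
class-map: class-copp-ipv6-connected (match-any)
Earl in slot 2 :
0 packets
aggregate-forwarded 0 packets
exceeded 0 packets action: drop
Earl in slot 3 :
0 packets
aggregate-forwarded 0 packets
exceeded 0 packets action: drop
class-map: class-copp-match-ndv6 (match-any)
Earl in slot 2 :
1200 packets
aggregate-forwarded 1150 packets
exceeded 50 packets action: drop
Software Counters:
Class-map: class-copp-ipv6-connected (match-any)
"""

# Assumption: the bare "N packets" line under a slot is the matched-packet count.
FIELDS = (("offered", r"(\d+) packets$"),
          ("forwarded", r"aggregate-forwarded (\d+) packets$"),
          ("exceeded", r"exceeded (\d+) packets\b"))

def parse_hw_counters(text):
    """Sum the per-slot hardware counters of every CoPP class."""
    totals, cls, in_hw, in_slot = {}, None, False, False
    for line in map(str.strip, text.splitlines()):
        if line.endswith("Counters:"):
            in_hw, cls, in_slot = line.startswith("Hardware"), None, False
        elif in_hw and (m := re.match(r"class-map:\s*(\S+)", line, re.I)):
            cls, in_slot = m.group(1), False
            totals.setdefault(cls, {"offered": 0, "forwarded": 0, "exceeded": 0})
        elif in_hw and cls and line.startswith("Earl in slot"):
            in_slot = True
        elif in_hw and cls and in_slot:
            for name, pattern in FIELDS:
                if m := re.match(pattern, line):
                    totals[cls][name] += int(m.group(1))
    return totals

def verdict(counters):
    """Did traffic reach the policer, and was any of it dropped?"""
    if counters["offered"] == 0:
        return "no traffic matched"
    return "policer dropping" if counters["exceeded"] else "within rate"
```

A class that reports "no traffic matched" on every slot, as class-copp-ipv6-connected does in the output above, is not rate-limiting the pings, whatever its configured rate.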
02-09-2022 07:41 AM
root@p7920b:~# ping6 -c 20 2001:638:XXX:14D1:21C:B1FF:FEAC:BC00
PING 2001:638:XXX:14D1:21C:B1FF:FEAC:BC00(2001:638:XXX:14d1:21c:b1ff:feac:bc00) 56 Datenbytes
--- 2001:638:XXX:14D1:21C:B1FF:FEAC:BC00 ping statistics ---
20 Pakete übertragen, 0 empfangen, 100% Paketverlust, Zeit 19458ms
fb4_int2#show ipv6 interface vlan 10
Vlan10 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21C:B1FF:FEAC:BC00
No Virtual link-local address(es):
Global unicast address(es):
2001:638:XXX:14D1:21C:B1FF:FEAC:BC00, subnet is 2001:638:XXX:14D1::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFAC:BC00
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Output features: HW Shortcut Installation
Post_Encap features: HW shortcut
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
02-09-2022 07:54 AM
Hello,
where does an IPv6 traceroute stop (traceroute ipv6) ?