
IPv6 not working over dot1q-tunnel ?

ralfw
Level 1

Hello,

 

we have a dot1q tunnel to our co-location
and can ping the servers in the co-location
over IPv4, but not over IPv6. The servers
get an IPv6 address through the dot1q tunnel
from the router interface per stateless
address autoconfiguration, but I can't reach
the servers over IPv6. Between the servers
on each site of the tunnel IPv6 is working.

 

I was thinking dot1q tunnel is layer 2 and
IPv4/IPv6 doesn't matter ?

 

Is there something special to configure for
IPv6 through a dot1q tunnel ?


Regards
Ralf

 

32 Replies

Hello,

 

in theory, the dot1q tunnel should be layer 2 only, and IPv6 traffic should pass. Can you post the configs of both tunnel endpoints ?

ralfw
Level 1

Here the configs..

 

Head Office:
-----------------

interface Port-channel4
 description DOT1Q Tunnel FB4
 switchport access vlan 446
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp

interface TenGigabitEthernet1/1/7
 description Po4 DOT1Q Tunnel FB4
 switchport access vlan 446
 switchport mode dot1q-tunnel
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 4 mode active

interface TenGigabitEthernet2/1/7
 description Po4 DOT1Q Tunnel FB4
 switchport access vlan 446
 switchport mode dot1q-tunnel
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 4 mode active

 


Co-Location:
-----------------

interface Port-channel1
 description Dot1Q_Tunnel_Huck
 switchport
 switchport mode dot1q-tunnel
 switchport access vlan 446
 mtu 9216
 logging event spanning-tree status
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 spanning-tree bpdufilter enable

interface TenGigabitEthernet7/11
 description DV2SP 1-G3/4 R.E42.U004
 switchport
 switchport mode dot1q-tunnel
 switchport access vlan 446
 mtu 9216
 logging event spanning-tree status
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 1 mode active

interface TenGigabitEthernet7/12
 description DV2SP 1-G5/6 R.E42.U004
 switchport
 switchport mode dot1q-tunnel
 switchport access vlan 446
 mtu 9216
 logging event spanning-tree status
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 channel-group 1 mode active
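
Added example, not part of the original posts: a small Python helper that diffs the sub-commands of the two Port-channel stanzas posted above, so settings present on only one tunnel endpoint stand out. The function names are illustrative; the config text is copied from the post.

```python
# Port-channel stanzas copied from the post above.
HEAD_OFFICE = """\
interface Port-channel4
 description DOT1Q Tunnel FB4
 switchport access vlan 446
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
"""
CO_LOCATION = """\
interface Port-channel1
 description Dot1Q_Tunnel_Huck
 switchport
 switchport mode dot1q-tunnel
 switchport access vlan 446
 mtu 9216
 logging event spanning-tree status
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 spanning-tree bpdufilter enable
"""
IGNORED = ("description ",)  # free text, expected to differ between sites

def parse_interfaces(config):
    """Return {interface name: set of sub-commands} for an IOS config snippet."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None  # a blank line or "!" ends the stanza
        elif line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], set())
        elif current is not None and not line.startswith(IGNORED):
            current.add(line)
    return stanzas

def diff_ports(config_a, if_a, config_b, if_b):
    """Return (commands only on A, commands only on B), each sorted."""
    a = parse_interfaces(config_a)[if_a]
    b = parse_interfaces(config_b)[if_b]
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    only_ho, only_colo = diff_ports(HEAD_OFFICE, "Port-channel4", CO_LOCATION, "Port-channel1")
    print("only at head office:", only_ho)
    print("only at co-location:", only_colo)
```

A line missing on one side may only be a platform default that the running-config does not print, so each difference is something to verify on the device rather than a finding in itself.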

 

Hello,

 

sorry for the late response. Maybe changing the sdm prefer template helps:

 

sdm prefer dual-ipv4-and-ipv6 default

Hello,

 

where should this be configured.. on the customer switches, on the tunnel switches or on all ?

C --- T ... T --- C

 

My customer side switches don't know sdm. One side is an old cat6509 with sup2t-10g and ios 15.2 and the other side is a sx550x. If this should be configured on the tunnel switches, then I have to ask a colleague to do this. What if the tunnel switches don't support sdm either ?

 

Regards

Ralf

 

 

Hello,

 

if at all, this preferred template should be configured on both T switches. I have no idea if this makes any difference, but it was the only thing I could think of. It is rather strange that a layer 2 link blocks any sort of layer 3 (IPv6 in this case ) traffic.

The one tunnel switch is a cat6800 and doesn't know sdm and the other tunnel switch is a cat9300 which only knows the access template. So we can't configure this option on the tunnel switches and try it out.

 

Regards

Ralf

 

Hello,

 

I was reading through your initial post:

 

--> The servers get an IPv6 address through the dot1q tunnel from the router interface per stateless address autoconfiguration,

 

What does the router configuration look like ? The problem might be elsewhere, meaning: not with the dot1q tunnel..

I searched in the config and found that here.. I never configured this.. that must be autogenerated.

Maybe this is somehow relevant ? But it's not attached to an interface..

 

!
class-map match-any class-copp-icmp-redirect-unreachable
class-map match-all class-copp-glean
class-map match-all class-copp-receive
class-map match-all class-copp-options
class-map match-all class-copp-broadcast
class-map match-all class-copp-mcast-acl-bridged
class-map match-all class-copp-slb
class-map match-all class-copp-mtu-fail
class-map match-all class-copp-ttl-fail
class-map match-all class-copp-arp-snooping
class-map match-any class-copp-mcast-copy
class-map match-any class-copp-ip-connected
class-map match-any class-copp-match-igmp
 match access-group name acl-copp-match-igmp
class-map match-all class-copp-unknown-protocol
class-map match-any class-copp-vacl-log
class-map match-all class-copp-mcast-ipv6-control
class-map match-any class-copp-match-pimv6-data
 match access-group name acl-copp-match-pimv6-data
class-map match-any class-copp-mcast-punt
class-map match-all class-copp-unsupp-rewrite
class-map match-all class-copp-ucast-egress-acl-bridged
class-map match-all class-copp-ip-admission
class-map match-any class-copp-dpss-divert
class-map match-all class-copp-service-insertion
class-map match-all class-copp-mac-pbf
class-map match-any class-copp-match-mld
 match access-group name acl-copp-match-mld
class-map match-all class-copp-ucast-ingress-acl-bridged
class-map match-all class-copp-dhcp-snooping
class-map match-all class-copp-wccp
class-map match-all class-copp-nd
class-map match-any class-copp-ipv6-connected
class-map match-all class-copp-mcast-rpf-fail
class-map match-any class-copp-match-ndv6hl
 match access-group name acl-copp-match-ndv6hl
class-map match-any class-copp-ucast-rpf-fail
class-map match-all class-copp-mcast-ip-control
class-map match-any class-copp-match-pim-data
 match access-group name acl-copp-match-pim-data
class-map match-any class-copp-match-ndv6
 match access-group name acl-copp-match-ndv6
class-map match-any class-copp-mcast-v4-data-on-routedPort
class-map match-any class-copp-mcast-v6-data-on-routedPort
!
policy-map policy-default-autocopp
 class class-copp-mcast-v4-data-on-routedPort
  police rate 10 pps burst 1 packets conform-action drop exceed-action drop
 class class-copp-mcast-v6-data-on-routedPort
  police rate 10 pps burst 1 packets conform-action drop exceed-action drop
 class class-copp-match-mld
  police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
 class class-copp-match-igmp
  police rate 10000 pps burst 10000 packets conform-action set-discard-class-transmit 48 exceed-action transmit
 class class-copp-icmp-redirect-unreachable
  police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
 class class-copp-ucast-rpf-fail
  police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
 class class-copp-vacl-log
  police rate 2000 pps burst 1 packets conform-action transmit exceed-action drop
 class class-copp-mcast-punt
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-mcast-copy
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-ip-connected
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-ipv6-connected
  police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
 class class-copp-match-pim-data
  police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
 class class-copp-match-pimv6-data
  police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
 class class-copp-match-ndv6
  police rate 1000 pps burst 1000 packets conform-action set-discard-class-transmit 48 exceed-action drop
!

ipv6 access-list acl-copp-match-mld
 permit icmp any any mld-report
 permit icmp any any mld-query
 permit icmp any any mld-reduction
 permit icmp any any 143
!
ipv6 access-list acl-copp-match-ndv6
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
 permit icmp any any redirect
!
ipv6 access-list acl-copp-match-ndv6hl
 permit icmp any any nd-na hoplimit
 permit icmp any any nd-ns hoplimit
 permit icmp any any router-advertisement hoplimit
 permit icmp any any router-solicitation hoplimit
 permit icmp any any redirect hoplimit
!
ipv6 access-list acl-copp-match-pimv6-data
 deny 103 any host FF02::D
 permit 103 any any
!

Hello,

 

interesting...that is the control plane policy. What device is this configured on (e.g. Cisco ISR 4431) ?

That's a WS-C6509-E switch with a VS-SUP2T-10G supervisor engine with IOS Version 15.2..

 

 

Hello,

 

you could try and change the copp, especially this class, change it to:

 

class class-copp-ipv6-connected
 police rate 100000 pps burst 25600 packets conform-action transmit exceed-action drop

 

The link below describes how to edit the copp:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/control_plane_policing_copp.html#wp1141836

I changed it in the policy-default-autocopp map, but it seems not to help. I can't ping from the server on the one side to the router interface on the other side of the tunnel. If I look with "show policy-map control-plane" at the counter there is no traffic..

 

Hardware Counters:

class-map: class-copp-ipv6-connected (match-any)
Match: none
police :
100000 pps 25600 limit 25600 extended limit
Earl in slot 2 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 3 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 4 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 5 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 6 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 7 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps
Earl in slot 8 :
0 packets
5 minute offered rate 0 pps
aggregate-forwarded 0 packets
action: transmit
exceeded 0 packets action: drop
aggregate-forward 0 pps exceed 0 pps

Software Counters:

Class-map: class-copp-ipv6-connected (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: none
0 packets, 0 bytes
5 minute rate 0 bps
police:
rate 100000 pps, burst 25600 packets
conformed 0 packets, 0 bytes; action:
transmit
exceeded 0 packets, 0 bytes; action:
drop
conformed 0 pps, exceeded 0 pps

root@p7920b:~# ping6 -c 20 2001:638:XXX:14D1:21C:B1FF:FEAC:BC00
PING 2001:638:XXX:14D1:21C:B1FF:FEAC:BC00(2001:638:XXX:14d1:21c:b1ff:feac:bc00) 56 Datenbytes

--- 2001:638:XXX:14D1:21C:B1FF:FEAC:BC00 ping statistics ---
20 Pakete übertragen, 0 empfangen, 100% Paketverlust, Zeit 19458ms

 

fb4_int2#show ipv6 interface vlan 10
Vlan10 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21C:B1FF:FEAC:BC00
No Virtual link-local address(es):
Global unicast address(es):
2001:638:XXX:14D1:21C:B1FF:FEAC:BC00, subnet is 2001:638:XXX:14D1::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFAC:BC00
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Output features: HW Shortcut Installation
Post_Encap features: HW shortcut
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.

Hello,

 

where does an IPv6 traceroute stop (traceroute ipv6) ?
