On Wed, 10 Jun 2020 at 16:04, Gert Doering <[email protected]> wrote:
> You should be able to filter ND/NS by matching on TTL 255, but when
> we did this, we saw peer routers send out NS with lower TTLs - which is
> a violation of RFCs, but nobody seems to care...

We match hop-limit 255, and not any addr, globally in every market against a diverse set of implementations and have not had a single issue. I suspect you may have attributed the problem incorrectly. Please add a new rule before the existing ones which is just a hop-limit 255 match, and observe if counters move to that rule. It is normal to see non-255 due to random internet trash.

We regularly do have IPv6 ND problems; sometimes IPv6 BGP to a customer breaks when _WE_ change the device on our end, and the customer does nothing. Because the customer is filtering ND address based and allows only LL or only GUA, and our end changed from LL to GUA or from GUA to LL and is no longer allowed by the customer.

Not always an easy task convincing the customer their filters are wrong, when they changed nothing and it broke, thanks IPv6!

-- 
++ytti
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
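The two filtering approaches discussed in the thread (matching ND on hop-limit 255 versus matching on source address type) can be compared offline. The following is an added example, not part of anyone's post: it builds a few constructed IPv6/ICMPv6 frames and runs them through an ordered rule list with per-rule counters, mirroring the suggestion to put a bare hop-limit-255 rule first and watch where the hits land. Rule names and sample addresses are hypothetical.

```python
"""Ordered ND filter rules with per-rule hit counters, over constructed IPv6 frames."""
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}

def build_ipv6(src: str, dst: str, hop_limit: int, icmp_type: int) -> bytes:
    """Constructed sample frame: fixed IPv6 header + ICMPv6 header (type, code, checksum) + 4 pad bytes."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)  # version 6, payload len, next header, hop limit
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

def parse(pkt: bytes) -> dict:
    """Pull out the fields the filter rules care about: source address, hop limit, ND message type."""
    _, _plen, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp_type = pkt[40] if next_header == ICMPV6 else None
    return {"src": src, "hlim": hop_limit, "nd": ND_TYPES.get(icmp_type)}

# Rule as recommended in the reply: ND message with hop limit 255 (never forwarded by a router).
def rule_hop_limit_255(p: dict) -> bool:
    return p["nd"] is not None and p["hlim"] == 255

# Address-based rule of the kind the reply warns about: ND only from link-local sources.
def rule_src_link_local(p: dict) -> bool:
    return p["nd"] is not None and p["src"].is_link_local

def apply_rules(rules, pkts) -> dict:
    """First matching rule wins; returns hit counters per rule plus a 'dropped' bucket."""
    counters = {name: 0 for name, _ in rules}
    counters["dropped"] = 0
    for pkt in pkts:
        p = parse(pkt)
        for name, match in rules:
            if match(p):
                counters[name] += 1
                break
        else:
            counters["dropped"] += 1
    return counters

# Constructed traffic: a well-formed NS from LL, the same peer after moving to GUA,
# an NS with a non-255 hop limit (the "internet trash" case), and a non-ND ICMPv6 echo.
SAMPLES = [
    build_ipv6("fe80::1", "ff02::1:ff00:2", 255, 135),
    build_ipv6("2001:db8::1", "2001:db8::2", 255, 135),
    build_ipv6("2001:db8::1", "2001:db8::2", 64, 135),
    build_ipv6("fe80::1", "2001:db8::2", 128, 128),
]
```

Running `apply_rules` with only the link-local rule drops the GUA-sourced NS even though its hop limit is 255, which is the breakage described when a peer switches between LL and GUA; the hop-limit rule accepts both and drops only the 64-hop-limit NS and the non-ND echo.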
