IPv6 over backup interface

Reply
Highlighted
L3 Networker

IPv6 over backup interface

I have IPv6 over my backup ISP (dual PA 3020s).
 
I am trying to route all IPv6 traffic over that interface but not having much luck passing any IPv6 through the PA. If I ping6 internal and external hosts from the PA itself it works. If I try to ping/traceroute from behind the PAN at the core or from outside the PAN it doesn't work. I have policies in both directions and I see when I send traffic from behind the PAN (from the core) the PAN is routing it out the primary interface eth1/2 which won't work.  I need it to go out eth1/3.
 
This is what I have tried:
 
  • Static route for IPv6 default route pointing to backup interface + next hop of IPv6 WAN
  • PBF for IPv6 source traffic forwarded to backup interface + next hop IPv6 WAN
Neither worked and I am still seeing IPv6 packets being routed out the primary interface.
 
Anyone have any ideas?
Trust > Untrust (wrong int):
 
Untrust > Trust: (right int):
L7 Applicator

Re: IPv6 over backup interface

A couple things you may be able to test to see what's going on:

 

1. Dump the fib table. It won't help for your PBF rule, but since your VR has a static route it should show that correctly:

> show routing route

2. Test the routing to see what the firewall thinks the correct route should be:

> test routing fib-lookup virtual-router your_vr_name ip 2a00:1450:4001...

The virtual router will always take a more specific route, so make sure your eth1/1 route doesn't have a more specific IPv6 route that is overriding your static route. It may also be helpful to see what your static route and PBF policy does (if you can sanitize it for public consumption here in the forums).

L3 Networker

Re: IPv6 over backup interface

I got it working.  I simply moved the PBF to the top of my PBF list and did not specify a next hop interface (eth 1/3) on the static route and it started working.  Which is weird because that PBF rule was the only one referrencing any IPv6 traffic so I figured it would match it regardless of where it resided in the list.  Not sure which one of this allowed it start working but it is now.  

 

 

pbf-ipv6.JPGroute-ipv6.JPG

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!