Weird Packet Loss [Cisco]

Started by fukawi2, December 20, 2011, 07:55:55 PM

fukawi2

OK, so I have a really weird packet loss issue on traffic going *through* my firewall.

Anything to/from the firewall itself is fine, but with traffic going through it, I see 25% packet loss due to my CPE router bouncing every 4th packet with "Address Unreachable".

From one of my dedicated servers in Germany (native IPv6).
=> 2001:44b8:4126:c600::/56 is my prefix.
=> 2001:44b8:4126:c642::dddd:9338 is my desktop inside my firewall.
=> 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 is my CPE router (Cisco 887).
www1 /etc/network # ping6 -c100 2001:44b8:4126:c642::dddd:9338
PING 2001:44b8:4126:c642::dddd:9338(2001:44b8:4126:c642::dddd:9338) 56 data bytes
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=1 ttl=45 time=380 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=2 Destination unreachable: Address unreachable
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=3 ttl=45 time=380 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=4 ttl=45 time=381 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=5 ttl=45 time=381 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=6 Destination unreachable: Address unreachable
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=7 ttl=45 time=381 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=8 ttl=45 time=380 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=9 ttl=45 time=380 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=10 Destination unreachable: Address unreachable
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=11 ttl=45 time=380 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=12 ttl=45 time=381 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=13 ttl=45 time=380 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=14 Destination unreachable: Address unreachable

tcpdump on the firewall confirms that it never sees the ICMP packets with the seq numbers that are bounced back with Address Unreachable.

I don't know where to begin trying to figure out why the Cisco decides it can't find the address for every 4th packet.
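A quick way to put numbers on the pattern in the post above, as an added example that is not part of the original thread: the script parses the reply and error lines in the ping6 transcript, reports the loss percentage, which hop emitted the ICMPv6 errors, and whether the failed sequence numbers are evenly spaced. The sample input is constructed from the 14 sequence numbers quoted in the post, so it shows 4 of 14 lost with a period of 4; the two regular expressions assume the iputils ping6 line formats seen there.

```python
"""Quantify the loss pattern in a ping6 transcript.

Added example, not part of the original post. The sample below is constructed
from the first 14 sequence numbers shown in the thread; the two regexes match
the reply and error line formats of iputils ping6 as quoted there.
"""
import re
from collections import Counter

# Constructed sample: the excerpt quoted in the post, minus the PING header.
PING_OUTPUT = """\
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=1 ttl=45 time=380 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=2 Destination unreachable: Address unreachable
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=3 ttl=45 time=380 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=4 ttl=45 time=381 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=5 ttl=45 time=381 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=6 Destination unreachable: Address unreachable
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=7 ttl=45 time=381 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=8 ttl=45 time=380 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=9 ttl=45 time=380 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=10 Destination unreachable: Address unreachable
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=11 ttl=45 time=380 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=12 ttl=45 time=381 ms
64 bytes from 2001:44b8:4126:c642::dddd:9338: icmp_seq=13 ttl=45 time=380 ms
From 2001:44b8:4031:b7:ceef:48ff:feaf:ecb8 icmp_seq=14 Destination unreachable: Address unreachable
"""

# Reply line: "<n> bytes from <addr>: icmp_seq=<s> ttl=<t> time=<ms> ms"
REPLY = re.compile(r"^\d+ bytes from (\S+): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms$")
# Error line: "From <reporting addr> icmp_seq=<s> <ICMP error text>"
ERROR = re.compile(r"^From (\S+) icmp_seq=(\d+) (.+)$")


def parse_ping(text):
    """Return a list of (seq, ok, reporting_address, detail) tuples sorted by seq."""
    events = []
    for line in text.splitlines():
        m = REPLY.match(line)
        if m:
            events.append((int(m.group(2)), True, m.group(1), "ttl=%s" % m.group(3)))
            continue
        m = ERROR.match(line)
        if m:
            events.append((int(m.group(2)), False, m.group(1), m.group(3)))
    return sorted(events)


def analyse(events):
    """Summarise loss: percentage, which hop reported errors, and whether the
    failing sequence numbers are evenly spaced. A fixed period points at
    something deterministic (load-sharing, a periodic timer) rather than
    random loss on the path."""
    failed = [seq for seq, ok, _, _ in events if not ok]
    reporters = Counter(addr for _, ok, addr, _ in events if not ok)
    gaps = {b - a for a, b in zip(failed, failed[1:])}
    period = gaps.pop() if len(gaps) == 1 else None
    return {
        "sent": len(events),
        "failed": len(failed),
        "loss_pct": round(100.0 * len(failed) / len(events), 2) if events else 0.0,
        "error_sources": dict(reporters),
        "period": period,
        "failed_seqs": failed,
    }


if __name__ == "__main__":
    summary = analyse(parse_ping(PING_OUTPUT))
    for key, value in summary.items():
        print("%-14s %s" % (key, value))
```

Feed it the full `ping6 -c100` output and the `error_sources` entry tells you which router address is generating the unreachables, and `period` distinguishes a strict every-Nth pattern from bursty or random loss, which narrows where to look next.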

nickbeee

Do you have any duplex mismatches with the hosts on the 887 LAN? IIRC the 887 has a built-in managed switch similar to the 877 which I'm reasonably familiar with.

It would be helpful if you could post the output of "show running-config" to indicate what kind of firewall and ACLs you have configured.
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of HE and Sixxs.

fukawi2

Quote from: nickbeee on December 21, 2011, 01:48:29 PM
Do you have any duplex mismatches with the hosts on the 887 LAN? IIRC the 887 has a built-in managed switch similar to the 877 which I'm reasonably familiar with.
Thanks for taking the time to reply :)
Yes, the 887 has a 4-port switch embedded.
FastEthernet0 => fw1
FastEthernet1 => fw2
FastEthernet2 and 3 => bonded (active-backup) to another host. This host does NOT experience the same issues.

Quote from: nickbeee on December 21, 2011, 01:48:29 PM
It would be helpful if you could post the output of "show running-config" to indicate what kind of firewall and ACLs you have configured.

#show running-config
Building configuration...

Current configuration : 3594 bytes
!
! No configuration change since last restart
!
version 15.1
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Natures
!
boot-start-marker
boot-end-marker
!
!
logging buffered 65536
enable secret 5 $1$R................................VZ0
!
no aaa new-model
!         
memory-size iomem 10
clock timezone ACST 9 30
clock summer-time ACST recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain list
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887M-K9 sn FG.........6
!
!         
archive
log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
username admin password 7 0722......................80F
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!         
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description --- Local LAN ---
ip address 59.167.124.89 255.255.255.248
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip virtual-reassembly in
ipv6 address NODE-PD ::1/64
ipv6 enable
!
interface Dialer1
description --- Internode ADSL ---
ip address negotiated
no ip redirects
ip mtu 1460
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ipv6 address NODE-PD ::FF:0:0:0:1/128
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd NODE-PD rapid-commit
ppp chap hostname ....................@ipv6.internode.on.net
ppp chap password 7 15......................29
!
ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip http server
no ip http secure-server
!
ip flow-cache timeout inactive 30
ip flow-cache timeout active 10
ip flow-top-talkers
top 50
sort-by bytes
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 59.167.195.32 255.255.255.248 59.167.124.90
ip route 172.31.0.0 255.255.0.0 59.167.124.90
!
logging esm config
access-list 1 permit 192.83.231.113
access-list 1 permit 203.26.95.0 0.0.0.255
access-list 1 permit 172.31.0.0 0.0.0.128
access-list 60 permit 59.167.195.35
access-list 60 permit 172.31.0.0 0.0.0.127
access-list 60 remark snmp access control
ipv6 route 2001:44B8:4126:C600::/56 2001:44B8:4126:C600::F0
ipv6 route ::/0 Dialer1
!
!
!
!         
snmp-server community public RO 60
snmp-server chassis-id gateway.ftg.nato.com.au
!
control-plane
!
banner motd ^C
Access to this device or the attached
networks is prohibited without express written permission.
Violators will be prosecuted to the fullest extent of both civil
and criminal law.

Your session will be logged.
^C
!
line con 0
logging synchronous
login local
no modem enable
terminal-type vt100
length 25
stopbits 1
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
logging synchronous
login local
terminal-type vt100
length 25
transport input telnet
!
scheduler max-task-time 5000
sntp server 192.231.203.132
event manager applet MONITOR-IPV6-DHCP-APP
event syslog pattern "DIALER-6-BIND"
action 1.0 cli command "enable"
action 1.1 cli command "clear ipv6 dhcp client Dialer1"
action 2.0 syslog priority debugging msg "Refreshed IPv6 DHCP PD lease"
!
end

My ISP has suggested dropping the MTU to 1400; I'm still waiting to hear back if they mean on the ppp link or the Vlan. I assume on the ppp link, but I don't see how that will help since it's the Vlan side that can't find the fw host.

nickbeee

I can't see anything obviously wrong in your configs - ipv6 should be routed straight through.

You might want to check out some IPv6 ACLs though, it looks wide open to the WAN side.  :o

fukawi2

Quote from: nickbeee on December 21, 2011, 04:18:14 PM
I can't see anything obviously wrong in your configs - ipv6 should be routed straight through.
That's what I thought... If it was IPv4, I'd be thinking something along the lines of the ARP table entry timing out and it not getting a response from the firewall fast enough.... But this is IPv6 :S

Quote from: nickbeee on December 21, 2011, 04:18:14 PM
You might want to check out some IPv6 ACLs though, it looks wide open to the WAN side.  :o
Isn't it closed by default unless you create an ACL to allow an address? This is how the ISP configured it; I had to add ACL 60 to allow SNMP though :/

nickbeee

Quote from: fukawi2 on December 21, 2011, 04:28:03 PM
Quote from: nickbeee on December 21, 2011, 04:18:14 PM
You might want to check out some IPv6 ACLs though, it looks wide open to the WAN side.  :o
Isn't it closed by default unless you create an ACL to allow an address? This is how the ISP configured it; I had to add ACL 60 to allow SNMP though :/

No. You've got IPv4 access lists restricting telnet access to the router but you don't have any for IPv6 - if there was you would have ipv6 access-class... in the vty section.

But it could be possible that show running-config has not listed the entire config as your login may give you a lower privilege level. You can check this from the show privilege command.

The output from show version would be useful too as it will indicate what feature set IOS is installed.

fukawi2

Quote from: nickbeee on December 22, 2011, 08:24:18 AM
No. You've got IPv4 access lists restricting telnet access to the router but you don't have any for IPv6 - if there was you would have ipv6 access-class... in the vty section.
So what would that ACL be? The ACL is to allow access; what do I set it to in order to deny everything? (I'm happy to admin over IPv4 and serial only)

Quote from: nickbeee on December 22, 2011, 08:24:18 AM
But it could be possible that show running-config has not listed the entire config as your login may give you a lower privilege level. You can check this from the show privilege command.
#show privilege
Current privilege level is 15


Quote from: nickbeee on December 22, 2011, 08:24:18 AM
The output from show version would be useful too as it will  indicate what feature set IOS is installed.
#show version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 10-Mar-11 21:30 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

Natures uptime is 3 days, 15 hours, 37 minutes
System returned to ROM by power-on
System restarted at 16:51:36 ACST Mon Dec 19 2011
System image file is "flash:c880data-universalk9-mz.151-2.T3.bin"
Last reload type: Normal Reload

..........cryptographic warning here..........

Cisco 887M (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FGL15392746

4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID SN
-------------------------------------------------
*0    CISCO887M-K9          FGLxxxxxxxx     



License Information for 'c880-data'
    License Level: advipservices   Type: Permanent
    Next reboot license Level: advipservices


Configuration register is 0x2102

nickbeee

Firstly you will need a security policy to decide what traffic you are going to allow through and to what hosts.
If you have web servers or anything that needs public access, create a DMZ and put them there. As I don't know exactly what you have on the LAN side (firewall hosts?) I can't be more specific but it might involve creating an additional vlan SVI (for another /64 and ipv4 subnet) then assigning switchports (the LAN fastethernet interfaces) to that vlan.

From the IOS version it appears as if you should have Zone-Based Policy firewall. If you got a CD with your router that has Cisco Configuration Professional there is a wizard that will guide you through setting up a firewall as well as locking down the router. This is Cisco's preferred method of IOS firewalling replacing the ACL and ip inspect statements (CBAC or classic firewall). If you haven't got a CD or the full software then there may be a "lite" version in flash memory on the router (check the show flash command). You will need to enable the web server if you want to access this...

ip http server
ip http secure-server
ip http authentication local

You will need to create a user with privilege 15:

username myusername privilege 15 secret mysecretpassword


Cisco has lots of useful information on configuration.

As far as vty ACLs are concerned for IPv6 -


ipv6 access-list MYVTYFILTER
! permit hosts here
!
! last entry by default is an implicit DENY but included for completeness
deny ipv6 any any

Then apply this to your vty lines

line vty 0 4
ipv6 access-class MYVTYFILTER in


There is a good article on IPv6 access lists on packetlife.net that is worth a read.

fukawi2

Quote from: nickbeee on December 22, 2011, 02:55:25 PM
Firstly you will need a security policy to decide what traffic you are going to allow though and to what hosts.
If you have web servers or anything that needs public access, create a DMZ and put them there. As I don't know exactly what you have on the LAN side (firewalls hosts?) I can't be more specific but it might involve creating an additional vlan SVI (for another /64 and ipv4 subnet) then assigning switchports (the LAN fastethernet interfaces) to that vlan.
Ah, that's not a job for the Cisco. We have a HA pair of firewalls behind the Cisco (in front of 17 VLANs ;D) that handles the firewalling (ingress and egress), IDS etc. The Cisco just needs to route the packets like a good lil router and that's all :)

Quote from: nickbeee on December 22, 2011, 02:55:25 PM
As far as vty ACLs are concerned for IPv6 -


ipv6 access-list MYVTYFILTER
! permit hosts here
!
! last entry by default is an implicit DENY but included for completeness
deny ipv6 any any
That was what I meant, thanks :)

nickbeee

I just re-read your startup-config and realised you are using Internode - they have some IPv6 configuration pages you might find useful too!

Good luck,

fukawi2

OK, so I came across some debug commands which might help show the problem... I'm not entirely sure how to interpret it though since I have about as much experience with Cisco as I do with Mongolian Underwater Basket Weaving :(.

There are some "encapsulation errors" which Google suggests indicates an ARP problem (in IPv4 world), so perhaps it is a problem with ND in IPv6... I found a debug command for that too :) (But still not sure how to interpret it)

#debug ipv6 packet detail
Dec 30 08:41:40.081 ACST: IPv6-Fwd: Destination lookup for 2001:44B8:4126:C642::DDDD:9338 : i/f=Vlan1, nexthop=2001:44B8:4126:C600::F0
Dec 30 08:41:40.081 ACST: IPV6: source 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:40.081 ACST:       dest 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:40.081 ACST:       traffic class 0, flow 0x0, len 104+2, prot 58, hops 48, forwarding
Dec 30 08:41:40.081 ACST: IPv6-Fwd: Destination lookup for 2A01:4F8:140:6224::122 : i/f=Dialer1, nexthop=2A01:4F8:140:6224::122
Dec 30 08:41:40.081 ACST: IPV6: source 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:40.081 ACST:       dest 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:40.081 ACST:       traffic class 0, flow 0x0, len 104+14, prot 58, hops 62, forwarding
Dec 30 08:41:41.081 ACST: IPv6-Fwd: Destination lookup for 2001:44B8:4126:C642::DDDD:9338 : i/f=Vlan1, nexthop=2001:44B8:4126:C600::F0
Dec 30 08:41:41.081 ACST: IPV6: source 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:41.081 ACST:       dest 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:41.081 ACST:       traffic class 0, flow 0x0, len 104+2, prot 58, hops 48, forwarding
Dec 30 08:41:41.081 ACST: IPv6-Fwd: Destination lookup for 2A01:4F8:140:6224::122 : i/f=Dialer1, nexthop=2A01:4F8:140:6224::122
Dec 30 08:41:41.081 ACST: IPV6: source 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:41.081 ACST:       dest 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:41.081 ACST:       traffic class 0, flow 0x0, len 104+14, prot 58, hops 62, forwarding
Dec 30 08:41:42.081 ACST: IPv6-Fwd: Destination lookup for 2001:44B8:4126:C642::DDDD:9338 : i/f=Null0, nexthop=2001:44B8:4126:C642::DDDD:9338
Dec 30 08:41:42.081 ACST: IPV6: source 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:42.081 ACST:       dest 2001:44B8:4126:C642::DDDD:9338 (Null0)
Dec 30 08:41:42.081 ACST:       traffic class 0, flow 0x0, len 104+2, prot 58, hops 48, forwarding
Dec 30 08:41:42.081 ACST: IPv6-Sas: SAS picked source 2001:44B8:4031:B7:CEEF:48FF:FEAF:ECB8 for 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:42.085 ACST: IPv6-Fwd: Destination lookup for 2A01:4F8:140:6224::122 : i/f=Dialer1, nexthop=2A01:4F8:140:6224::122
Dec 30 08:41:42.085 ACST: IPV6: source 2001:44B8:4031:B7:CEEF:48FF:FEAF:ECB8 (local)
Dec 30 08:41:42.085 ACST:       dest 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:42.085 ACST:       traffic class 0, flow 0x0, len 152+0, prot 58, hops 64, originating
Dec 30 08:41:42.085 ACST: IPv6-Fwd: Sending on Virtual-Access2
Dec 30 08:41:42.085 ACST: IPv6-Fwd: Encapsulation failed, could not queue for resolution
Dec 30 08:41:43.085 ACST: IPv6-Fwd: Destination lookup for 2001:44B8:4126:C642::DDDD:9338 : i/f=Vlan1, nexthop=2001:44B8:4126:C600::F0
Dec 30 08:41:43.085 ACST: IPV6: source 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:43.085 ACST:       dest 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:43.085 ACST:       traffic class 0, flow 0x0, len 104+2, prot 58, hops 48, forwarding
Dec 30 08:41:43.085 ACST: IPv6-Fwd: Destination lookup for 2A01:4F8:140:6224::122 : i/f=Dialer1, nexthop=2A01:4F8:140:6224::122
Dec 30 08:41:43.085 ACST: IPV6: source 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:43.085 ACST:       dest 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:43.085 ACST:       traffic class 0, flow 0x0, len 104+14, prot 58, hops 62, forwarding
Dec 30 08:41:44.085 ACST: IPv6-Fwd: Destination lookup for 2001:44B8:4126:C642::DDDD:9338 : i/f=Vlan1, nexthop=2001:44B8:4126:C600::F0
Dec 30 08:41:44.085 ACST: IPV6: source 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:44.085 ACST:       dest 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:44.085 ACST:       traffic class 0, flow 0x0, len 104+2, prot 58, hops 48, forwarding
Dec 30 08:41:44.085 ACST: IPv6-Fwd: Destination lookup for 2A01:4F8:140:6224::122 : i/f=Dialer1, nexthop=2A01:4F8:140:6224::122
Dec 30 08:41:44.085 ACST: IPV6: source 2001:44B8:4126:C642::DDDD:9338 (Vlan1)
Dec 30 08:41:44.085 ACST:       dest 2A01:4F8:140:6224::122 (Dialer1)
Dec 30 08:41:44.085 ACST:       traffic class 0, flow 0x0, len 104+14, prot 58, hops 62, forwarding
Dec 30 08:41:44.181 ACST: IPv6-Fwd: Destination lookup for FE80::CEEF:48FF:FEAF:ECB8 : Local, i/f=Vlan1, nexthop=FE80::CEEF:48FF:FEAF:ECB8
Dec 30 08:41:44.181 ACST: IPV6: source FE80::213:21FF:FEB3:A72E (Vlan1)
Dec 30 08:41:44.181 ACST:       dest FE80::CEEF:48FF:FEAF:ECB8 (Vlan1)
Dec 30 08:41:44.181 ACST:       traffic class 0, flow 0x0, len 72+14, prot 58, hops 255, forward to ulp
Dec 30 08:41:44.181 ACST: IPV6: source FE80::CEEF:48FF:FEAF:ECB8 (local)
Dec 30 08:41:44.181 ACST:       dest FE80::213:21FF:FEB3:A72E (Vlan1)
Dec 30 08:41:44.181 ACST:       traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating
Dec 30 08:41:44.181 ACST: IPv6-Fwd: Sending on Vlan1
Dec 30 08:41:44.181 ACST: IPV6: source FE80::CEEF:48FF:FEAF:ECB8 (local)
Dec 30 08:41:44.181 ACST:       dest FE80::213:21FF:FEB3:A72E (Vlan1)
Dec 30 08:41:44.181 ACST:       traffic class 224, flow 0x0, len 64+0, prot 58, hops 255, originating
Dec 30 08:41:44.181 ACST: IPv6-Fwd: Sending on Vlan1
Dec 30 08:41:44.181 ACST: IPv6-Fwd: Destination lookup for FE80::CEEF:48FF:FEAF:ECB8 : Local, i/f=Vlan1, nexthop=FE80::CEEF:48FF:FEAF:ECB8
Dec 30 08:41:44.181 ACST: IPV6: source FE80::213:21FF:FEB3:A72E (Vlan1)
Dec 30 08:41:44.181 ACST:       dest FE80::CEEF:48FF:FEAF:ECB8 (Vlan1)
Dec 30 08:41:44.181 ACST:       traffic class 0, flow 0x0, len 64+14, prot 58, hops 255, forward to ulp


#debug ipv6 nd
Dec 30 08:45:49.340 ACST: ICMPv6-ND: Received NS for 2001:44B8:4126:C600::1 on Vlan1 from FE80::213:21FF:FEB3:A72E
Dec 30 08:45:49.340 ACST: ICMPv6-ND: Sending NA for 2001:44B8:4126:C600::1 on Vlan1
Dec 30 08:45:49.344 ACST: ICMPv6-ND: STALE -> DELAY: FE80::213:21FF:FEB3:A72E
Dec 30 08:45:49.408 ACST: ICMPv6-ND: DELAY -> PROBE: 2001:44B8:4126:C600::F0
Dec 30 08:45:49.408 ACST: ICMPv6-ND: Sending NS for 2001:44B8:4126:C600::F0 on Vlan1
Dec 30 08:45:49.412 ACST: ICMPv6-ND: Received NA for 2001:44B8:4126:C600::F0 on Vlan1 from 2001:44B8:4126:C600::F0
Dec 30 08:45:49.412 ACST: ICMPv6-ND: PROBE -> REACH: 2001:44B8:4126:C600::F0
Dec 30 08:45:54.408 ACST: ICMPv6-ND: DELAY -> PROBE: FE80::213:21FF:FEB3:A72E
Dec 30 08:45:54.408 ACST: ICMPv6-ND: Sending NS for FE80::213:21FF:FEB3:A72E on Vlan1
Dec 30 08:45:54.412 ACST: ICMPv6-ND: Received NS for FE80::CEEF:48FF:FEAF:ECB8 on Vlan1 from FE80::213:21FF:FEB3:A72E
Dec 30 08:45:54.412 ACST: ICMPv6-ND: Sending NA for FE80::CEEF:48FF:FEAF:ECB8 on Vlan1
Dec 30 08:45:54.412 ACST: ICMPv6-ND: Received NA for FE80::213:21FF:FEB3:A72E on Vlan1 from FE80::213:21FF:FEB3:A72E
Dec 30 08:45:54.412 ACST: ICMPv6-ND: PROBE -> REACH: FE80::213:21FF:FEB3:A72E

fukawi2

Quote from: nickbeee on December 23, 2011, 08:28:06 AM
I just re-read your startup-config and realised you are using Internode - they have some IPv6 configuration pages you might find useful too!
Thanks for the link; the router was supplied and configured by 'node so the config matches that page exactly :)

fukawi2

OK, short update on this after working with a Cisco engineer for the last week...

It appears the issue is related to the Prefix Delegation process. When the Cisco receives a PD for my /56 from the ISP, it automatically installs a Null Route for the whole /56, presumably under the assumption that anything within that /56 is going to be subnetted into a /64 and directly connected to the Cisco.

Adding a new route for the /56 to my internal firewall/router creates equal routes, so occasionally traffic hits the proper route, and occasionally the traffic hits the Null route  :-[

Temporary solution: Add 2 x /57 routes which are more specific than the /56 so they win the route table.

Waiting to hear back a proper solution.
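The route-table behaviour described in the post above, modelled as an added example (not the router's code and not from the original thread): a small longest-prefix-match FIB in which the delegated /56 carries both an automatic Null0 aggregate and the user's static to the firewall, so the two tie and share traffic, and in which the pair of /57s wins outright because they are longer. The /56, the ::f0 firewall next-hop and the desktop address are taken from the posted config and ping output; the connected /64 on Vlan1 and the strict per-packet round-robin between tied routes are simplifying assumptions, so the model gives 50% blackholed rather than the 1-in-4 seen on the real router.

```python
"""Longest-prefix match with an auto-installed Null0 route.

Added example, not the router's code: a small model of the FIB behaviour the
post describes. The delegated /56, the firewall next-hop ::f0 and the desktop
address come from the thread; the round-robin sharing between equal-length
routes and the connected /64 on Vlan1 are simplifying assumptions.
"""
import ipaddress
from dataclasses import dataclass

FW = "2001:44b8:4126:c600::f0"              # internal firewall (ipv6 route ... ::F0)
DESKTOP = "2001:44b8:4126:c642::dddd:9338"  # host behind the firewall


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    nexthop: str  # "Null0", an interface name, or a next-hop address


class Fib:
    def __init__(self):
        self.routes = []

    def add(self, prefix, nexthop):
        self.routes.append(Route(ipaddress.ip_network(prefix), nexthop))

    def candidates(self, dst):
        """All routes tied for the longest matching prefix, in insertion order.
        More than one entry means the forwarding engine load-shares."""
        addr = ipaddress.ip_address(dst)
        matching = [r for r in self.routes if addr in r.prefix]
        if not matching:
            return []
        longest = max(r.prefix.prefixlen for r in matching)
        return [r for r in matching if r.prefix.prefixlen == longest]


def simulate(fib, dst, count):
    """Forward `count` packets to dst, sharing round-robin over equal-length
    routes (assumption), and return how many were blackholed on Null0."""
    cands = fib.candidates(dst)
    if not cands:
        return count
    return sum(1 for i in range(count) if cands[i % len(cands)].nexthop == "Null0")


def delegated_fib():
    """State after the PD lease: the /56 gets an automatic Null0 aggregate and
    the user's static for the same /56 ties with it."""
    fib = Fib()
    fib.add("::/0", "Dialer1")
    fib.add("2001:44b8:4126:c600::/64", "Vlan1")   # assumed connected SVI prefix
    fib.add("2001:44b8:4126:c600::/56", "Null0")   # installed with the delegation
    fib.add("2001:44b8:4126:c600::/56", FW)        # ipv6 route ... ::F0
    return fib


def workaround_fib():
    """The temporary fix from the post: two /57s are longer than the /56 and
    therefore win the lookup outright, leaving the Null0 route unused."""
    fib = delegated_fib()
    fib.add("2001:44b8:4126:c600::/57", FW)
    fib.add("2001:44b8:4126:c680::/57", FW)
    return fib


if __name__ == "__main__":
    for name, fib in (("delegated", delegated_fib()), ("with /57s", workaround_fib())):
        hops = [r.nexthop for r in fib.candidates(DESKTOP)]
        print("%-10s candidates=%s dropped=%d/100" % (name, hops, simulate(fib, DESKTOP, 100)))
```

The point the model makes is that the fix works on prefix length, not preference: a longer prefix is chosen before administrative distance or metric is ever consulted, which is why two /57s covering the whole /56 sidestep the tie without needing to touch the auto-installed route. Hosts on the router's own /64 and destinations outside the delegation are unaffected, since they never reach the tied /56 entries.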

maestroevolution

What is the administrative distance of the null0 route? I assume it must be the same as static (ad of 5 on IOS?), or it would not try to load-share across the two routes.

Can you modify the admin distance on your static route to be lower than the default?  I know you can make it higher; don't recall on lower.

IMHO, the auto-installation of an aggregate route is a good thing, as it would prevent routing-loops due to forgetting to add it yourself.  It should be less preferred (higher admin distance) than other user-defined routes though, especially statics.

Joel

fukawi2

I'm not proficient on Cisco / IOS so I don't know how to find what you're asking... I did originally have a topic about this exact route before this thread:
http://www.tunnelbroker.net/forums/index.php?topic=2188.0

I'd like to think that since I've been working with a Cisco engineer from their support dept that he would have thought of that if it were possible  ???

Quote from: maestroevolution on January 10, 2012, 09:12:03 AM
IMHO, the auto-installation of an aggregate route is a good thing
I agree and understand why they've done it, but it shouldn't impact my ability to route the entire /56 an extra hop :(