Juniper SRX300 IPv6 tunnel

The SRX300 (and SRX550M) are configured to drop IPv6 traffic by default; see the documentation: When IPv6 is configured on SRX300 Series and the SRX550M devices, the default behavior is set to drop mode because of memory constraints. This can be confirmed: admin@CS7-HQ-FW02> show security flow status Flow forwarding mode: Inet forwarding mode: flow based Inet6... Continue Reading →

EIGRP IPv6 map-leak

Demonstration of the EIGRP leak-map feature in an IPv6 topology. The leak-map feature allows a prefix that forms part of a larger summary prefix to be advertised.

Raspberry Pi NAT64/DNS64 router

I am currently experimenting with running an IPv6-only WLAN at work, so thought I'd try experimenting at home. Whereas at work we have a CSR1000v to perform the NAT64 and a separate Linux VM for DNS64, the config below details combining both functions on a Raspberry Pi (RPi). The topology looks like this: apt-get install... Continue Reading →

IPv6 conntrack and munin

Argh, my beloved Linux IPv6 firewall was suffering, too many connections, munin graphs not updating; this needed looking at... Firstly I noticed multiple entries of the following in kern.log: nf_conntrack: table full, dropping packet After checking the existing table size: # /sbin/sysctl net.netfilter.nf_conntrack_count net.netfilter.nf_conntrack_count = 76768 seemed sensible to double it: # cat /proc/sys/net/nf_conntrack_max... Continue Reading →

IPv6 on NX-OS

So you thought you'd enable IPv6 on your new Nexus chassis and get ready for the future of the internet? Create some IPv6 SVIs and away you'd go? Wrong! Out of the box the Nexus is configured such that Neighbor Discovery will not work. A bit of googling will eventually lead you to this command:... Continue Reading →

Munin IPv6 neighbor state graphs

A recent issue with a Linux IPv6 firewall saw on-link hosts appear to be flapping according to monitoring tools, highlighting an IPv6 ND table overflow problem. The short version of the solution required: net.ipv6.neigh.default.gc_thresh1 = 256 net.ipv6.neigh.default.gc_thresh2 = 1024 net.ipv6.neigh.default.gc_thresh3 = 2048 To keep an eye on the neighbor table I created a series... Continue Reading →

Cisco 7206VXR FA-GE= port adapter performance

High CPU utilization is not uncommon, especially when a router is struggling to process a packet and punts it between switching processes. The graphs below show the output from a production Cisco 7206VXR (NPE-G1, PA-GE=, PA-2FE-TX) router which is the primary for an IPv6 HSRP pair. Whenever the primary... Continue Reading →

IPv6 tunnel

This scenario details how to connect an IPv6-enabled site which has no native IPv6 internet service to a remote IPv6 routing service to facilitate end-to-end IPv6 transport, thus avoiding the need for NAT64. Hurricane Electric offers an excellent free service which allows for the use of global... Continue Reading →
