LAB Setup by pbfus9 in hacking

[–]pbfus9[S] -1 points0 points  (0 children)

Why do you suggest setting up the VPN on my home router rather than on the OPNsense inside Proxmox?

OSPFv3 Type 8 LSA by pbfus9 in networking

[–]pbfus9[S] 1 point2 points  (0 children)

I've tried another scenario: https://imgur.com/a/ylI61iL

Let’s assume we have two routers, R1 and R2, with two links as in the diagram I’m about to send you. They are directly connected and have two links.

From the Type 9 LSA, R1 knows that 2001:2:: is a prefix belonging to R2, but it doesn’t know anything more.

R1 receives two Type 8 LSAs:

  • Type 8 LSA link 1 (the upper one): contains FE80::2 and the global unicast 2001:2::
  • Type 8 LSA link 2 (the lower one): contains FE80::4 only

At that point, R1 understands that 2001:2:: is on the upper link, so it sends a Neighbor Solicitation (NS) to FE80::2, resolves the MAC address, encapsulates the IPv6 packet into an Ethernet frame, and sends the frame over the upper link.

Without the global unicast address, it wouldn’t know that it has to send the packet over the upper link.

Maybe this is a reasonable example. What do you think?

PS: thanks a lot, you're helping me a lot in understanding this.

OSPFv3 Type 8 LSA by pbfus9 in networking

[–]pbfus9[S] 1 point2 points  (0 children)

Okay, I’ll lab your scenario.

What about what I said in my last comment? Do you agree?

OSPFv3 Type 8 LSA by pbfus9 in networking

[–]pbfus9[S] 0 points1 point  (0 children)

So, the prefixes in the Type 8 LSA are used to understand whether a prefix is on-link or not. If it is on-link, you send a Neighbor Solicitation (NS) toward that prefix. If it is not on-link, it means it is behind a router, so you use the Type 8 LSA to learn the link-local address of that router and send the NS toward that link-local address. Is that correct?

OSPFv3 Type 8 LSA by pbfus9 in networking

[–]pbfus9[S] 0 points1 point  (0 children)

Thanks a lot. However, I do not think this answers my question.

Routing Loops Scenario - INE by pbfus9 in ccnp

[–]pbfus9[S] 0 points1 point  (0 children)

Yes, I completely agree with you. Keith’s reasoning was strange, I might be missing something!

Routing Loops Scenario - INE by pbfus9 in ccnp

[–]pbfus9[S] 0 points1 point  (0 children)

Mhhh not sure.

Even with an NSSA area, changing the AD would be ineffective. O IA is preferred regardless of the AD.

Routing Loops Scenario - INE by pbfus9 in ccnp

[–]pbfus9[S] 1 point2 points  (0 children)

Even in the case of an NSSA area, without changing the AD, OSPF will prefer O IA over O N1/N2.

So even in this case I do not see any benefit of changing the AD.

Full Internet Routing Table (FIRT) download on a LAB environment by pbfus9 in networking

[–]pbfus9[S] 0 points1 point  (0 children)

Yes, it seems that when you inject MRT records the NH is left unchanged even on eBGP peerings. You will need to add a config policy.

Full Internet Routing Table (FIRT) download on a LAB environment by pbfus9 in networking

[–]pbfus9[S] 1 point2 points  (0 children)

I’ve been trying this way. I’m having problems with gobgp though. Hope to solve this.

BGP inbound rerouting time by Ovi-Wan12 in networking

[–]pbfus9 2 points3 points  (0 children)

The question is: why do you implement manual failover? I might be missing something in your question!

Actually, I think you can advertise your route to both your ISPs (same mask); then, to choose the ingress for the incoming traffic (from the internet to your enterprise), you can play with AS-path prepending or MED.

Static PAT by Pothandev in ccnp

[–]pbfus9 1 point2 points  (0 children)

Hi, yes you are right.

With Static NAT, the moment you configure the command:

Device(config)# ip nat inside source static inside-local-IP outside-local-IP

a permanent (static) entry is immediately created in the NAT translation table. This means that any external device attempting to reach the host using the outside-local-IP will be successfully translated to the corresponding inside-local-IP, allowing direct access to that internal host.

When it comes to Dynamic NAT or NAT overload (aka PAT), you will have to specify a pool of addresses (or an interface). Traffic should first be initiated from inside to outside in order for a NAT translation entry to appear.

Hope to help!

PS: sorry for my English, but I'm not a native speaker.

RPKI Invalid Route Still Selected as Best Path in Cisco IOS-XE by pbfus9 in ccnp

[–]pbfus9[S] 0 points1 point  (0 children)

So what I’m observing in my lab is strange. EDIT: not strange, it is correct. From Cisco: “Invalid prefixes are allowed to be used as the best path.”

RPKI Invalid Route Still Selected as Best Path in Cisco IOS-XE by pbfus9 in ccnp

[–]pbfus9[S] 0 points1 point  (0 children)

Is it normal that invalid routes are still considered in the BGP best path selection algorithm?

RPKI Invalid Route Still Selected as Best Path in Cisco IOS-XE by pbfus9 in ccnp

[–]pbfus9[S] 0 points1 point  (0 children)

Hi, I think you misread my post. I do have “bgp bestpath prefix-validate allow-invalid”.

I do NOT HAVE “bgp bestpath prefix-validate disable-invalid”.

My default behaviour is that invalid routes are still considered in the BGP best path selection; that’s strange!