07-06-2023 02:16 AM - edited 06-14-2024 05:40 AM
We are rolling out IPv6 in our network. When a client is assigned both an IPv6 address and an IPv4 address, it doesn't get any IPv4 traffic. If it is only assigned an IPv4 address, the IPv4 traffic works as it should. IPv6 traffic works normally in all situations.
We are suspecting that the issue has to do with IPv6 source guard (ipv6 source-guard attach-policy IPV6_SOURCE_GUARD_CLIENTS) and IPv4 source guard (ip verify source) running on the same port. If we remove either IPv4 source guard or IPv6 source guard, IPv4 traffic starts to work.
Here is an example of an interface configuration on a Cat9300 running 17.6.5:
interface GigabitEthernet1/0/9
 description Interface Ansible 1 userport
 switchport mode access
 ip arp inspection limit rate 100
 ipv6 nd suppress attach-policy ND_SUPPRESS
 ipv6 source-guard attach-policy IPV6_SOURCE_GUARD_CLIENTS
 authentication event fail action authorize vlan 540
 authentication event server dead action authorize vlan 530
 authentication event no-response action authorize vlan 540
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 source template USERPORT_DOT1X
 ip verify source
I was checking the release notes for this version and found:
Control Plane Policing (CoPP)—The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead.
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
Flexible NetFlow limitations
You cannot configure NetFlow export using the Ethernet Management port (GigabitEthernet0/0).
You can not configure a flow monitor on logical interfaces, such as layer 2 port-channels, loopback, tunnels.
You can not configure multiple flow monitors of same type (ipv4, ipv6 or datalink) on the same interface for same direction.
Even though this is for NetFlow, I'm wondering if it is also the case for IPv4/IPv6. Does anyone have any idea why this might be happening?
07-06-2023 04:23 AM
- You may want to verify this issue with the latest advisory release : https://software.cisco.com/download/home/286326357/type/282046477/release/Cupertino-17.9.3
M.