
Does ipv6 guard stop ipv4 traffic?

RahmaSallm
Level 1

We are rolling out IPv6 in our network. When a client is assigned both an IPv6 address and an IPv4 address, it doesn't get any IPv4 traffic. If it is only assigned an IPv4 address, the IPv4 traffic works as it should. IPv6 traffic works normally in all situations.

We suspect that the issue has to do with IPv6 source guard (ipv6 source-guard attach-policy IPV6_SOURCE_GUARD_CLIENTS) and IPv4 source guard (ip verify source) running on the same port. If we remove either IPv4 source guard or IPv6 source guard, IPv4 traffic starts to work.

Here is an example of an interface configuration on a Cat9300 running 17.6.5:

interface GigabitEthernet1/0/9
 description Interface Ansible 1 userport
 switchport mode access
 ip arp inspection limit rate 100
 ipv6 nd suppress attach-policy ND_SUPPRESS
 ipv6 source-guard attach-policy IPV6_SOURCE_GUARD_CLIENTS
 authentication event fail action authorize vlan 540
 authentication event server dead action authorize vlan 530
 authentication event no-response action authorize vlan 540
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 source template USERPORT_DOT1X
 ip verify source

I was checking the release notes for this version and found:

Limitations and Restrictions

  • Control Plane Policing (CoPP)—The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead.

  • Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.

  • Flexible NetFlow limitations

    • You cannot configure NetFlow export using the Ethernet Management port (GigabitEthernet0/0).

    • You can not configure a flow monitor on logical interfaces, such as layer 2 port-channels, loopback, tunnels.

    • You can not configure multiple flow monitors of same type (ipv4, ipv6 or datalink) on the same interface for same direction.

Even though this is for NetFlow, I'm wondering if it is also the case for ipv4/6. Does anyone have any idea why this might be happening?
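To scope how many ports carry the same combination as the interface above, a saved running-config can be audited offline. The following is an added example, not part of the original post or any Cisco tooling; it assumes the usual indented `show running-config` layout, and the template `USERPORT_V4GUARD` and every port other than Gi1/0/9 are constructed for illustration.

```python
import re

# Constructed running-config excerpt. Gi1/0/9 mirrors the post; the other
# ports and the template USERPORT_V4GUARD are hypothetical.
SAMPLE_CONFIG = """\
template USERPORT_V4GUARD
 ip verify source
!
interface GigabitEthernet1/0/9
 ipv6 source-guard attach-policy IPV6_SOURCE_GUARD_CLIENTS
 source template USERPORT_DOT1X
 ip verify source
!
interface GigabitEthernet1/0/10
 ipv6 source-guard attach-policy IPV6_SOURCE_GUARD_CLIENTS
 source template USERPORT_V4GUARD
!
interface GigabitEthernet1/0/11
 ip verify source
"""

def parse_blocks(config):
    """Group indented sub-commands under each interface/template header."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"(interface|template)\s+(\S+)\s*$", line)
        if m:
            current = blocks.setdefault((m.group(1), m.group(2)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks

def dual_guard_ports(config):
    """Return {interface: IPv6 policy} for ports carrying both source guards."""
    blocks, hits = parse_blocks(config), {}
    for (kind, name), cmds in blocks.items():
        if kind != "interface":
            continue
        effective = list(cmds)
        for c in cmds:  # add commands inherited from a bound template
            if (t := re.match(r"source template (\S+)$", c)):
                effective += blocks.get(("template", t.group(1)), [])
        v4 = any(re.match(r"ip verify source\b", c) for c in effective)
        v6 = [c.split()[-1] for c in effective
              if c.startswith("ipv6 source-guard attach-policy ")]
        if v4 and v6:
            hits[name] = v6[0]
    return hits
```

Calling `dual_guard_ports()` on the text of a saved configuration returns the ports where both features apply, including ports that inherit `ip verify source` from a bound template whose definition is present in the file.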

1 Reply

marce1000
VIP

 

 - You may want to verify this issue with the latest advisory release : https://software.cisco.com/download/home/286326357/type/282046477/release/Cupertino-17.9.3

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
