cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

IPv6 Auto config .. Servers getting two addresses...

graham smart
Beginner
Beginner

Hi Guys,

Just trying to figure out what the "best" way is to enable auto config on a vlan..

Currently, I have ipv6 enabled and left the rest as default.

This means that servers get two /64 addresses.

One is from the local MAC address ( ie., its padded ff:fe )

One is an address from the vlans /64   , Ie its not padded but an actual address.

Now,

My question is..

Is this ok?

Should I be happy and leave it so server sget two addresses? or should I have some config in place that only allows them to autoconfig from MAC and not get another assigned?

Thanks for your feedback.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?
Live chat software for websites. Increase sales.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?

13 REPLIES 13

cadet alain
Mentor
Mentor

Hi,

"

One is an address from the vlans /64   , Ie its not padded but an actual address.

"

How did it get this second address ?

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

"

How did it get this second address ?"

This is what I dont understand.

We have one thats not padded ( Like you said, from its /64 )

and one that is padded.

"Apparently" this is so the machine has a secure dynamic IP and a less secure static based on MAC..

I suppose ideally, I just want it to use the MAC addess one and not one from the /64..

How do i supress the vlan interface from allowing the /64 address while still allowing an autoconfig MAC ip?

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?
Live chat software for websites. Increase sales.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?

Hi,

ok that's what i thought so you have one with privacy extension which will be the preferred one, what i wonder though is why it also autoconfigured one without privacy extension. what OS is running on this server ?

This is a client config in any case but I'm not sure it is available on all Oses and you should prefer the private one for security reasons if used for communicating with the outside world which is not the case i presume.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Its a ubuntu server

and the v6 interface config is very basic.

auto eth0

iface eth0 inet6 auto

The router config is also basic.

it has a /64 IP and ipv6 enabled.

I normally have these commands enabled to stop any autoconfig ( if i want static assigned addresses )

ipv6 nd prefix default no-advertise

ipv6 nd managed-config-flag

ipv6 nd other-config-flag

ipv6 nd ra suppress

but in this instance , I havent got these commands so it auto configs.

Im assuming there is a command that I am missing to only allow one address to be configured ( Ie: so it only uses the mac-address based address and doesnt assign an IP out of its own subnet? )

Thanks for your time on this.

While im not too worried about this 2 ip problem, My OCD side wants it all clean and neat. So i know it will either have a mac-based address or an address out of the /64 , not both.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?
Live chat software for websites. Increase sales.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?

Hi,

could you post the output from ifconfig on the server and your  ipv6 config on the cisco L3 device.

if you want it clean and neat then configure a static address and stop the RA from the L3 device.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

eth0      Link encap:Ethernet  HWaddr 00:50:56:93:7a:13

          inet6 addr: XXXX:ed0:2000:3000:d565:de91:26d3:d1ee/64 Scope:Global

          inet6 addr: XXXX:ed0:2000:3000:250:56ff:fe93:7a13/64 Scope:Global

          inet6 addr: fe80::250:56ff:fe93:7a13/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:791 errors:0 dropped:0 overruns:0 frame:0

          TX packets:269 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:65345 (65.3 KB)  TX bytes:37187 (37.1 KB)

interface Vlan92

ipv6 address XXXX:ED0:2000:3000::1/64

ipv6 enable

ipv6 nd ra suppress

service-policy input 1000Mbps

service-policy output 1000Mbps

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?
Live chat software for websites. Increase sales.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?

Yeah, IPv6 addressing is a wee bit complex, what with the link-local fe80::/64 addresses, the ff02::/16 multicast groups, and the 2::/3 global scope addresses.  That's before we throw in mobile IP, permanent versus temporary, and deprecated versus preferred.   You are getting those extra RFC 4941 privacy addresses on Linux because of your /proc/sys/net/ipv6/conf/eth0/use_tempaddr setting.  I believe 0=off, 1=on, 2=preferred; check your kernel documentation.

There are various ways to turn them off.  One that might work is putting:

    net.ipv6.conf.default.use_tempaddr = 0

into /etc/sysctl.conf and rebooting.

Meanwhile,

    sysctl -w net.ipv6.conf.eth0.use_tempaddr=0

    service networking restart

ought to disable them until the next reboot.

-- Jim Leinweber, WI State Lab of Hygiene  

Hi James,

Thanks for the reply.

Ideally id like to find a fix from the router end ( as i wouldnt have full access to some of the devices on this subnet, so would be handy if the servers were just allowed the ff:fe address and not a dynamic from the /64 )

a command like

ipv6 supress autoconfig dynamic

or something similar would be handy.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?
Live chat software for websites. Increase sales.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?

Thinking about it further.

ideally, i would want the router to just hand a /64 address and disallow the host from getting a ff:fe address

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?
Live chat software for websites. Increase sales.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?

The main roles of the RA in IPv6 are to:

  (1) exhibit the link-local gateway address of the sending router (this is not an RA option, and unlike v4, not a DHCPv6 option either)

  (2) describe which prefixes are on-link; those will be resolved by clients using neighbor discovery, whereas all others will be forwarded to a gateway router.

The prefixes advertised by the router each have a flag bit indicating whether or not they are available for autoconfiguration.   The RA also has global flag bits indicating whether or not the client should use DHCPv6; the M bit for managed addresses, and the O bit for other network configurations options.  The usual combinations would be M-O- (no DHCP), M+O+ (full DHCP), or M-O+ (static DHCP, addresses are autoconfigured from the prefixes flagged as available).   In practice most production network are running dual-stack with DHCPv4 and either static or SLAAC v6, partly because downlevel clients like windows XP and older OS-X either don't implement DHCPv6 at all, or get it wrong, not to mention the DHCPv6 problems in most consumer grade wifi gear.

The client controls whether it is doing static or dynamic addressing, and if dynamic how it picks its host part.  EUI-64 mappings off the 48-bit ethernet MAC and privacy addresses are only two of its options; there are others.

In your case, I think you have to go with:

   * router flags on-link prefixes as not available for autoconfiguration, tells clients to use managed addresses

   * DHCPv6 server (not necessarily the router) hands out the v6 addresses you want

Most Cisco gear is willing to enforce EUI-64 mappings on host parts, if you want to be that draconian.  Other v6 packets could get dropped.

-- Jim Leinweber, WI State Lab of Hygiene

Please don't spam with that disclaimer

Hi,

This is not doable on the router, all the router does is advertise  /64 prefixes and it is the host which derives the hostid.

http://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=91

Now you could use dhcpv6 on the router instead of SLAAC:

http://www.cisco.com/en/US/docs/ios/ios_xe/ipv6/configuration/guide/ip6-dhcp_xe.html

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hi,

Thanks for the info.

I dont think DHCP is an option as this is essentially a DC edge router with 2000 vlans.

Oddly, the issue seems to only happen with Ubuntu servers. Not windows or Centos/Redhat servers.

SO, This leads me to think that its a server configuration issue rather than simply the router handing two v6 addresses out.

I think I will live with it. Its only a select few vlans that have auto conf enabled. The rest have it all supressed ( So in a normal customer environment they wont get auto config. )

-Graham

Got a website? Need some live chat software?
Live chat software for websites. Increase sales.

-Graham
Please note: My comments are simply suggestions. I cannot be held liable for any loss of data, life or marbles due to following my instructions.

Got a website? Need some live chat software?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: