cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4155
Views
0
Helpful
5
Replies

Multi-auth "Per User VLAN" and IPv6

Johannes Luther
Level 4
Level 4

Hi board,

I tried to ask this question in the NAC board a while ago, but got no answer. I guess it's more an IPv6 FHS feature question...

in the configuration guide for IOS-XE, the following multi-auth limitation is described:

 

In the Multi-auth Per User VLAN assignment feature, egress traffic from multiple vlans are untagged on a port where the hosts receive traffic that is not meant for them. This can be a problem with broadcast and multicast traffic.

  • IPv6 control packets: In IPv6 deployments, Router Advertisements (RA) are processed by hosts that are not supposed to receive them. When a host from one VLAN receives RA from a different VLAN, the host assign incorrect IPv6 address to itself. Such a host is unable to get access to the network. The workaround is to enable the IPv6 first hop security so that the broadcast ICMPv6 packets are converted to unicast and sent out from multi-auth enabled ports.. The packet is replicated for each client in multi-auth port belonging to the VLAN and the destination MAC is set to an individual client. Ports having one VLAN, ICMPv6 packets broadcast normally.

So the problem itself is crystal clear. End devices might receive broad- and multicast packets, which are outside their IP subnet scope.

However I have to idea how to configure the described workaround (The workaround is to enable the IPv6 first hop security so that the broadcast ICMPv6 packets are converted to unicast and sent out from multi-auth enabled ports).

 

How to configure IPv6 FHS that multicast RAs are replicated to each end device as an unicast frame?

1 Accepted Solution

Accepted Solutions