Multi-auth and IPv6 RAs

Johannes Luther
Level 4

Hi board,

in the configuration guide for IOS-XE, the following multi-auth limitation is described:

 

In the Multi-auth Per User VLAN assignment feature, egress traffic from multiple vlans are untagged on a port where the hosts receive traffic that is not meant for them. This can be a problem with broadcast and multicast traffic.

  • IPv6 control packets: In IPv6 deployments, Router Advertisements (RA) are processed by hosts that are not supposed to receive them. When a host from one VLAN receives RA from a different VLAN, the host assigns an incorrect IPv6 address to itself. Such a host is unable to get access to the network. The workaround is to enable the IPv6 first hop security so that the broadcast ICMPv6 packets are converted to unicast and sent out from multi-auth enabled ports. The packet is replicated for each client in multi-auth port belonging to the VLAN and the destination MAC is set to an individual client. Ports having one VLAN, ICMPv6 packets broadcast normally.

So the problem itself is crystal clear. End devices might receive broad- and multicast packets, which are outside their IP subnet scope.

However, I have no idea how to configure the described workaround (The workaround is to enable the IPv6 first hop security so that the broadcast ICMPv6 packets are converted to unicast and sent out from multi-auth enabled ports).

 

How do I configure IPv6 FHS so that multicast RAs are replicated to each end device as a unicast frame?
