[c-nsp] MLD snooping breaks IPv6 neighbor discovery

Bernhard Schmidt berni at birkenwald.de
Mon Aug 28 08:33:14 EDT 2006


Hi everyone,

I have an extremely ugly "little" problem regarding IPv6 neighbor
discovery.

We have a Cisco Catalyst 6509 running 12.2(18)SXD7. This Catalyst has our
server network connected on an SVI:

interface Vlan6
 ipv6 address XXXX:XXXX:0:103::1/64
 ipv6 nd ra-interval 20
 ipv6 nd ra-lifetime 60
 ipv6 nd prefix default no-autoconfig

This VLAN is added on two 10GE 802.1q trunks going to HP ProCurve 5400
switches. On the first switch (Te1/2) is (among others) a Linux server
and an IPv6-enabled F5 BigIP loadbalancer, on the second switch (Te1/2)
are several other Linux servers.

The BigIP loadbalancer has XXXX:XXXX:0:103::FFFF:1/64 as local address
and XXXX:XXXX:0:103::80:2:1/64 as virtual address for a service. On one
Linux server on the second switch we have XXXX:XXXX:0:103::25:2:1/64
configured.

My problem is that neighbor solicitation requests for ::80:2:1 are not
visible on the first switch, neither on the loadbalancer nor on the
server. Neighbor discovery for this address fails. They are visible on
servers connected to the second switch though.

It looks like this problem is caused by IPv6 MLD snooping (default
enabled) on the switch. It has an entry for the ND multicast group for
*:??02:0001 pointing towards the second switch:

# sh ipv6 mld snooping explicit-tracking vlan 6 | i FF02::1:FF02:1
::/FF02::1:FF02:1               Te2/2:Vl6 FE80::207:E9FF:FE24:997E  EX
::/FF02::1:FF02:1               Te2/2:Vl6 FE80::204:23FF:FEBC:C20E  EX

The first address belongs to the box serving ::53:2:1, the second
address to the box serving ::25:2:1. I guess due to these entries ND
packets to FF02::1:FF02:1 are not sent towards Te1/2.

If I disable MLD snooping by adding "no ipv6 mld snooping", either on
SVI level or globally, neighbor discovery for the loadbalancer works, but
now router advertisement packets are not sent anymore and all boxes in
this VLAN/all VLANs lose their default route. This problem is
reproducible: when I enable MLD snooping, RAs are sent but the ND to the
loadbalancer fails; if I disable MLD snooping, ND works but RA packets are
not sent anymore.

Any ideas? :-)

Regards,
Bernhard
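
Added example, not part of the original post: a Python check that derives the solicited-node group for the addresses mentioned above and compares it with the two explicit-tracking lines quoted in the message, flagging hosts that sit behind a port with no tracked listener for their group. The 2001:db8 prefix is an assumption standing in for the redacted XXXX:XXXX, and the parser handles only the line format shown in the post.

```python
import ipaddress
from collections import defaultdict

# Assumption: 2001:db8 (documentation prefix) replaces the redacted XXXX:XXXX.
PREFIX = "2001:db8:0:103::"
# (address, trunk port the host sits behind), as described in the post.
HOSTS = [
    (PREFIX + "80:2:1", "Te1/2"),  # loadbalancer virtual address
    (PREFIX + "53:2:1", "Te2/2"),  # Linux server
    (PREFIX + "25:2:1", "Te2/2"),  # Linux server
]
# The two explicit-tracking lines quoted in the post.
SNOOPING = """\
::/FF02::1:FF02:1               Te2/2:Vl6 FE80::207:E9FF:FE24:997E  EX
::/FF02::1:FF02:1               Te2/2:Vl6 FE80::204:23FF:FEBC:C20E  EX
"""

def solicited_node(addr):
    """RFC 4291: FF02::1:FF00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_mac(group):
    """RFC 2464: 33:33 followed by the low 32 bits of the IPv6 group address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def listener_ports(table):
    """Map each tracked group to the set of ports with a reported listener."""
    ports = defaultdict(set)
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[0]:
            continue  # not a source/group tracking line
        group = ipaddress.IPv6Address(fields[0].split("/", 1)[1])
        ports[group].add(fields[1].split(":", 1)[0])  # "Te2/2:Vl6" -> "Te2/2"
    return ports

def unreachable(hosts, table):
    """Hosts whose solicited-node group is tracked, but not on their own port."""
    ports = listener_ports(table)
    return [(addr, port, solicited_node(addr)) for addr, port in hosts
            if ports.get(solicited_node(addr))
            and port not in ports[solicited_node(addr)]]

if __name__ == "__main__":
    for addr, port, group in unreachable(HOSTS, SNOOPING):
        print(f"{addr} behind {port}: no tracked listener for {group} "
              f"({multicast_mac(group)})")
```

All three interface IDs end in 02:0001, so they share one group, and only the virtual address on Te1/2 is reported as lacking a listener entry.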


