[c-nsp] MLD snooping breaks IPv6 neighbor discovery

Bernhard Schmidt berni at birkenwald.de
Tue Aug 29 05:47:00 EDT 2006


Alexander Gall <gall at switch.ch> wrote:

>> If I disable MLD snooping by adding "no ipv6 mld snooping" either on
>> SVI level or globally, neighbor discovery for the loadbalancer works, but
>> now router advertisement packets are not sent anymore and all boxes in
>> this VLAN/all VLANs lose their default route. This problem is
>> reproducible: when I enable MLD snooping, RAs are sent but ND to the
>> loadbalancer fails; if I disable MLD snooping, ND works but RA packets are
>> not sent anymore.
> Are you sure the RA packets are not sent at all? 

Yes. 

> I know that at least 12.2(18)SXD1 had a bug that caused *all* traffic
> sent to the ALL-NODES address FF02::1 to be blackholed when MLD
> snooping was disabled.  You can verify this by pinging FF02::1.  The
> bug came in various guises, sometimes breaking FF02::1 on SVIs,
> sometimes even on p2p links.  It drove me nuts. 

Aha! Thanks for this, I was always wondering why another stupid box did not
send router advertisements (in the largest segment of our public access
WLAN), now I know it :-)

> So, like Gert suggested, upgrading is probably your only chance.

This bug is not fixed. I just tried it with a lab box running 12.2(33)SRA
with the following configuration:

interface Vlan6
 ipv6 address 2001:db8:0:103::1/64
 ipv6 nd ra interval 20
 ipv6 nd ra lifetime 60
!
interface FastEthernet2/1
 switchport
 switchport access vlan 6
!
interface FastEthernet2/2
 switchport
 switchport access vlan 6

I connected a laptop on each port. On Fa2/1 we had a Linux 2.6.17.8 with
MAC address 00:0d:60:11:ac:aa, on Fa2/2 we had Linux 2.6.16.13-4 (SuSE
10.1) with 00:0b:5d:4b:7a:35. The boxes autoconfigured their EUI-64
addresses and it looked like the problem reappeared.

The solicited-node address of the first box (ff02::1:ff11:acaa) was
visible in "sh ipv6 mld snooping explicit-tracking" and only seen on
Fa2/1. The address of the second node did not appear at all. There seems
to be either a difference due to the kernel versions or a SuSE setting:
the first box responded to MLD queries and listed the solicited-node
address in the groups, the second box did not respond at all.

From that point it looked like the problem had reappeared, as "sh
mac-address-table multicast vlan 6" showed the multicast macs only on
the specific port, and when I tried to ping 2001:db8:0:103::11:acaa (an
unused address but using the same solicited-node group) from the router
the neighbor solicitation was not visible on Fa2/2.

However, when I added this address on the box on Fa2/2 the second port
suddenly appeared in the output of "sh mac-address ..." and pinging any
address that ends in 11:acaa resulted in the neighbor discovery being
sent to both ports. My guess is this was due to DAD sending a packet to
the solicited-node address, because when I entered

conf t
interface Fa2/2
switchport access vlan 1
switchport access vlan 6

the port was gone from the group, neighbor discoveries for
2001:db8:0:103::11:acaa were not sent to the port anymore and the
address was unreachable. The other address on the second box worked fine
though. This is exactly the behaviour I can currently see with our
loadbalancers.

There is only one positive aspect, at least on 12.2(33)SRA I can disable
MLD snooping without breaking my router advertisements. But since
upgrading is such a horrible pain in the ass in our current network
structure, I think I'll have to find some workarounds for the next few
weeks.

Regards,
Bernhard
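
Added worked example, not part of Bernhard's message or of any Cisco code: the Python below reproduces the address arithmetic behind the observations in the post (RFC 4291 EUI-64 autoconfiguration, the solicited-node multicast group and its 33:33:xx:xx:xx:xx Ethernet MAC) and then models an MLD snooping table to show why a neighbor solicitation for 2001:db8:0:103::11:acaa only reaches the ports that have reported ff02::1:ff11:acaa. The MAC addresses and prefix are the ones from the post; the snooping table, the port names in it and the helper function names are constructed for this example.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit, insert ff:fe."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 6-octet MAC address")
    octets[0] ^= 0x02                          # universal/local bit is inverted
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return int.from_bytes(bytes(eui), "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures from an RA prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def solicited_node_group(addr: str) -> str:
    """ff02::1:ffXX:XXXX, built from the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def multicast_mac(group: str) -> str:
    """Ethernet MAC an IPv6 multicast group maps to: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def ns_delivery_ports(snooping_table: dict, all_ports: list, target: str,
                      snooping_enabled: bool = True) -> set:
    """Ports a neighbor solicitation for `target` is forwarded to.

    A switch with MLD snooping only floods a multicast frame to ports that
    reported the group (plus router ports, omitted here); with snooping off
    it floods to every port in the VLAN.  The table is a constructed model:
    {group: set(ports)}.
    """
    if not snooping_enabled:
        return set(all_ports)
    return set(snooping_table.get(solicited_node_group(target), set()))


if __name__ == "__main__":
    prefix = "2001:db8:0:103::/64"
    box1 = slaac_address(prefix, "00:0d:60:11:ac:aa")   # Fa2/1, answered MLD queries
    box2 = slaac_address(prefix, "00:0b:5d:4b:7a:35")   # Fa2/2, never answered
    for a in (box1, box2):
        g = solicited_node_group(a)
        print(f"{a}  ->  {g}  ->  {multicast_mac(g)}")

    # Constructed snooping state matching the post: only Fa2/1 reported its group.
    table = {solicited_node_group(box1): {"Fa2/1"}}
    ports = ["Fa2/1", "Fa2/2"]
    print("NS for", box2, "goes to", ns_delivery_ports(table, ports, box2))
    print("NS for 2001:db8:0:103::11:acaa goes to",
          ns_delivery_ports(table, ports, "2001:db8:0:103::11:acaa"))
```

The last call shows the "unused address with the same solicited-node group" case from the post: 2001:db8:0:103::11:acaa and the first laptop's EUI-64 address end in the same 24 bits, so they share ff02::1:ff11:acaa and the switch forwards the solicitation wherever that group was reported. The second laptop's group was never reported, so with snooping on the solicitation set for it is empty, which is the symptom the post describes.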


