RA & DHCP problem...

Lorenzo Colitti lorenzo at google.com
Mon Dec 30 15:21:52 CET 2013


On Mon, Dec 30, 2013 at 2:31 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> One problem we have with this setup: If two devices are on a port, in
> different IPv6-enabled VLANs, they both see both RAs, and IPv6 connectivity
> breaks.
>

<rant issue="That's a terrible architecture" reply="Shove it.">
How are these "different VLANs" if broadcast/multicast packets can pass
from one to the other?

Also, it's not secure if all clients get all the RAs for all the VLANs, and
(in theory at least) can thus just pick the one that works. The objective
is to deny Internet connectivity to certain clients, right?
</rant>

And with that out of the way - are you sure the problem is the default
route and not the source address? If the switch maps received traffic to a
"VLAN" based on source MAC, then it will receive all hosts' packets, so
outbound from the hosts should be fine. The problem is that some of the
outbound packets will have the source address from the wrong "VLAN", and
thus the replies will go to the wrong place. If that's the case, then you
don't need to do routing in DHCPv6 for this to work - if you want to solve
this using DHCPv6, you can do that by using DHCPv6 to configure addressing,
not routing (which you can already do today). Routing is already fine.

Also, mostly for my own curiosity - what will you do when everything is
available over IPv6? Will you disable IPv6 to maintain security, or will
you stick to restricting IPv4 traffic even though it doesn't really do
anything useful any more because everything is available over IPv6?

Cheers,
Lorenzo
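The source-address failure mode described in the reply can be checked with a small simulation. This is an added example, not code from the thread or from either poster: it uses constructed /64 prefixes and MACs, a simplified EUI-64 interface identifier, and assumes a DHCPv6 server that knows the switch's MAC-to-VLAN mapping. It models only what the mail states (outbound frames are placed in a VLAN by source MAC, replies are routed by destination prefix); the routing path is left out because the mail says routing is already fine.

```python
"""Simulation: two IPv6 VLANs share one access port, the switch picks the
VLAN by source MAC, and every host on the port sees every RA.
All prefixes and MACs below are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

IPv6Network = ipaddress.IPv6Network
IPv6Address = ipaddress.IPv6Address

# Constructed: one /64 per VLAN, advertised by that VLAN's router.
VLAN_PREFIX: Dict[int, IPv6Network] = {
    10: IPv6Network("2001:db8:10::/64"),
    20: IPv6Network("2001:db8:20::/64"),
}
# Constructed: the switch's MAC-based VLAN assignment table.
MAC_TO_VLAN: Dict[str, int] = {
    "02:00:00:00:00:0a": 10,
    "02:00:00:00:00:14": 20,
}


@dataclass
class RouterAdvertisement:
    vlan: int
    prefix: IPv6Network


@dataclass
class Host:
    mac: str
    addresses: List[IPv6Address] = field(default_factory=list)


def interface_id(mac: str) -> int:
    """Deterministic 64-bit interface identifier from the MAC (simplified EUI-64)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]  # flip the universal/local bit
    return int.from_bytes(eui, "big")


def slaac(host: Host, ras: List[RouterAdvertisement]) -> None:
    """Stateless autoconfiguration: the host trusts every RA it sees and
    configures one address per advertised prefix, including the other VLAN's."""
    for ra in ras:
        base = int(ra.prefix.network_address)
        host.addresses.append(IPv6Address(base + interface_id(host.mac)))


def dhcpv6_addressing(host: Host) -> None:
    """DHCPv6 used for addressing only (assumed server that knows the MAC-to-VLAN
    mapping): the host gets exactly one address, from its own VLAN's prefix."""
    vlan = MAC_TO_VLAN[host.mac]
    base = int(VLAN_PREFIX[vlan].network_address)
    host.addresses = [IPv6Address(base + interface_id(host.mac))]


def reply_vlan_for(src: IPv6Address) -> int:
    """Return traffic is routed by destination prefix, i.e. into the VLAN whose
    /64 contains the address the host used as source."""
    for vlan, prefix in VLAN_PREFIX.items():
        if src in prefix:
            return vlan
    raise ValueError(f"{src} is not in any VLAN prefix")


def reply_reaches_host(host: Host, src: IPv6Address) -> bool:
    """Outbound always leaves fine (VLAN chosen by source MAC); the reply only
    comes back to the host if it is routed into that same VLAN."""
    outbound_vlan = MAC_TO_VLAN[host.mac]
    return reply_vlan_for(src) == outbound_vlan


def connectivity_report(host: Host) -> Dict[str, bool]:
    """For each configured source address, whether a flow using it completes."""
    return {str(a): reply_reaches_host(host, a) for a in host.addresses}


if __name__ == "__main__":
    ras = [RouterAdvertisement(v, p) for v, p in VLAN_PREFIX.items()]
    h = Host("02:00:00:00:00:0a")
    slaac(h, ras)
    print("SLAAC from both RAs:", connectivity_report(h))
    h2 = Host("02:00:00:00:00:0a")
    dhcpv6_addressing(h2)
    print("DHCPv6 addressing only:", connectivity_report(h2))
```

With SLAAC from both RAs the VLAN 10 host ends up with two addresses; flows sourced from the 2001:db8:20::/64 address leave the port normally but their replies are routed into VLAN 20 and never come back. With DHCPv6 handing out addresses (not routes) the host has only its own VLAN's address and every flow completes, which is the point made above that the fix is addressing, not routing.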