
IPv6 Neighbor Advertisement with different MAC address causes flooding across all switches

bcoverstone
Level 1

I was using Wireshark yesterday when I noticed that there was a lot of IPv6 traffic being received on my switch port that was not destined for my host.  So I decided to track it down and find out why.  Easy enough, I'll just log onto the switches and trace the port that the MAC address is connected to, right?  Wrong!

Here is what happened.  First, I pinged the host in question:

  SwitchA# ping ipv6 2001:xxxx:xxxx:10:1C1B:CA6:A0F:2219
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 2001:xxxx:xxxx:10:1C1B:CA6:A0F:2219, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/8 ms

Great, that worked.  I then checked the IPv6 neighbors to find the MAC address:

  SwitchA# show ipv6 neighbor | i 2219
  2001:xxxx:xxxx:10:1C1B:CA6:A0F:2219         0 001e.33fd.91ab  REACH Vl10

Great, we got the MAC address.  Now let's find out what port it's on:

  SwitchA# show mac add add 001e.33fd.91ab
            Mac Address Table
  -------------------------------------------

  Vlan    Mac Address       Type        Ports
  ----    -----------       --------    -----

Um... nothing was listed.  Strange, it is as if the switch had no idea where that MAC address was.  Well, that would explain why the switch was broadcasting the traffic to all ports.  Just to be sure, I tried pinging my own host's IPv6 address and then cross-referenced the MAC address, and it worked just fine.

I was puzzled all last night as to how this could happen.  Today, an idea hit me.  What if the Neighbor Advertisement packet can contain a MAC address in the payload, which could be different from the MAC address of the host sending it?  I figured it was pulled directly from layer 2, but maybe not.  So I pulled up Wireshark and ran a ping on the host.  Here is a snippet of what I saw:

  2001:xxxx:xxxx:10:1c1b:ca6:a0f:2219     ICMPv6   86   Neighbor Advertisement (sol, ovr) is at 00:1e:33:fd:91:ab
  Ethernet II, Src: CiscoSpv_2c:db:c0 (48:44:87:2c:db:c0), Dst: Giga-Byt_51:fd:6d (1c:6f:65:51:fd:6d)
  ...
  ICMPv6 Option (Target link-layer address : 00:1e:33:fd:91:ab)

Aha!  The real MAC address is 48:44:87:2c:db:c0, which I was able to locate in the switch (by the way, this was an AT&T Microcell).

So now that I know that a Neighbor Advertisement packet can contain any arbitrary MAC address, it would seem logical that Cisco would have a way to perform "NA snooping" or "ND snooping".  I have performed several searches to try and find out best practices for configuring a switch for IPv6 so it does not broadcast packets everywhere when this condition happens, but I have not been able to find much on the subject.  I tried "IPv6 snooping", but that didn't seem to work.  Or maybe I configured it incorrectly.

Does anyone know how to correct this issue?
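The mismatch described in this post can be checked directly from a capture: the switch's MAC address table learns from the Ethernet source address, while the IPv6 neighbor cache learns from the Target Link-Layer Address option inside the ICMPv6 Neighbor Advertisement, and nothing in the protocol forces the two to agree. The following is an added example, not code from the original post or from Cisco; it builds an Ethernet/IPv6/ICMPv6 NA frame from the two MAC addresses quoted above (with the redacted IPv6 addresses replaced by constructed 2001:db8::/32 documentation addresses), parses it the way a snooping feature would, and flags the disagreement. The checksum is left zero because the bytes are only parser input, and IPv6 extension headers are not handled.

```python
"""Detect an IPv6 Neighbor Advertisement whose Target Link-Layer Address option
differs from the Ethernet source MAC that carried it.

Added example (not from the original post or any vendor code). The sample frame
is constructed from the MAC addresses quoted in the post; the IPv6 addresses are
made-up 2001:db8::/32 documentation addresses standing in for the redacted ones.
"""
import struct
from ipaddress import IPv6Address

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_NEIGHBOR_ADVERT = 136        # ICMPv6 type for Neighbor Advertisement (RFC 4861)
ND_OPT_TARGET_LLADDR = 2        # ND option type: Target Link-Layer Address
NA_FLAG_SOLICITED = 0x40000000  # the "sol" flag Wireshark showed
NA_FLAG_OVERRIDE = 0x20000000   # the "ovr" flag Wireshark showed


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or Cisco-style 'aabb.ccdd.eeff'."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_na_frame(eth_src, eth_dst, ip6_src, ip6_dst, target, tlla,
                   flags=NA_FLAG_SOLICITED | NA_FLAG_OVERRIDE) -> bytes:
    """Assemble NA frame bytes laid out as a capture would show them.

    The ICMPv6 checksum is left as zero: this is parser input, not a frame
    meant to be transmitted.
    """
    icmp = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, flags)
    icmp += IPv6Address(target).packed
    # Target Link-Layer Address option: type 2, length 1 (one 8-byte unit)
    icmp += struct.pack("!BB", ND_OPT_TARGET_LLADDR, 1) + mac_to_bytes(tlla)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += IPv6Address(ip6_src).packed + IPv6Address(ip6_dst).packed
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp


def parse_na(frame: bytes):
    """Return the fields a switch learns from, or None if this is not an NA frame.

    Only the common case with no IPv6 extension headers (Next Header == 58)
    is handled.
    """
    if len(frame) < 14 + 40 + 24:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    payload_len = struct.unpack("!H", frame[18:20])[0]
    if frame[20] != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 24 or icmp[0] != ND_NEIGHBOR_ADVERT:
        return None
    flags = struct.unpack("!I", icmp[4:8])[0]
    tlla = None
    off = 24
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:            # RFC 4861 4.6: zero-length option is invalid
            break
        if opt_type == ND_OPT_TARGET_LLADDR and opt_len == 1 and off + 8 <= len(icmp):
            tlla = icmp[off + 2:off + 8]
        off += opt_len * 8
    return {
        "eth_src": bytes_to_mac(eth_src),                 # what the MAC address table learns
        "ip6_src": str(IPv6Address(frame[22:38])),
        "target": str(IPv6Address(icmp[8:24])),
        "tlla": bytes_to_mac(tlla) if tlla else None,    # what the neighbor cache learns
        "solicited": bool(flags & NA_FLAG_SOLICITED),
        "override": bool(flags & NA_FLAG_OVERRIDE),
    }


def na_lladdr_mismatch(frame: bytes):
    """True when the advertised link-layer address differs from the frame's
    source MAC, i.e. the neighbor cache and the MAC address table will disagree
    and unicast to the cached MAC is flooded. None if not an NA with a TLLA."""
    na = parse_na(frame)
    if na is None or na["tlla"] is None:
        return None
    return na["tlla"] != na["eth_src"]


# Constructed sample reproducing the post: sourced from the Microcell's MAC but
# advertising a different one in the option. 86 bytes, like the captured frame.
SAMPLE_NA = build_na_frame(
    eth_src="48:44:87:2c:db:c0", eth_dst="1c:6f:65:51:fd:6d",
    ip6_src="2001:db8:10::1c1b:ca6:a0f:2219", ip6_dst="2001:db8:10::51",
    target="2001:db8:10::1c1b:ca6:a0f:2219", tlla="00:1e:33:fd:91:ab",
)

if __name__ == "__main__":
    print(parse_na(SAMPLE_NA))
    print("mismatch:", na_lladdr_mismatch(SAMPLE_NA))
```

Run against a real capture, the same check applied to every NA frame on the VLAN gives a list of neighbors whose cached MAC will never appear in the MAC address table, which is exactly the set of destinations the switch ends up flooding.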
