Netgate Discussion Forum

    IPv6 dhcpd/slaac

      Ofloo

      I've got multiple dhcp servers on different vlans for IPv6 but for some reason the dhcp/router advertisements of other vlans flow into each other. vlan100 gets an IPv6 assigned from vlan200 and vice versa.

      How do I prevent this from happening?

      I've tried various router advertisement modes and even tried turning off the dhcpv6, either it doesn't give me an IP at all or it gives me multiple. To me that beats the point of separating networks, then I can rather put everything in one network.

        Napsterbater

        Simple, you have IPv6 RA packets (multicast) crossing your VLANs/Broadcast domains, you have a switching config/issue somewhere, or a client/nic behaving badly when receiving tagged traffic.

        Post some info on your setup.

        For example I have seen this when a switch port was set up as a "Trunk"/Tagged (and a "native"/untagged VLAN) and the device on the other end was not "VLAN Aware", or at least configured to be. For traffic from the tagged VLANs the tag was stripped and the packet passed along to the OS, yet that client could never talk back to the LAN that packet came from, so DHCP4 or DHCP6 could not assign an IP as there was no working 2 way path to complete the assignment, only 1 way. But the client could SLAAC, since that only needed a 1 way path.

          Derelict LAYER 8 Netgate

          Got TP-Link?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Ofloo

            Yes, indeed it was a switch problem. I did find out why, however it doesn't really solve my problem. For mac vlans to work I need to set the port configuration to "GENERAL", and for some reason if the port is not configured as "TRUNK" but "GENERAL" as required for mac vlan the vlans' multicasts flow into each other.

            • Yes I've got a T2600G-28TS TP-link
            ACCESS: The ACCESS port can be added in a single VLAN, and the egress rule of the port is UNTAG. The PVID is same as the current VLAN ID. If the current VLAN is deleted, the PVID will be set to 1 by default.
            
            TRUNK: The TRUNK port can be added in multiple VLANs. The egress rule of the port is UNTAG if the arriving packet’s VLAN tag is the same as the port’s PVID, otherwise the egress rule is TAG. The PVID can be set as the VID number of any valid VLAN.
            
            GENERAL: The GENERAL port can be added in multiple VLANs and set various egress rules according to the different VLANs. The default egress rule is UNTAG. The PVID can be set as the VID 
            
              JKnott

              Yet another example of why we should stay away from TP-Link.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                Napsterbater

                GENERAL: The GENERAL port can be added in multiple VLANs and set various egress rules according to the different VLANs. The default egress rule is UNTAG. The PVID can be set as the VID 
                

                Just from reading that it sounds like when in general that YOU (via "rules") have to tell it what vlans to TAG, otherwise ALL VLANs assigned to the port go out untagged.

                  Ofloo

                  Never mind, spoke too soon :/

                  The port has vlan tags of several vlans enabled so not quite sure what you're referring to when you're talking about retagging the traffic, but I think what you're saying I already did.

                    Napsterbater

                    @Ofloo:

                    Never mind, spoke too soon :/

                    The port has vlan tags of several vlans enabled so not quite sure what you're referring to when you're talking about retagging the traffic, but I think what you're saying I already did.

                    What is connected to that port? Is the connected device VLAN aware? Is it set up for multiple VLANs? Is this happening on more than one port with more than one device/client?

                    Best bet is to use Wireshark on a port that has this issue and look at the RA packets, confirm they are tagged at all and correctly for the VLAN for the subnet being advertised. If they are, then set your sights on the client/s.
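
The check suggested in the last post (confirm each RA is tagged, and tagged for the VLAN whose subnet it advertises) can be scripted over raw frames exported from a capture. This is an added example, not part of the thread: the VLAN-to-prefix map, the `2001:db8::/32` documentation prefixes, the `pvid` parameter and the sample frames from `build_ra` are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumed addressing plan for this example: VLAN ID -> prefix advertised there.
EXPECTED = {100: ipaddress.IPv6Network("2001:db8:100::/64"),
            200: ipaddress.IPv6Network("2001:db8:200::/64")}

def parse_ra(frame):
    """Return (vlan_id_or_None, [prefixes]) for a Router Advertisement, else None."""
    if len(frame) < 14:
        return None
    (ethertype,), off, vlan = struct.unpack_from("!H", frame, 12), 14, None
    if ethertype == 0x8100 and len(frame) >= 18:    # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x86DD or len(frame) < off + 56:
        return None
    # Next header must be ICMPv6 (58) with type 134 (RA); extension headers are not handled.
    if frame[off + 6] != 58 or frame[off + 40] != 134:
        return None
    prefixes, pos = [], off + 56                    # options follow the 16-byte RA header
    while pos + 2 <= len(frame):
        otype, olen = frame[pos], frame[pos + 1] * 8
        if olen == 0 or pos + olen > len(frame):
            break                                   # malformed option: stop parsing
        if otype == 3 and olen == 32:               # Prefix Information option
            packed = bytes(frame[pos + 16:pos + 32])
            prefixes.append(ipaddress.IPv6Network((packed, frame[pos + 2]), strict=False))
        pos += olen
    return vlan, prefixes

def check(frame, pvid):
    """Classify one frame captured on a port whose untagged VLAN is `pvid`."""
    parsed = parse_ra(frame)
    if parsed is None:
        return "not-ra"
    vlan = pvid if parsed[0] is None else parsed[0]  # untagged frames land in the PVID
    return "ok" if all(p == EXPECTED.get(vlan) for p in parsed[1]) else "leak"

def build_ra(prefix, vlan=None):
    """Constructed sample frame (checksum left at zero), not captured traffic."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt + net.network_address.packed
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
           + ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed)
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return bytes.fromhex("333300000001020000000001") + tag + b"\x86\xdd" + ip6 + icmp
```

A result of `leak` for an untagged RA means the switch port is emitting another VLAN's advertisement untagged; a result of `ok` for every frame points at the client instead.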

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.