Thursday, August 17, 2017

Nexus 7000 IPv6 Configuration Pitfalls

https://www.tachyondynamics.com/nexus-7000-ipv6-configuration-pitfalls/

N7K-1-LAN(config)# vlan configuration 1149
N7K-1-LAN(config-vlan-config)# no ip igmp snooping optimise-multicast-flood
Warning: This command should be executed on peer VPC switch as well.
==============================================================
N7K-2-LAN(config)# vlan configuration 1149
N7K-2-LAN(config-vlan-config)# no ip igmp snooping optimise-multicast-flood
Warning: This command should be executed on peer VPC switch as well.


Guidelines and Limitations for IPv6

IPv6 has the following configuration guidelines and limitations:
  • IPv6 packets are transparent to Layer 2 LAN switches because the switches do not examine Layer 3 packet information before forwarding IPv6 frames. IPv6 hosts can be directly attached to Layer 2 LAN switches.
  • You can configure multiple IPv6 global addresses within the same prefix on an interface. However, multiple IPv6 link-local addresses on an interface are not supported.
  • Because RFC 3879 deprecates the use of site-local addresses, you should configure private IPv6 addresses according to the recommendations of unique local addressing (ULA) in RFC 4193.
  • F2 Series modules do not support IPv6 tunnels.
  • On F2 Series modules, you must disable IGMP optimized multicast flooding (OMF) on any VLANs that require any IPv6 packet forwarding (unicast or multicast). IPv6 neighbor discovery functions correctly only in a VLAN with the OMF feature disabled. To disable OMF, use the no ip igmp snooping optimised-multicast-flood command in VLAN configuration mode. With OMF disabled, unknown IPv4 multicast traffic (as well as all IPv6 multicast traffic) is flooded to all ports in the VLAN. Note that unknown multicast traffic refers to multicast packets with an active source but no receivers (and therefore no group forwarding entry in the hardware) in the ingress VLAN.
Yeah, that last one got me. Apparently, Cisco is trying to “help” me by taking multicast snooping to an all new level – killing any IPv6 communication. This matters because IPv6 Neighbor Discovery (think ARP for IPv4) goes over multicast. So what I imagine the snooping is doing on F2 modules is dropping all Ethernet frames with a destination MAC of 33-33-xx-xx-xx-xx. The “xx” bytes map to the IPv6 multicast group the frame is trying to reach. For example, the all-nodes multicast address ff02::1 maps to the Ethernet MAC 33:33:00:00:00:01.
So by disabling Cisco’s “optimized” multicast flood protection, you get IPv6 to work on a layer-2 interface. The command should be run in the VDC you are working in and, as the warning in the session above says, on the vPC peer switch as well. You have to make sure you think in the Queen’s English for this one:

  • no ip igmp snooping optimised-multicast-flood
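
To see which 33:33 destination MACs Neighbor Discovery depends on in a given VLAN, the following added example (not part of the original post) derives them from host addresses using the mappings in RFC 2464 and RFC 4291. The function names and the sample host addresses are constructed for illustration.

```python
import ipaddress

ALL_NODES = "ff02::1"      # every IPv6 host listens here (RFC 4291)
ALL_ROUTERS = "ff02::2"    # Router Solicitations are sent here

def multicast_mac(group: str) -> str:
    """Ethernet MAC for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in addr.packed[-4:])

def solicited_node(unicast: str) -> str:
    """Solicited-node group ff02::1:ffXX:XXXX built from the low 24 bits (RFC 4291)."""
    addr = ipaddress.IPv6Address(unicast)
    if addr.is_multicast:
        raise ValueError(f"{unicast} is multicast, expected a unicast address")
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF)))

def nd_destination_macs(hosts):
    """Map each destination MAC that Neighbor Discovery needs in a VLAN to its group."""
    groups = [ALL_NODES, ALL_ROUTERS] + [solicited_node(h) for h in hosts]
    return {multicast_mac(g): g for g in groups}

def is_ipv6_multicast_mac(mac: str) -> bool:
    """True if a captured destination MAC falls in the 33:33:xx:xx:xx:xx range."""
    octets = mac.lower().replace("-", ":").split(":")
    return len(octets) == 6 and octets[:2] == ["33", "33"]

if __name__ == "__main__":
    # Constructed sample hosts (link-local plus documentation prefix 2001:db8::/32).
    sample_hosts = ["fe80::1", "2001:db8::1:800:200e:8c6c"]
    for mac, group in nd_destination_macs(sample_hosts).items():
        print(f"{mac}  <-  {group}")
```

If frames to these MACs leave a host but never show up in a capture on another port of the same VLAN, Neighbor Solicitations are being dropped in the switch, which matches the OMF behaviour described above.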