IPv6 Neighbor Discovery

This chapter contains the following sections:

Neighbor Discovery

The IPv6 Neighbor Discovery (ND) protocol is responsible for the address auto configuration of nodes, discovery of other nodes on the link, determining the link-layer addresses of other nodes, duplicate address detection, finding available routers and DNS servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.

ND-specific Neighbor Solicitation or Neighbor Advertisement (NS or NA) and Router Solicitation or Router Advertisement (RS or RA) packet types are supported on all ACI fabric Layer 3 interfaces, including physical, Layer 3 sub interface, and SVI (external and pervasive). Up to APIC release 3.1(1x), RS/RA packets are used for auto configuration for all Layer 3 interfaces but are only configurable for pervasive SVIs.

Starting with APIC release 3.1(2x), RS/RA packets are used for auto configuration and are configurable on Layer 3 interfaces including routed interface, Layer 3 sub interface, and SVI (external and pervasive).

ACI bridge domain ND always operates in flood mode; unicast mode is not supported.

The ACI fabric ND support includes the following:

  • Interface policies (nd:IfPol) control ND timers and behavior for NS/NA messages.

  • ND prefix policies (nd:PfxPol) control RA messages.

  • Configuration of IPv6 subnets for ND (fv:Subnet).

  • ND interface policies for external networks.

  • Configurable ND subnets for external networks, and arbitrary subnet configurations for pervasive bridge domains are not supported.

Configuration options include the following:

  • Adjacencies

    • Configurable Static Adjacencies: (<vrf, L3Iface, ipv6 address> --> mac address)

    • Dynamic Adjacencies: Learned via exchange of NS/NA packets

  • Per Interface

    • Control of ND packets (NS/NA)

      • Neighbor Solicitation Interval

      • Neighbor Solicitation Retry count

    • Control of RA packets

      • Suppress RA

      • Suppress RA MTU

      • RA Interval, RA Interval minimum, Retransmit time

  • Per Prefix (advertised in RAs) control

    • Lifetime, preferred lifetime

    • Prefix Control (auto configuration, on link)

  • Neighbor Discovery Duplicate Address Detection (DAD)

Configuring IPv6 Neighbor Discovery on a Bridge Domain

Creating the Tenant, VRF, and Bridge Domain with IPv6 Neighbor Discovery on the Bridge Domain Using the GUI

This task shows how to create a tenant, a VRF, and a bridge domain (BD) within which two different types of Neighbor Discovery (ND) policies are created. They are ND interface policy and ND prefix policy. While ND interface policies are deployed under BDs, ND prefix policies are deployed for individual subnets. Each BD can have its own ND interface policy . The ND interface policy is deployed on all IPv6 interfaces by default. In Cisco APIC, there is already an ND interface default policy available to use. If desired, you can create a custom ND interface policy to use instead. The ND prefix policy is on a subnet level. Every BD can have multiple subnets, and each subnet can have a different ND prefix policy.

Procedure

Step 1

On the menu bar, click Tenant > Add Tenant.

Step 2

In the Create Tenant dialog box, perform the following tasks:

  1. in the Name field, enter a name.

  2. Click the Security Domains + icon to open the Create Security Domain dialog box.

  3. In the Name field, enter a name for the security domain. Click Submit.

  4. In the Create Tenant dialog box, check the check box for the security domain that you created, and click Submit.

Step 3

In the Navigation pane, expand Tenant-name > Networking.

Step 4

In the Work pane, drag the VRF icon to the canvas to open the Create VRF dialog box, and perform the following actions:

  1. In the Name field, enter a name.

  2. Click Submit to complete the VRF configuration.

Step 5

In the Networking area, drag the Bridge Domain icon to the canvas while connecting it to the VRF icon. In the Create Bridge Domain dialog box that displays, perform the following actions:

  1. In the Name field, enter a name.

  2. Click the L3 Configurations tab, and expand Subnets to open the Create Subnet dialog box, enter the subnet mask in the Gateway IP field.

Step 6

In the Subnet Control field, ensure that the ND RA Prefix check box is checked.

Step 7

In the ND Prefix policy field drop-down list, click Create ND RA Prefix Policy.

Note

 

There is already a default policy available that will be deployed on all IPv6 interfaces. Alternatively, you can create an ND prefix policy to use as shown in this example. By default, the IPv6 gateway subnets are advertised as ND prefixes in the ND RA messages. A user can choose to not advertise the subnet in ND RA messages by un-checking the ND RA prefix check box.

Step 8

In the Create ND RA Prefix Policy dialog box, perform the following actions:

  1. In the Name field, enter the name for the prefix policy.

    Note

     

    For a given subnet there can only be one prefix policy. It is possible for each subnet to have a different prefix policy, although subnets can use a common prefix policy.

  2. In the Controller State field, check the desired check boxes.

  3. In the Valid Prefix Lifetime field, choose the desired value for how long you want the prefix to be valid.

  4. In the Preferred Prefix Lifetime field, choose a desired value. Click OK.

    Note

     

    An ND prefix policy is created and attached to the specific subnet.

Step 9

In the ND policy field drop-down list, click Create ND Interface Policy and perform the following tasks:

  1. In the Name field, enter a name for the policy.

  2. Click Submit.

Step 10

Click OK to complete the bridge domain configuration.

Similarly you can create additional subnets with different prefix policies as required.

A subnet with an IPv6 address is created under the BD and an ND prefix policy has been associated with it.

Configuring IPv6 Neighbor Discovery on a Layer 3 Interface

Guidelines and Limitations

The following guidelines and limitations apply to Neighbor Discovery Router Advertisement (ND RA) Prefixes for Layer 3 Interfaces:

  • An ND RA configuration applies only to IPv6 Prefixes. Any attempt to configure an ND policy on IPv4 Prefixes will fail to apply.

Configuring an IPv6 Neighbor Discovery Interface Policy with RA on a Layer 3 Interface Using the GUI


Note

The steps here show how to associate an IPv6 neighbor discovery interface policy with a Layer 3 interface. The specific example shows how to configure using the non-VPC interface.

Before you begin

  • The tenant, VRF, BD are created.

  • The L3Out is created under External Routed Networks.

Procedure

Step 1

In the Navigation pane, navigate to the appropriate external routed network under the appropriate Tenant.

Step 2

Under L3Outs, expand > Logical Node Profiles > Logical Node Profile_name > Logical Interface Profiles.

Step 3

Double-click the appropriate Logical Interface Profile, and in the Work pane, click Policy > Routed Interfaces.

Note

 

If you do not have a Logical Interface Profile created, you can create a profile here.

Step 4

In the Routed Interface dialog box, perform the following actions:

  1. In the ND RA Prefix field, check the check box to enable ND RA prefix for the interface.

    When enabled, the routed interface is available for auto configuration.

    Also, the ND RA Prefix Policy field is displayed.

  2. In the ND RA Prefix Policy field, from the drop-down list, choose the appropriate policy.

  3. Choose other values on the screen as desired. Click Submit.

Note

 

When you configure using a VPC interface, you must enable the ND RA prefix for both side A and side B as both are members in the VPC configuration. In the Work Pane, in the Logical Interface Profile screen, click the SVI tab. Under Properties, check the check boxes to enable the ND RA Prefix for both Side A and Side B. Choose the identical ND RA Prefix Policy for Side A and Side B.

Configuring IPv6 Neighbor Discovery Duplicate Address Detection

About Neighbor Discovery Duplicate Address Detection

Duplicate Address Detection (DAD) is a process that is used by Neighbor Discovery to detect the duplicated addresses in the network. By default, DAD is enabled for the link-local and global-subnet IPv6 addresses used on the ACI fabric leaf layer 3 interfaces. Optionally, you can disable the DAD process for a IPv6 global-subnet by configuring the knob through the REST API (using the ipv6Dad="disabled" setting) or through the GUI. Configure this knob when the same shared secondary address is required to be used across L3Outs on different border leaf switches to provide border leaf redundancy to the external connected devices. Disabling the DAD process in this case will avoid the situation where the DAD considers the same shared secondary address on multiple border leaf switches as duplicates. If you do not disable the DAD process in this case, the shared secondary address might enter into the DUPLICATE DAD state and become unusable.

Configuring Neighbor Discovery Duplicate Address Detection Using the GUI

Use the procedures in this section to disable the Neighbor Discovery Duplicate Address Detection process for a subnet.

Procedure

Step 1

Navigate to the appropriate page to access the DAD field for that interface. For example:

  1. Navigate to Tenants > Tenant > Networking > L3Outs > L3Out > Logical Node Profiles > node > Logical Interface Profiles, then select the interface that you want to configure.

  2. Click on Routed Sub-interfaces or SVI, then click on the Create (+) button to configure that interface.

Step 2

For this interface, make the following settings for the DAD entries:

  • For the primary address, set the value for the DAD entry to enabled.

  • For the shared secondary address, set the value for the DAD entry to disabled. Note that if the secondary address is not shared across border leaf switches, then you do not need to disable the DAD for that address.

Example:

For example, if you were configuring this setting for the SVI interface, you would:

  • Set the Side A IPv6 DAD to enabled.

  • Set the Side B IPv6 DAD to disabled.

Example:

As another example, if you were configuring this setting for the routed sub-interface interface, you would:

  • In the main Select Routed Sub-Interface page, set the value for IPv6 DAD for the routed sub-interface to enabled.

  • Click on the Create (+) button on the IPv4 Secondary/IPv6 Additional Addresses area to access the Create Secondary IP Address page, then set the value for IPv6 DAD to disabled. Then click on the OK button to apply the changes in this screen.

Step 3

Click on the Submit button to apply your changes.

Step 4

Enter the show ipv6 int command on the leaf switch to verify that the configuration was pushed out correctly to the leaf switch. For example: 

swtb23-leaf5# show ipv6 int vrf icmpv6:v1
IPv6 Interface Status for VRF "icmpv6:v1"(9)
 
vlan2, Interface status: protocol-up/link-up/admin-up, iod: 73
if_mode: ext
  IPv6 address:
    2001:DB8:A::2/64 [VALID] [PREFERRED]
    2001:DB8:A::11/64 [VALID] [dad-disabled]
  IPv6 subnet:  2001:DB8:A::/64
  IPv6 link-local address: fe80::863d:c6ff:fe9f:eb8b/10 (Default) [VALID]