IPv6 SLAAC addresses received on all interfaces

RouterOS General
1

I am trying to configure a switch (CRS326) with an uplink trunk port carrying three different VLANs. I only want an IPv6 address assigned to the “mgmt” VLAN, but I always receive IPv6 addresses on all VLANs.

The IPv6 configuration:

/ipv6 nd
set [ find default=yes ] interface=mgmt
/ipv6 settings
set forward=no

…how do I prevent the other VLANs from creating SLAAC IPv6 addresses?

1 Like
2

What do you mean with this? If you see the other devices (not the router) having IPv6 link-local addresses (fe80::/10) then that has nothing with your CRS and it's not something your CRS can control. You'll have to go to each devices and turn off IPv6 support on them if you want that they don't assign IPv6 link-local addresses to themselves.

But if you see the clients in your VLANs having unexpected non-link-local IPv6 addresses assigned, then:

  • Check under /ipv6 address whether you have non-link-local address entries assigned to the VLAN interfaces with the advertise flag turned on.
  • Also verify with /ipv6 nd prefix print whether there are entries, dynamic or not, corresponding to thoses VLAN interfaces.
  • Check if you have any DHCPv6 server instances configured.

If none of the above shows anything at all, then you should check your VLAN configuration. Unlike IPv4 DHCP that requires a two-way communication for devices to obtain IP addresses, IPv6 SLAAC only needs multicast traffic in one direction. Which means if your VLAN is wrongly configured, and the CRS (or any downstream managed switch) is sending out untagged packets of multiple VLANs on the same port, then the clients attached to that port will use the advertised prefixes from all of those VLANs to create SLAAC addresses.

So, you should verify that you don't have /interface bridge vlan entries with populated untagged parameter while having multiple values in vlan-ids. You should do the check on all the other switches too.

Or, if you mean that your CRS is on the receiving end of those address assignments, and your CRS gets IPv6 addresses assigned to it on multiple unwanted interfaces then:

  • The easiest way is to not create /interface vlan entries for VLAN IDs other than the one used for management. If you don't add any interface other than mgmt, then only mgmt will get IPv6 address. Of course, don't include the bridge in the tagged lists of those other VLANs under /interface bridge vlan either.

  • In case you need your CRS to have L3 access on those VLANs, and need to create multiple VLAN interfaces under /interface vlan, then recent RouterOS versions allow you to have an interface list, where you'll only put mgmt in, then assign that interface list to this setting under IPv6 -> Settings:

    image

    With that the CRS will ignore router advertisements on the other VLAN interfaces.

3

Thank you very much for your help so far!

The CRS in question is on the receiving end. I removed the additional VLAN from the interfaces - for that VLAN there are no more IPv6 addresses received, obviously. But for the default VLAN on the bridge, there are still IPv6 addresses received additionally to the link-local addresses.

/interface/vlan> print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE, L3-HW-OFFLOADING
#   NAME   MTU  ARP      VLAN-ID  INTERFACE  L3-HW-OFFLOADING
0 R mgmt  1500  enabled       99  lan        yes   

/interface/bridge/vlan> print
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0 lan            1                  lan             
                                    ether23         
1 lan           99  lan                             
                    ether23                         
2 lan          666  ether23 

/ipv6/address> print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, VRF, ADVERTISE, VALID, PREFERRED
#    ADDRESS                                   INTERFACE  VRF   ADVERTISE  VALID          PREFERRED  
0 D  ::1/128                                   lo         main  no                                   
1 DL fe80::xxxx:xxxx:xxxx:ba65/64              lan        main  no                                   
2 DL fe80::xxxx:xxxx:xxxx:ba65/64              mgmt       main  no                                   
3 DG fd00:80::xxxx:xxxx:xxxx:ba65/64           mgmt       main  no         4w1d23h55m58s  6d23h55m58s
4 DG 2003:xx:xxxx:xxxx:xxxx:xxxx:xxxx:ba65/64  mgmt       main  no         1h55m57s       55m57s     
5 DG fd00:1::xxxx:xxxx:xxxx:ba65/64            lan        main  no         4w1d23h55m58s  6d23h55m58s
6 DG 2003:xx:xxxx:xxxx:xxxx:xxxx:xxxx:ba65/64  lan        main  no         1h55m57s       55m57s

The IPv6 addresses assigned would be correct for the respective VLANs btw - I just don’t want it on the default VLAN.

The dialog you mentioned does not allow me to select a specific interface:

image
image504×200 27 KB

4

In WinBox you can go to the Interfaces -> Interface Lists window, then on the right side, click on "Lists". There you can create a new list. Then back to the Interfaces -> Interface Lists table, you can add interfaces to that list.

Or with commands:

/interface list
add name=ACCEPT_RA_LIST

/interface list member
add interface=mgmt list=ACCEPT_RA_LIST

Then set the list to the IPv6 settings:

/ipv6 settings
set accept-router-advertisements-on=ACCEPT_RA_LIST
1 Like
5

Awesome! This solved the issue for me!

Thank you very much!