
IPv6 ND Router Advertisements leaking between VLANS

  • 1.  IPv6 ND Router Advertisements leaking between VLANS

    Posted Apr 20, 2020 02:52 AM

    Hi All

     

    I'm new to configuring IPv6 on HPE/Aruba switches and need some help. We have an HPE 5412zl which we're trying to configure. It appears that router advertisements are leaking between VLANs.

     

    For example, this is our (sanitised) config on our 5412zl:

     

    ip routing
    ipv6 route ::/0 xxx:xxx:402:314::1
    ipv6 unicast-routing

    vlan 51
    name "ICT Network"
    tagged A8,B5-B8,C7-C8,D15-D20
    ip address 10.51.254.254 255.255.0.0
    ipv6 enable
    ipv6 address xxx:xxx:402:51::1/64
    ipv6 nd ra prefix xxx:xxx:402:51::/64
    dhcp-server
    exit

    vlan 100
    name "MDL Wired"
    untagged B5-B7,C7-C8,D15-D20
    ip address 10.100.254.254 255.255.0.0
    ipv6 address xxx:xxx:402:100::1/64
    ipv6 nd ra prefix xxx:xxx:402:100::/64
    dhcp-server
    exit

     

    Routing etc works and this device can reach upstream through its gateway.

     

    Now, I have a PC running Windows 10 which is connected to VLAN100 (access port downstream). However, it is getting IPv6 addresses from BOTH vlan100 and vlan51:

     

    [Image: san_config.png]

    I can't figure out why. It appears the RAs are spanning the VLANs.

     

    The IP 10.100.x.x is assigned by the DHCP server on the 5412zl and it can ping the gateway, access internet, etc... so I know the machine is in the right VLAN.

     

    Does anyone have any ideas?



  • 2.  RE: IPv6 ND Router Advertisements leaking between VLANS
    Best Answer

    EMPLOYEE
    Posted Apr 20, 2020 04:31 AM

    I'd guess that it is very unlikely that the switch is leaking these advertisements.

     

    What I have seen is that Windows is getting IPv6 addresses on VLANs it is getting in 'tagged'. Could it be that you have tagged vlan 51 on the port where your client is connected? Can you check the 'show running interface <interface>'?

     

    A second option is that you created a leak somewhere by connecting two ports on different VLANs. You should be able to see that by running a 'show mac-address' to see if MAC addresses from VLAN51 and VLAN100 show up in both VLAN mac tables. If that was the case, I would expect the IPv4 DHCP to be unreliable as well (sometimes IP in 51 sometimes in 100).

     

    If this doesn't find your issue, I would run a packet capture (Wireshark or so) on the client and see the advertisements coming in. You might have a rogue IPv6 router in the 'wrong' VLAN.



  • 3.  RE: IPv6 ND Router Advertisements leaking between VLANS

    Posted Apr 20, 2020 04:55 AM

    Across the network, vlan51 is tagged on ports that these devices may connect on, but the untagged VLAN on those ports is vlan100. Surely the Windows PC end device does not see RAs from a tagged VLAN they're not configured to accept?

     

    We've run show mac-address and checked the same address doesn't exist on more than one VLAN. We also never have issues with IPv4 DHCP. I'm fairly confident there is no leak in that regard.

     

    There are also definitely no other routers connected.

     

    Are RAs only broadcast within their VLAN?

     

     



  • 4.  RE: IPv6 ND Router Advertisements leaking between VLANS

    Posted Apr 20, 2020 05:21 AM

    It turns out you are absolutely right. Contrary to my expectations, Windows listens to RAs coming in on tagged VLANs.



  • 5.  RE: IPv6 ND Router Advertisements leaking between VLANS

    MVP GURU
    Posted Apr 21, 2020 04:02 AM

    What release of Windows 10?



  • 6.  RE: IPv6 ND Router Advertisements leaking between VLANS

    EMPLOYEE
    Posted Apr 21, 2020 11:10 AM

    I noticed it myself on one of my Windows Server instances in the lab, of which one is running Server 2012R2, the other is Server 2019. I would not know if it is just a specific version of the Windows IP stack or wider in the Windows family.
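
The packet-capture check suggested in reply 2, as an added example that is not part of the original thread: it parses raw Ethernet frames, picks out ICMPv6 Router Advertisements and groups the advertised prefixes by the 802.1Q tag they arrived with. The sample frames and the 2001:db8:402::/48 prefix are constructed stand-ins for the sanitised values above, and the function names are hypothetical.

```python
import ipaddress
import struct

def parse_ra(frame: bytes):
    """Return VLAN tag, router and prefixes of an ICMPv6 RA frame, else None."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None                   # vlan None: frame arrived untagged
    if ethertype == 0x8100:                   # 802.1Q: TCI, then the inner EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != 0x86DD or len(frame) < offset + 56:
        return None                           # need IPv6 header (40) + RA fixed part (16)
    ip6, icmp = frame[offset:offset + 40], frame[offset + 40:]
    if ip6[6] != 58 or icmp[0] != 134:        # ICMPv6 directly after IPv6, type 134 = RA
        return None
    prefixes, pos = [], 16                    # options follow the 16-byte RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break                             # malformed option: stop parsing
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            prefixes.append(f"{ipaddress.IPv6Address(icmp[pos + 16:pos + 32])}/{icmp[pos + 2]}")
        pos += opt_len
    return {"vlan": vlan, "router": str(ipaddress.IPv6Address(ip6[8:24])), "prefixes": prefixes}

def prefixes_by_vlan(frames):
    """Map each VLAN tag (None = untagged) to the prefixes advertised on it."""
    seen = {}
    for frame in frames:
        ra = parse_ra(frame)
        if ra:
            seen.setdefault(ra["vlan"], set()).update(ra["prefixes"])
    return seen

def build_ra(prefix, vlan=None):              # constructed sample frame, checksum zeroed
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    eth = bytes.fromhex("333300000001020000000001") + tag + struct.pack("!H", 0x86DD)
    opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt
    addrs = ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    return eth + struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + addrs + icmp

# Constructed capture: one untagged RA and one RA carrying an 802.1Q tag for VLAN 51.
SAMPLE = [build_ra("2001:db8:402:100::"), build_ra("2001:db8:402:51::", vlan=51)]

if __name__ == "__main__":
    print(prefixes_by_vlan(SAMPLE))
```

Feed it frames from a capture that preserves 802.1Q tags (a mirror port, for example), since many NIC drivers strip the tag before the capture layer sees it.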