Layer 3 subinterface does not pass IPv6 traffic

13179
Created On 03/05/19 22:25 PM - Last Modified 03/26/21 18:21 PM


Symptom


  • The customer configured a static IPv6 address on the interface and also selected "Use interface ID as host portion".
  • Although the IPv6 address is defined on the interface, the client still cannot ping the subinterface IPv6 address "2602:fe6a:a:d99::1/64".
  • When pinging the firewall subinterface from an IPv6 host, the neighbor solicitation messages can be seen arriving at the firewall subinterface, but there is no response. See the packet capture taken on the client below:
 
user1@ubuntu-49-59:~$ sudo tcpdump -vvveni eth1
[sudo] password for user1:
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
05:38:39.293587 00:50:56:81:f0:fd > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) 2602:fe6a:a:d99:ff59:72db:2d58:9631 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2602:fe6a:a:d99::1
          source link-address option (1), length 8 (1): 00:50:56:81:f0:fd
            0x0000:  0050 5681 f0fd
05:38:40.291867 00:50:56:81:f0:fd > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) 2602:fe6a:a:d99:ff59:72db:2d58:9631 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2602:fe6a:a:d99::1
          source link-address option (1), length 8 (1): 00:50:56:81:f0:fd
            0x0000:  0050 5681 f0fd
05:38:41.291859 00:50:56:81:f0:fd > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) 2602:fe6a:a:d99:ff59:72db:2d58:9631 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2602:fe6a:a:d99::1
          source link-address option (1), length 8 (1): 00:50:56:81:f0:fd
            0x0000:  0050 5681 f0fd
05:38:42.309129 00:50:56:81:f0:fd > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) 2602:fe6a:a:d99:ff59:72db:2d58:9631 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2602:fe6a:a:d99::1
          source link-address option (1), length 8 (1): 00:50:56:81:f0:fd
            0x0000:  0050 5681 f0fd
05:38:43.307873 00:50:56:81:f0:fd > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) 2602:fe6a:a:d99:ff59:72db:2d58:9631 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2602:fe6a:a:d99::1
          source link-address option (1), length 8 (1): 00:50:56:81:f0:fd
            0x0000:  0050 5681 f0fd
  • On the firewall, the following command can be used to determine which IPv6 address is assigned to the interface.
admin@Lab32-58-PA-500> show interface all

total configured hardware interfaces: 4

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/2             17    1000/full/up              00:1b:17:32:a9:11
ethernet1/3             18    ukn/ukn/down(autoneg)     00:1b:17:32:a9:12
ethernet1/5             20    ukn/ukn/down(autoneg)     00:1b:17:32:a9:14
ethernet1/6             21    ukn/ukn/down(autoneg)     00:1b:17:32:a9:15

aggregation groups: 0


total configured logical interfaces: 5

name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/2         17    1    L3-Trust         vr:default               0      10.201.1.1/24
                                                                                fe80::21b:17ff:fe32:a911/64
                                                                                2602:fe6a:a:2::1/64
ethernet1/2.3892    310   1    L3-DMZ           vr:default               3892   10.201.99.1/24
                                                                                fe80::21b:17ff:fe32:a911/64
                                                                               2602:fe6a:a:d99:21b:17ff:fe32:a911/64

ethernet1/3         18    1    L3-Untrust       vr:default               0      10.46.40.58/23
ethernet1/5         20    1    L3-DMZ           vr:default               0      10.46.44.58/23
ethernet1/6         21    1    L3-Trust         vr:default               0      192.168.58.1/24
  • The GUI screenshot above shows the static address as "2602:fe6a:a:d99::1/64".
  • The CLI, however, shows the interface address as "2602:fe6a:a:d99:21b:17ff:fe32:a911/64".
  • As a result, the static address cannot be pinged.


Environment


  • PAN-OS 8.1
  • Layer 3 IPv6 interface or subinterface


Cause


  • When "Use interface ID as host portion" is enabled on an IPv6 interface, the firewall uses the interface ID as the host portion of the address.
  • If the interface has a static IPv6 address and "Use interface ID as host portion" is enabled, the firewall gives precedence to the address generated from the interface ID over the static address.


Resolution


  1. If you are assigning a static IPv6 address to the interface, make sure "Use interface ID as host portion" is disabled on that interface. If the option is enabled, the firewall uses the interface ID to generate an IPv6 address and assigns that address to the interface instead.

NOTE:
According to the PAN-OS documentation: https://docs.paloaltonetworks.com//8-1/- pan-os 管理员/网络/配置接口/层-3接口/配置-层-3-接口
  1. For Interface ID, enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29).
  2. If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface.
  3. If you select the "Use interface ID as host portion" option when adding an address, the firewall uses the interface ID as the host portion of that address.
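The following Python is an added example, not code from the KB article or from Palo Alto Networks: it reproduces the EUI-64 derivation described in the NOTE above (MAC split in half, FFFE inserted, universal/local bit flipped) and applies it to the Cause section's symptom, checking whether an address reported by `show interface all` carries the EUI-64 of the physical MAC rather than the configured static host portion. The MAC and addresses are the ones from the CLI output above.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC:
    split the MAC in half, insert 0xFFFE, and flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(bytes([eui[0] ^ 0x02]) + eui[1:], "big")


def eui64_address(prefix: str, mac: str) -> str:
    """Address the firewall generates when the host portion comes from the interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def host_portion_is_eui64(address: str, mac: str) -> bool:
    """True when the low 64 bits of the address equal the EUI-64 derived from the MAC."""
    iface = ipaddress.IPv6Interface(address)
    return (int(iface.ip) & ((1 << 64) - 1)) == eui64_interface_id(mac)


def static_address_overridden(configured: str, shown: str, mac: str) -> bool:
    """Diagnose the symptom in this article: the configured static address differs
    from what the CLI shows, both are in the same /64, and the shown address
    carries the EUI-64 of the physical MAC (interface ID won over the static host part)."""
    cfg = ipaddress.IPv6Interface(configured)
    cli = ipaddress.IPv6Interface(shown)
    return cfg.ip != cli.ip and cfg.network == cli.network and host_portion_is_eui64(shown, mac)


if __name__ == "__main__":
    # Values taken from the 'show interface all' output in the article.
    MAC = "00:1b:17:32:a9:11"
    print(eui64_address("2602:fe6a:a:d99::/64", MAC))
    print(static_address_overridden("2602:fe6a:a:d99::1/64",
                                    "2602:fe6a:a:d99:21b:17ff:fe32:a911/64", MAC))
```

Running it against ethernet1/2.3892 confirms that the address the CLI shows is exactly the EUI-64 address built from the physical MAC, which is why the static ::1 address never answers neighbor solicitations.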

