Duplicate IPv6 Prefix Detection in the AAA User Profile Database Overview

You can configure the AAA service to detect duplicate IP addresses and duplicate IPv6 Neighbor Discovery router advertisement prefixes, Framed-IPv6-Prefixes, and DHCPv6 delegated prefixes by validating them against the AAA database instead of the IP route table. If AAA detects a non-unique IP address or IPv6 prefix, the corresponding subscriber session is terminated.

In some network environments where the same customer logs in from multiple locations, terminating sessions with duplicate IP addresses and IPv6 prefixes might break subscriber setup. The enhanced duplicate prefix detection capability is disabled by default. Because each prefix is validated against the AAA table, enabling the enhanced prefix detection capability may impact performance.

AAA maintains a new table for IPv6 prefixes and Framed-IP-Address information for subscribers. The AAA service checks for duplication of IP addresses and prefixes in this new table after PPP authorization. If a duplicate address or prefix is detected by AAA before a subscriber is granted access, the subscriber is denied access. However, in some cases, when two subscribers with the same IPv6 prefix log in simultaneously, the duplicate might be detected only after access is granted to both subscribers. AAA terminates the duplicate subscriber session immediately upon detecting the duplicate IPv6 prefix.

The following scenarios can occur during the establishment of subscriber sessions:

Note: AAA cannot detect duplicates of overlapping IPv6 prefixes. Also, the aaa duplicate-prefix-check-extension command detects duplicate prefixes globally for all VRs and is not limited to detecting duplicates on a per-VR basis.
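The following audit sketch is an added example, not part of the original documentation or of the router software. It mirrors the behavior described above (exact-match duplicate detection applied globally across VRs) and additionally reports the overlapping prefixes that the note says AAA cannot detect. The session tuples, session IDs, and VR names are constructed sample data, and the function name is hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (session id, virtual router, IPv6 prefix).
SESSIONS = [
    ("s1", "vr-a", "2001:db8:1::/48"),
    ("s2", "vr-b", "2001:db8:1::/48"),     # same prefix on a different VR
    ("s3", "vr-a", "2001:db8:1:10::/64"),  # falls inside the /48 of s1 and s2
    ("s4", "vr-a", "2001:db8:2::/56"),
    ("s5", "vr-a", "2001:DB8:2:0::/56"),   # same prefix as s4, written differently
]

def audit_prefixes(sessions):
    """Return (exact_duplicates, overlaps) for a list of session tuples.

    exact_duplicates: prefix -> session ids sharing that exact prefix.
    The VR is ignored on purpose, because the check described on this page
    is global across all VRs.
    overlaps: (outer, inner, session ids) for prefixes that nest without
    being equal, which an exact-match table does not catch.
    """
    owners = defaultdict(list)
    for sid, _vr, text in sessions:
        # Parsing makes this script compare on value, not on spelling;
        # strict=True rejects prefixes with host bits set.
        owners[ipaddress.IPv6Network(text, strict=True)].append(sid)

    exact = {str(net): sids for net, sids in owners.items() if len(sids) > 1}

    # Sort by start address, shortest prefix first, so that any later
    # network starting inside an earlier one is nested within it.
    nets = sorted(owners, key=lambda n: (n.network_address, n.prefixlen))
    overlaps = []
    for i, outer in enumerate(nets):
        for inner in nets[i + 1:]:
            if inner.network_address > outer.broadcast_address:
                break  # sorted order: nothing further can overlap outer
            overlaps.append((str(outer), str(inner),
                             owners[outer] + owners[inner]))
    return exact, overlaps

if __name__ == "__main__":
    exact, overlaps = audit_prefixes(SESSIONS)
    for prefix, sids in exact.items():
        print("exact duplicate:", prefix, sids)
    for outer, inner, sids in overlaps:
        print("overlap not caught by exact match:", outer, "contains", inner, sids)
```

Run against a periodic export of active sessions, the overlap list gives operators a compensating check for the case the note excludes.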

