Hide Navigation Pane
Show Navigation Pane
Download
SHA1
Guidelines for Duplicate Address Verification
In dual-stack networks in which both IPv4 and IPv6 subscribers are available, the subscribers might be granted the same IPv4 and IPv6 addresses if one user logs in quickly after another user has logged in. To avoid the problem of two sessions containing the same address, when you enable detection of duplicate addresses, the subscriber is completely terminated when a duplicate IPv4 or IPv6 address is detected. The duplicate check operation is performed for 32-bit IPv4 subnet masks and IPv6 addresses with a prefix length of 128.
The value of the Framed-IPv6-Address attribute is determined using the Framed-IPv6-Prefix and Framed-Interface-Id attributes, normally obtained from the MAC addresses of clients in the PPP Network Control Protocol (NCP) phase in the PPP link connection process. Because the Framed-IPv6-Address attribute is not available to AAA during the authentication phase (before NCP negotiation occurs), the duplicate address detection mechanism performed for IPv4 cannot be adopted for IPv6. To achieve this functionality, if IPv6 detects a duplicate address while adding the route, it notifies AAA about the duplicate and AAA terminates the subscriber.
To correctly enable duplicate address detection when subscribers log in simultaneously, the IP and AAA applications examine the access-route table instead of the route table. In certain scenarios, AAA cannot detect whether a subscriber requesting access uses the same address as another subscriber. When the IP application detects a duplicate address while adding the route, the IP application notifies AAA about the duplication to terminate the connection for that subscriber.
In certain cases, when two subscribers with the same address attempt to log in, the duplicate might be detected only after access is granted to both subscribers. AAA terminates the duplicate subscriber session immediately upon detecting the duplicate address.
If AAA cannot determine the virtual router (VR) context configured in the profile during subscriber authentication, the subscriber that uses the same address as another subscriber is terminated immediately after the IP application detects the duplicate address. Such a disconnection of subscribers occurs even if the duplicate subscriber was granted access previously when the VR context was not available to AAA for processing.
In a dual-stack environment in which both IPv4 and IPv6 subscribers are present, if a subscriber that uses a duplicate IPv6 address is detected, the subscriber is denied access even if the IPv4 interface address is unique. This method of terminating subscriber sessions occurs to avoid duplicate sessions from being established in scenarios in which the IPv6 interface address is the same as another client, whereas the IPv4 interface address is unique.
The following scenarios can occur during the establishment of subscriber sessions in a dual-stack network in which clients using both IPv4 and IPv6 protocols are present, and when detection of duplicate addresses is enabled on the router that delegates addresses to requesting clients. These scenarios assume that the RADIUS server is configured on a VR other than the default VR and that the AAA domain name is mapped to a non-default VR.
- When the VR context for subscribers is configured in the AAA domain map or obtained from the RADIUS server, and the same IP address is returned for two dual-stack subscribers from the RADIUS server, only the first subscriber session is configured and the second client session is terminated.
- When the same IP address is returned from the RADIUS server or the domain map for two dual-stack subscribers that log in simultaneously, only the first subscriber session is established and the second subscriber that contains the same address or prefix as the first subscriber is disconnected. Termination of the second subscriber occurs even if detection of the duplicate address occurs only after access is granted.
- When the VR context for subscribers is configured in the AAA profile, and the same IP address is returned from the RADIUS server or the domain map for two dual-stack subscribers, only the first subscriber session is configured and the second client session is terminated.
- If you disable the routing table address lookup for duplicate addresses by using the no aaa duplicate-address-check command, define the VR context for subscribers in the profile, and the same address is returned for two dual-stack subscribers, both the subscriber sessions are brought up successfully. However, for the second subscriber, which contains the same address as the first client, only the IPv6 interface is enabled and the IPv4 interface is not brought up.
- If the same IPv6-NdRa-Prefix (VSA 26-129) and Framed-Interface-Id (VSA 26-96) attributes are returned in the Access-Accept message from the RADIUS server for two dual-stack subscribers, and the VR context for the subscribers is specified in the profile, only the first subscriber is brought up and the second subscriber session is rejected.
- If you set the Framed-IPv6-Prefix RADIUS attribute for IPv6 Neighbor Discovery router advertisements by using the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command, the same Framed-IPv6-Prefix (VSA 26-129) and Framed-Interface-Id (VSA 26-96) attributes are returned in the Access-Accept message from the RADIUS server for two dual-stack subscribers, and the VR context for the subscribers is specified in the profile or the domain map, only the first subscriber is brought up and the second subscriber session is rejected.
- If you set the Framed-IPv6-Prefix RADIUS attribute for IPv6 Neighbor Discovery router advertisements by using the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command, disable the routing table address lookup for duplicate addresses, specify the VR context for subscribers in the domain map, and the same Framed-IPv6-Prefix (VSA 26-129) and Framed-Interface-Id (VSA 26-96) attributes are returned in the Access-Accept message from the RADIUS server for two dual-stack subscribers, only the first subscriber is brought up and the second subscriber session is rejected.
