Skip to content

allow link-local multicast on ingress ports#222

Merged
rcgoodfellow merged 1 commit intomainfrom
ry/allow-local-v6-mcast-ingress
Feb 20, 2026
Merged

allow link-local multicast on ingress ports#222
rcgoodfellow merged 1 commit intomainfrom
ry/allow-local-v6-mcast-ingress

Conversation

@rcgoodfellow
Copy link
Contributor

@rcgoodfellow rcgoodfellow commented Feb 20, 2026
edited
Loading

On Asilomar, we were not able to peer with Juniper routers using BGP unnumbered. There is a bit of a quirk the the Juniper unnumbered implementation in that when you send it an NDP router solicitation, it will send a corresponding router advertisement back on ff02::1 instead of responding directly to the peers link-local unicast address.

Packet traces were showing our router solicitation packets arriving on the Juniper router, and the Juniper router was sending back advertisements to ff02::1, but we were not seeing them in the switch zone.

I used the forthcoming snapshot tool to debug this. The following sets up a capture filter on a destination of ff02::1 and a source filter on the link local address of the Juniper router we are trying to peer with. The -f flags are the fields we want to capture. We use pipeline 1 because that is the pipeline this particular port is on.

root@oxz_switch0:/# swadm snapshot capture \
  --start-stage 5 \
  --end-stage 7 \
  --pipe 1 \
  -t 'hdr.ipv6.dst_addr=0xff020000000000000000000000000001/0xffffffffffffffffffffffffffffffff' \
  -t 'hdr.ipv6.src_addr=0xfe8000000000000046f477fffeb10737/0xffffffffffffffffffffffffffffffff' \
  -f meta.nat_ingress_hit \
  -f meta.is_mcast \
  -f meta.is_link_local_mcastv6 \
  -f meta.is_switch_address \
  -f ig_intr_md.ingress_port \
  -f hdr.sidecar_valid \
  -f hdr.arp_valid \
  -f hdr.icmp_valid \
  -f hdr.ipv4_valid \
  -f hdr.ipv6_valid \
  -f meta.nat_egress_hit \
  -f meta.dropped \
  -f meta.uplink_ingress

creating snapshot: pipe=1 stages=5..7 dir=Ingress
  trigger: hdr.ipv6.dst_addr = 0xff020000000000000000000000000001 / 0xffffffffffffffffffffffffffffffff
  trigger: hdr.ipv6.src_addr = 0xfe8000000000000046f477fffeb10737 / 0xffffffffffffffffffffffffffffffff
arming and waiting for trigger (timeout 10s)...

capture: 3 stage(s)

--- stage 5 ---
  local_trigger: true
  prev_trigger:  false
  timer_trigger: false
  next_table:
  table: Ingress_nat_ingress_ingress_hit -> miss (addr=0x0)
  table: Ingress_nat_ingress_CalculateIPv4Len_ipv4_set_len -> miss (addr=0x0)
  table: tbl_sidecar2202 -> miss [inhibited] (addr=0x0)
  meta.nat_ingress_hit = 0x00
  meta.is_mcast = 0x01
  meta.is_link_local_mcastv6 = 0x01
  meta.is_switch_address = 0x00
  ig_intr_md.ingress_port = 0xc400
  hdr.sidecar_valid = 0x00
  hdr.arp_valid = 0x00
  hdr.icmp_valid = 0x01
  hdr.ipv4_valid = 0x00
  hdr.ipv6_valid = 0x01
  meta.nat_egress_hit = (not valid)
  meta.dropped = 0x00
  meta.uplink_ingress = 0x01

--- stage 6 ---
  local_trigger: false
  prev_trigger:  true
  timer_trigger: false
  next_table:
  table: tbl_nat_ingress_encap_ipv4 -> miss (addr=0x0)
  table: tbl_sidecar756 -> miss (addr=0x0)
  table: tbl_nat_ingress_encap_ipv6 -> miss (addr=0x0)
  table: tbl_nat_ingress_CalculateIPv4Len_invert -> miss (addr=0x0)
  meta.nat_ingress_hit = 0x00
  meta.is_mcast = 0x01
  meta.is_link_local_mcastv6 = 0x01
  meta.is_switch_address = 0x00
  ig_intr_md.ingress_port = 0xc400
  hdr.sidecar_valid = 0x00
  hdr.arp_valid = 0x00
  hdr.icmp_valid = 0x01
  hdr.ipv4_valid = 0x00
  hdr.ipv6_valid = 0x01
  meta.nat_egress_hit = (not valid)
  meta.dropped = 0x01
  meta.uplink_ingress = (not valid)

--- stage 7 ---
  local_trigger: false
  prev_trigger:  true
  timer_trigger: false
  next_table:
  table: Ingress_services_service -> miss (addr=0x0)
  table: tbl_sidecar419 -> miss (addr=0x0)
  meta.nat_ingress_hit = (not valid)
  meta.is_mcast = 0x01
  meta.is_link_local_mcastv6 = (not valid)
  meta.is_switch_address = (not valid)
  ig_intr_md.ingress_port = 0xc400
  hdr.sidecar_valid = 0x00
  hdr.arp_valid = 0x00
  hdr.icmp_valid = 0x01
  hdr.ipv4_valid = 0x00
  hdr.ipv6_valid = 0x01
  meta.nat_egress_hit = 0x00
  meta.dropped = 0x01
  meta.uplink_ingress = (not valid)

snapshot complete.

the values shown at each stage are measured at the end of stage execution. That means we were setting the meta.dropped value some time in stage 6. The table output shows this is the stage we are executing the NatIngress control in. From there it was pretty straightforward to see that we had determined this was not a NAT ingress packet and it was also not a packet destined to a switch address, so we drop it. But we need to also let link-local multicast through to the switch zone in this case.

After deploying this patch to madrid, our peering session with the juniper sprung to life.

@rcgoodfellow rcgoodfellow added this to the 19 milestone Feb 20, 2026
@rcgoodfellow rcgoodfellow merged commit fbf4dc0 into main Feb 20, 2026
6 checks passed
@rcgoodfellow rcgoodfellow deleted the ry/allow-local-v6-mcast-ingress branch February 20, 2026 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Nieuwejaar Nieuwejaar Nieuwejaar approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

19

Development

Successfully merging this pull request may close these issues.

2 participants

@rcgoodfellow @Nieuwejaar