Skip to content

Fix IPv6 ping failures with L3 MAC mismatch error#872

Merged
aritrbas merged 1 commit intomasterfrom
abasu-fix-mac
Feb 5, 2026
Merged

Fix IPv6 ping failures with L3 MAC mismatch error#872
aritrbas merged 1 commit intomasterfrom
abasu-fix-mac

Conversation

@aritrbas
Copy link
Collaborator

@aritrbas aritrbas commented Feb 3, 2026
edited
Loading

Issue:

IPv6 ping between nodes fails with l3 mac mismatch error in VPP's ethernet-input node. Packets arriving on tap0 with destination MAC set to the infrastructure gateway's MAC are dropped.

00:49:14:744945: ethernet-input
  frame: flags 0x1, hw-if-index 2, sw-if-index 2
  IP6: fa:16:3e:42:ec:44 -> fa:ce:ba:ba:be:ef
00:49:14:744946: error-punt
  rx:tap0
00:49:14:744947: punt
  ethernet-input: l3 mac mismatch

Difference between IPv4 and IPv6:

  • IPv4 (ARP Proxy): Host sends ARP request, VPP responds with its own tap interface MAC. All subsequent IPv4 packets use VPP's MAC as the destination, passing VPP's L3 MAC filter check.
  • IPv6 (ND Proxy + Neighbor Advertisement): While VPP's ND proxy responds to Neighbor Solicitations with the tap interface MAC, the host also receives Neighbor Advertisement (NA) packets from the real gateway. These RA packets contain the Target Link-Layer Address Option (TLLAO) with the real gateway's MAC address. The host overwrites its neighbor cache with this information and sends IPv6 packets to the real gateway MAC instead of VPP's tap0 MAC.
18:41:34.907872 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 32)
_gateway > lab-dal3a-carmine-md-1-7g2zg-mx7mj:
[icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is _gateway,
Flags [router, solicited, override]
destination link-address option (2), length 8 (1): fa:ce:ba:ba:be:ef

$ ip -6 neigh
2a04:e4c0:74:507::1 dev muon0 lladdr fa:ce:ba:ba:be:ef router REACHABLE

$ ip -6 route
default via 2a04:e4c0:74:507::1 dev muon0 proto static metric 1024 onlink pref medium

Fix:

  • Capture the gateway's MAC address from Linux neighbor cache before VPP takes over the interface, then add it as a secondary MAC address on the tap interface using VPP's existing sw_interface_add_del_mac_address API.
  • VPP's ethernet-input node accepts packets with either the primary MAC or any configured secondary MAC addresses, allowing traffic to flow regardless of which MAC address the host learned (from ND proxy or NA).
  • This is a control plane only fix that does not require any VPP patches.

@aritrbas aritrbas self-assigned this Feb 3, 2026
sknat
sknat approved these changes Feb 4, 2026
View reviewed changes
Copy link
Collaborator

@sknat sknat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks !

ipv6: fix L3 MAC mismatch error for gateway traffic
42f7489 
IPv6 ping between nodes fails with "l3 mac mismatch" error in VPP's
ethernet-input node. Packets arriving on tap0 with destination MAC
set to the infrastructure gateway's MAC are dropped.

- IPv4 (ARP Proxy): Host sends ARP request, VPP responds with its own
  tap interface MAC. All subsequent IPv4 packets use VPP's MAC as the
  destination, passing VPP's L3 MAC filter check.

- IPv6 (ND Proxy + Neighbor Advertisement): While VPP's ND proxy responds
  to Neighbor Solicitations with the tap interface MAC, the host also
  receives Neighbor Advertisement (NA) packets from the real gateway.
  These RA packets contain the Target Link-Layer Address Option (TLLAO)
  with the real gateway's MAC address. The host overwrites its neighbor
  cache with this information and sends IPv6 packets to the real gateway
  MAC instead of VPP's tap MAC.

Capture the gateway's MAC address from Linux neighbor cache before VPP
takes over the interface, then add it as a secondary MAC address on the
tap interface using VPP's existing sw_interface_add_del_mac_address API.

VPP's ethernet-input node accepts packets with either the primary MAC
or any configured secondary MAC addresses, allowing traffic to flow
regardless of which MAC address the host learned (from ND proxy or NA).

This is a control plane only fix that requires no VPP patches.

Signed-off-by: Aritra Basu <aritrbas@cisco.com>
@aritrbas
Copy link
Collaborator Author

aritrbas commented Feb 5, 2026

Resolved the merge conflict because of #873

@aritrbas aritrbas merged commit 1810abd into master Feb 5, 2026
5 checks passed
@aritrbas aritrbas deleted the abasu-fix-mac branch February 5, 2026 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sknat sknat sknat approved these changes

@hedibouattour hedibouattour hedibouattour approved these changes

@onong onong Awaiting requested review from onong

Assignees

@aritrbas aritrbas

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aritrbas @sknat @hedibouattour