I have a Cisco 3825 router that (among other things) functions as a gateway to the internet. I have two VLANS, but only one of them should have access to the internet.
VLAN10: network = x:y:z:10::/64 (NO internet access)
VLAN20: network = x:y:z:20::/64 (internet access)
This is the essential part of my current configuration:
interface FastEthernet0/0/0
description *** Shared LAN connection for all VLANs
switchport trunk allowed vlan 1,10,20
switchport mode trunk
interface Vlan10
description *** LAN with NO internet access
ipv6 address x:y:z:10::1/64
interface Vlan20
description *** LAN with internet access
ipv6 address x:y:z:20::1/64
interface GigabitEthernet0/0
description *** The actual internet connection
ipv6 address a:b:c:d::1/64
ipv6 route x:y:z:10::/64 Vlan10
ipv6 route x:y:z:20::/64 Vlan20
ipv6 route ::/0 GigabitEthernet0/0 n:e:x:t:h:o:p:1
The problem is that the router sends neighbor solicitation messages for both networks out on both VLANs, making the hosts aquire an IPv6 global unicast address from both networks which prevents the subnet segregation i need. For instance, a host on Vlan20 gets addresses x:y:z:10::something/64 and x:y:z:20::something/64, and may end up using the first one to access the internet which will fail because of the ipv6 route specification in the configuration.
I've tried all sorts of ACLs, but I have not found one that allows me to filter on the contents of network solicitation packets.
Is there a way to prevent these "faulty" NS-messages? Or is there perhaps a different approach I could try?
EDIT:
A more in-depth packet analysis has revealed to me that it is not NS-messages that is the cause, but instead it is the Router Advertisement messages sent to from the Cisco router to the host. However, this does not help me to solve the problem. I still need to "filter out" the subnet which does not belong in that specific Vlan.