Prerequisites for IPv6 Client Address Learning
Before configuring IPv6 client address learning, configure the wireless clients to support IPv6.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Before configuring IPv6 client address learning, configure the wireless clients to support IPv6.
Client Address Learning is configured on device to learn the wireless client's IPv4 and IPv6 address and clients transition state maintained by the device on an association, re-association, de-authentication and timeout.
There are three ways for IPv6 client to acquire IPv6 addresses:
Stateless Address Auto-Configuration (SLACC)
Stateful DHCPv6
Static Configuration
For all of these methods, the IPv6 client always sends neighbor solicitation DAD (Duplicate Address Detection) request to ensure there is no duplicate IP address on the network. The device snoops the client's NDP and DHCPv6 packets to learn about its client IP addresses.
The most common method for IPv6 client address assignment is Stateless Address Auto-Configuration (SLAAC). SLAAC provides simple plug-and-play connectivity where clients self-assign an address based on the IPv6 prefix. This process is achieved
Stateless Address Auto-Configuration (SLAAC) is configured as follows:
The last 64 bits of the IP v6 address can be learned based on the following 2 algorithms:
The following Cisco IOS configuration commands from a Cisco-capable IPv6 router are used to enable SLAAC addressing and router advertisements:
ipv6 unicast-routing
interface Vlan20
description IPv6-SLAAC
ip address 192.168.20.1 255.255.255.0
ipv6 address FE80:DB8:0:20::1 linklocal
ipv6 address 2001:DB8:0:20::1/64
ipv6 enable
end
The use of DHCPv6 is not required for IPv6 client connectivity if SLAAC is already deployed. There are two modes of operation for DHCPv6 called Stateless and Stateful.
The DHCPv6 Stateless mode is used to provide clients with additional network information that is not available in the router advertisement, but not an IPv6 address as this is already provided by SLAAC. This information can include the DNS domain name, DNS server(s), and other DHCP vendor-specific options. This interface configuration is for a Cisco IOS IPv6 router implementing stateless DHCPv6 with SLAAC enabled:
ipv6 unicast-routing
ipv6 dhcp pool IPV6_DHCPPOOL
address prefix 2001:db8:5:10::/64
domain-name cisco.com
dns-server 2001:db8:6:6::1
interface Vlan20
description IPv6-DHCP-Stateless
ip address 192.168.20.1 255.255.255.0
ipv6 nd other-config-flag
ipv6 dhcp server IPV6_DHCPPOOL
ipv6 address 2001:DB8:0:20::1/64
end
The DHCPv6 Stateful option, also known as managed mode, operates similarly to DHCPv4 in that it assigns unique addresses to each client instead of the client generating the last 64 bits of the address as in SLAAC. This interface configuration is for a Cisco IOS IPv6 router implementing stateful DHCPv6 on a local Device:
ipv6 unicast-routing
ipv6 dhcp pool IPV6_DHCPPOOL
address prefix 2001:db8:5:10::/64
domain-name cisco.com
dns-server 2001:db8:6:6::1
interface Vlan20
description IPv6-DHCP-Stateful
ip address 192.168.20.1 255.255.255.0
ipv6 address 2001:DB8:0:20::1/64
ipv6 nd prefix 2001:DB8:0:20::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp server IPV6_DHCPPOOL
end
This interface configuration is for a Cisco IOS IPv6 router implementing stateful DHCPv6 on an external DHCP server:
ipv6 unicast-routing
domain-name cisco.com
dns-server 2001:db8:6:6::1
interface Vlan20
description IPv6-DHCP-Stateful
ip address 192.168.20.1 255.255.255.0
ipv6 address 2001:DB8:0:20::1/64
ipv6 nd prefix 2001:DB8:0:20::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp_relay destination 2001:DB8:0:20::2
end
Statically configured address on a client.
A Router Solicitation message is issued by a host controller to facilitate local routers to transmit Router Advertisement from which it can obtain information about local routing or perform Stateless Auto-configuration. Router Advertisements are transmitted periodically and the host prompts with an immediate Router Advertisement using a Router Solicitation such as - when it boots or following a restart operation.
A Router Advertisement message is issued periodically by a router or in response to a Router Solicitation message from a host. The information contained in these messages is used by hosts to perform Stateless Auto-configuration and to modify its routing table.
IPv6 Neighbor Discovery is a set of messages and processes that determine relationships between neighboring nodes. Neighbor Discovery replaces ARP, ICMP Router Discovery, and ICMP Redirect used in IPv4.
IPv6 Neighbor Discovery inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery packets that do not comply are dropped. The neighbor binding table in the switch tracks each IPv6 address and its associated MAC address. Clients are expired from the table according to Neighbor Binding timers.
The IPv6 addresses of wireless clients are cached by the device. When the device receives an NS multicast looking for an IPv6 address, and if the target address is known to the device and belongs to one of its clients, the device will reply with an NA message on behalf of the client. The result of this process generates the equivalent of the Address Resolution Protocol (ARP) table of IPv4 but is more efficient - uses generally fewer messages.
Note |
The device acts like proxy and respond with NA, only when the ipv6 nd suppress command is configured |
If the device does not have the IPv6 address of a wireless client, the device will not respond with NA and forward the NS packet to the wireless side. To resolve this, an NS Multicast Forwarding knob is provided. If this knob is enabled, the device gets the NS packet for the IPv6 address that it does not have (cache miss) and forwards it to the wireless side. This packet reaches the intended wireless client and the client replies with NA.
This cache miss scenario occurs rarely, and only very few clients which do not implement complete IPv6 stack may not advertise their IPv6 address during NDP.
IPv6 clients configure IPv6 addresses and populate their router tables based on IPv6 router advertisement (RA) packets. The RA guard feature is similar to the RA guard feature of wired networks. RA guard increases the security of the IPv6 network by dropping the unwanted or rogue RA packets that come from wireless clients. If this feature is not configured, malicious IPv6 wireless clients announce themselves as the router for the network often with high priority, which would take higher precedence over legitimate IPv6 routers.
Port on which the frame is received
IPv6 source address
Prefix list
The following configuration information created on the switch is available to RA-Guard to validate against the information found in the received RA frame:
Trusted/Untrusted ports for receiving RA-guard messages
Trusted/Untrusted IPv6 source addresses of RA-sender
Trusted/Untrusted Prefix list and Prefix ranges
Router Preference
RA guard occurs at the device. You can configure the device to drop RA messages at the device. All IPv6 RA messages are dropped, which protects other wireless clients and upstream wired network from malicious IPv6 clients.
//Create a policy for RA Guard//
ipv6 nd raguard policy raguard-router
trusted-port
device-role router
//Applying the RA Guard Policy on port/interface//
interface tengigabitethernet1/0/1 (Katana)
interface gigabitethernet1/0/1 (Edison)
ipv6 nd raguard attach-policy raguard-router
RA throttling allows the controller to enforce limits to RA packets headed toward the wireless network. By enabling RA throttling, routers that send many RA packets can be trimmed to a minimum frequency that will still maintain an IPv6 client connectivity. If a client sends an RS packet, an RA is sent back to the client. This RA is allowed through the controller and unicasted to the client. This process ensures that the new clients or roaming clients are not affected by the RA throttling.
IPv6 unicasting must always be enabled on the switch and the controller. IPv6 unicast routing is disabled.
To enable the forwarding of IPv6 unicast datagrams, use the ipv6 unicast-routing command in global configuration mode. To disable the forwarding of IPv6 unicast datagrams, use the no form of this command.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 2 |
ipv6 unicast routing Example:
|
|
Configure RA Guard policy on the device to add IPv6 client addresses and populate the router table based on IPv6 router advertisement packets.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 2 |
ipv6 nd raguard policy raguard-router Example:
|
|
Step 3 |
trustedport Example:
|
|
Step 4 |
device-role router Example:
|
|
Step 5 |
exit Example:
|
|
Applying the RA Guard policy on the device will block all the untrusted RA's.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 2 |
interface tengigabitethernet 1/0/1 Example:
|
|
Step 3 |
ipv6 nd raguard attach-policy raguard-router Example:
|
|
Step 4 |
exit Example:
|
|
Configure RA Throttle policy to allow the enforce the limits
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 2 |
ipv6 nd ra-throttler policy ra-throttler1 Example:
|
|
Step 3 |
throttleperiod 500 Example:
|
|
Step 4 |
max-through 10 Example:
|
|
Step 5 |
allow-atleast 5 at-most 10 Example:
|
|
Applying the RA Throttle policy on a VLAN. By enabling RA throttling, routers that send many RA packets can be trimmed to a minimum frequency that will still maintain an IPv6 client connectivity.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 2 |
vlan configuration 1 Example:
|
|
Step 3 |
ipv6 nd ra throttler attach-policy ra-throttler1 Example:
|
|
Note |
A single IPv6 client can have multiple IPv6 addresses at any given time. When you execute the command show ipv6 neighbor binding mac mac_address , these addresses display the state as REACHABLE in the IPv6 neighbor binding table for that client's MAC address. If there is no control activity on these addresses for 300 seconds, they move to STALE state and become unusable by the client thereafter. ipv6 neighbor tracking command is used to send periodic probes (default time period is 300 seconds) to all IPv6 clients to ensure that the client's IPv6 address(s) do not age out and move to STALE state. These probes are sent from the switch with a source IP address of all zeros which is a Duplicate address detection (DAD) probe. There are a few clients which do not respond to DAD probes and hence age out after 300 seconds. Follow the steps below to configure IPv6 Neighbor Tracking. |
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
ipv6 neighbor tracking [retry-interval value ] Example:
|
Tracks entries in the binding table. |
Step 4 |
interface vlan vlan-id Example:
|
Enters interface configuration mode, and enters the VLAN to which the IP information is assigned. The range is 1 to 4094. |
Step 5 |
ipv6 enable Example:
|
Enables IPv6 processing on an interface that has not been configured with an explicit IPv6 address. |
Step 6 |
exit Example:
|
Exits interface configuration mode. |
Step 7 |
vlan configuration vlan_list Example:
|
Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode. |
Step 8 |
ipv6 snooping [attach-policy policy_name] Example:
|
Attaches the IPv6 Snooping policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, security-level guard, device-role node, protocol ndp and dhcp. |
Step 9 |
end Example:
|
Exits configuration mode. |
IPv6 snooping must always be enabled on the switch and the controller.
Enable IPv6 on the client machine.
Command or Action | Purpose | |
---|---|---|
Step 1 |
vlan configuration 1 Example:
|
Enters Vlan configuration mode. |
Step 2 |
ipv6 snooping Example:
|
Enables IPv6 snooping on the Vlan. |
Step 3 |
ipv6 nd suppress Example:
|
Enables the IPv6 ND suppress on the Vlan. |
Step 4 |
exit Example:
|
Saves the configuration and comes out of the Vlan configuration mode. |
The IPv6 neighbor discovery (ND) multicast suppress feature stops as many ND multicast neighbor solicit (NS) messages as possible by dropping them (and responding to solicitations on behalf of the targets) or converting them into unicast traffic. This feature runs on a layer 2 switch or a wireless controller and is used to reduce the amount of control traffic necessary for proper link operations.
When an address is inserted into the binding table, an address resolution request sent to a multicast address is intercepted, and the device either responds on behalf of the address owner or, at layer 2, converts the request into a unicast message and forwards it to its destination.
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
|
Step 2 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 3 |
ipv6 nd suppress policy Example:
|
Defines the ND suppress policy name and enters ND suppress policy configuration mode. |
Neighbor Discover (ND) suppress can be enabled or disabled on either the VLAN or a switchport.
Command or Action | Purpose | |
---|---|---|
Step 1 |
vlan config901 Example:
|
|
Step 2 |
ipv6 nd suppress Example:
|
|
Step 3 |
end Example:
|
|
Step 4 |
interface gi1/0/1 Example:
|
Creates a gigabitethernet port interface. |
Step 5 |
ipv6 nd suppress Example:
|
|
Step 6 |
end Example:
|
|
Use this configuration example to configure IPv6 on an interface.
Enable IPv6 on the client and IPv6 support on the wired infrastructure.
Command or Action | Purpose | |
---|---|---|
Step 1 |
interface vlan 1 Example:
|
Creates a interface and enters interface configuration mode. |
Step 2 |
ip address fe80::1 link-local Example:
|
Configures IPv6 address on the interface using the link-local option. |
Step 3 |
ipv6 enable Example:
|
(Optional) Enables IPv6 on the interface. |
Step 4 |
end Example:
|
Exits from the interface mode. |
Command or Action | Purpose | |
---|---|---|
Step 1 |
ipv6 dhcp pool Vlan21 Example:
|
Enters the configuration mode and configures the IPv6 DHCP pool on the Vlan. |
Step 2 |
address prefix 2001:DB8:0:1:FFFF:1234::/64 lifetime 300 10 Example:
|
Enters the configuration-dhcp mode and configures the address pool and its lifetime on a Vlan. |
Step 3 |
dns-server 2001:100:0:1::1 Example:
|
Configures the DNS servers for the DHCP pool. |
Step 4 |
domain-name example.com Example:
|
Configures the domain name to complete unqualified host names. |
Step 5 |
end Example:
|
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Command or Action | Purpose | |
---|---|---|
Step 1 |
interface vlan 1 Example:
|
Creates a interface and enters interface configuration mode. |
Step 2 |
ip address fe80::1 link-local Example:
|
Configures IPv6 address on the interface using the link-local option. |
Step 3 |
ipv6 enable Example:
|
(Optional) Enables IPv6 on the interface. |
Step 4 |
no ipv6 nd managed-config-flag Example:
|
Ensures the attached hosts do not use stateful autoconfiguration to obtain addresses. |
Step 5 |
no ipv6 nd other-config-flag Example:
|
Ensures the attached hosts do not use stateful autoconfiguration to obtain non-address options from DHCP (domain etc). |
Step 6 |
end Example:
|
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Command or Action | Purpose | |
---|---|---|
Step 1 |
interface vlan 1 Example:
|
Creates a interface and enters interface configuration mode. |
Step 2 |
ip address fe80::1 link-local Example:
|
Configures IPv6 address on the interface using the link-local option. |
Step 3 |
ipv6 enable Example:
|
(Optional) Enables IPv6 on the interface. |
Step 4 |
no ipv6 nd managed-config-flag Example:
|
Ensures the attached hosts do not use stateful autoconfiguration to obtain addresses. |
Step 5 |
ipv6 nd other-config-flag Example:
|
Ensures the attached hosts do not use stateful autoconfiguration to obtain non-address options from DHCP (domain etc). |
Step 6 |
end Example:
|
Exits from the interface mode. |
This interface configuration is for a Cisco IOS IPv6 router implementing stateful DHCPv6 on a local Device
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 2 |
ipv6 unicast-routing Example:
|
Configures IPv6 for unicasting. |
Step 3 |
ipv6 dhcp pool IPv6_DHCPPOOL Example:
|
Enters the configuration mode and configures the IPv6 DHCP pool on the VLAN. |
Step 4 |
address prefix 2001:DB8:0:1:FFFF:1234::/64 Example:
|
Specifies the address range to provide in the pool. |
Step 5 |
dns-server 2001:100:0:1::1 Example:
|
Provides the DNS server option to DHCP clients. |
Step 6 |
domain-name example.com Example:
|
Provides the domain name option to DHCP clients. |
Step 7 |
exit Example:
|
Returns to the previous mode. |
Step 8 |
interface vlan1 Example:
|
Enters the interface mode to configure the stateful DHCP. |
Step 9 |
description IPv6-DHCP-Stateful Example:
|
Enter description for the stateful IPv6 DHCP. |
Step 10 |
ipv6 address 2001:DB8:0:20::1/64 Example:
|
Enters the IPv6 address for the stateful IPv6 DHCP. |
Step 11 |
ip address 192.168.20.1 255.255.255.0 Example:
|
Enters the IPv6 address for the stateful IPv6 DHCP. |
Step 12 |
ipv6 nd prefix 2001:db8::/64 no-advertise Example:
|
Configures the IPv6 routing prefix advertisement that must not be advertised. |
Step 13 |
ipv6 nd managed-config-flag Example:
|
Configures IPv6 interfaces neighbor discovery to allow the hosts to uses DHCP for address configuration. |
Step 14 |
ipv6 nd other-config-flag Example:
|
Configures IPv6 interfaces neighbor discovery to allow the hosts to uses DHCP for non-address configuration. |
Step 15 |
ipv6 dhcp server IPv6_DHCPPOOL Example:
|
Configures the DHCP server on the interface. |
This interface configuration is for a Cisco IOS IPv6 router implementing stateful DHCPv6 on an external DHCP server.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters the global configuration mode. |
Step 2 |
ipv6 unicast-routing Example:
|
Configures the IPv6 for unicasting. |
Step 3 |
dns-server 2001:100:0:1::1 Example:
|
Provides the DNS server option to DHCP clients. |
Step 4 |
domain-name example.com Example:
|
Provides the domain name option to DHCP clients. |
Step 5 |
exit Example:
|
Returns to the previous mode. |
Step 6 |
interface vlan1 Example:
|
Enters the interface mode to configure the stateful DHCP. |
Step 7 |
description IPv6-DHCP-Stateful Example:
|
Enter description for the stateful IPv6 DHCP. |
Step 8 |
ipv6 address 2001:DB8:0:20::1/64 Example:
|
Enters the IPv6 address for the stateful IPv6 DHCP. |
Step 9 |
ip address 192.168.20.1 255.255.255.0 Example:
|
Enters the IPv6 address for the stateful IPv6 DHCP. |
Step 10 |
ipv6 nd prefix 2001:db8::/64 no-advertise Example:
|
Configures the IPv6 routing prefix advertisement that must not be advertised. |
Step 11 |
ipv6 nd managed-config-flag Example:
|
Configures IPv6 interfaces neighbor discovery to allow the hosts to uses DHCP for address configuration. |
Step 12 |
ipv6 nd other-config-flag Example:
|
Configures IPv6 interfaces neighbor discovery to allow the hosts to uses DHCP for non-address configuration. |
Step 13 |
ipv6 dhcp_relay destination 2001:DB8:0:20::2 Example:
|
Configures the DHCP server on the interface. |
This example displays the output of the show ipv6 dhcp pool command. This command displays the IPv6 service configuration on the device. The vlan 21 configured pool detail displays 6 clients that are currently using addresses from the pool.
Command or Action | Purpose |
---|---|
show ipv6 dhcp pool Example:
|
Displays the IPv6 service configuration on the device. |
Related Topic | Document Title |
---|---|
IPv6 command reference | IPv6 Command Reference (Catalyst 3850 Switches) |
IP command reference | IP Command Reference (Catalyst 3850 Switches) |
Description | Link |
---|---|
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. |
https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi |
MIB | MIBs Link |
---|---|
All supported MIBs for this release. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature |
Release |
Modification |
---|---|---|
IPv6 Client Address Learning Functionality |
Cisco IOS XE 3.2SE |
This feature was introduced. |