To allow stateful DHCPv6 IP addressing to operate properly, you must have a switch or router that supports the DHCP for IPv6 feature and is configured to act as a DHCPv6 server, or you need a dedicated server such as a Windows 2008 server with a built-in DHCPv6 server.
To support the seamless IPv6 Mobility, you might need to configure the following:
Clients must support IPv6 with either static stateless auto configuration (such as Windows XP clients) or stateful DHCPv6 IP addressing (such as Windows Vista clients).
Note: The Dynamic VLAN function for IPv6 is not supported.
Roaming of IPv6 clients that are associated with a WLAN that is mapped to an untagged interface to another WLAN that is mapped to a tagged interface is not supported.
In the 7.4 release, WLCs that have the same mobility group, the same VLAN ID, and different IPv4 and IPv6 subnets generate different IPv6 router advertisements. The WLAN on these WLCs is assigned to the same dynamic interface with the same VLAN ID on all the controllers. The client receives the correct IPv4 address; however, it receives a router advertisement from the different subnets that reach the other WLCs. The client might then pass no traffic, because the first IPv6 address given to the client does not match the subnet of its IPv4 address. To resolve this, you can configure the WLCs in different mobility groups.
Note: While adding or deleting an IPv6 mobility peer, the SSH rules for bypassing traffic are applicable for port 16666 and for the pairs of IPs of the mobility peers.
Note: IPv6 ping from the Cisco WLC to a client is not supported if the client is in the management subnet.
In Cisco 2504 WLC with directly connected APs, client IPv6 is not supported. (CSCvf51290)
Cisco WLC sends all application IPv6 traffic to the gateway even if the host is in the same subnet. The gateway forwards the traffic to the host in the same subnet. If the gateway is a Cisco ASA, the Cisco ASA by default drops traffic that the Cisco WLC sends to the gateway when that traffic has to be sent back to the same subnet, because the ingress and egress interface of the traffic is the same. To allow the Cisco ASA to forward this traffic, use the same-security-traffic permit intra-interface command on the Cisco ASA. For more information, see https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-params.html#56144.
Internet Protocol version 6 (IPv6) is the next-generation network layer Internet protocol intended to replace version 4 (IPv4) in the TCP/IP suite of protocols. This new version increases the Internet global address space to accommodate users and applications that require unique global IP addresses. IPv6 incorporates 128-bit source and destination addresses, which provide significantly more addresses than the 32-bit IPv4 addresses.
To support IPv6 clients across controllers, ICMPv6 messages must be dealt with specially to ensure the IPv6 client remains on the same Layer 3 network. The controllers keep track of IPv6 clients by intercepting the ICMPv6 messages to provide seamless mobility and protect the network from network attacks. The ICMPv6 packets are converted from multicast to unicast and delivered individually per client. This process allows more control. Specific clients can receive specific Neighbor Discovery and Router Advertisement packets, which ensures correct IPv6 addressing and avoids unnecessary multicast traffic.
The configuration for IPv6 mobility is the same as IPv4 mobility and requires no separate software on the client side to achieve seamless roaming. The controllers must be part of the same mobility group. Both IPv4 and IPv6 client mobility are enabled by default.
Configuring IPv6 Globally
An IPv4 address must be configured on the interface before you configure the IPv6 address.
Enable or disable IPv6 globally by entering this command:
config ipv6 {enable | disable}
Configuring RA Guard for IPv6 Clients
IPv6 clients configure IPv6 addresses and populate their router tables based on IPv6 Router Advertisement (RA) packets. The RA Guard feature is similar to the RA guard feature of wired networks. RA Guard increases the security of the IPv6 network by dropping the unwanted or rogue RA packets that come from wireless clients. If this feature is not configured, malicious IPv6 clients could announce themselves as the router for the network, which would take higher precedence over legitimate IPv6 routers.
RA Guard occurs at the controller. You can configure the controller to drop RA messages at the access point or at the controller. By default, RA Guard is configured at the access point and also enabled in the controller. All IPv6 RA messages are dropped, which protects other wireless clients and upstream wired network from malicious IPv6 clients.
Use this command to configure RA Guard:
config ipv6 ra-guard ap {enable | disable}
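The check that RA Guard applies can be reproduced offline when reviewing a packet capture. The following is an added example, not Cisco code and not part of the original guide: it parses a raw IPv6 packet, recognizes a Router Advertisement, and drops any RA that originates from a wireless client. It goes beyond the text by also checking wired-side RAs against a list of known routers and the RFC 4861 hop limit of 255. The function names, the "wireless"/"wired" origin labels, the trusted-router set and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERT, PREFIX_INFO = 58, 134, 3  # next header, ICMPv6 type, ND option

def parse_ra(packet):
    """Return the RA fields of a raw IPv6 packet, or None if it is not an RA."""
    if len(packet) < 56 or packet[0] >> 4 != 6:
        return None
    if packet[6] != ICMPV6 or packet[40] != ROUTER_ADVERT:
        return None  # extension headers are not walked in this example
    prefixes, off = [], 56  # options follow the 16-byte RA header
    while off + 2 <= len(packet):
        opt_type, opt_len = packet[off], packet[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(packet):
            break  # malformed option: stop instead of looping or over-reading
        if opt_type == PREFIX_INFO and opt_len == 32:
            net = ipaddress.IPv6Address(packet[off + 16:off + 32])
            prefixes.append(f"{net}/{packet[off + 2]}")
        off += opt_len
    return {"src": str(ipaddress.IPv6Address(packet[8:24])), "hop_limit": packet[7],
            "router_lifetime": struct.unpack("!H", packet[46:48])[0], "prefixes": prefixes}

def audit_ra(packet, origin, trusted_routers):
    """Classify a packet as 'not-ra', 'allow' or 'drop:<reason>'."""
    ra = parse_ra(packet)
    if ra is None:
        return "not-ra"
    if origin == "wireless":  # the RA Guard rule: clients never act as routers
        return "drop:ra-from-wireless-client"
    if ra["src"] not in trusted_routers:  # assumption: operator-supplied list
        return "drop:unknown-router"
    if ra["hop_limit"] != 255:  # RFC 4861: a valid RA has hop limit 255
        return "drop:hop-limit"
    return "allow"

def build_ra(src, prefix, plen, lifetime=1800, hop_limit=255):
    """Construct a sample RA (checksum left as zero; test data only)."""
    opt = struct.pack("!BBBBIII", PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0) + opt
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp

if __name__ == "__main__":
    routers = {"fe80::1"}  # constructed link-local address of the real router
    print(audit_ra(build_ra("fe80::bad", "2001:db8:66::", 64), "wireless", routers))
    print(audit_ra(build_ra("fe80::1", "2001:db8:10::", 64), "wired", routers))
```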
Configuring RA Throttling for IPv6 Clients
RA throttling allows the controller to enforce limits on RA packets headed toward the wireless network. By enabling RA throttling, routers that send many RA packets can be trimmed to a minimum frequency that still maintains IPv6 client connectivity. If a client sends an RS packet, an RA is sent back to the client. This RA is allowed through the controller and unicast to the client. This process ensures that new clients or roaming clients are not affected by the RA throttling.
Use this command to configure the RA throttle policy:
config ipv6 neighbor-binding ra-throttle {allow at-least at-least-value | enable | disable | interval-option { ignore | passthrough | throttle} | max-through {max-through-value | no-limit}}