Before configuring IPv6 client address learning, configure the wireless clients to support IPv6.
Information About IPv6 Client Address Learning
Client Address Learning is configured on the switch to learn the wireless client's IPv4 and IPv6 addresses and to track the client's transition states, which the switch maintains on association, re-association, de-authentication and timeout.
There are three ways for IPv6 client to acquire IPv6 addresses:
Stateless Address Auto-Configuration (SLAAC)
Stateful DHCPv6
Static Configuration
For all of these methods, the IPv6 client always sends a neighbor solicitation DAD (Duplicate Address Detection) request to ensure there is no duplicate IP address on the network. The switch snoops the client's NDP and DHCPv6 packets to learn its IP addresses.
The most common method for IPv6 client address assignment is Stateless Address Auto-Configuration (SLAAC). SLAAC provides simple plug-and-play connectivity where clients self-assign an address based on the IPv6 prefix. This process is achieved when the IPv6 router sends out periodic Router Advertisement (RA) messages, which inform the client of the IPv6 prefix in use (the first 64 bits) and the IPv6 default gateway. From this point, clients can generate the remaining 64 bits of their IPv6 address based on two algorithms:
EUI-64 which is based on the MAC address of the interface, or
Private addresses that are randomly generated.
The choice of algorithm is up to the client and is often configurable. Duplicate Address Detection is performed by IPv6 clients in order to ensure that random addresses that are picked do not collide with other clients. The address of the router sending advertisements is used as the default gateway for the client.
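The following Python script is an added example, not part of the Cisco documentation: it derives the EUI-64 interface identifier from a client MAC and the /64 prefix announced in an RA, computes the solicited-node multicast group that the client's DAD neighbor solicitation is sent to, and recovers the MAC from the finished address, which is why many clients prefer the randomly generated alternative. The MAC is a constructed sample; the prefix is the Vlan20 one from the configuration below.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): split the MAC, insert FF:FE, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # the universal/local bit is inverted in the interface identifier
    return int.from_bytes(eui, "big")

def slaac_address(ra_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix announced in the RA with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(ra_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """Group ff02::1:ffXX:XXXX that the DAD neighbor solicitation is sent to:
    the low 24 bits of the tentative address appended to ff02::1:ff00:0/104."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def mac_from_eui64(addr) -> str:
    """Recover the MAC embedded in an EUI-64 address (the privacy leak that
    motivates randomly generated interface identifiers)."""
    iid = bytearray((int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    # constructed sample: prefix from the Vlan20 SLAAC configuration, arbitrary client MAC
    addr = slaac_address("2001:DB8:0:20::/64", "00:1b:44:11:3a:b7")
    print(addr, solicited_node_multicast(addr), mac_from_eui64(addr))
```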
Figure 1. SLAAC Address Assignment
The following Cisco IOS configuration commands from a Cisco IOS IPv6 router are used to enable SLAAC addressing and router advertisements:
ipv6 unicast-routing
ipv6 dhcp pool IPV6_DHCPPOOL
interface Vlan20
description IPv6-SLAAC
ip address 192.168.20.1 255.255.255.0
ipv6 address 2001:DB8:0:20::1/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server IPV6_DHCPPOOL
end
Stateful DHCPv6 Address Assignment
Figure 2. Stateful DHCPv6 Address Assignment
The use of DHCPv6 is not required for IPv6 client connectivity if SLAAC is already deployed. There are two modes of operation for DHCPv6 called Stateless and Stateful.
The DHCPv6 Stateless mode is used to provide clients with additional network information that is not available in the router advertisement, but not an IPv6 address as this is already provided by SLAAC. This information can include the DNS domain name, DNS server(s), and other DHCP vendor-specific options. This interface configuration is for a Cisco IOS IPv6 router implementing stateless DHCPv6 with SLAAC enabled:
ipv6 unicast-routing
ipv6 dhcp pool IPV6_DHCPPOOL
address prefix 2001:db8:5:10::/64
domain-name cisco.com
dns-server 2001:db8:6:6::1
interface Vlan20
description IPv6-DHCP-Stateless
ip address 192.168.20.1 255.255.255.0
ipv6 nd other-config-flag
ipv6 dhcp server IPV6_DHCPPOOL
ipv6 address 2001:DB8:0:20::1/64
end
The DHCPv6 Stateful option, also known as managed mode, operates similarly to DHCPv4 in that it assigns unique addresses to each client instead of the client generating the last 64 bits of the address as in SLAAC. This interface configuration is for a Cisco IOS IPv6 router implementing stateful DHCPv6 with SLAAC disabled:
The binding-table manager used by the switch is responsible for managing the L2/L3 binding table. The entry life-cycle is driven by a finite state machine. An entry is created as INCOMPLETE, moves to REACHABLE when the binding is known, moves back and forth between REACHABLE and VERIFY if tracking is enabled, moves to STALE when the client stops talking, and is finally deleted.
The important states in a binding table follow:
Incomplete – An entry is set in this state when it does not have the L3/L2 binding yet
Reachable – An entry is moved to the REACHABLE state when the L3 to L2 address mapping is obtained by snooping the RS, NS, NA or DHCP packets from a client
Verify – An entry is moved into this state when the L3/L2 binding is known but must be verified. This state is reached only when tracking is enabled
Stale – An entry is moved into this state when the binding table manager does not hear any packets from the client for the configured reachable timer
Down – An entry is set in this state when the interface from which the packet was received goes down
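The state machine described above, as an added Python model that is not Cisco's implementation: snooped RS/NS/NA/DHCP packets move an entry to REACHABLE, the reachable timer moves it to VERIFY (tracking on) or STALE (tracking off), an unanswered VERIFY probe moves it to STALE, an expired STALE entry is deleted, and an interface going down parks it in DOWN. The timer values, the probe timeout and the packet-kind strings are assumptions of this example, not IOS defaults.

```python
from enum import Enum

class State(Enum):
    INCOMPLETE = "INCOMPLETE"
    REACHABLE = "REACHABLE"
    VERIFY = "VERIFY"
    STALE = "STALE"
    DOWN = "DOWN"

class BindingEntry:
    """One L2/L3 binding-table entry. Timer values are illustrative, not IOS defaults:
    reachable_timer: seconds of client silence before REACHABLE leaves that state,
    probe_timeout:   seconds a VERIFY probe may go unanswered before STALE,
    stale_timer:     seconds an entry stays STALE before it is deleted."""
    SNOOPED = {"RS", "NS", "NA", "DHCP"}

    def __init__(self, ipv6, tracking=False, reachable_timer=300,
                 probe_timeout=30, stale_timer=86400):
        self.ipv6, self.mac, self.tracking = ipv6, None, tracking
        self.reachable_timer, self.probe_timeout = reachable_timer, probe_timeout
        self.stale_timer = stale_timer
        self.state, self.last_seen = State.INCOMPLETE, None

    def on_packet(self, kind, mac, now):
        """A snooped RS/NS/NA/DHCP packet supplies the L3-to-L2 mapping, so INCOMPLETE,
        VERIFY (probe answered) and STALE (client is back) all move to REACHABLE."""
        if kind not in self.SNOOPED or self.state is State.DOWN:
            return self.state
        self.mac, self.last_seen, self.state = mac, now, State.REACHABLE
        return self.state

    def on_interface_down(self):
        """The ingress interface went down; the binding is no longer usable."""
        self.state = State.DOWN
        return self.state

    def on_tick(self, now):
        """Timer-driven transitions; returns None when the entry is to be deleted."""
        silent = now - self.last_seen if self.last_seen is not None else 0
        if self.state is State.REACHABLE and silent >= self.reachable_timer:
            # with tracking the binding is probed first; otherwise it goes stale directly
            self.state = State.VERIFY if self.tracking else State.STALE
        elif self.state is State.VERIFY and silent >= self.reachable_timer + self.probe_timeout:
            self.state = State.STALE
        elif self.state is State.STALE and silent >= self.reachable_timer + self.stale_timer:
            return None
        return self.state
```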
RA Guard
IPv6 clients configure IPv6 addresses and populate their routing tables based on IPv6 router advertisement (RA) packets. The RA guard feature is similar to the RA guard feature of wired networks. RA guard increases the security of the IPv6 network by dropping unwanted or rogue RA packets that come from wireless clients. If this feature is not configured, malicious IPv6 clients could announce themselves as the router for the network, often with high priority, which would take precedence over legitimate IPv6 routers.
RA guard also examines incoming RAs and decides whether to forward or block them based solely on information found in the message or in the L2-device configuration. The following information in the received frames is useful for RA validation:
Port on which the frame is received
IP source address
Prefix list
The following configuration information created on the L2-device is available to RA-Guard to validate against the information found in the received RA frame:
Allowed/Disallowed ports for receiving RA messages
Allowed/Disallowed IP source addresses of RA-sender
Allowed Prefix list and Prefix ranges
Control Router Preference
RA guard occurs at the switch. You can configure the switch to drop RA messages at the access point or at the switch. All IPv6 RA messages from wireless clients are dropped, which protects other wireless clients and the upstream wired network from malicious IPv6 clients.
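The validation just described, as an added Python example that is not Cisco's implementation: a received RA is checked against the L2-device configuration in the order the text lists (receiving port, source address, prefix list, router preference) and either forwarded or dropped with a reason. The policy model, the RA field names and the sample policy are this example's assumptions; the sample treats Te1/0/3 as the only router-facing port, matching the RA guard target shown in the show output later on this page.

```python
import ipaddress
from dataclasses import dataclass, field

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

@dataclass
class RAGuardPolicy:
    """L2-device configuration that RA guard validates against (hypothetical model)."""
    router_ports: set                                      # ports allowed to originate RAs
    allowed_sources: set = field(default_factory=set)      # permitted RA sender addresses
    allowed_prefixes: list = field(default_factory=list)   # permitted prefix ranges (CIDR)
    allowed_preferences: set = field(default_factory=lambda: {"low", "medium", "high"})

@dataclass
class RouterAdvertisement:
    """Fields of a received RA that the check needs: ingress port, IPv6 source,
    prefixes from the Prefix Information options, and the router preference flag."""
    port: str
    src: str
    prefixes: list
    preference: str = "medium"

def ra_guard(policy, ra):
    """Decide 'forward' or 'drop' from the frame and the policy alone, in the order the
    text lists: receiving port, source address, prefix list, router preference."""
    if ra.port not in policy.router_ports:
        return "drop", f"port {ra.port} is not an allowed RA port"
    src = ipaddress.IPv6Address(ra.src)
    if src not in LINK_LOCAL:
        return "drop", "RA source address must be link-local"
    if policy.allowed_sources and src not in {ipaddress.IPv6Address(s) for s in policy.allowed_sources}:
        return "drop", f"source {src} is not an allowed RA sender"
    ranges = [ipaddress.IPv6Network(p) for p in policy.allowed_prefixes]
    for p in ra.prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        if ranges and not any(net.subnet_of(r) for r in ranges):
            return "drop", f"prefix {net} is outside the allowed prefix ranges"
    if ra.preference not in policy.allowed_preferences:
        return "drop", f"router preference {ra.preference} is not permitted"
    return "forward", "RA passed all checks"

# constructed sample policy: only Te1/0/3 may originate RAs, from fe80::1,
# for prefixes under 2001:db8::/32, with low or medium router preference
SAMPLE_POLICY = RAGuardPolicy(router_ports={"Te1/0/3"}, allowed_sources={"fe80::1"},
                              allowed_prefixes=["2001:db8::/32"],
                              allowed_preferences={"low", "medium"})

if __name__ == "__main__":
    rogue = RouterAdvertisement("wireless-client-7", "fe80::c0ff:ee", ["2001:db8:0:20::/64"], "high")
    print(ra_guard(SAMPLE_POLICY, rogue))
```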
RA Throttling
RA throttling allows the controller to enforce limits on RA packets headed toward the wireless network. By enabling RA throttling, routers that send many RA packets can be trimmed to a minimum frequency that still maintains IPv6 client connectivity. If a client sends an RS packet, an RA is sent back to the client. This RA is allowed through the controller and unicast to the client. This process ensures that new or roaming clients are not affected by RA throttling.
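An added Python model of the throttling behaviour, not Cisco's implementation: it uses the knobs that appear in the show ipv6 nd ra-throttler policy output later on this page (a 20-second throttle period, at most 5 unthrottled RAs per period, at least 3 and at most 5 RAs per router) and always passes an RA that answers a client's RS. How the per-router minimum interacts with the period cap is this example's assumption: a router is always granted its minimum, and the cap applies beyond it.

```python
from collections import defaultdict

class RAThrottler:
    """Per-VLAN RA throttling. Defaults follow the Mythrottle policy shown on this page;
    the sliding-window bookkeeping and the minimum-versus-cap rule are assumptions."""

    def __init__(self, period=20, max_per_period=5, min_per_router=3, max_per_router=5):
        self.period, self.max_per_period = period, max_per_period
        self.min_per_router, self.max_per_router = min_per_router, max_per_router
        self.windows = {}   # vlan -> [window_start, forwarded_total, {router: forwarded}]

    def _window(self, vlan, now):
        w = self.windows.get(vlan)
        if w is None or now - w[0] >= self.period:      # start a new throttle period
            w = self.windows[vlan] = [now, 0, defaultdict(int)]
        return w

    def handle(self, vlan, router, now, solicited=False):
        """Return 'forward' or 'drop' for one RA. solicited=True marks an RA sent in
        reply to a client's RS; it is unicast to that client and never throttled,
        which is what keeps new and roaming clients working."""
        if solicited:
            return "forward"
        w = self._window(vlan, now)
        sent = w[2][router]
        if sent >= self.max_per_router:
            return "drop"                                # this router used its share
        if w[1] >= self.max_per_period and sent >= self.min_per_router:
            return "drop"                                # period cap hit, minimum already met
        w[1] += 1
        w[2][router] += 1
        return "forward"

if __name__ == "__main__":
    t = RAThrottler()
    # constructed sample: one router on VLAN 19 sends eight unsolicited RAs in a period
    print([t.handle(19, "fe80::1", sec) for sec in range(8)])
```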
Neighbor Discovery
IPv6 Neighbor Discovery is a set of messages and processes that determine relationships between neighboring nodes. Neighbor Discovery replaces ARP, ICMP Router Discovery, and ICMP Redirect used in IPv4.
IPv6 Neighbor Discovery inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery packets that do not comply are dropped. The neighbor binding table in the switch tracks each IPv6 address and its associated MAC address. Clients are expired from the table according to Neighbor Binding timers.
Neighbor Solicitation
The IPv6 addresses of wireless clients are cached by the switch. If the switch receives an NS multicast looking for an IPv6 address that belongs to any of the wireless clients of the switch, the switch acts as a proxy and replies with the NA.
Note
The switch acts as a proxy and responds with an NA only when the ipv6 nd suppress command is configured.
If the switch does not have the IPv6 address of a wireless client, the switch will neither respond with an NA nor forward the NS packet to the wireless side. To resolve this, an NS Multicast Forwarding knob is provided. If this knob is enabled, the switch takes the NS packet for an IPv6 address it does not have (a cache miss) and forwards it to the wireless side. This packet reaches the intended wireless client, and the client replies with an NA.
This cache miss scenario occurs rarely: only a very few clients that do not implement a complete IPv6 stack may fail to advertise their IPv6 address during NDP.
How To Configure IPv6 Client Address Learning
Configuring IPv6 Snooping (CLI)
IPv6 snooping must always be enabled on the switch and the controller.
Before You Begin
Enable IPv6 on the client machine.
SUMMARY STEPS
1. vlan configuration 1
2. ipv6 snooping
3. ipv6 nd suppress
4. exit
DETAILED STEPS
Command or Action
Purpose
Step 1
vlan configuration 1
Example:
Switch(config)# vlan configuration 1
Enters Vlan configuration mode.
Step 2
ipv6 snooping
Example:
Switch(config-vlan-config)# ipv6 snooping
Enables IPv6 snooping on the Vlan.
Step 3
ipv6 nd suppress
Example:
Switch(config-vlan-config)# ipv6 nd suppress
Enables the IPv6 ND suppress on the Vlan.
Step 4
exit
Example:
Switch(config-vlan-config)# exit
Saves the configuration and comes out of the Vlan configuration mode.
Configuring IPv6 on Switch
Use this configuration example to configure IPv6 on an interface.
Before You Begin
Enable IPv6 on the client and IPv6 support on the wired infrastructure.
SUMMARY STEPS
1. interface vlan 1
2. ipv6 address fe80::1 link-local
3. ipv6 enable
4. end
DETAILED STEPS
Command or Action
Purpose
Step 1
interface vlan 1
Example:
Switch(config)# interface vlan 1
Creates an interface and enters interface configuration mode.
Configures the IPv6 routing prefix advertisement that must not be advertised.
Step 9
ipv6 nd managed-config-flag
Example:
Switch (config-if)# ipv6 nd managed-config-flag
Configures IPv6 interface neighbor discovery to allow hosts to use DHCP for address configuration.
Step 10
ipv6 nd other-config-flag
Example:
Switch (config-if)# ipv6 nd other-config-flag
Configures IPv6 interface neighbor discovery to allow hosts to use DHCP for non-address configuration.
Step 11
ipv6 dhcp server IPv6_DHCPPOOL
Example:
Switch (config-if)# ipv6 dhcp server IPv6_DHCPPOOL
Configures the DHCP server on the interface.
Verifying IPv6 Client Address Learning
Verifying IPv6 Address Learning Configuration
This example displays the output of the show ipv6 dhcp pool command. This command displays the IPv6 service configuration on the switch. The vlan 21 configured pool detail displays 6 clients that are currently using addresses from the pool.
SUMMARY STEPS
1. show ipv6 dhcp pool
DETAILED STEPS
Command or Action
Purpose
Step 1
show ipv6 dhcp pool
Example:
Switch# show ipv6 dhcp pool
DHCPv6 pool: vlan21
Address allocation prefix: 2001:DB8:0:1:FFFF:1234::/64 valid 86400 preferred 86400 (6 in use, 0 conflicts)
DNS server: 2001:100:0:1::1
Domain name: example.com
Active clients: 6
Displays the IPv6 service configuration on the switch.
Debugging IPv6 Address Learning
Use the following CLI command to debug IPv6 on the switch.
Command or Action
Purpose
Step 1
debug wcdb ipv6
Example:
Switch# debug wcdb ipv6
IPv6 address all debugging is on
.......
.......
.......
*Jan 3 20:06:38.096: %IOSXE-7-PLATFORM: 1 process wcm: 8853.2EDC.68EC apChanged 0 mscb ipAddr 10.10.19.121, apf RadiusOverride 0x0, numIPv6Addr=2001:db8::25:6
.......
.......
.......
*Jan 3 20:06:38.096: %IOSXE-7-PLATFORM: 1 process wcm: 8853.2EDC.68EC Applying site-specific IPv6 override for station 8853.2EDC.68EC - vapId 6, site 'default-group', interface 'VLAN0019'
.......
.......
.......
This command is used to debug the switch-related IPv6 details, errors, events and packets.
Monitoring Client Address Learning
Viewing Interfaces Configured for IPv6 Address Learning
Use this command to see the interfaces configured for IPv6 address learning.
SUMMARY STEPS
1. show ipv6 dhcp interface
DETAILED STEPS
Command or Action
Purpose
Step 1
show ipv6 dhcp interface
Example:
Switch (config)# show ipv6 dhcp interface
Vlan21 is in server mode
Using pool: vlan21
Preference value: 0
Hint from client: ignored
Rapid-Commit: disabled
Viewing IPv6 Address Learning
Use this command to monitor the IPv6 address learning and neighbor discovery.
Command or Action
Purpose
Step 1
show ipv6 dhcp binding
Example:
Switch# show ipv6 dhcp binding
Displays the IPv6 DHCP binding details.
Step 2
show ipv6 dhcp relay binding
Example:
Switch# show ipv6 dhcp relay binding
Displays the IPv6 DHCP relay binding details.
Switch (config)# show ipv6 dhcp binding
Client: FE80::99BC:7B03:D2FB:C301 (Vlan19)
DUID: 000100011864E60700188BBF6407
IA NA: IA ID 0x0F88532E, T1 43200, T2 69120
Address: FC00:19:1:0:48DB:C050:B209:83EC
preferred lifetime 86400, valid lifetime 172800
expires at Jan 06 2013 01:37 PM (172747 seconds)
Switch (config)# show ipv6 dhcp relay binding
Summary:
Total number of Relay bindings = 0
Total number of Relay bindings added by Bulk lease = 0
Viewing RA Throttling and NS Suppression
Use these commands to see the RA throttling and NS suppression details.
SUMMARY STEPS
1. show ipv6 nd raguard Mypolicy
2. show ipv6 nd ra-throttler policy Mythrottle
DETAILED STEPS
Command or Action
Purpose
Step 1
show ipv6 nd raguard Mypolicy
Example:
Switch (config)# show ipv6 nd raguard Mypolicy
Shows the IPv6 neighbor discovery RA details.
Step 2
show ipv6 nd ra-throttler policy Mythrottle
Example:
Switch (config)# show ipv6 nd ra-throttler policy Mythrottler
Shows the IPv6 neighbor RA throttle details.
Switch (config)# show ipv6 nd raguard Mypolicy
Policy Mypolicy configuration:
trusted-port
device-role router
Policy Mypolicy is applied on the following targets:
Target Type Policy Feature Target range
Te1/0/3 PORT Mypolicy RA guard vlan all
vlan 19 VLAN Mypolicy RA guard vlan all
vlan 20 VLAN Mypolicy RA guard vlan all
vlan 21 VLAN Mypolicy RA guard vlan all
vlan 23 VLAN Mypolicy RA guard vlan all
Switch (config)# show ipv6 nd ra-throttler policy Mythrottler
Policy Mythrottle configuration:
The throttle period is set to 20 seconds
Capped at no more than 5 unthrottled RAs per throttle period
The policy allows at least 3 and at most 5 RAs per router
The behaviour upon RAs with an RFC 3775 interval option is inherited and defaults to passthrough
Policy Mythrottle is applied on the following targets:
Target Type Policy Feature Target range
vlan 19 VLAN Mythrottle RA throttler vlan all
vlan 20 VLAN Mythrottle RA throttler vlan all
vlan 21 VLAN Mythrottle RA throttler vlan all
vlan 23 VLAN Mythrottle RA throttler vlan all
Configuration Example for IPv6 Client Address Learning
Creating a DHCP Scope
This example configures an IPv6 DHCP scope named vlan21. This DHCP scope provides IPv6 addresses in the 2001:DB8:0:1:FFFF:1234::/64 subnet. The valid and preferred lifetimes of each IPv6 address provided are set to one day (86400 seconds, or 24 hours). The DHCP scope also provides a dns-server IPv6 address option (2001:100:0:1::1) and the domain name for the scope.
Enters the configuration-dhcp mode and configures the address pool and its lifetime on a VLAN.
Step 4
dns-server 2001:100:0:1::1
Example:
Switch (config-dhcp)# dns-server 2001:100:0:1::1
Configures the DNS servers for the DHCP pool.
Step 5
domain-name example.com
Example:
Switch (config-dhcp)# domain-name example.com
Configures the domain name to complete unqualified host names.
Step 6
exit
Example:
Switch (config-dhcp)# exit
Returns to the previous mode.
Enabling IPv6 on an Interface and Providing IPv6 Addresses to DHCP Clients
This example configures IPv6 on interface VLAN 21. The first address (fe80::1) is a link-local address; the second address (2001:db8:0:1:ffff:1234::1/64) is a global unicast address. IPv6 DHCP clients requesting an address in VLAN 21 are directed to the DHCP pool vlan21. The switch informs IPv6 hosts in VLAN 21 that the DHCP scope provided supports stateful auto-configuration (nd managed-config-flag) and can also provide non-address options, such as the domain name or DNS server (nd other-config-flag).
SUMMARY STEPS
1. interface vlan 21
2. ipv6 address fe80::1 link-local
3. ipv6 address 2001:db8:0:1:ffff:1234::1/64
4. ipv6 dhcp server vlan 21
5. ipv6 nd managed-config-flag
6. ipv6 nd other-config-flag
DETAILED STEPS
Command or Action
Purpose
Step 1
interface vlan 21
Example:
Switch(config)# interface vlan 21
Enters the configuration mode and configures the IPv6 DHCP pool on the VLAN 21.
Step 2
ipv6 address fe80::1 link-local
Example:
Switch (config-if)# ipv6 address fe80::1 link-local
Configures the IPv6 link local address on VLAN 21.