Client Address Learning is configured on switch to learn the wireless client's IPv4 and IPv6 address and clients transition state maintained by the switch on an association, re-association, de-authentication and timeout.
There are three ways for IPv6 client to acquire IPv6 addresses:
Stateless Address Auto-Configuration (SLACC)
Stateful DHCPv6
Static Configuration
For all of these methods, the IPv6 client always sends neighbor solicitation DAD (Duplicate Address Detection) request to ensure there is no duplicate IP address on the network. The switch snoops the client's NDP and DHCPv6 packets to learn about its client IP addresses.
The most common method
for IPv6 client address assignment is Stateless Address Auto-Configuration
(SLAAC). SLAAC provides simple plug-and-play connectivity where clients
self-assign an address based on the IPv6 prefix. This process is achieved
Stateless Address
Auto-Configuration (SLAAC) is configured as follows:
Host sends a router
solicitation message.
Hosts waits for a Router
Advertisement message.
Hosts take the first 64 bits
of the IPv6 prefix from the Router Advertisement message and combines it with
the 64 bit EUI-64 address (in the case of ethernet, this is created from the
MAC Address) to create a global unicast message. The host also uses the source
IP address, in the IP header, of the Router Advertisement message, as its
default gateway.
Duplicate Address Detection
is performed by IPv6 clients in order to ensure that random addresses that are
picked do not collide with other clients.
The choice of algorithm is up
to the client and is often configurable.
The last 64 bits of
the IP v6 address can be learned based on the following 2 algorithms:
EUI-64 which is based on the
MAC address of the interface, or
Private addresses that are
randomly generated.
Figure 1. SLAAC Address
Assignment
The following Cisco
IOS configuration commands from a Cisco-capable IPv6 router are used to enable
SLAAC addressing and router advertisements:
ipv6 unicast-routing
interface Vlan20
description IPv6-SLAAC
ip address 192.168.20.1 255.255.255.0
ipv6 address FE80:DB8:0:20::1 linklocal
ipv6 address 2001:DB8:0:20::1/64
ipv6 enable
end
The use of DHCPv6 is
not required for IPv6 client connectivity if SLAAC is already deployed. There
are two modes of operation for DHCPv6 called Stateless and Stateful.
The DHCPv6 Stateless
mode is used to provide clients with additional network information that is not
available in the router advertisement, but not an IPv6 address as this is
already provided by SLAAC. This information can include the DNS domain name,
DNS server(s), and other DHCP vendor-specific options. This interface
configuration is for a Cisco IOS IPv6 router implementing stateless DHCPv6 with
SLAAC enabled:
ipv6 unicast-routing
ipv6 dhcp pool IPV6_DHCPPOOL
address prefix 2001:db8:5:10::/64
domain-name cisco.com
dns-server 2001:db8:6:6::1
interface Vlan20
description IPv6-DHCP-Stateless
ip address 192.168.20.1 255.255.255.0
ipv6 nd other-config-flag
ipv6 dhcp server IPV6_DHCPPOOL
ipv6 address 2001:DB8:0:20::1/64
end
The DHCPv6 Stateful
option, also known as managed mode, operates similarly to DHCPv4 in that it
assigns unique addresses to each client instead of the client generating the
last 64 bits of the address as in SLAAC. This interface configuration is for a
Cisco IOS IPv6 router implementing stateful DHCPv6 on a local
Switch:
ipv6 unicast-routing
ipv6 dhcp pool IPV6_DHCPPOOL
address prefix 2001:db8:5:10::/64
domain-name cisco.com
dns-server 2001:db8:6:6::1
interface Vlan20
description IPv6-DHCP-Stateful
ip address 192.168.20.1 255.255.255.0
ipv6 address 2001:DB8:0:20::1/64
ipv6 nd prefix 2001:DB8:0:20::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp server IPV6_DHCPPOOL
end
This interface configuration is for a
Cisco IOS IPv6 router implementing stateful DHCPv6 on an external DHCP server:
A Router Solicitation
message is issued by a host controller to facilitate local routers to transmit
Router Advertisement from which it can obtain information about local routing
or perform Stateless Auto-configuration. Router Advertisements are transmitted
periodically and the host prompts with an immediate Router Advertisement using
a Router Solicitation such as - when it boots or following a restart operation.
A Router Advertisement message is
issued periodically by a router or in response to a Router Solicitation message
from a host. The information contained in these messages is used by hosts to
perform Stateless Auto-configuration and to modify its routing table.
IPv6 Neighbor Discovery is a set of messages and processes that determine relationships between neighboring nodes. Neighbor Discovery replaces ARP, ICMP Router Discovery, and ICMP Redirect used in IPv4.
IPv6 Neighbor Discovery inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery packets that do not comply are dropped. The neighbor binding table in the switch tracks each IPv6 address and its associated MAC address. Clients are expired from the table according to Neighbor Binding timers.
The IPv6 addresses of
wireless clients are cached by the
switch. When the
switch receives an NS multicast looking for
an IPv6 address, and if the target address is known to the
switch and belongs to one of its clients, the
switch will reply with an NA message on
behalf of the client. The result of this process generates the equivalent of
the Address Resolution Protocol (ARP) table of IPv4 but is more efficient -
uses generally fewer messages.
Note
The
switch acts like proxy and respond with NA,
only when the
ipv6 nd
suppress command is configured
If the
switch does not have the IPv6 address of a
wireless client, the
switch will not respond with NA and forward
the NS packet to the wireless side. To resolve this, an NS Multicast Forwarding
knob is provided. If this knob is enabled, the
switch gets the NS packet for the IPv6
address that it does not have (cache miss) and forwards it to the wireless
side. This packet reaches the intended wireless client and the client replies
with NA.
This cache miss
scenario occurs rarely, and only very few clients which do not implement
complete IPv6 stack may not advertise their IPv6 address during NDP.
IPv6 clients configure
IPv6 addresses and populate their router tables based on IPv6 router
advertisement (RA) packets. The RA guard feature is similar to the RA guard
feature of wired networks. RA guard increases the security of the IPv6 network
by dropping the unwanted or rogue RA packets that come from wireless clients.
If this feature is not configured, malicious IPv6 wireless clients announce
themselves as the router for the network often with high priority, which would
take higher precedence over legitimate IPv6 routers.
RA-Guard also
examines the incoming RA's and decides whether to switch or block them based
solely on information found in the message or in the switch configuration. The
information available in the frames received is useful for RA validation:
Port on which the
frame is received
IPv6 source
address
Prefix list
The following
configuration information created on the switch is available to RA-Guard to
validate against the information found in the received RA frame:
Trusted/Untrusted
ports for receiving RA-guard messages
Trusted/Untrusted
IPv6 source addresses of RA-sender
Trusted/Untrusted
Prefix list and Prefix ranges
Router Preference
RA guard occurs at the
switch. You can configure the
switch to drop RA messages at the
switch. All IPv6 RA messages are dropped,
which protects other wireless clients and upstream wired network from malicious
IPv6 clients.
//Create a policy for RA Guard//
ipv6 nd raguard policy raguard-router
trusted-port
device-role router
//Applying the RA Guard Policy on port/interface//
interface tengigabitethernet1/0/1 (Katana)
interface gigabitethernet1/0/1 (Edison)
ipv6 nd raguard attach-policy raguard-router
RA throttling allows the controller to enforce limits to RA packets headed toward the wireless network. By enabling RA throttling, routers that send many RA packets can be trimmed to a minimum frequency that will still maintain an IPv6 client connectivity. If a client sends an RS packet, an RA is sent back to the client. This RA is allowed through the controller and unicasted to the client. This process ensures that the new clients or roaming clients are not affected by the RA throttling.
IPv6 unicasting must
always be enabled on the switch and the controller. IPv6 unicast routing is
disabled.
Before You Begin
To enable the
forwarding of IPv6 unicast datagrams, use the
ipv6 unicast-routing command in global configuration mode. To
disable the forwarding of IPv6 unicast datagrams, use the
no form of this command.
SUMMARY STEPS
1.configureterminal
2.ipv6
unicast
routing
DETAILED STEPS
Command or Action
Purpose
Step 1
configureterminal
Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
ipv6
unicast
routing
Example:
Switch (config)# ipv6 unicast routing
enable the forwarding of IPv6 unicast datagrams
Configuring RA Guard
Policy (CLI)
Configure RA Guard
policy on the
switch to add IPv6 client addresses and
populate the router table based on IPv6 router advertisement packets.
Applying the RA
Throttle policy on a VLAN. By enabling RA throttling, routers that send many RA
packets can be trimmed to a minimum frequency that will still maintain an IPv6
client connectivity.
Before You Begin
SUMMARY STEPS
1.configureterminal
2.vlan
configuration
1
3.ipv6
nd
ra
throttler
attach-policy
ra-throttler1
DETAILED STEPS
Command or Action
Purpose
Step 1
configureterminal
Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
vlan
configuration
1
Example:
Switch(config)# vlan configuration 1
Configures a
VLAN or a collection of VLANs and enters VLAN configuration mode.
Step 3
ipv6
nd
ra
throttler
attach-policy
ra-throttler1
Example:
Switch(config-vlan)# ipv6 nd ra throttler attach-policy ra-throttler1
Attaches an
IPv6 RA throttler policy to a VLAN or a collection of VLANs.
The IPv6 neighbor discovery (ND) multicast suppress feature stops as
many ND multicast neighbor solicit (NS) messages as possible by dropping them
(and responding to solicitations on behalf of the targets) or converting them
into unicast traffic. This feature runs on a layer 2 switch or a wireless
controller and is used to reduce the amount of control traffic necessary for
proper link operations.
When an address is inserted into the binding table, an address
resolution request sent to a multicast address is intercepted, and the device
either responds on behalf of the address owner or, at layer 2, converts the
request into a unicast message and forwards it to its destination.
Before You Begin
SUMMARY STEPS
1.enable
2.configureterminal
3.ipv6
nd
suppress
policy
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Switch(config)# enable
Enables privileged EXEC mode.
Enter your password
if prompted.
Step 2
configureterminal
Example:
Switch# configure terminal
Enters the global configuration mode.
Step 3
ipv6
nd
suppress
policy
Example:
Switch (config)# ipv6 nd suppress policy
Defines the ND suppress policy name and enters ND suppress policy
configuration mode.
To view the IPv6 clients associated
with the
Switch
Before You Begin
Select
Monitor
>
Clients
The Clients page is displayed. The Clients page contains the
following details:
Client MAC Address—
Displays the MAC address of the client.
AP Name— Displays the
access point name to which the client is connected to.
WLAN— Displays the
WLAN associated with the client.
State— Displays the
client authentication.
Protocol— Displays the
protocol used.
To view the client related general details, click the
Client MAC Address
parameter in the Clients page. The
Client > Detail page displays IPv6
addresses of the client under the
General
tab.
Verifying IPv6 Address Learning Configuration
This example displays the output of the show ipv6 dhcp pool command. This command displays the IPv6 service configuration on the switch. The vlan 21 configured pool detail displays 6 clients that are currently using addresses from the pool.
SUMMARY STEPS
1.show ipv6 dhcp pool
DETAILED STEPS
Command or Action
Purpose
Step 1
show ipv6 dhcp pool
Example:
Switchshow ipv6 dhcp pool
DHCPv6 pool: vlan21
Address allocation prefix: 2001:DB8:0:1:FFFF:1234::/64 valid 86400 preferred 86400 (6 in use, 0 conflicts)
DNS server: 2001:100:0:1::1
Domain name: example.com
Active clients: 6
Displays the IPv6 service configuration on the switch.
Additional
References
Related
Documents
Related
Topic
Document
Title
IPv6
command reference
IPv6 Command Reference (Catalyst 3850 Switches)
IP command reference
IP Command Reference (Catalyst 3850 Switches)
Error Message Decoder
Description
Link
To help you research and resolve system error messages in this release, use the Error Message Decoder tool.
The Cisco
Support website provides extensive online resources, including documentation
and tools for troubleshooting and resolving technical issues with Cisco
products and technologies.
To receive
security and technical information about your products, you can subscribe to
various services, such as the Product Alert Tool (accessed from Field Notices),
the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS)
Feeds.
Access to
most tools on the Cisco Support website requires a Cisco.com user ID and
password.