Cisco Meraki Documentation

IPv6 Support on MX Security & SD-WAN Platforms - LAN

LAN

The MX supports several options for configuring IPv6 prefixes. This section covers the available options, how to configure them, and how to view available prefixes.

Note:

  • By default, IPv6 is disabled on the LAN side and must be configured for existing VLANs if desired.

  • Auto is enabled by default for WAN 1 and WAN 2 when IPv6 is set to enable.

  • SLAAC is used to provide clients’ IPv6 addresses within their respective IPv6 enabled VLANs.

  • As of now, we only support SLAAC on LAN with limited RA options (like prefix information, MTU, source-link layer address). We do not support DHCPv6-NA nor DHCPv6-PD server functions.

  • ULA addresses may be configured on the LAN side of the MX, but it is recommended to leverage GUA addresses.

  • One prefix is always delegated to the source NAT on the WAN side. Hence, users should include N+1 /64 prefixes, where N is the number of VLANs. Users can also leverage the prefix starvation reports to administer this behaviour. If ULA is used, NAT66 will be used for the source NAT operation.

Please note that disabling IPv6 on the LAN side of the MX will not automatically disable IPv6 on the WAN of the MX.
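The N+1 sizing rule from the note above can be checked before a prefix is entered in the dashboard. The following is an added example, not Meraki code: the function name, the sample prefixes and the choice of the first /64 for source NAT are assumptions made for illustration, since the page does not say which /64 the MX reserves.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses (RFC 4193)
GUA = ipaddress.ip_network("2000::/3")   # global unicast addresses

def plan_lan_prefixes(delegated, vlan_names):
    """Split a prefix into /64s: one for source NAT plus one per VLAN (N+1)."""
    net = ipaddress.ip_network(delegated, strict=True)  # rejects stray host bits
    if net.version != 6:
        raise ValueError("not an IPv6 prefix")
    if net.prefixlen > 64:
        raise ValueError("SLAAC needs /64s; prefix is longer than /64")
    needed = len(vlan_names) + 1                 # N VLANs + 1 for source NAT
    available = 2 ** (64 - net.prefixlen)
    if available < needed:
        raise ValueError(
            f"prefix starvation: {delegated} holds {available} /64(s), need {needed}")
    if net.subnet_of(ULA):
        scope = "ULA"
    elif net.subnet_of(GUA):
        scope = "GUA"
    else:
        scope = "other"
    subnets = net.subnets(new_prefix=64)         # generator of /64s, in order
    nat = next(subnets)                          # assumption: first /64 goes to NAT
    vlans = {name: str(next(subnets)) for name in vlan_names}
    return {"scope": scope, "nat66": scope == "ULA",
            "source_nat": str(nat), "vlans": vlans, "spare": available - needed}

if __name__ == "__main__":
    # Constructed inputs: a documentation-range /60 and three VLAN names.
    print(plan_lan_prefixes("2001:db8:0:10::/60", ["Data", "Guest", "Voice"]))
```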


Auto (DHCPv6-PD)

Auto is the simplest way to configure IPv6: the MX obtains IPv6 prefixes directly from the WAN ISPs and automatically assigns them to IPv6-enabled VLANs. Please note that this requires the ISP to support DHCPv6-PD. Currently, MX does not support DHCPv6 options in MX17.

Configuration

  • Go to Security & SD-WAN > Configure > Addressing & VLANs > Select [or add] the VLAN you want IPv6 enabled on

  • Configure the VLAN Name, VLAN ID, Group Policy (optional) and VPN (optional) & click Next

  • Ensure IPv6 Config is set to Enabled and the appropriate WANs to Auto and click preview

  • Confirm, double check the changes, and select Update

  • Remember to save the configuration via the Security & SD-WAN > Configure > Addressing & VLANs page so the changes are applied to the MX.

  • Once the configuration is complete, the MX will send DHCPv6-PD requests via the enabled IPv6 Uplinks to obtain IPv6 Prefixes to use on the IPv6 enabled VLANs.

Manual Prefixes (Auto delegation)

You can configure Manual prefixes if your ISP doesn’t support DHCPv6-PD or if you are using your own Independent Prefix space.  The MX will in turn automatically assign /64 prefixes to each VLAN as configured and available.

Note:

  • When a manual prefix is added per origin (WAN1 or WAN2), this disables auto delegated prefixes from DHCPv6-PD for the respective origin (WAN1 or WAN2). This means that automatic VLAN assignments will not obtain a prefix from the auto delegated prefix pool from DHCPv6-PD. More on this in Manual Prefixes (VLAN overrides).

Configuration:

  • Go to Security & SD-WAN > Monitor > Appliance status page

  • Click on the IPv6 Prefixes tab and click Add new prefixes on the right hand side

  • Enter the source name, Prefix,  select the appropriate origin and click save

Manual Prefixes (VLAN overrides)

Individually override the VLAN configuration with the specific prefixes you want that VLAN to use. This is only recommended if you have non-changing prefixes (typically static from an ISP or your own Independent prefix space).

When performing VLAN overrides, make sure the following rules are met for the end device to receive an IP (if not, you will receive dashboard alerts):

  • If WAN_X uplink gets a ULA prefix from upstream, then you can enable IPv6 for the VLAN and configure VLAN override for the WAN_X origin with matching WAN_X ULA prefix in the Addressing & VLANs page (where X= WAN1 or WAN2)

  • If WAN_X uplink gets a GUA prefix from upstream, then you can enable IPv6 for the VLAN and configure VLAN override for the WAN_X origin with matching WAN_X GUA prefix (where X= WAN1 or WAN2)

  • If you want to enable IPv6 for the VLAN and configure VLAN override with a GUA/ULA prefix for the Independent origin, then you must configure the same GUA/ULA prefix for the Independent origin in the delegation prefix table

Configuration

  • Go to Security & SD-WAN > Configure > Addressing & VLANs page > Select [or add] the VLAN you want IPv6 enabled on

  • Configure the VLAN Name, VLAN ID, Group Policy (optional) and VPN (optional) & click Next

  • Select the Enable button for IPv6 and select Manual for WAN 1 / WAN 2 or Independent

    • The WAN selection defines that the IPv6 prefix will route to the uplink network via the selected WAN (Origin).


  • Click Save and preview your changes, then click the Update button

  • Remember to save the configuration via the Security & SD-WAN > Configure > Addressing & VLANs page so the changes are applied to the MX

Recursive DNS Server (RDNSS)

RDNSS support requires a minimum firmware version of MX 18.205.

RDNSS allows for the specification of IPv6 DNS servers so clients are able to look up IPv6 AAAA records without the need for an IPv4 intermediary. Once the servers are configured, they will be advertised as part of the IPv6 Router Advertisement (RA) process.

Configuration:

  • Go to Security & SD-WAN > Configure > DHCP page.

  • Input the IPv6 address of your DNS server in the Custom nameservers field; this can be in addition to any IPv4 DNS servers.


If the dropdown box for DNS nameservers is used to select a predefined option, both IPv4 and IPv6 addresses will be automatically configured.
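To confirm from a LAN client that the MX advertises what this page describes (prefix information, MTU, source link-layer address and, once configured, RDNSS), a captured Router Advertisement can be decoded. The following is an added example, not Meraki code: the function names and the sample RA bytes are constructed for illustration, and the option numbers come from RFC 4861 and RFC 8106.

```python
import ipaddress
import struct

def parse_ra_options(icmp6: bytes) -> dict:
    """Return the options carried by an ICMPv6 Router Advertisement (type 134)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    out = {"slla": None, "mtu": None, "prefixes": [], "rdnss": [], "other": []}
    off = 16                                    # fixed RA header is 16 bytes
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, size = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if size == 0 or off + size > len(icmp6):
            raise ValueError("malformed option length")   # RFC 4861: discard the RA
        body = icmp6[off + 2:off + size]
        if opt_type == 1 and size == 8:         # source link-layer address
            out["slla"] = ":".join(f"{b:02x}" for b in body)
        elif opt_type == 5 and size == 8:       # MTU
            out["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == 3 and size == 32:      # prefix information
            net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
            out["prefixes"].append({"prefix": str(net),
                                    "on_link": bool(body[1] & 0x80),
                                    "autonomous": bool(body[1] & 0x40)})  # A flag = SLAAC
        elif opt_type == 25 and size >= 24 and (size - 8) % 16 == 0:  # RDNSS, RFC 8106
            out["rdnss"].append({
                "lifetime": struct.unpack("!I", body[2:6])[0],
                "servers": [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(6, len(body), 16)]})
        else:
            out["other"].append(opt_type)
        off += size
    return out

def sample_ra() -> bytes:
    """Constructed RA (checksum left at 0, not verified here)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    slla = bytes([1, 1, 0x02, 0, 0, 0, 0, 0x01])
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    pio = (struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
           + ipaddress.IPv6Address("2001:db8:0:11::").packed)
    rdnss = struct.pack("!BBHI", 25, 3, 0, 1800) + ipaddress.IPv6Address("2001:db8::53").packed
    return hdr + slla + mtu + pio + rdnss

if __name__ == "__main__":
    print(parse_ra_options(sample_ra()))
```

An empty `rdnss` list on a VLAN where custom IPv6 nameservers were configured means clients will not learn them from the RA; the firmware requirement above is the first thing to check.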

Cellular

The MX67C and MX68CW are now capable of obtaining a /64 prefix from the cellular provider network to use as its cellular WAN.  Since IPv6 requires additional prefixes to function on the LAN, either DHCPv6-PD needs to be supported by the cellular provider or an Independent prefix should be configured so that LAN clients can communicate using IPv6 over the cellular network.

Note:

  • It is recommended to configure a ULA prefix as Independent in the IPv6 Prefix tab so it can be leveraged for Cellular assignment. This will allow LAN clients to receive IPv6 addresses via SLAAC on VLANs enabled for Independent, and when a client uses IPv6 from the LAN to the Internet over cellular, the MX will translate the LAN address to the single /64 on the cellular interface and use the IPv6 cellular network.

Configuration:

  • Go to Security & SD-WAN > Configure > Addressing & VLANs > Select [or add] the VLAN you want IPv6 enabled on

  • Configure the VLAN Name, VLAN ID, Group Policy (optional) and VPN (optional) & click Next

  • Ensure IPv6 Config is set to Enabled and the appropriate WANs to Auto and click preview

  • Confirm, double check the changes, and select Update

  • Remember to save the configuration via the Security & SD-WAN > Configure > Addressing & VLANs page so the changes are applied to the MX

  • Once the configuration is complete, the MX will send DHCPv6-PD requests via the enabled IPv6 Uplinks to obtain IPv6 Prefixes to use on the IPv6 enabled VLANs.

Link-Local and Solicited Node Multicast (SNMC) Visibility

Link-Local and Solicited Node Multicast address information can be found under the Security & SD-WAN > Configure > Addressing & VLANs page, inline with the related IPv6 information for each VLAN. 

IPv6 Addressing and VLANs

Dynamic VLAN Objects

With the dynamic nature of IPv6 (DHCPv6-PD), configuring prefixes manually is not a real solution. To accommodate this challenge, we are introducing a new way to configure firewalls on the MX. You can now configure the VLAN by name on the firewall page as source or destination.

  • Specify Dual-Stack (Covers both IPv4 and IPv6)

  • Configure IPv6 or IPv4 only offsets for specific IPs

Configuration:

  • Browse to Security & SD-WAN > Configure > Firewall page

  • Click “Add new” button to Inbound or Outbound firewalls as desired

  • Start creating your rule, but instead of adding a local source or destination prefix, type the VLAN name

  • Select the desired source and destination VLANs and complete your rule

  • Click Finish editing to review your changes and select save

In this example, rule #4 is denying TCP traffic sourced from “Guest” VLAN to “Data” VLAN destination. “Data” VLAN is configured as VLAN 12 encompassing dual-stack prefixes.


Refer to the main KB: IPv6 Support on MX Security & SD-WAN Platforms [Core Fundamentals]
