Note: Any IPv6 functionality that is not explicitly listed below is not supported.
Note: The mandatory DHCP option under Access Control should be disabled in order for clients connected to a Bridge mode SSID to have IPv6 connectivity. This applies to both IPv6-only and dual-stack (IPv4/IPv6) clients since the client is only allowed to use IPv4 addresses received via DHCPv4 with this option enabled.
MR Uplink Configuration Options Over IPv6
MR access points can be configured for an IPv6 address on the management interface using one of the following methods:
Stateless Address Autoconfiguration (SLAAC)
Static IPv6 address assignment via Dashboard or Local status page
Note: MR access points can connect to the Dashboard in dual-stack (IPv4/IPv6), IPv4-only, and IPv6-only networks. However, it is recommended to use dual-stack IPv4/6 in your networks with MRs for full functionality until we archive the full parity between IPv4 and IPv6 features.
Warning: Since most of the IPv6 features listed here are firmware-dependent and require MR 28.1+, we highly suggest that you create and/or modify your wireless Meraki networks to ensure that all access points are able to run MR 28.X firmware. For example, if you have an older AP in the network that cannot run MR 28 firmware some features might not work as expected.
If a network with IPv6 functionality is downgraded to MR 27.X or older firmware this will result in a loss of IPv6 functionality on MR access points.
Stateless Address Configuration (SLAAC)
An MR access point will perform these steps to configure an IPv6 address on the management interface:
Once MR boots up, it will generate a link-local address using the EUI-64 process.
MR will perform a Duplicate Address Detection (DAD) on its link-local address by sending a Neighbor Solicitation (NS) to the Solicited Node Multicast address it generates from its link-local address. If there is conflict, a corresponding event will be logged to the Event log.
An MR will use this unique link-local address as a source address to send a Router Solicitation (RS) to the all-routers multicast address of ff02::2.
The IPv6 router on the link receives the Router Solicitation (RS) and responds with a Router Advertisement (RA) sourced from its own link-local address, and targeting either the link-local unicast address of the requesting MR or the all-nodes multicast address ff02::1.
The Router Advertisement (RA) message includes various information. At a minimum, it should include the global IPv6 prefix, prefix length, IPv6 DNS servers (this means that the upstream device sending the RA should be configured to support RDNSS per https://tools.ietf.org/html/rfc8106). MR will use the link-local address of the router it received the RA from as an IPv6 default gateway.
Note: The prefix length received in the RA must be between /1 and /64.
An MR will combine the received global prefix with its EUI-64 formatted MAC address to form a global unicast IPv6 address used to route traffic to external destinations like the Meraki Dashboard.
An MR will perform a DAD on its global unicast address. If there is conflict, a corresponding event will be logged to the Event log.
Static IPv6 Address Assignment via Dashboard
MR access points can be configured for a static IPv6 address on the AP details page.
Note: This method requires that the AP is an active gateway. It also means that the AP needs to be online in Dashboard and have either an active IPv4 address received via DHCP lease, a currently functioning static IPv4 address, IPv6 address configured via SLAAC, or a statically configured IPv6 address. This method does not work for devices acting as repeaters.
Browse to dashboard.meraki.com and login to Dashboard.
Navigate to Wireless > Monitor > Access Points and click the name of the AP you would like to configure.
On the device status page, click the Edit icon to the right of the current IPv6 information to expand the configuration for that device.
Note: The prefix length that you configure must be between /1 and /64.
Input the appropriate IPv6 information and click the "Save" button.
As soon as the AP updates its configuration to include the new static IPv6 address, it will attempt to use that address on the network. If the AP is not able to reach the configured default gateway on this static assignment, it will fail back to SLAAC. Please inspect the static IPv6 configuration and the VLAN configuration being used on the network if this happens.
Note: If a VLAN is specified in the static IP configuration, management traffic from the AP will be sent out with an 802.1q tag for that VLAN. In this case, it is expected that return Management traffic should also be tagged appropriately.
Static IPv6 Address Assignment via Local Status Page
DNS requests to IPv4 and IPv6 servers for ap.meraki.com's A record should be intercepted and receive "10.128.128.126".
DNS requests to IPv4 and IPv6 servers for ap.meraki.com's AAAA record should be intercepted and receive "fd0a:9b09:1f7:200::126".
HTTP requests to both of these addresses should show the ap.meraki.com page.
The page should display the client's IPv4/IPv6 address respectively depending on which IP version was used to reach the web page.
Connect to the Access Point and open the Local Status Page.
Note: The local status page may be accessed in the following ways:
Global unicast IPv6 address of the MR (management IPv6 address)
Predefined link-local address fd0a:9b09:1f7:200::126
On this page, click Configure.
The page should now prompt for login credentials. If local login credentials were configured via Dashboard, please use these credentials. Otherwise, the default login is the device's serial number as the username and a blank password.
On the Configure page, input the new static IPv6 information under “IPv6 Assignment”, then click Save.
Note: The link-local address option will only work if the client is on the same segment and connected to the MR. Remember to use brackets  in your web browser when specifying IPv6 addresses.
Wireless IPv6 Bridging
Network-wide > General > Wireless IPv6 Bridging has two options - Disabled and Enabled.
When set to “Enabled”, MR will pass IPv6 traffic to clients connected to a Bridge mode SSID, MR Tools like Ping and Traceroute will work for IPv6 traffic, and MR will be able to use its IPv6 management address to check-in to the Dashboard over an IPv6-only upstream network.
When set to “Disabled”, MR will not pass IPv6 traffic to clients connected to a Bridge mode SSID, and MR Tools like Ping and Traceroute will not work for IPv6 traffic. However, MR will be able to use IPv6 on the uplink for management and Meraki dashboard connectivity purposes.
MR Live Tools
The Ping tool supports both IPv4 and IPv6 addresses as well as hostnames. If a provided hostname resolves to both an IPv4 and IPv6 address, the AP will perform a ping test to both IP addresses.
The Traceroute tool supports both IPv4 and IPv6 addresses as well as hostnames. If a provided hostname resolves to both an IPv4 and IPv6 address, the AP will perform a traceroute test to both IP addresses.
Layer 3 IPv6 Firewall Rules
IPv4 KB: MR Firewall Rules
MR access points support outbound layer 3 firewall rules with destination IPv4 and IPv6 addresses. To create a new rule, navigate to Wireless > Configure > Firewall & traffic shaping. Select an appropriate SSID from the dropdown on the top of the page and click “Add new”.
Specify an Action (Allow/Deny), IP version (IPv4/IPv6), Protocol (TCP, UDP, ICMP, Any). Destination (IPv4 or IPv6 address), Destination port, and rule description. While in the edit mode, you can add more rules, rearrange configured rules using the icon with two parallel lines on the left of each rule, as well as use the menu with three dots on the right of each rule to add additional rules on above/below the currently selected rule, and delete and edit a rule. Once done, click “Finish editing” or click “Cancel” to cancel changes.
Note: It’s only allowed to specify one IPv4 or IPv6 address per the “destination” field.
Click “Save Changes” at the bottom of the page.
An example set of IPv4 and IPv6 Layer 3 rules:
IPv6 RADIUS Support
All enterprise RADIUS authentication types support both IPv4 and IPv6 addresses.
Note: FQDNs are not supported for RADIUS authentication with MR access points.
LDAP over IPv6
LDAP IPv6 servers are supported for Splash sign-on.
More information abound Splash sign-on with LDAP can be found here in Configuring Splash Page Authentication with an LDAP Server
Walled Garden IPv6 Support
Walled garden accepts IPv6 addresses.
Old access control page:
New Access Control page:
Active Directory over IPv6
SNMP polling via their IPv6 LAN address of MR access points
MR access points can be polled via IPv6 uplink address over SNMP.
Note: SNMP polling via their IPv6 LAN address of MR access points refers to the capability of IPv6 reachability over SNMP and not the support for IPv6-MIB.
snmpwalk -v2c -t 10 -c meraki12345 udp6:[IPv6 address of the AP]
IPv6 Event Types in the Event Log
Clients IPv6 addresses appear in the Event log.
Syslog over IPv6
Note: Currently, you can only set up IPv6 Syslog servers in wireless networks and not combined networks.
Syslog output example:
Meraki Health IPv6 Support
The Client History tab supports IPv6 event types (DHCPv6, DNSv6, RADIUSv6)
Here is an example of RADIUSv6 server failure captured by Meraki Health: