
 

Cisco Meraki Documentation

MR 29.X Firmware Release - Supported IPv6 Features

MR Uplink Duplicate Address Detection (DAD) Failover Address

The IPv6 Duplicate Address Detection (DAD) feature ensures that all the global IPv6 addresses assigned to MRs on a particular segment are unique. MRs can perform DAD, determine if the global IPv6 address is a duplicate, and select a new non-duplicate (“failover”) address.

Note: DAD on an MR uplink is supported starting at MR 28.1 firmware. The ability to automatically select a new non-duplicate (“failover”) address if a duplicate address was detected during DAD requires MR 29.1 or more recent firmware. An AP tries a maximum of 3 times to generate a DAD-compliant IPv6 address for the uplink.

There are two ways an MR can get an IPv6 address for its uplink: static configuration or autoconfiguration via SLAAC. MRs will select a failover address depending on the IPv6 assignment method. 

  • If a global IPv6 address was statically assigned, the MR returns to autoconfiguration via SLAAC.

  • If a global IPv6 address was configured via SLAAC, the MR selects a new random MAC address using the following rules:

      • High 32 bits of the host address are randomly changed

      • EUI-64 static byte is zeroed out

      • For example, 2607:fea8:c360:2e3f:bff0:fef2:3026 may become 2607:fea8:c360:6721:aaa1:00f2:3026
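
The SLAAC failover rules above, as an added Python example (not Meraki's code). It assumes a /64 prefix, reads "EUI-64 static byte" as the 0xFE filler byte (as the page's example suggests), and uses an `in_use` set as a stand-in for real DAD probes; the function names and the sample address are constructed.

```python
import ipaddress
import secrets

MAX_ATTEMPTS = 3          # the page: an AP tries a maximum of 3 times
IID_MASK = (1 << 64) - 1  # low 64 bits = host part (a /64 SLAAC prefix is assumed)

def failover_candidate(addr, rand32=None):
    """Apply the two stated rules to one SLAAC-derived address."""
    value = int(ipaddress.IPv6Address(addr))
    prefix, iid = value & ~IID_MASK, value & IID_MASK
    if rand32 is None:
        rand32 = secrets.randbits(32)
    iid = (rand32 << 32) | (iid & 0xFFFFFFFF)  # rule 1: new high 32 bits
    iid &= ~(0xFF << 24)                       # rule 2: zero the 0xFE byte (assumed reading)
    return ipaddress.IPv6Address(prefix | iid)

def select_failover(addr, in_use, rand_values=None):
    """Return the first candidate absent from in_use, or None after 3 tries.

    in_use stands in for the outcome of real DAD probes (constructed input).
    rand_values optionally supplies fixed 32-bit values for repeatable runs.
    """
    taken = {ipaddress.IPv6Address(a) for a in in_use}
    values = iter(rand_values or [])
    for _ in range(MAX_ATTEMPTS):
        candidate = failover_candidate(addr, next(values, None))
        if candidate not in taken:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample: EUI-64 address in the 2001:db8::/32 documentation range.
    print(select_failover("2001:db8:0:1:211:22ff:fe33:4455", in_use=[]))
```

The low 24 bits of the host part survive the rewrite, so a failover address can still be matched to the original address when reviewing event logs.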

 

Navigate to Network-wide > Monitor > Event log to view DAD-related uplink events such as:

  • IPv6 uplink duplicate address detection (MR 28.1 and more recent firmware)

  • IPv6 uplink auto-configuration failover (MR 29.1 and more recent firmware)

  • IPv6 uplink static configuration failover (MR 29.1 and more recent firmware)

Layer 2 wireless client isolation works for IPv6 wireless clients with SLAAC or static IPv6 addresses, unlike Layer 2 isolation for IPv4 clients, which only works if clients received IPv4 addresses via DHCP. Please refer to Wireless Client Isolation for how L2 isolation works for IPv4 wireless clients. Isolation of IPv6 clients with static IPv6 addresses is possible because MRs snoop IPv6 Router Advertisement (RA) packets to determine gateway and DNSv6 information and build an internal table that only allows traffic to the IPv6 gateway and DNSv6 servers. By contrast, gateway and DNS information is not available to the AP when IPv4 clients use static addresses.

When Layer 2 isolation is enabled, only the following types of traffic are allowed:

  • Traffic to the client’s IPv6 gateway

  • DNSv6 traffic from an IPv6 client

  • DAD NS / NA traffic from an IPv6 client

  • IPv6 wireless client traffic to internal or external L3 networks and inbound unicast and multicast IPv6 traffic from wired LAN clients are allowed similarly to Layer 2 isolation for IPv4 clients.

Note: All ingress traffic (destined to an IPv6 client) is always allowed.

Multicast to Unicast Conversion and IPv6 Multicast Listener Discovery (MLD) Snooping

MLD snooping allows MR access points to inspect MLD join/leave packets and maintain a table of multicast groups and members. The IPv4 equivalent of MLD snooping is Internet Group Management Protocol (IGMP) snooping. MRs use the MLD table to send unicast copies of multicast packets to interested clients.

Below are some benefits of using MLD snooping in your network:

  • Reliable packet delivery. Multicast packets are not acknowledged (an ACK packet is not sent when a multicast packet is received). However, when a multicast packet is converted to unicast with the help of MLD snooping, these unicast packets are acknowledged.

  • Extended Battery Life. Since a wireless client does not have to “wake up” to receive a multicast packet that is potentially not meant for this client, the battery life of a client is extended.

  • Bandwidth optimization. By reducing the amount of multicast traffic, network bandwidth is conserved.

  • Increased wireless throughput. Unicast packets can be sent using the highest feasible data rate supported by that particular client, while multicast packets are sent using the lowest data rate supported by all clients.

  • Increased network security. MLD snooping can prevent Denial of Service (DoS) attacks that rely on sending multicast IPv6 traffic.

MLD Snooping is implicitly turned on when the Network-wide > Wireless Multicast to Unicast Conversion feature is enabled. Please refer to Multicast-Unicast Conversion for more information.

Note:

  • Both MLDv1 and MLDv2 are supported

  • MLD keeps working after Layer 2 roam between APs

  • MLD also works for wired clients connected to Ethernet ports on two- and four-port MRs using port profiles
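
A minimal model of the MLD table described in this section, as an added Python example (not Meraki's implementation). It parses MLDv1 Report/Done and MLDv2 Report bodies per RFC 2710 and RFC 3810; the class and helper names, the MAC strings and the group addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

def mldv1(msg_type, group):
    """Constructed MLDv1 Report (131) or Done (132) body."""
    return struct.pack("!BBHHH", msg_type, 0, 0, 0, 0) + ipaddress.IPv6Address(group).packed

def mldv2_report(records):
    """Constructed MLDv2 Report (143); records = [(record_type, group, [sources])]."""
    body = struct.pack("!BBHHH", 143, 0, 0, 0, len(records))
    for rtype, group, sources in records:
        body += struct.pack("!BBH", rtype, 0, len(sources))
        body += ipaddress.IPv6Address(group).packed
        body += b"".join(ipaddress.IPv6Address(s).packed for s in sources)
    return body

class MldSnooper:
    def __init__(self):
        self.members = defaultdict(set)  # multicast group -> client MACs

    def _update(self, group, mac, listening):
        if listening:
            self.members[group].add(mac)
        else:
            self.members[group].discard(mac)
            if not self.members[group]:
                del self.members[group]

    def snoop(self, mac, icmp):
        """Update the table from one MLD message sent by client `mac`."""
        if icmp[0] in (131, 132):                       # MLDv1 Report / Done
            self._update(ipaddress.IPv6Address(icmp[8:24]), mac, icmp[0] == 131)
        elif icmp[0] == 143:                            # MLDv2 Report
            off = 8
            for _ in range(struct.unpack("!H", icmp[6:8])[0]):
                rtype, aux_words, nsrc = struct.unpack("!BBH", icmp[off:off + 4])
                group = ipaddress.IPv6Address(icmp[off + 4:off + 20])
                if rtype in (1, 3) and nsrc == 0:       # INCLUDE {} = leave
                    self._update(group, mac, False)
                elif 1 <= rtype <= 5:                   # any other listen state
                    self._update(group, mac, True)
                off += 20 + 16 * nsrc + 4 * aux_words

    def unicast_copies(self, group, sender_mac):
        """Client MACs that get a unicast copy of a packet sent to `group`."""
        listeners = self.members.get(ipaddress.IPv6Address(group), set())
        return sorted(listeners - {sender_mac})
```

A group with no entry in the table yields no unicast copies, which is the behaviour behind the bandwidth and DoS-resistance benefits listed above.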

Unsolicited Neighbor Advertisements are sent without receiving a neighbor solicitation message. 

In wireless environments, filtering unsolicited NAs saves available bandwidth. Additionally, part of the Hotspot 2.0 release 3 requirements is not sending unsolicited multicast neighbor advertisements to wireless clients. Instead, MR access points will filter unsolicited multicast NAs that are not Duplicate Address Detection (DAD) responses and unicast the DAD responses back to the requestor.

This feature is enabled by default if Hotspot 2.0 is enabled in the network and disabled by default if Hotspot 2.0 is not in use. Please refer to Hotspot 2.0 for more information.
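
The filtering decision described above, as an added Python example (not Meraki's code). Per RFC 4861 a DAD response is itself a multicast NA with the Solicited flag clear, so the sketch tells it apart from other unsolicited NAs by remembering recent DAD probes (NS with source `::`); the 1-second window, class name and sample addresses are assumptions.

```python
import ipaddress
import struct

UNSPECIFIED = ipaddress.IPv6Address("::")
DAD_WINDOW = 1.0   # seconds a DAD probe stays pending (assumed value)
NS, NA = 135, 136  # ICMPv6 message types (RFC 4861)
S_FLAG = 0x40000000

def nd_message(msg_type, target, solicited=False):
    """Build a constructed NS/NA body: type, code, checksum (0), flags, target."""
    flags = S_FLAG if solicited else 0
    return struct.pack("!BBHI", msg_type, 0, 0, flags) + ipaddress.IPv6Address(target).packed

class UnsolicitedNaFilter:
    def __init__(self):
        self.pending = {}  # DAD target -> (prober MAC, time the probe was seen)

    def handle(self, now, src_mac, ip_src, ip_dst, icmp):
        """Return ('forward', None), ('drop', None) or ('unicast', prober_mac)."""
        if len(icmp) < 24 or icmp[0] not in (NS, NA):
            return ("forward", None)              # outside this filter's scope
        flags = struct.unpack("!I", icmp[4:8])[0]
        target = ipaddress.IPv6Address(icmp[8:24])
        if icmp[0] == NS:
            if ipaddress.IPv6Address(ip_src) == UNSPECIFIED:
                self.pending[target] = (src_mac, now)   # DAD probe: source is ::
            return ("forward", None)
        if flags & S_FLAG or not ipaddress.IPv6Address(ip_dst).is_multicast:
            return ("forward", None)              # solicited or unicast NA
        prober = self.pending.get(target)
        if prober and now - prober[1] <= DAD_WINDOW:
            return ("unicast", prober[0])         # DAD response, sent only to the requestor
        return ("drop", None)                     # unsolicited multicast NA
```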

MR access points support Bonjour forwarding for IPv6 traffic and IPv4 traffic. 

Please refer to Bonjour Forwarding for more information.

 

 
