IPv6 Support on MX Security & SD-WAN Platforms - LAN
LAN
There are several options for configuring IPv6 Prefixes supported by the MX. In this section, we will cover the different options available, how to configure them, and how to view available prefixes.
Note:
- By default, IPv6 is disabled on the LAN side and must be configured for existing VLANs if desired.
- Auto is enabled by default for WAN 1 and WAN 2 when IPv6 is set to enable.
- SLAAC is used to provide clients' IPv6 addresses within their respective IPv6-enabled VLANs.
- As of now, only SLAAC is supported on the LAN, with limited RA options (such as prefix information, MTU, and source link-layer address). DHCPv6-NA server functions are not supported.
- ULA addresses may be configured on the LAN side of the MX, but it is recommended to leverage GUA addresses.
- One prefix is always delegated to the source NAT on the WAN side. Hence, users should include N+1 /64 prefixes, where N is the number of VLANs. Users can also leverage the prefix starvation reports to administer this behaviour. If ULA is used, NAT66 will be used for the source NAT operation.
- Assignment of an IP address from a DHCPv6-PD prefix is only supported on the LAN. It is not supported on WAN or Cellular.
Please note that disabling IPv6 on the LAN side of the MX will not automatically disable IPv6 on the WAN of the MX.
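A sketch of the N+1 budgeting described in the note above, as an added example (not Meraki code): given one delegated prefix and a list of VLANs, it reports how many /64s are available, which VLANs would be left without a prefix, and whether the prefix is ULA (and therefore subject to NAT66). The function name, the choice of the first /64 as the reserved one, and the sample prefixes are assumptions for illustration.

```python
import ipaddress
from itertools import islice

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses

def plan_vlan_prefixes(delegated, vlans):
    """Budget the /64s of one delegated prefix against the N + 1 rule.

    Assumption for illustration: the first /64 stands in for the one kept
    for WAN source NAT and VLANs are served in list order. The page only
    says that one prefix is always reserved, not which one.
    """
    net = ipaddress.ip_network(delegated)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("SLAAC needs /64s: use an IPv6 prefix of /64 or shorter")
    needed = len(vlans) + 1
    # subnets() is lazy, so a /48 (65536 /64s) is not expanded in full.
    pool = list(islice(net.subnets(new_prefix=64), needed))
    assigned = dict(zip(vlans, pool[1:]))
    return {
        "available": 2 ** (64 - net.prefixlen),
        "needed": needed,
        "nat_reserved": pool[0],
        "assigned": assigned,
        "starved": [v for v in vlans if v not in assigned],
        "nat66": net.subnet_of(ULA),  # ULA on the LAN implies NAT66
    }

if __name__ == "__main__":
    # Constructed inputs: documentation and ULA prefixes, not real delegations.
    for prefix in ("2001:db8:0:10::/60", "fd00:1234:5678::/63"):
        plan = plan_vlan_prefixes(prefix, ["Data", "Voice", "Guest"])
        print(prefix, "starved:", plan["starved"], "NAT66:", plan["nat66"])
```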
Auto (DHCPv6-PD)
Auto is the simplest way to configure IPv6: the MX obtains IPv6 prefixes directly from the WAN ISPs and automatically assigns them to IPv6-enabled VLANs. Please note that this requires the ISP to support DHCPv6-PD. Currently, MX does not support DHCPv6 options in MX17.
Configuration:
- Go to Security & SD-WAN > Configure > Addressing & VLANs > Select [or add] the VLAN you want IPv6 enabled on
- Configure the VLAN Name, VLAN ID, Group Policy (optional) and VPN (optional) & click Next
- Ensure IPv6 Config is set to Enabled and the appropriate WANs to Auto and click Preview
- Confirm, double-check the changes, and select Update
- Remember to save the configuration via the Security & SD-WAN > Configure > Addressing & VLANs page so the changes are applied to the MX.
- Once the configuration is complete, the MX will send DHCPv6-PD requests via the enabled IPv6 Uplinks to obtain IPv6 Prefixes to use on the IPv6-enabled VLANs.
Manual Prefixes (Auto delegation)
You can configure Manual prefixes if your ISP doesn’t support DHCPv6-PD or if you are using your own Independent Prefix space. The MX will in turn automatically assign /64 prefixes to each VLAN as configured and available.
Note:
- When a manual prefix is added per origin (WAN1 or WAN2), this disables auto delegated prefixes from DHCPv6-PD for the respective origin (WAN1 or WAN2). This means that automatic VLAN assignments will not obtain a prefix from the auto delegated prefix pool from DHCPv6-PD. More on this in Manual Prefixes (VLAN overrides).
Configuration:
- Go to Security & SD-WAN > Monitor > Appliance status page
- Click on the IPv6 Prefixes tab and click Add new prefixes on the right-hand side
- Enter the source name and Prefix, select the appropriate origin, and click Save
Manual Prefixes (VLAN overrides)
Individually override the VLAN configuration with the specific prefixes you want that VLAN to use. This is only recommended if you have non-changing prefixes (typically static from an ISP or your own Independent prefix space).
When performing VLAN overrides, make sure the following rules are met for the end device to receive an IP (if not, you will receive dashboard alerts):
- If the WAN_X uplink gets a ULA prefix from upstream, you can enable IPv6 for the VLAN and configure a VLAN override for the WAN_X origin with the matching WAN_X ULA prefix in the Addressing & VLANs page (where X = WAN1 or WAN2).
- If the WAN_X uplink gets a GUA prefix from upstream, you can enable IPv6 for the VLAN and configure a VLAN override for the WAN_X origin with the matching WAN_X GUA prefix (where X = WAN1 or WAN2).
- If you want to enable IPv6 for the VLAN and configure a VLAN override with a GUA/ULA prefix for the Independent origin, you must configure the same GUA/ULA prefix for the Independent origin in the delegation prefix table.
Configuration:
- Go to Security & SD-WAN > Configure > Addressing & VLANs page > Select [or add] the VLAN you want IPv6 enabled on
- Configure the VLAN Name, VLAN ID, Group Policy (optional) and VPN (optional) & click Next
- Select the Enable button for IPv6 and select Manual for WAN 1 / WAN 2 or Independent
- The WAN selection defines that the IPv6 prefix will route to the uplink network via the selected WAN (Origin).
- Click Save and preview your changes, then click the Update button
- Remember to save the configuration via the Security & SD-WAN > Configure > Addressing & VLANs page so the changes are applied to the MX
Recursive DNS Server (RDNSS)
RDNSS support requires a minimum firmware version of MX 18.205.
RDNSS allows for the specification of IPv6 DNS servers so clients are able to look up IPv6 AAAA records without the need for an IPv4 intermediary. Once the servers are configured they will be advertised as part of the IPv6 Router Advertisement (RA) process.
Configuration:
- Go to Security & SD-WAN > Configure > DHCP page.
- Input the IPv6 address of your DNS server in the Custom nameservers field; this can be in addition to any IPv4 DNS servers.
- If the dropdown box for DNS nameservers is used to select a predefined option, both IPv4 and IPv6 addresses will be automatically configured.
- If IPv4 addresses are provided using the "specified nameservers" option, but no IPv6 addresses are provided, the MX will advertise its VLAN interface addresses as IPv6 DNS servers to clients and begin proxying DNS queries as though the "proxy to upstream DNS" option is in use.
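To verify what a VLAN actually advertises, the RA options named on this page (source link-layer address, MTU, prefix information and RDNSS) can be decoded from a captured Router Advertisement and the DNS servers compared with an allow-list. This is an added example, not Meraki code; the function names and the sample packet are constructed, and the option layouts follow RFC 4861 and RFC 8106.

```python
import ipaddress
import struct

def parse_ra_options(ra: bytes) -> dict:
    """Decode the options carried in an ICMPv6 Router Advertisement."""
    if len(ra) < 16 or ra[0] != 134:
        raise ValueError("not a Router Advertisement (ICMPv6 type 134)")
    out = {"slla": None, "mtu": None, "prefixes": [], "rdnss": [], "other": []}
    pos = 16  # options start after the fixed 16-byte RA header
    while pos < len(ra):
        otype = ra[pos]
        units = ra[pos + 1] if pos + 1 < len(ra) else 0
        size = units * 8  # option length is counted in 8-octet units
        if units == 0 or pos + size > len(ra):
            raise ValueError(f"malformed option at offset {pos}")
        body = ra[pos + 2 : pos + size]
        if otype == 1:  # Source Link-Layer Address (RFC 4861)
            out["slla"] = body[:6].hex(":")
        elif otype == 5 and units == 1:  # MTU (RFC 4861)
            out["mtu"] = struct.unpack_from("!I", body, 2)[0]
        elif otype == 3 and units == 4:  # Prefix Information (RFC 4861)
            plen, flags, valid, preferred = struct.unpack_from("!BBII", body)
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            out["prefixes"].append({"prefix": net, "slaac": bool(flags & 0x40),
                                    "valid": valid, "preferred": preferred})
        elif otype == 25 and units >= 3 and units % 2 == 1:  # RDNSS (RFC 8106)
            lifetime = struct.unpack_from("!I", body, 2)[0]
            servers = [ipaddress.IPv6Address(body[i : i + 16])
                       for i in range(6, len(body), 16)]
            out["rdnss"].append({"lifetime": lifetime, "servers": servers})
        else:
            out["other"].append(otype)
        pos += size
    return out

def unexpected_rdnss(parsed: dict, allowed: set) -> list:
    """Return advertised DNS servers that are not on the allow-list."""
    return [str(s) for o in parsed["rdnss"] for s in o["servers"] if str(s) not in allowed]

# Constructed RA for illustration: SLLA, MTU 1500, one /64 prefix, one RDNSS.
SAMPLE_RA = (
    bytes([134, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
    + bytes([1, 1]) + bytes.fromhex("020000000001")
    + bytes([5, 1, 0, 0]) + struct.pack("!I", 1500)
    + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:0:12::").packed
    + bytes([25, 3, 0, 0]) + struct.pack("!I", 600)
    + ipaddress.IPv6Address("2001:db8:0:12::1").packed
)
```

A non-empty result from `unexpected_rdnss` on a client VLAN means some router on that segment is advertising a resolver you did not configure.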
Cellular
The MX67C and MX68CW are now capable of obtaining a /64 prefix from the cellular provider network to use as its cellular WAN. Since IPv6 requires additional prefixes to function on the LAN, either DHCPv6-PD needs to be supported by the cellular provider or an Independent prefix should be configured so that LAN clients can communicate using IPv6 over the cellular network.
Note:
- It is recommended to configure a ULA prefix as Independent in the IPv6 Prefix tab so it can be leveraged for Cellular assignment. This will allow LAN clients to receive IPv6 addresses via SLAAC on VLANs enabled for Independent, and when a client uses IPv6 from the LAN to the Internet over cellular, the MX will translate the LAN address to the single /64 on the cellular interface and use the IPv6 cellular network.
Configuration:
- Go to Security & SD-WAN > Configure > Addressing & VLANs > Select [or add] the VLAN you want IPv6 enabled on
- Configure the VLAN Name, VLAN ID, Group Policy (optional) and VPN (optional) & click Next
- Ensure IPv6 Config is set to Enabled and the appropriate WANs to Auto and click Preview
- Confirm, double-check the changes, and select Update
- Remember to save the configuration via the Security & SD-WAN > Configure > Addressing & VLANs page so the changes are applied to the MX
- Once the configuration is complete, the MX will send DHCPv6-PD requests via the enabled IPv6 Uplinks to obtain IPv6 Prefixes to use on the IPv6-enabled VLANs.
Link-Local and Solicited Node Multicast (SNMC) Visibility
Link-Local and Solicited Node Multicast address information can be found under the Security & SD-WAN > Configure > Addressing & VLANs page, inline with the related IPv6 information for each VLAN.
Dynamic VLAN Objects
With the dynamic nature of IPv6 (DHCPv6-PD), configuring prefixes manually is not a real solution. To accommodate this challenge, we are introducing a new way to configure firewalls on the MX. You can now configure the VLAN by name on the firewall page as source or destination:
- Specify Dual-Stack (covers both IPv4 and IPv6)
- Configure IPv6-only or IPv4-only offsets for specific IPs
Configuration:
- Browse to Security & SD-WAN > Configure > Firewall page
- Click the “Add new” button for the Inbound or Outbound firewall as desired
- Start creating your rule, but instead of adding a local source or destination prefix, type the VLAN name
- Select the desired source and destination VLANs and complete your rule
- Click Finish editing to review your changes and select Save
In this example, rule #4 is denying TCP traffic sourced from “Guest” VLAN to “Data” VLAN destination. “Data” VLAN is configured as VLAN 12 encompassing dual-stack prefixes.
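The following added example (a simplified model, not the MX implementation) shows why VLAN objects matter for policy: a deny rule pinned to literal IPv6 prefixes stops matching once the delegated prefix changes, while the same rule written with VLAN names keeps denying Guest to Data traffic for both address families. The rule format, the default-allow fall-through and all prefixes are assumptions for illustration.

```python
import ipaddress

def resolve(term, vlans):
    """Expand a rule term: 'Any', a VLAN name (dual-stack) or a literal CIDR."""
    if term == "Any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if term in vlans:  # VLAN object: looked up at evaluation time
        return [ipaddress.ip_network(p) for p in vlans[term]]
    return [ipaddress.ip_network(term)]

def term_matches(term, addr, vlans):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in resolve(term, vlans))

def evaluate(rules, proto, src, dst, vlans):
    """First match wins; falls through to allow (assumed default for this model)."""
    for policy, rule_proto, rule_src, rule_dst in rules:
        if (rule_proto in ("any", proto)
                and term_matches(rule_src, src, vlans)
                and term_matches(rule_dst, dst, vlans)):
            return policy
    return "allow"

# Constructed prefixes: the same VLANs before and after a new prefix is delegated.
VLANS_BEFORE = {"Guest": ["192.168.20.0/24", "2001:db8:a:20::/64"],
                "Data": ["192.168.12.0/24", "2001:db8:a:12::/64"]}
VLANS_AFTER = {"Guest": ["192.168.20.0/24", "2001:db8:b:20::/64"],
               "Data": ["192.168.12.0/24", "2001:db8:b:12::/64"]}

PINNED = [("deny", "tcp", "2001:db8:a:20::/64", "2001:db8:a:12::/64")]
BY_NAME = [("deny", "tcp", "Guest", "Data")]

if __name__ == "__main__":
    # Guest -> Data flow using the addresses in effect after renumbering.
    flow = ("tcp", "2001:db8:b:20::5", "2001:db8:b:12::9")
    print("literal prefixes:", evaluate(PINNED, *flow, VLANS_AFTER))
    print("VLAN objects:    ", evaluate(BY_NAME, *flow, VLANS_AFTER))
```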
Refer to the main KB: IPv6 Support on MX Security & SD-WAN Platforms [Core Fundamentals]