09-22-2017 03:13 AM
Setup is as follows, two IAP205 running 18.104.22.168.
IAPs have vlans tagged to them, I use 802.1x for authentication with NPS, so users authenticate and get dynamic vlan assignment - This works like a charm. I did set up a vlan (72) with dual stack L3-configuration, parallel setup of ipv4/6 with SLAAC on ipv6. It works.
However.... It seems the other wireless networks also get SLAAC addresses from vlan 72?!
When checking with wireshark on the clients, I can see the router advertisements/solicitation between the router on vlan 72 and the clients on vlan 440/441. What gives?
The problem doesn't exist on the wired network, only on the wireless. I have also tried to route the networks in different routers (Fortigate, Juniper srx, Ubiquiti), but the behaviour is the same. The addresses that belong to vlan 72 obviously don't work on the other vlans - It isn't possible to reach the router on 72 from 440/441.
From what I can tell, it looks like the IAP leaks icmpv6 between the vlans, but not much else.
Is this a known bug?
09-27-2017 08:05 AM
Please open a TAC call to have this investigated.
It might be that on Instant IPv6 SLAAC is incompatible with multiple VLANs on the same SSID. Because all clients on an SSID share the same broadcast key, the router advertisements for all VLANs might end up being sent to the client. This results in the first RA received by a client being taken for granted and the client IPv6 is picked based on that. That might, or might not be the RA for the correct VLAN. On controllers, all RA are converted to unicast WLAN to overcome this issue. In order to do that, the AP should be IPv6 aware and I'm unsure if that is the case at the moment (it looks like there are IPv6 firewall options in Instant 6.5.3). Please open a TAC case if you need to have that confirmed.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).