I have 4 AP's, model IAP325, running ArubaOS v8.5.0.3. The uplink port of each AP is in tunnel mode.
On one of my SSID's I have set a default VLAN of 20. Authentication is via a local Radius server, that server passes back a VLAN tag of 10 for selected users. This works correctly for IPv4, the AP's place the mobile devices in the appropriate VLAN and the devices correctly obtain an IP address via DHCP from the range for that VLAN.
However I am seeing problems with IPv6, where I rely on auto configuration. Mobile devices sometimes autoconfigure with addresses from the wrong VLAN, or from both VLANs. When I monitor traffic on a mobile device, I see IPv6 router advertisements for both VLANs, whlie I should be seeing advertisements only for the VLAN the mobile device is a member of.
It looks like the AP's are not handling tagged IPv6 packets correctly, that they are forwarding VLAN20 packets to VLAN10, and VLAN10 packets to VLAN20. I have seen this problem with ArubaOS v8.3.0.9, v8.4.0.4, and v8.5.0.3. Has anyone encountered this problem before, and if so were you able to solve it?
For info, I have a second SSID which defaults to VLAN30. Dynamic VLAN allocation is not enabled for this SSID. I see no leakage of IPv6 packets to or from this VLAN.