Wireless Access

Hi Airheads,

 

I have a running deployment with 7240xm (Standalone) with ArubaOS 8.5.0.8 installed , recently i looked over the user-table via CLI and notice a lot of records of IPv6 client.

Screenshot:

 

In the running-cfg i triple check , there is no ipv6 enabled in anyway or interface, i even just to be sure ran the command no ipv6 enable...but yet..client with ipv6 address are poping at the user-table.

 

Please advise. (Any fix? anyone also bumped into it?)

 

 

 

No ipv6 enable  https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/1cli-commands/ipv6-enable.htm?Highlight=ipv6

 

no ipv6 firewall

 https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/1cli-commands/ipv6-firewall.htm?Highlight=firewall%20ipv6

 

 

 

Hi ,

Thanks for the response,As i wrote in my post.

 

no ipv6 enable .... i triple did it (even due there isnt any ipv6 enabled in the running-cfg

 

regarding the no ipv6 firewall. ... (even due that in the GUI there isnt any V marked on the firewall ipv6 section , i notice the ipv6 firewall command at the running-cfg) BUT there isnt no command for ipv6 firewall,screenshot attached

is this the cause? why it's running ?! i didn't checked ON ipv6 in stage of the deployment: 

Please advise.

 

 

 

 

I apologize.  Wrong command.

 

What is the output of "show ipv6 global" on the controller?

Disabled.

 

Did you try a "aaa user delete" to see if those users return when deleted?

0 users deleted - even due it's on on the user-table (every day)

 

Also....

( I tried name & IP ) even due it's not an IPv4 address at all.

try aaa user delete all.

 

If that doesn't work, it is time to open a support case.

OK.
the IPv6 records are poping on daily base , even after full controller reboot.

So i think i will go with that to TAC.

Thanks for all the syntax debug with me

The fe80:: IPv6 addresses are link-local IPs and many clients these days automatically get those, which doesn't mean you should see them in the user table. The default 'validuser' acl even blocks these out for appearing in the user table. Did you modify the validuser acl?

ip access-list session validuser
    network 127.0.0.0 255.0.0.0 any any deny
    network 169.254.0.0 255.255.0.0 any any deny
    network 224.0.0.0 240.0.0.0 any any deny
    host 255.255.255.255 any any deny
    network 240.0.0.0 240.0.0.0 any any deny
    any any any permit
    ipv6 host fe80:: any any deny
    ipv6 network fc00::/7 any any permit
    ipv6 network fe80::/64 any any permit
    ipv6 alias ipv6-reserved-range any any deny
    ipv6 any any any permit
!

I agree that if IPv6 is disabled that I would not expect to see IPv6 user entries. Please open a support case if you see those.