Hello,
We are running a dev system on AOS 8.10: 1xMC, a 2-controller cluster (and a 2-controller backup cluster), all 7220s.
We have a newish FW and want to play with ipv6, now trying to get it working on a client VLAN. Of course we have limited IPv6 experience!
We have:
- enabled IPv6 globally on all controllers
- given each controller (and MM) a static IPv6 global address on their management VLANs and set this to be the controller-ip (this all appears to work fine)
- set the IPv6 default gateway address
- have _not_ set a loopback address (we don't currently have this set on any controllers)
- routing for all VLANs that we are playing with (MD management and client VLANs) takes place on the FW
- set an IPv6 address on client VLAN interface on all cluster members (this VLAN is native IPv6)
- our FW chap has tried setting SLAAC and DHCPv6 (on the FW) but clients always fail to get an address. Strangely, a device that was _already_ connected to the test SSID that drops onto the IPv6 client VLAN looked like it did pick up what looked like valid addresses, though as soon as the owner tried to disconnect and reconnect, it failed to connect. It feels like this is a red herring or some product of circumstance, but I mention it anyway.
- APs are on IPv4 mgmt addresses
- I am testing on a RAP from home. It's a tunnelled SSID (testing version of eduroam)
I'm not sure what we are missing. On the client VLAN interfaces on the controllers, what do we need to configure as a minimum? Do we have to configure DHCP helpers? MLD? Neighbour Discovery? The FW guy is fairly confident he has done what is necessary on the FW.
The logon user role has default rules which I assume should allow IPv6 to work:
v6-logon-control
----------------
Priority  Source  Destination          Service      Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Denylist  Mirror  DisScan  IPv4/6  Contract  Mark  Description
--------  ------  -----------          -------      -----------  ------  ---------  ---  -------  -----  ---  -----  --------  ------  -------  ------  --------  ----  -----------
1         user    any                  udp 546                   deny                             Low                                           6
2         any     any                  svc-v6-icmp               permit                           Low                                           6
3         any     any                  svc-v6-dhcp               permit                           Low                                           6
4         any     any                  svc-dns                   permit                           Low                                           6
5         any     fc00::/7             any-v6                    permit                           Low                                           6
6         any     fe80::/64            any-v6                    permit                           Low                                           6
7         any     ipv6-reserved-range  any-v6                    deny                             Low                                           6
The SSID is dot1x (test version of eduroam, which works fine on an IPv4 VLAN).
In the user table it is interesting, because my device's IPv6 link-local address appears and is in the 'open' (post-auth) role. But even so, adding a v6-allowall to that role makes no difference. My Android phone client just gets stuck on Obtaining IP address.
I have been trying to follow the deployment guide but there is a lot to take in and it often just assumes we will know what we need.
Any ideas what we are missing please? Or is there a step-by-step guide for this? Any help much appreciated.
Thanks,
Guy