Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN

Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6
Deployment Guide, CUWN Release 8.0
Last Updated:
Phase1—Client IPv6 Support in Release 7.2 to 7.6.
Phase 2—Infrastructure IPv6 Support in Release 8.0.
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
This document provides information about the theory of operation and configuration for Cisco’s Unified Wireless LAN
solution as it pertains to supporting IPv6 clients.
The Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later, page 19 section of this document provides
information about the Infrastructure support for IPv6 protocols in the Unified controllers in Release 8.0.
IPv6 Wireless Client Connectivity Supported in Release 7.2 and Later
The IPv6 feature set within the Cisco Unified Wireless Network software release version 7.2 allows the wireless network
to support IPv4, Dual-Stack, and IPv6-only clients on the same wireless network. The overall goal for the addition of IPv6
client support to the Cisco Unified Wireless LAN is to maintain feature parity between IPv4 and IPv6 clients including
mobility, security, guest access, quality of service, and endpoint visibility.
Up to eight IPv6 client addresses can be tracked per client. This allows IPv6 clients to have a link-local, SLAAC address,
DHCPv6 address, and even addresses in alternative prefixes to be on a single interface. Work Group Bridge (WGB) clients
connected to the uplink of an Autonomous Access Point in WGB mode can also support IPv6.
Every IPv6 enabled interface must contain at least, 1 Loopback and 1 Link-Local address. Optionally, every interface can
have multiple Unique-Local and Global IPv6 addresses.
Solution Components

Wireless controllers 2500 series, 5500 series, WiSM2, 7500 series, 8500 series, and vWLC

Cisco AP 1040, 1130 (feature parity with release 7.6; release 8.0 features are not supported), 1140, 1240 (feature
parity with release 7.6; release 8.0 features are not supported), 1250, 1260, 1600, 2600, 2700, 3500, 3500p, 3600,
3700, Cisco 600 Series OfficeExtend Access Points, AP 702, AP 702W, AP 801, and AP 802
Cisco Systems, Inc.
1
www.cisco.com
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6

Cisco Aironet 1530 series outdoor 802.11n mesh access points, Cisco Aironet 1550 (1552) series outdoor 802.11n
mesh access points, Cisco Aironet 1520 (1522, 1524) series outdoor mesh access points
Note: The 1520 and 1550 series APs with 64 MB does not support PPPoE and PMIPv6.

An IPv6-capable Router and/or Switch
Prerequisites for Wireless IPv6 Client Connectivity
To enable wireless IPv6 client connectivity, the underlying wired network must support IPv6 routing and an address
assignment mechanism such as SLAAC or DHCPv6. The wireless LAN controller must have L2 adjacency to the IPv6
router, and the VLAN must be tagged when entering the controller interfaces. Prior to Release 8.0, APs did not require
connectivity to an IPv6 network, as all traffic is encapsulated inside the IPv4 CAPWAP tunnel between the AP and the
controller.
SLAAC Address Assignment
The most common method for IPv6 client address assignment is Stateless Address Auto Configuration (SLAAC). SLAAC
provides simple plug and play connectivity where clients self-assign an address based on the IPv6 prefix. This process
is achieved by the IPv6 router sending out periodic Router Advertisement messages which inform the client of the IPv6
prefix in use (the first 64 bits) and of the IPv6 default gateway. From that point, clients can generate the remaining 64
bits of their IPv6 address based on either the MAC address of the adapter or randomly. Duplicate address detection is
performed by IPv6 clients to ensure random addresses that are picked do not collide with other clients. The address of
the router sending advertisements is used as the default gateway for the client.
The following configuration example from a Cisco-capable IPv6 router has the necessary commands to enable SLAAC
addressing and router advertisements:
interface Vlan20
description IPv6-SLAAC
ip address 192.168.20.1 255.255.255.0
ipv6 address 2001:DB8:0:20::1/64
ipv6 enable
end
2
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
DHCPv6 Address Assignment
CAPWAP
IPv6
Router
DHCPv6 Server
2001:db8:0:20::100/64
DHCPv6 Request
353114
2001:db8:0:20::1/64
CAPWAP
The use of DHCPv6 is not required for IPv6 client connectivity if SLAAC is already deployed. There are two modes of
operation for DHCPv6 called Stateless and Stateful.
The DHCPv6 Stateless mode is used to provide clients with additional network information not available in the router
advertisement. This information can include the DNS domain name, DNS server(s), and other vendor-specific options.
The following interface configuration example is for an IPv6 router implementing stateless DHCPv6 with SLAAC enabled:
interface Vlan20
description IPv6-DHCP-Stateless
ip address 192.168.20.1 255.255.255.0
ipv6 enable
ipv6 address 2001:DB8:0:20::1/64
ipv6 nd other-config-flag
ipv6 dhcp relay destination 2001:DB8:0:20::100
end
The DHCPv6 Stateful mode operates similar to DHCPv4, that is, it assigns addresses to each client instead of the client
generating the address as in SLAAC. The following interface configuration is for an IPv6 router implementing stateful
DHCPv6 with SLAAC turned off:
interface Vlan20
description IPv6-DHCP-Stateful
ip address 192.168.20.1 255.255.255.0
ipv6 enable
ipv6 address 2001:DB8:0:20::1/64
ipv6 nd prefix 2001:DB8:0:20::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp relay destination 2001:DB8:0:20::100
3
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
end
IPv6 Client Mobility
In order to deal with roaming IPv6 clients across controllers, the ICMPv6 messages such as NS, NA, RA, and RS must be
dealt with specially to ensure that a client remains on the same Layer 3 network. The configuration for IPv6 mobility is
the same as for IPv4 mobility and requires no separate software on the client side to achieve seamless roaming. The only
required configuration is the controllers must be part of the same mobility group/domain.
The process of IPv6 client mobility across controllers is as follows:
1. If both controllers have access to the same VLAN the client was originally on, the roam is simply a Layer 2 roaming
event where the client record is copied to the new controller and no traffic is tunneled back to the anchor controller.
2. If the second controller does not have access to the original VLAN the client was on, a Layer 3 roaming event will
occur, meaning all traffic from the client must be tunneled via the mobility tunnel (Ethernet over IP) to the anchor
controller. In a mixed deployment with Release 7.x and 8.x, Ethernet over IP is used. In pure 8.0 deployments, we
support CAPWAP tunnel for IPv6 mobility tunnel.
a. To ensure that the client retains its original IPv6 address, the Router Advertisements from the original VLAN are
sent by the anchor controller to the foreign controller where they are delivered to the client using L2 Unicast from
the AP.
b. When the roamed client goes to renew its address via DHCPv6 or generate a new address via SLAAC, the Router
Solicitation, Neighbor Advertisement, and Neighbor Solicitation packets continue to be tunneled to the original
VLAN so that the client receives an IPv6 address that is applicable to that VLAN.
Note: Mobility is based on VLAN information. It is not based on the IPv4 subnet or IPv6 prefix in use. This means that
IPv6 client mobility is not supported on untagged VLANs.
4
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Support for Interface Groups
Router 1
Interface
VLAN 100
Group
RA From
VLAN 100
VLAN 200
RA
VLAN = 100
CAPWAP
CAPWAP Tunnel
353116
RA
VLAN = 200
RA From
VLAN 200
Router 2
The interface groups feature allows an organization to have a single WLAN with multiple VLANs configured on the
controller to permit load balancing of wireless clients across these VLANs. This feature is commonly used to keep IPv4
subnet sizes small while enabling a WLAN to scale to thousands of users across multiple VLANs in the group. To support
IPv6 clients with interface groups, no additional configuration is required as the system automatically sends the correct
router advertisement to the correct clients via L2 wireless unicast. By unicasting the router advertisement, clients on the
same WLAN, but a different VLAN, do not receive the incorrect RA.
Note: It is not recommended to mix IPv4 and IPv6 dual stack clients in the same Interface Group.
First Hop Security for IPv6 Clients
Router Advertisement Guard
IPv6
802.11
IPv6
CAPWAP
VLAN
Ethernet
802.11
353117
CAPWAP
Tunnel
IPv6 RA
CAPWAP
The RA Guard feature increases the security of the IPv6 network by dropping router advertisements coming from wireless
clients. Without this feature, misconfigured or malicious IPv6 clients could announce themselves as a router for the
network, often with a high priority, which could take precedence over legitimate IPv6 routers.
By default, RA guard is enabled at the AP (but can be disabled) and is always enabled on the controller. Dropping RAs
at the AP is preferred as it is a more scalable solution and provides enhanced per-client RA drop counters. In all cases,
the IPv6 RA is dropped at some point, protecting other wireless clients and upstream wired network from malicious or
misconfigured IPv6 clients.
5
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
DHCPv6 Server Guard
The DHCPv6 Server guard feature prevents wireless clients from handing out IPv6 addresses to other wireless clients or
wired clients upstream. To prevent DHCPv6 addresses from being handed out, all DHCPv6 advertise packets from
wireless clients are dropped. This feature operates on the controller, requires no configuration and is enabled
automatically.
IPv6 Source Guard
The IPv6 source guard feature prevents a wireless client spoofing an IPv6 address of another client. This feature is
analogous to IPv4 source guard. IPv6 source guard is enabled by default.
IPv6 Access Control Lists
In order to restrict access to certain upstream wired resources or block certain applications, IPv6 Access Control lists
can be used to identify traffic and permit or deny it. IPv6 Access Lists support the same options as IPv4 Access Lists
including source, destination, source port, and destination port (port ranges are also supported). The wireless controller
supports up to 64 unique IPv6 ACLs each with 64 unique rules in each. The wireless controller continues to support an
additional 64 unique IPv4 ACLs with 64 unique rules in each for a total of 128 ACLs for a dual-stack client.
AAA Override for IPv6 ACLs
In order to support centralized access control through a centralized AAA server such as Cisco’s Identity Services Engine
(ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. To use this feature,
the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature
enabled. The actual named AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name similar to the
Airespace-ACL-Name attribute used for provisioning an IPv4-based ACL. The AAA attribute contents must be equal to
the name of the IPv6 ACL as configured in the controller.
Network Resource Efficiency for IPv6 Clients
Neighbor Discovery Caching
MAC
IPv6 Address
00:24:56:75:44:33
00:44:22:11:66:44
2001:db8:0:20::2
2001:db8:0:20::1
CAPWAP
Neighbor Solicitation (NS)
353118
CAPWAP
Neighbor Advertisement(NA)
The IPv6 neighbor discovery protocol (NDP) utilizes Neighbor Advertisement (NA) and Neighbor Solicitation (NS) packets
in place of ARP to allow IPv6 clients to resolve the MAC address of other clients on the network. The NDP process initially
uses multicast addresses to perform address resolution. This process consumes valuable wireless airtime because the
multicast addresses are sent to all the clients in the network segment.
6
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
To increase the efficiency of the NDP process, neighbor discovery caching allows the controller to act as a proxy and
responds back to the NS queries that it can support address resolution and duplicate address detection. Neighbor
discovery caching is made possible by the underlying neighbor binding table present in the controller. The neighbor
binding table keeps track of each IPv6 address and its associated MAC address. When an IPv6 client attempts to resolve
another client’s link-layer address, the neighbor solicitation packet is intercepted by the controller that responds back
with a neighbor advertisement packet.
Router Advertisement Throttling
Router Advertisement (RA) throttling allows the controller to enforce rate limiting of RAs headed towards the wireless
network. By enabling RA throttling, routers that are configured to send RAs frequently (every 3 seconds) can be trimmed
back to a minimum frequency that will still maintain IPv6 client connectivity. This allows airtime to be optimized by
reducing the number of multicast packets that must be sent. In all cases, if a client sends a Router Solicitation (RS), then
an RA will be allowed through the controller and unicast to the requesting client. This is to ensure that new clients or
roaming clients are not negatively impacted by RA throttling.
Note: When RA throttling occurs, only the first IPv6 capable router are allowed through. For networks that have multiple
IPv6 prefixes being served by different routers, RA throttling must be disabled.
IPv6 Guest Access
The wireless and wired guest features present for IPv4 clients work in the same manner for dual-stack and IPv6-only
clients. Once the guest user associates, they are placed in a “WEB_AUTH_REQ” run state until the client is authenticated
via the IPv4 or IPv6 captive portal. The controller will intercept both IPv4 and IPv6 HTTP and HTTPS traffic in this state
and redirect it to the virtual IP address of the controller. Once the user is authenticated via the captive portal, their MAC
address is moved to the run state and both IPv4 and IPv6 traffic is allowed to pass.
To support the redirection of IPv6-only clients, the controller automatically creates an IPv6 virtual address based on the
IPv4 virtual address configured on the controller. The virtual IPv6 address follows the convention of [::ffff:<virtual
IPv4 address>]. For example, a virtual IP address of 192.0.2.1 would translate into [::ffff:192.0.2.1].
Enter an IPv6 enabled URL such as www.ipv6.google.com or an IPv6 address of a web site, for example—[2001::120].
The controller will intercept IPv6 HTTP and HTTPS traffic in this state and redirect it to the IPv6 virtual IP address of the
controller as shown below:
7
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
When using a trusted SSL certificate for guest access authentication, ensure that both the IPv4 and IPv6 virtual address
of the controller is defined in DNS to match the SSL certificates hostname. This ensures that clients do not receive a
security warning stating that the certificate does not match the hostname of the device.
IPv6 VideoStream
VideoStream enables reliable and scalable wireless multicast video delivery, sending each client VideoStream in a
unicast format. The actual multicast to unicast conversion (of L2) occurs at the AP providing a scalable solution. In
Release 8.0, the controller sends the IPv6 video traffic inside an IPv4 or IPv6 CAPWAP multicast tunnel which allows
efficient network distribution to the AP.
8
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
IPv6 Quality of Service
IPv6 packets use a similar marking to IPv4’s use of DSCP values supporting up to 64 different traffic classes (0 – 63). For
downstream packets from the wired network, the IPv6 “Traffic Class” value is copied to the header of CAPWAP tunnel
to ensure that QoS is preserved end-to-end. In the upstream direction, the same occurs because client traffic marked
at Layer 3 with IPv6 traffic class will be honored by marking the CAPWAP packets destined for the controller.
IPv6 and FlexConnect
FlexConnect—Local Switching WLANs
FlexConnect in local switching mode supports IPv6 clients by bridging the traffic to the local VLAN, similar to IPv4
operation. Client mobility is supported for Layer 2 roaming across the FlexConnect group.
The following IPv6-specific features are supported in FlexConnect mode:

IPv6 RA Guard

IPv6 Bridging

IPv6 Guest Access
The following IPv6-specific features are not supported in FlexConnect local switching mode:

IPv6 Access Control Lists

IPv6 Source Guard

Neighbor Discovery Caching
9
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6

DHCPv6 Server Guard

Router Advertisement Throttling

Layer 3 Mobility

IPv6 VideoStream
FlexConnect—Central Switching WLANs
In release 8.0, FlexConnect can join CAPWAP multicast group. The controller should be set to Multicast - Multicast
mode for both AP Multicast mode and IPv6 AP Multicast mode.
Note: FlexConnect mode APs will join IPv4 or IPv6 Multicast group if AP Multicast mode is configured as Multicast
in release 8.0; however, there will be slight Data through-put degradation impact in the FlexConnect centrally
switched scenario compared to AP Multicast mode configured as Unicast.
Note: Smart AP image upgrade does not work on the 7500 controllers when the Master AP is connected over
CAPWAPv6.
The following IPv6 specific features are not supported in FlexConnect central switching mode:

Layer 3 Mobility

IPv6 VideoStream
Configuration for Wireless IPv6 Client Support
Configuring Global Controller (Screen Shots from Release 8.0)
Complete these steps:
1. Go to the Controller tab under the General page, do the following:

From the AP Multicast Mode drop-down list, choose Multicast and enter a valid multicast group address in the
Multicast Group Address text box.

From the AP IPv6 Multicast Mode drop-down list, choose Multicast and enter a valid IPv6 multicast group address
in the IPv6 Multicast Group Address text box. The IPv6 multicast group address must be in the FFXX::/16 range
which is scoped for IPv6 multicast applications.
10
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Note: It is important to perform this step for configuring the 2500 Series Wireless Controller. To enable efficient multicast
transmission, perform this step in all wireless controller.
If the FlexConnect mode APs are used for centrally switched IPv6 WLANs, do the following:
—
From the AP Multicast Mode drop-down list, choose Unicast.
—
From the AP IPv6 Multicast Mode drop-down list, choose Unicast.
2. Connect an IPv6 capable client to the wireless LAN. To validate that the client receives an IPv6 address, go to
Monitor > Clients > Detail.
11
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Configuring IPv6 Multicast
The controller supports MLDv1 snooping for IPv6 multicast allowing it to intelligently keep track of and deliver multicast
flows to clients that request them.
Note: Unlike previous versions of releases, IPv6 Unicast traffic support does not mandate that “Global Multicast Mode”
be enabled on the controller. IPv6 Unicast traffic support is enabled automatically.
Complete these steps:
1. Go to the Controller tab > Multicast page. To support multicast IPv6 traffic, check the Enable MLD Snooping check
box. In order for IPv6 Multicast to be enabled, the Enable Global Multicast Mode of the controller must be enabled
as well.
2. To verify that IPv6 multicast traffic is being snooped, go to the Monitor tab > Multicast page. Notice that both IPv4
(IGMP) and IPv6 (MLD) multicast groups are listed. Click the “MGID” to view the wireless clients joined to that group
address.
12
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Configuring IPv6 RA Guard
Complete these steps:
1. Go to the Controller tab and then IPv6 > RA Guard page.
2. From the IPv6 RA Guard on AP drop-down list, choose Enable. RA Guard on the controller cannot be disabled.
Along with RA Guard configuration, this page also displays any clients that have been identified as sending RAs.
13
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Configuring IPv6 Access Control Lists
Complete these steps:
1. Go to the Security tab.
2. In the left pane, click Access Control Lists.
3. Click New.
4. Enter a unique name for the ACL, change the ACL Type to IPv6, and click Apply.
5. Click the new ACL that was created in the above steps.
14
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
6. Click Add New Rule, and enter the desired parameters for the rule, and click Apply. Leave the sequence number
blank to place the rule at the end of the list. The Direction option of Inbound is used for traffic coming from the
wireless network, and Outbound for traffic destined for wireless clients. Remember, the last rule in an ACL is an
implicit deny-all.
7. IPv6 ACLs are applied on a per WLAN/SSID basis and can be used on multiple WLANs concurrently. To apply the
IPv6 ACL, navigate to the WLANs tab and click the WLAN ID of the SSID in question. Click the Advanced tab and
change the Override Interface ACL for IPv6 to the ACL name.
15
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Configuring IPv6 RA Throttling
Complete these steps:
1. Go to the Controller tab.
2. In the left pane, click IPv6 > RA Throttle Policy.
3. Check the Enable RA Throttle Policy check box. Adjust the throttle period and other options as required. However,
the default is recommended for most deployments.
16
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Each RA Throttling option is described below:

Throttle Period: The period of time that throttling takes place. RA throttling takes effect only after the “Max Through”
limit is reached for the VLAN.

Max Through: This is the maximum number of Router Advertisements on the VLAN before throttling kicks in. The “No
Limit” option allows an unlimited amount of RAs through with no throttling.

Interval Option: The interval option allows the controller to act differently based on the RFC 3775 value set in the IPv6
RA.
—
Passthrough – This value allows any RAs with an RFC3775 interval option to go through without throttling.
—
Ignore – This value will cause the RA throttler to treat packets with the interval option to be treated as a regular
RA and subject to throttling if in effect.
—
Throttle – This value will cause the RAs with the interval option to always be subject to rate limiting.

Allow At-least: The minimum number of Router Advertisements per router that will be sent as multicast before
throttling takes effect.

Allow At-most: The maximum number of Router Advertisements per router that will be sent as multicast before
throttling takes effect. The “No Limit” option will allow an unlimited amount of RAs through for that router.
The numerical values of the Allow At-least option must be less than the Allow At-most option which should be less than
Max Through option.
Configuring the IPv6 Neighbor Binding Table
Complete these steps:
1. Go to the Controller tab.
17
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
2. In the left pane, click IPv6 > Neighbor Binding.
3. Adjust the Down Lifetime, Reachable Lifetime, and Stale Lifetime as required. The default values should be sufficient
for most deployments.
Each lifetime timer refers to the state that an IPv6 address can be in:

Down Lifetime – The down timer specifies how long IPv6 cache entries should be kept if the interface goes down.

Reachable Lifetime – This timer specifies how long an IPv6 address will be marked active, which means traffic has
been received from this address recently.

Stale Lifetime – This timer specifies how long to keep IPv6 addresses in the cache which have not been seen within
the “Reachable Lifetime”.
Configuring IPv6 VideoStream
Complete these steps:
1. Ensure Global VideoStream features are enabled on the controller.
Refer to Cisco Unified Wireless Network Solution: VideoStream Deployment Guide for information on enabling
VideoStream on the 802.11a/g/n network as well as the WLAN SSID.
2. Go to the Wireless tab on the controller.
3. In the left pane, click Media Stream > Streams.
4. Click Add New to create a new stream.
18
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
5. Name the stream and enter the start and end IPv6 addresses. When using only a single stream, the start and end
addresses are equal. After adding the addresses, click Apply to create the stream.
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
This section provides a set of instructions to effectively configure native IPv6 features based on WLC Release 8.0.
The following are the Infrastructure IPv6 configuration items:

Address assignment

PING for IPv6

Management access (Wired and Wireless)—Telnet/SSH/HTTP/HTTPs

CAPWAPv6
19
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later

UDP Lite for IPv6

Tunnel switch

CAPWAP Preferred mode

Data DTLS

Mobility Configuration – L3

Auto Anchor/Guest Access

WebAuth for pure IPv6 client

NTP over IPv6

Syslog over IPv6

Radius Over IPv6

CDP v6

Flex Connect Central/Local switching with CAPWAP IPv4/IPv6 but IPv4 clients only

Service port SLAAC configuration
This section will not discuss standard controller features that were covered in earlier configuration and deployment
guides.
Enabling IPv6 on Your IOS Infrastructure Device
Enabling IPv6 on an individual infrastructure device to which wireless controller will be connected.
Refer to the following Cisco documentations for configuring IPv6 on other IOS devices.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book.pdf
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/
scg3750/swipv6.html
See Appendix A, page 46 for sample IPv6 configurations on the 3750 switch.
Controller Configuration for IPv6 Support
Controller configuration for the native IPv6 support is similar to that of the IPv4 controller with the exception of the few
interfaces accepting the IPv6 addresses as demonstrated in the following examples:

Management solution supports one IPv6 address (+ LLA address).

Dynamic interfaces support only IPv4 addresses.

Dynamic AP manager supports only IPv4 addresses.

Redundancy management/Redundancy port (HA interfaces support IPv4 only) supports only IPv4 addresses.

Service-port can get an IPv6 address statically or using SLAAC (Only SLAAC interface is supported on the WLC).

LAG is required for IPv6 AP load balancing.
DHCPv6 Proxy is not supported on dynamic interfaces (Only IPv6 DHCP bridging is supported- like 7.6 legacy).
20
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
1. To configure the IPv6 address for WLC, from the WLC’s main menu, go to Controller > Interfaces > Management.
a. In the Interface Address area, enter the Primary IPv6 Address in the 2001:XX:XX:X0::XX format. Enter the Prefix
Length as 64. In Primary IPv6 Gateway text box, assign the Link-Local address of the VLAN X0.
b. Login/telnet to the default gateway and run the command:
show ipv6 int brief or show ipv6 int vlanX0.
c. Now, copy/paste the specific link-local address to the WLC Primary IPv6 Gateway.
The following screenshot displays an example of the link local address for VLAN10 on a sample Core-Switch.
When you copy/paste the Link Local IPv6 address in the Primary IPv6 Gateway text box, ensure that there is no
space in the beginning and end of the Link local IPv6 address. Click Apply to save the settings.
21
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
The Management Interface is assigned a Link Local address by default. Global Unicast or Unique Local address must
be configured on the management interface.
Gateway must be the Link-Local address of the next hop router.
A Management Link-Local address is assigned automatically to the management interface, but the Primary address
must be a globally unique address.
2. Configure Dynamic interfaces:

No IPv6 address is used, IPv4 address is used on the Dynamic Interface.

An IPv6 address can exist on an IPv6 enabled switch/router because traffic is bridged on the VLAN.

A DHCPv6 server or relay must exist on the VLAN interface at the switch/router
3. Once the IPv6 address is assigned to the WLC management interface, try accessing the WLC GUI, that is, launch
https://[2001:10:10:X0::2] through your respective wired client connected to your controller.
22
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
4. Associate a wireless client, that is, your iPhone/iPad/laptop, to your respective controller WLAN and check if the
client is able to receive the IPv4 and IPv6 addresses. Also, go to WLC > Monitor > Clients and click the client MAC
address to view the IPv4 and IPv6 addresses.
The following screenshots display a client running MacOS, where the client is connected to the WLAN. The client
receives both IPv4 and IPv6 addresses. Also, the client is able to ping the IPv6 address.
23
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
24
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Mobility Group Configuration in Release 8.0
To support Mobility group configuration for Guest Anchor or Auto Anchor, the Guest Anchor should be on the 8.0 code
to support controllers in release 8.0. This allows 8.0 WLCs sharing the mobility group to connect by using the CAPWAPv6
tunnel, and the WLCs running prior to release 8.0 will join by using the EoIP tunnel.
There is no need for New Mobility with this configuration. In this configuration mode, both ends of the Mobility tunnels
have to be configured with IPv4 addresses. In pure 8.0 and later deployments, IPv6 addresses can be assigned and
CAPWAPv6 can be used.
Guest Anchor
Rel 8.0
CAPWAPv6 tunnel
EoIP tunnel
Mobility Group
Rel 7.6
353147
Rel 8.0
AP Join Prefer-Mode in Release 8.0
The Prefer-mode option allows administrators to configure IPv4 and IPv6 CAPWAP L3 transport through which APs will
join the WLC based on the primary, secondary or tertiary configuration.
25
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
There are three levels of the prefer-mode option:
1. AP Group Specific
2. Global
3. Static IP configuration
CAPWAP Prefer-Mode Configuration
1. AP Group specific “prefer-mode” will be pushed to AP if the “prefer-mode” of the AP Group to which the AP belongs
is configured.
2. Global prefer-mode will be pushed to default-group APs and to those AP Groups that do not have prefer-mode
configured.
3. By default, AP Group prefer-mode will be un-configured and Global prefer-mode is set to IPv4.
4. If an AP tries to join the WLC with configured prefer-mode and it fails to join, then it will fall back to choose the AP
manager of the other transport and joins the same WLC. When both transports fail, the AP will move to the next
discovery response.
26
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
5. The Static IP configuration takes precedence over prefer-mode.
For example:
—
Preferred mode configured as IPv4.
—
Static IPv6 configuration on AP using CLI or GUI.
—
AP joins the WLC using the IPv6 transport mode.
6. XML support of prefer-mode CLIs is provided.
7. Trap log is used when there is a failure in pushing the prefer-mode configuration to the AP.
Configuring Preferred-Mode from the GUI
Complete these steps:
1. As indicated above, Global prefer-mode will be pushed to default-group APs and to those AP Groups that do not
have prefer-mode configured. The following example displays the Global prefer-mode configuration in the GUI,
where the IPv4 or IPv6 address is chosen for the CAPWAP preferred-mode.
27
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
2. AP Group specific prefer-mode will be pushed to AP if prefer-mode of the AP Group is configured to the AP it
belongs. Global prefer-mode will be pushed to default-group APs and to those AP Groups that do not have
prefer-mode configured. To configure in the GUI CAPWAP preferred mode for the AP Group, see the following
example:
3. The following is an example of a Static IPv6 configuration for the CAPWAP preferred mode. As noted earlier, the
Static IP configuration will take precedence over the prefer-mode.
28
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Configuring Preferred-Mode from the CLI
config ap preferred-mode ipv4/ipv6 <apgroup>/<all>
This CLI command is used to configure the prefer-mode of the AP Group and all APs. Global prefer-mode is not applied
to APs if the AP Group prefer-mode is already configured. After configuration, the AP restarts the CAPWAP to join with
the configured prefer-mode after choosing the WLC based on its primary/secondary/tertiary configuration.
config ap preferred-mode disable <apgroup>
This CLI command is used to disable (unconfigure) the prefer-mode of the AP Group. APs that belong to <apgroup>
restarts the CAPWAP and joins back with the global prefer-mode.
show ap prefer-mode stats
This CLI command is used to display the statistics of the prefer-mode configuration. Statistics are not cumulative, but is
updated for the last executed CLI configuration of prefer-mode.
show wlan apgroups
This CLI command displays the prefer-modes that are configured for all the AP groups.
show network summary
29
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Ping IPv6 address of the GW in the AP using ping 2001:10:10:x0::1.
The AP rejoins the controller with pure IPv6 tunnel.
Configuring Additional IPv6 Features on the WLC
AP IPv6 Discovery Mechanism
Broadcasting is not supported in IPv6 addresses, so APs must use the following mechanisms to join a WLC via
CAPWAPv6.
30
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
AP Boots UP
Reset
Image Data
DTLS Setup
Run
Join




Config
353154
Discovery
DHCPv6 Option 52:
—
OPTION_CAPWAP_AC_V6 (52) RFC 5417.
—
As part of the DHCPv6 response, the server provides the IPv6 WLC management IPv6 address.
—
The AP begins Unicast CAPWAP discovery.
Multicast Discovery:
—
IPv6 address does not support broadcast.
—
Sends CAPWAP discovery messages to all APs multicast address (FF01::18C).
Using DNS:
—
Configure the DNS server to resolve cisco-capwap-controller.domain-name
—
The domain-name is returned from the DHCPv6 server.
AP Priming:
—
Preconfiguring the AP with a primary, secondary, and tertiary IPv6 address of the WLC management interface.
Selecting Primary, Secondary, and Tertiary Controllers
When selecting a primary, secondary, or tertiary controller, the process is similar to CAPWAPv4. The WLC management
IP address can either be IPv4 or IPv6, it does not matter as long as the address is reachable. It is not possible to add
both the IPv4 and IPv6 address because only one entry is allowed per WLC.
31
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
WLC2
CAPWAP
Primary: WLC1
Secondary: WLC2
Tertiary: WLC3
WLC3
CAPWAP
CAPWAP
Primary: WLC2
Secondary: WLC3
Tertiary: WLC1
Primary: WLC3
Secondary: WLC2
Tertiary: WLC1
353155
WLC1
Once the AP selects a WLC, the AP chooses to join via CAPWAPv4 or CAPWAPv6, depending on the CAPWAP
preferred-mode selected on the WLC.
PING IPv6 and IPv4 Addresses
You can ping IPv6 and IPv4 addresses from the controller interface. The following example shows how to use the ping
protocol in an IPv6 management interface:
ping <ipv4/ipv6 address>
Similar process can be followed in a switch interface.
Management Access (Wired and Wireless)—Telnet/SSH/HTTP/HTTPs
The WLC (wired/wireless) is accessed in the IPv6 Management Interface using:

Telnet

SSH
32
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later

HTTP

HTTPS
Dynamic interfaces do not have IPv6 addresses.
SNMP Trap Receiver
Mgmt: 2001:db8:a::2/64
10.10.10.2
IPv4/v6 router
2001:db8:a::1/64
10.10.10.1
33
IP: 2001:db8:a::5/64
SNMP trap receiver
353160
In controller Release 8.0, SNMP MIBs are sent to the IPv6 destination. Prime Infrastructure will support IPv6 in Release
2.2 and later.
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
UDP Lite for IPv6

Enabling UDP Lite speeds up the packet processing time.

UDP Lite computes checksum on the pseudo header of the datagram.

The IP protocol ID is 136 and it uses the same CAPWAP ports as UDP.

Enabling UDP Lite requires that the network firewall allows protocol 136.

Switching between UDP and UDP Lite causes all APs to re-join the WLC.

UDP Lite is enabled by default.
Configuring UDP Lite
Complete these steps:
1. UDP lite can be configured per AP or globally for all APs.
2. Check the UDP Lite configuration using the show ipv6 summary command.
34
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Data DTLS Enable
Like CAPWAPv6, DTLS also uses the AP’s IPv6 address. DTLS is enabled by default on the APs. To verify this, enter the
following command:
show dtls connections
Configuring Data DTLS
DTLS can be enabled on an individual AP or globally for all APs with the command below:
config ap link-encryption <enable/disable>
35
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Note: Data DTLS for CAPWAP APs joining over IPv6 tunnel is not available in release 8.0 for vWLC platform.
Web-Auth with Pure IPv6 Client
On the controller, the configuration is similar to IPv4. Before client authentication, it is displayed in the WEBAUTH_REQD
state as shown below.
Access an IPv6 enabled website such as www.ipv6.google.com or enter an IPv6 address of a website, for
example—[2001::101].
36
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
To verify that the WebAuth is in the RUN state, check the controller.
37
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
NTP Over IPv6
The NTP server configuration is supported on the controller in the native IPv6 mode, and NTP version 3 is now supported
using MD5 encryption.
Syslog Over IPv6
Mgmt: 2001:db8:a::2/64
10.10.10.2
IPv4/v6 router
2001:db8:a::1/64
10.10.10.1
The following is an example of the IPv6 Syslog Server configuration.
38
IP: 2001:db8:a::5/64
10.10.10.10
Syslog Server
353170
In Release 8.0, the native IPv6 syslog server is supported.
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
As an example, on Syslog Watcher you can see logs from the controllers. In this release, both syslog v4 and syslog v6
are generated.
39
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Radius Over IPv6
RADIUS authentication server IPv4 and IPv6 are supported in this release natively.
Accounting servers IPv4 and IPv6 are also supported.
40
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
In the figure below, the IPv6 servers are mapped to the WLAN.
CDP IPv6
CDPv6 works natively on the controller Release 8.0.
To see the CDPv6 on the controller, execute the following command:
Show cdp entry all
As shown in the example below, IPv4 and IPv6 neighbors are displayed:
41
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
The same can be executed from any neighbor switch and the controller will be displayed in the CDPv6 list.
The Controller CDP command can also be executed for APs:
show ap cdp neighbors
all—Displays cdp neighbor information for all Cisco APs.
ap-name—Displays cdp neighbor information for a specific Cisco AP.
detail—Displays detailed cdp neighbor information for a Cisco AP.
Flex Connect Central/Local Switching with CAPWAP IPv4/IPv6 but IPv4 Clients
Only
IPV6 and IPv4 are supported on the Flex Connect APs in the Centrally switched mode only. In the Locally switched mode,
IPv4 clients work as before with no issues.
Service Port SLAAC
SLAAC is only applicable for the Service port.
42
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
To disable the SLAAC interface on the Service port, enter the following command:
The SLAAC interface can also be enabled in the WebUI interface on the Service port as shown below:
43
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Rogue APs Origin Based Service Discovery
Rogue services are working as before on the controller with IPv6. See example below:
44
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 2—Infrastructure IPv6 Support in WLC Release 8.0 and Later
Features Not Supported in Release 8.0



Deployment Modes:
—
Flexconnect – Local switched
—
Mesh/Outdoor
—
Teleworker/OEAP
—
Converged Access
Services:
—
Bonjour
—
AVC
—
Trustsec
—
Mobility Multicast
Unsupported APs:
—
Bridge mode APs/AP with 64 Mb RAM
• OEAP 600
• ISR 800/802
• 1130/1240/1250
• 1310/1410
• 1550 with 64 Mb
• 1520
Note: See Controller Release Notes for complete details.


Misc. Configuration Options
—
Internal DHCPv6 Server
—
DHCPv6 Proxy
—
Auto configuration
—
Dynamic interfaces
—
RA Interfaces
—
OSCP and CA Server URL
—
VLAN pooling
Protocols
—
NTP v4
—
MLD v2
—
IPsec v3 and IKE v2
45
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
—
RLDP and CIDS
—
PMIP v6 on the WLC
—
New Mobility
Appendix A
Loading Images to Your IOS Switch
It is recommended that you download the entire “universal” “.tar” image that has web-based access to the IOS switch
as well.
For example, Cisco Catalyst 3750E IOS images can be downloaded from the link below:
http://software.cisco.com/download/release.html?mdfid=280831063&flowid=2587&softwareid=280805680&release=
15.0.2-SE6&relind=AVAILABLE&rellifecycle=ED&reltype=latest
It is recommended that IOS 15.2SE4 images or later be used for IPV6 support:
Catalyst 3750e - c3750e-c3750e-universalk9-tar.150-2.SE4
Catalyst 3750x - c3750e-c3750-ipservicesk9-tar.150-2.SE4
To install images on your IOS switch, use the following CLI under the privilege mode:
archive download-sw /overwrite /reload tftp://<tftp server ip>/<path>/<filename> flash:
For example:
archive download-sw /overwrite /reload
tftp://9.1.0.150/wnbu/c3750e-universalk9-tar.150-2.SE.tar flash:
The IOS switch replaces the older IOS image and does the necessary delete and so on and reloads.
46
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Post IOS Switch Reboot
To enable the IPv4/IPv6 stack (dual) on your IOS switch, do the following:
enable
configure terminal
license boot level ipservices
sdm prefer dual-ipv4-and-ipv6 default
write memory
reload
yes
Before the sdm command:
After: sdm prefer dual-ipv4-and-ipv6 default
47
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Enable IPv6 on the Required Interfaces
Example: Add an IPv6 address to the uplink port interface gi 1/0/24 with the command ipv6 address fd09:9:x::x/64.
Add the IPv6 address to VLAN interfaces with ipv6 address fd09:9:x:x::x/64.
Add the IPv6 address to the VLAN interfaces with ipv6 address 2001:9:x:x::x/64.
Address fd09:: is an IPv6 Unique Local Address, that is used for private networks.
Address 2001:: is an IPv6 Global Address.
Enable IPv6 Routing on the Required Interfaces
The following commands are examples for RIP routing configuration:
IPv6 unicast-routing
IPv6 router RIP user_id
(For example: Cisco-user, follow this strictly so there is no duplication.)
Example: Go to interface gi 1/0/24 and run the ipv6 rip cisco_user enable command (this interface is the uplink of
your own IOS switch Core, if it is different from gi1/0/24, replace with the appropriate uplink port).
Run the ipv6 rip cisco_user enable command in all the VLAN interfaces for routing.
Sample output of a IPv6 configured IOS switch:
Uplink Port Config
interface GigabitEthernet3/0/24
description ****Uplink to distribution switch *****
no switchport
ip address 9.12.0.26 255.255.255.0
48
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
ipv6 address FD09:9:12::26/64
ipv6 address 2001:9:12::26/64
ipv6 rip cisco-user enable
Global Config
ipv6 unicast-routing
ipv6 mld snooping
ipv6 router rip miadler
L3 Vlan Interface Config
interface Vlan128
ip address 9.12.128.1 255.255.255.0
ip helper address 9.1.0.100
ip pim sparse-dense-mode
ip igmp version 3
ipv6 address FD01:1:10:70::2/64
ipv6 address 2001:1:10:70::2/64
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 nd managed-config-flag (for stateful DHCPv6 use)
ipv6 nd router-preference High
ipv6 dhcp relay destination 2001:9:6:40::XX
Configuring DHCPv6 Server Functions
The DHCPv6 server function can be enabled on individual IPv6-enabled interfaces.
The DHCPv6 server can provide those configuration parameters that do not require the server to maintain any dynamic
state for individual clients, such as DNS server addresses and domain search list options. The DHCPv6 server may be
configured to perform prefix delegation.
All the configuration parameters for clients are independently configured into the DHCPv6 configuration pools, which are
stored in NVRAM. A configuration pool can be associated with a particular DHCPv6 server on an interface when it is
started. Prefixes to be delegated to clients may be specified either as a list of preassigned prefixes for a particular client
or as IPv6 local prefix pools that are also stored in NVRAM. The list of manually configured prefixes or IPv6 local prefix
pools can be referenced and used by DHCPv6 configuration pools.
The DHCPv6 server maintains an automatic binding table in its memory to track the assignment of some configuration
parameters, such as prefixes between the server and its clients. The automatic bindings can be stored permanently in
the database agent, which can be for example, a remote TFTP server or local NVRAM file system.
49
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Configuration Information Pool
A DHCPv6 configuration information pool is a named entity that includes information about available configuration
parameters and policies that control assignment of the parameters to clients from the pool. A pool is configured
independently of the DHCPv6 service and is associated with the DHCPv6 service through the command-line interface
(CLI).
Each configuration pool can contain the following configuration parameters and operational information:

Prefix delegation information, which could include:
—
A prefix pool name and associated preferred and valid lifetimes.
—
A list of available prefixes for a particular client and associated preferred and valid lifetimes.

A list of IPv6 addresses of DNS servers.

A domain search list, which is a string containing domain names for DNS resolution.
Configuring DHCPv6 Configuration Pool
This task explains how to create and configure the stateful DHCPv6 configuration pool and associate the pool with a
server on an interface.
Summary Steps
1. enable
2. configure terminal
3. ipv6 dhcp pool vlan-90-clients
4. address prefix FD09:9:5:90::/64
5. address prefix 2001:9:5:90::/64
6. dns-server 2001:9:5:90::115
7. domain-name test.com
8. information refresh 1
9. exit
10. interface type number
11. ipv6 dhcp server poolname [rapid-commit] [preference value] [allow-hint]
Configuring DHCPv6 Relay on L3 VLAN Interfaces
A DHCP relay agent that resides on the client’s link, is used to relay messages between the client and server. The DHCP
relay agent operation is transparent to the client. A client locates a DHCP server using a reserved, link-scoped multicast
address. Therefore, it is a requirement that for direct communication between the client and the server, the client and
the server must be attached to the same link. However, in some situations where management, economy, or scalability
is a concern, it is desirable to allow a DHCP client to send a message to a DHCP server that is not connected to the same
link.
This task describes how to enable the DHCPv6 relay agent function and specify relay destination addresses on an
interface.
50
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Summary Steps:
1. enable
2. configure terminal
3. interface type number
4. ipv6 dhcp relay destination ipv6-address [interface-type interface-number]
For example, if you want to add DHCPv6 relay to Vlan128 in your IOS switch, do the following:
configure t
interface vlan128
ipv6 dhcp relay destination 2001:9:6:40::XX
Implementing DHCPv6 Option 52 on Microsoft and Linux Based DHCP Servers
DHCPv6 Option 52 Overview
The CAPWAP protocol allows a lightweight access point (AP) to use DHCP to discover a wireless controller to which it
is connected to. Cisco lightweight APs running 8.0 and above support DHCP discovery for both IPv4 and IPv6 networks:

IPv4—Cisco lightweight APs implement DHCP option 43 to supply the IPv4 management interface addresses of the
primary, secondary, and tertiary wireless controllers (see the guide).

IPv6—Cisco lightweight APs implement DHCPv6 option 52 (RFC 5417) to supply the IPv6 management interface
addresses of the primary, secondary, and tertiary wireless controllers.
In 8.0 and above, Cisco lightweight APs support both stateless and stateful DHCPv6 addressing modes. In stateless
mode, the APs obtain an IPv6 addressing using SLAAC while additional network information (not obtained from router
advertisements) is obtained from a DHCPv6 server. In stateful mode, the APs obtain both IPv6 addressing and additional
network information exclusively from DHCPv6 (similar to DHCPv4). In both modes, a DHCPv6 server is required to provide
option 52 if wireless controller discovery using DHCPv6 is required. If a DHCPv6 server is not available, an alternative
discovery method such as DNS or AP Priming is required.
Cisco lightweight APs request DHCPv6 options using DHCPv6 Solicit and Request packets which are forwarded to all
DHCP servers multicast address (FF02::1:2). Request packets are forwarded in stateless mode while both Solicit and
Request packets are forwarded in stateful mode. The Solicit and Request packets include an Option Request field that
the APs use to request additional network information from the DHCPv6 server. The requested options include option 23
(Name Server), option 24 (Domain Search List) and option 52 (CAPWAP access controllers).
51
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Figure 1
Option Request Field in a Solicit and Request Packets
If the requested option 52 is defined within the IPv6 scope servicing the APs, the DHCPv6 server includes option 52
values in the DHCPv6 Advertise and Reply responses forwarded to the APs. The option 52 values forwarded to the APs
may include up to three wireless controller management IPv6 addresses in order of preference.
52
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Figure 2
DHCPv6 option 52 field in Advertise and Reply Packets
Option Formatting
Each DHCP server is unique and includes different pre-defined options from the server vendor. Unfortunately, option 52
is not pre-defined on Microsoft Windows Server 2008, Windows Server 2012, or Linux ISC which requires option 52 to
be globally defined before the option and values can be assigned to a IPv6 scope.
When defining option 52 on DHCPv6 server, it is important to note that the option must be defined using a specific format.
If not, the supplied wireless controller management interface IPv6 addresses will be rejected by the APs. To be supported
by Cisco lightweight APs, option 52 must be defined as an array of IPv6 addresses and cannot be defined as a string or
other type. If the option is not formatted correctly, the APs will reject the Advertise and Reply packets and fail to obtain
an IPv6 address.
DHCPv6 Server Configuration Examples
Internet Systems Consortium (ISC) DHCP Server
This section describes the configurations necessary on a Linux ISC DHCP server (4.1 and above) to define DHCPv6
option 52 and then assign the option and values to an IPv6 scope.
Configuration File
1. Modify the dhcpd6.conf file (typically, /etc/dhcp/dhcpd6.conf). Define a new unique option name (example,
dhcp6.capwap-ac-v6) as shown in the following example. The option code value must be set to 52 and type set to
array of ip6-address:
53
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
2. Locate the IPv6 scope servicing your Lightweight APs. Under the IPv6 range, add the newly defined option name
(example, dhcpv6.capwap-ac-v6) followed by the management interface IPv6 addresses of the primary WLC.
Optionally, define secondary and tertiary management interface IPv6 addresses if required. Note that a comma must
separate each IPv6 address.
3. Restart the ISC DHCPv6 Service:
Microsoft Windows Server 2008 / 2012
This section describes the configurations necessary on a Microsoft Windows Server 2008 / 2012 to define DHCPv6
option 52 and then assign the option and values to a IPv6 scope.
Defining DHCPv6 Option 52 Globally
1. Open the DHCP Manager and expand the DHCP tree. Right-click IPv6 and then select Set Predefined Options.
54
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
The Predefined Options and Values for v6 window appears.
2. In the Option class drop-down list, select DHCP Standard Options, and then click Add.
The Option Type window appears.
3. Enter a Name for the new option (for example, capwap-ac-v6), and then set the Data type to IPv6 Address. Check
the Array check box, and then enter the Code value of 52. Click OK and then OK again. The new option is now
defined and can be assigned to IPv6 scopes.
55
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Assigning the DHCPv6 Option 52 and Values to an IPv6 Scope
1. Expand the first IPv6 scope servicing your Lightweight APs. Right-click Scope Options and then select Configure
Options.
The Scope Options window appears.
2. In the Available Options list, select the option 00052 capwap-ac-v6. In the New IPv6 address field, enter the
management interface IPv6 address of the primary WLC and then click Add.
56
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
3. (Optional) Define secondary and tertiary IPv6 addresses if required. Click Apply and then OK.
The WLC management IPv6 addresses are assigned to the IPv6 scope servicing the Lightweight APs.
57
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Verifying Cisco Lightweight Access Points
You can verify that a Cisco Lightweight Access Point (AP) has received an IPv6 address and options by logging into an
AP and issuing the show ipv6 dhcp interface command. The output displays any assigned IPv6 addresses along with
options and values:
IOS DHCPv6 Relay
In most enterprise deployments, the first hop router is configured to relay DHCPv6 messages to a centralized DHCP
server. You can verify that the DHCPv6 packets are being exchanged between an AP and DHCPv6 server on an IOS
device by issuing the debug ipv6 dhcp relay command.
58
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
In the above example, the DHCPv6 Solicit and Request packets from the AP are relayed to the DHCPv6 server with the
IPv6 address 2001:470:52C5:A::7. The Advertise and Reply packets from the DHCPv6 server are relayed back to the
APs link local address FE80::F27F:6FF:FEE8:1214.
59
Draft Label—Cisco Confidential
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Appendix A
Linux ISC (dhcpd.conf)
60