IPv6 on WiFi: You talk too much! NOT anymore. BRKEWN-2666
Andrew Yourtchenko
Technical Leader (IPv6 transition), CCIE#5323
@ayourtch
© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2666 Cisco Public
Abstract
IPv6 on the link is by default chattier than IPv4. This may discourage
IPv6 deployment in larger WiFi installations. In this session we will take a
close look at the "chatty" protocols and their interactions: MLD, ND,
mDNS. We will explore how these interactions can be controlled by
tuning the configurations on the gateways and WLC. We will cover the
emerging best practices to achieve the media usage similar to that of
IPv4, as well as some troubleshooting experiences. The intended
audience of this session is the specialists who deal with planning,
deployment and operation of the WiFi networks. This session is based on
the practical experience gained by implementation and operation of
large-scale networks like CiscoLive.
Prerequisites
Basic IPv6 knowledge (terminology)
Basic knowledge about Cisco WiFi/802.11
(Glossary is at the end of the slides)
What The WLAN Experts Tend To Say About IPv6…
Frankie Nord, “You talk too much”
Source: http://www.youtube.com/watch?v=bw4pnQNbBxE
Agenda
Sample WLC topology
IPv6 vs. IPv4: what’s relevant for WiFi ?
Deep dive and tuning
– Router discovery & maintenance
– Address Assignment (+ first hop)
– Neighbor Resolution & Maintenance
– Neighbor discovery and MLD interaction
– Other traffic optimizations
Security considerations
Troubleshooting IPv6 on WiFi
Sample WLC topology
IPv6 vs. IPv4: What is relevant for WiFi ?
ARP vs. ICMPv6
– Broadcast vs. multicast
– ARP is Layer 2 (ethertype 0x0806), ICMPv6 is Layer 3.14159
Router Discovery
SLAAC & DHCPv6
– RAs are vital !
Multiple addresses per host
ND: Router Maintenance
Figure: the router multicasts an RA every 200 s (+/- jitter) to the IPv6 hosts on the link; between RAs each host counts down the router lifetime it learned (Lifetime--), and every RA received restarts that countdown.
Multicast multicast mode
Multicast CAPWAP packet
PIM SSM configuration
ip pim rp-address 172.16.10.50
ip pim ssm default
interface GigabitEthernet1
 ip address 172.17.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
Output “show ip mroute” on the router
Outgoing interface flags: H - Hardware switched, A – Assert
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(172.17.1.20, 232.1.1.2), 00:12:36/00:02:23, flags: sTI
Incoming interface: GigabitEthernet1, RPF nbr 0.0.0.0
Outgoing interface list:
GigabitEthernet1.118, Forward/Sparse, 00:12:36/00:02:23
(*, 224.0.1.40), 00:24:39/00:02:53, RP 172.16.10.50, flags: SJCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
GigabitEthernet1, Forward/Sparse, 00:24:39/00:02:53
Multicast at a glance on the AP
APc47a.fe34.1cc9#show capwap mcast
CAPWAP MULTICAST
Multicast Group: 232.1.1.2, Source: 172.17.1.20
V1 Rpt Sent: 0; V2 Rpt Sent: 2
V3 Rpt Sent: 189; Leave Sent: 1
V1 Query Rcvd: 0; V2 Query Rcvd: 0
V3 Query Rcvd: 188; V1 Rpt Rcvd: 0
V2 Rpt Rcvd: 0; V3 Rpt Rcvd: 0
APc47a.fe34.1cc9#
Multicast-Multicast and NAT
NAT => 💔
ND: Router Discovery
Figure: an IPv6 host sends a Router Solicitation (RS); the router answers with a Router Advertisement (RA).
The Devil’s in the details…
RFC4861, 6.2.6. Processing Router Solicitations
In addition to sending periodic, unsolicited advertisements, a router
sends advertisements in response to valid solicitations received on
an advertising interface. A router MAY choose to unicast the
response directly to the soliciting host's address (if the
solicitation's source address is not the unspecified address), but
the usual case is to multicast the response to the all-nodes group.
Tcpdump on a host in a large WiFi network
USB battery vendors, rejoice !
One more reason to manage the multicast RAs …
APc47a.fe34.1cc9#show capwap mcast mgid all | begin RA MGID
RA MGID Information
MGID = 8341
IPv6 mc2uc Clients = 1
MGID = 8343
IPv6 mc2uc Clients = 1
APc47a.fe34.1cc9#show capwap mcast mgid id 8343
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- Qos User Priority: 3 State: ADMITTED
History – Retry Pct: 0 0 0 0 Rate (500Kbps): 0 65535 65535
APc47a.fe34.1cc9#
A different approach: RA throttle
Interaction of RA throttle and RA lifetime
Figure: a timeline of RAs across two throttle periods (Period 1, Period 2) against the lifetime carried in the RA. Within a throttle period the throttler suppresses the periodic RAs; if the lifetime learned from the last RA that was let through runs out before the next one arrives, the host is left without a default router. Mind the gap!
Short lifetimes and temporary addresses
RFC4941, section 3.4:
– Period: TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE - DESYNC_FACTOR
– REGEN_ADVANCE -- 5 seconds
– DESYNC_FACTOR – random (0..10minutes)
– ‘ifconfig -L’ to see lifetimes
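The two timer constraints just described can be checked numerically. The following is an added example, not code from the session: the function names, the 30-minute throttle period and the lifetimes passed as inputs are constructed for illustration. It applies the RFC 4941 section 3.4 period formula quoted above and, going one step further than the slide, also caps the temporary address's preferred lifetime at the prefix's advertised preferred lifetime as RFC 4941 section 3.3 requires, which is exactly how a short prefix lifetime in the RA makes temporary addresses recycle quickly.

```python
import math

REGEN_ADVANCE = 5                 # seconds (RFC 4941)
MAX_DESYNC_FACTOR = 600           # seconds: DESYNC_FACTOR is random in 0..10 minutes
TEMP_PREFERRED_LIFETIME = 86400   # seconds, RFC 4941 default (1 day)
SECONDS_PER_DAY = 86400


def ra_gap(router_lifetime, throttle_period):
    """Seconds per throttle period during which a client that only sees the
    RAs the throttler lets through is left without a default router.
    The router lifetime counts down from the last RA received; if the next
    RA only comes after a full throttle period, the excess is the gap."""
    return max(0, throttle_period - router_lifetime)


def temp_address_regen_period(prefix_preferred_lifetime, desync_factor,
                              temp_preferred_lifetime=TEMP_PREFERRED_LIFETIME):
    """Seconds between the generation of successive temporary addresses.
    RFC 4941 section 3.3 gives a temporary address the lower of the prefix's
    preferred lifetime and TEMP_PREFERRED_LIFETIME - DESYNC_FACTOR; a new one
    is generated REGEN_ADVANCE seconds before that expires (section 3.4).
    With a long prefix lifetime this reduces to the slide's formula."""
    preferred = min(prefix_preferred_lifetime, temp_preferred_lifetime - desync_factor)
    return preferred - REGEN_ADVANCE


def temp_addresses_per_day(period):
    """Temporary addresses a host burns through per day at a given period."""
    return math.ceil(SECONDS_PER_DAY / period)


def check_timers(router_lifetime, throttle_period, prefix_preferred_lifetime):
    """Findings for a planned set of RA timers; an empty list means no concern."""
    findings = []
    gap = ra_gap(router_lifetime, throttle_period)
    if gap > 0:
        findings.append(f"default router gap of {gap}s per throttle period: "
                        f"router lifetime {router_lifetime}s < throttle period {throttle_period}s")
    # worst case: DESYNC_FACTOR at its maximum gives the shortest period
    period = temp_address_regen_period(prefix_preferred_lifetime, MAX_DESYNC_FACTOR)
    per_day = temp_addresses_per_day(period)
    if per_day > 2:
        findings.append(f"temporary addresses regenerate every {period}s "
                        f"(~{per_day}/day); long-lived connections will break")
    return findings


if __name__ == "__main__":
    # constructed scenarios: a 30-minute throttle period against two sets of lifetimes
    for lifetime, prefix_pref in ((1800, 1800), (9000, 86400)):
        print(lifetime, prefix_pref, check_timers(lifetime, 1800, prefix_pref) or "ok")
```

Run it and the first scenario reports roughly 49 temporary addresses a day, the second nothing; with a throttle period of 3600 s the first scenario additionally reports a 1800 s default-router gap.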
Short lifetimes and temporary addresses
Temporary addresses recycle quickly
Application connections break
Implementation-specific bug^H^Hehaviors
The best timer values ?
Initial staging
– Agility
– Ease of adjustments
– Quick reaction to configuration changes
– Not too short to avoid artifacts
Production
– With scaling in mind
– Resistance to temporary failures
IOS vs. NX-OS solicited RA behavior
NX-OS sends unicast solicited RA packets
Periodic RA still sent multicast as expected
Easy (Less need for RA-throttle), but may be harder to debug (ucast vs. mcast)
IPv6 host setup recap
Figure: the host sends a Router Solicitation; the Router Advertisement carries the router preference ("Pref") and the "M", "A" and "O" flags. The host then does a DAD NS for its link-local address ("Anyone with this addr?"), a DAD NS for its SLAAC global address, and, depending on the flags, a DHCPv6 information request (answered with a DHCPv6 reply carrying DNS) or a DHCPv6 request (answered with a DHCPv6 reply carrying an address, followed by a DAD NS for that address).
DHCPv6 address assignment
Centrally controlled: easy to know which user has which address
(May be) not dependent on multicast for continuous use
Some clients do not support it (Android)
DHCPv6 multicast reply filtering
ND-based Address Assignment (SLAAC)
On/off by “A” flag in the prefix(es) within RA
Address controlled by the host
Distributed
Network cannot learn the address in advance; it first sees it in the DAD NS
Dependent on multicast to be maintained
Link-Local addresses: self-assigned
Behavior similar to SLAAC with fe80::/64 prefix
Addresses exist on any IPv6-capable interface
Service discovery protocols use link-locals
Even if you do not “run” IPv6, you probably do !
Address Glean (Binding Table)
Figure: the first-hop device gleans addresses from the traffic of three hosts (H1, H2, H3) and a DHCP server:
– H1: DAD NS [IP source=UNSPEC, target=A1, SMAC=MACH1]
– H2: DHCP REQUEST [XID, SMAC=MACH2] and the server's REPLY [XID, IPA21, IPA22]
– H3: data [IP source=A3, SMAC=MACH3], NA [IP source=A3, LLA=MACH3] and DAD NS [IP source=UNSPEC, target=A3]
– DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY towards the DHCP server
Resulting binding table (with the preference of the source each entry was learned from):
ADR  MAC    VLAN  IF  Preference
A1   MACH1  100   P1  X
A21  MACH2  100   P2  Y
A22  MACH2  100   P2  Y
A3   MACH3  100   P3  Z
Device Tracking (Binding Table)
Figure: the same hosts H1, H2, H3; the binding table is populated by address glean (DAD NS [IP source=UNSPEC, target=A1], DAD NS [IP source=UNSPEC, target=A3], NA [target=A1, LLA=MACH1]) and then maintained:
– Keep track of device state
– Probe devices when becoming stale
– Remove inactive devices from the binding table
– Record binding creation/deletion/changes
Binding table:
ADR  MAC    VLAN  IF
A1   MACH1  100   P1
A21  MACH2  100   P2
A22  MACH2  100   P2
A3   MACH3  100   P3
Neighbor Binding Timer configuration: defaults
Simplified Binding table state diagram
States: REACHABLE, STALE, DOWN
– REACHABLE -> STALE: REACHABLE timer expires
– -> REACHABLE: NS/NA exchange for the host, DAD probe success
– -> DOWN: link is DOWN (client disassociated)
Binding table maintenance example
Binding table maintenance example
Traffic to node can trigger NUD on the node
Entry is refreshed due to NUD (NS) traffic from host
Host ND: Neighbor Maintenance with NUD
States: INCOMPLETE, REACHABLE, STALE, DELAY, PROBE
– REACHABLE -> STALE: REACHABLE timer expires (~30 sec default)
– STALE -> DELAY: traffic to the host
– DELAY -> PROBE: traffic to the host, no confirmation from ULP
– PROBE -> REACHABLE: received NA reply to unicast NS
– INCOMPLETE -> REACHABLE: received NA reply to multicast NS
– DELAY -> REACHABLE: ULP confirms reachable
Increase the reachable time on the IPv6 Router
Less load on the media + first hop router packet processing
Postponing NUD = bigger neighbor table on the first hop router
NUD triggered after RAND(0.5 .. 1.5 * reachable-time)
csr1k-ayhome(config)#interface gig1.103
csr1k-ayhome(config-subif)# ipv6 nd reachable-time ?
<0-3600000> Reachability time in milliseconds
csr1k-ayhome(config-subif)# ipv6 nd reachable-time 600000
csr1k-ayhome(config-subif)#^Z
csr1k-ayhome#
Impact of ND reachable timers on first hop router
Long timers cause accumulation of the entries
– Hardware forwarding tables may overflow
ipv6 nd cache expire <14400?> refresh
REACHABLE expires on WLC (No 30-sec NUD)
IPv6 host stack does not trigger NUD thanks to the longer REACHABLE timer
The data traffic by itself does not alter the state of the binding table entries
Let’s initiate some ND traffic
Ping to a non-existent link-local address creates NS to resolve that address
ND traffic from hosts refreshes the entry
Neighbor maintenance & binding interactions
Discuss: What about shorter reachable value on the host than on WLC ?
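To put a number on the discussion question, here is an added simulation; it is neither the session's code nor the WLC's actual implementation. A host that sends one data packet per second to its gateway runs the RFC 4861 NUD state machine from the earlier slide, while the WLC keeps a binding table entry for the host that, as the preceding slides state, is refreshed only by the host's ND traffic, never by data. The 600-second host reachable time is the value configured on the router a few slides back; the 300-second binding REACHABLE lifetime, the one-hour run and the "one packet per second" workload are constructed inputs. The random factor is fixed at 1.0 so the result is deterministic; real stacks draw it from 0.5..1.5.

```python
DELAY_FIRST_PROBE_TIME = 5  # seconds, RFC 4861


def simulate(host_reachable, wlc_reachable, duration, rand_factor=1.0):
    """Run `duration` one-second ticks of a host talking to its gateway.

    host_reachable: the host's BaseReachableTime in seconds (learned from the
                    router's RA reachable-time); the effective timer is this
                    times rand_factor (RFC 4861: RAND(0.5..1.5)).
    wlc_reachable:  lifetime of the binding table's REACHABLE state, seconds.
    Returns how many NUD probes (NS) the host sent and for how many seconds
    the WLC's binding entry for the host sat in STALE."""
    host = {"state": "REACHABLE", "timer": host_reachable * rand_factor}
    wlc = {"state": "REACHABLE", "timer": wlc_reachable}
    stats = {"host_ns_sent": 0, "wlc_stale_seconds": 0}

    for _ in range(duration):
        # WLC binding table: the data packet the host sends every second does
        # not touch the entry; only the timer moves it to STALE.
        if wlc["state"] == "REACHABLE":
            wlc["timer"] -= 1
            if wlc["timer"] <= 0:
                wlc["state"] = "STALE"
        else:
            stats["wlc_stale_seconds"] += 1

        # Host neighbor cache entry for the gateway (RFC 4861 section 7.3.3).
        if host["state"] == "REACHABLE":
            host["timer"] -= 1
            if host["timer"] <= 0:
                host["state"] = "STALE"
        if host["state"] == "STALE":
            # sending a packet to a STALE neighbor starts the DELAY timer
            host["state"] = "DELAY"
            host["timer"] = DELAY_FIRST_PROBE_TIME
        elif host["state"] == "DELAY":
            host["timer"] -= 1
            if host["timer"] <= 0:
                # no upper-layer confirmation (pings and UDP give none):
                # PROBE state, unicast NS to the gateway
                stats["host_ns_sent"] += 1
                # that NS is ND traffic, so the WLC refreshes its entry ...
                wlc["state"] = "REACHABLE"
                wlc["timer"] = wlc_reachable
                # ... and the gateway's NA reply makes the host entry REACHABLE again
                host["state"] = "REACHABLE"
                host["timer"] = host_reachable * rand_factor
    return stats


if __name__ == "__main__":
    # host reachable-time shorter than the WLC binding lifetime, and longer
    for host_rt in (30, 600):
        print(f"host reachable {host_rt}s, WLC binding 300s:", simulate(host_rt, 300, 3600))
```

With the 30-second host timer the host's own NUD probes (about 100 an hour) keep the WLC entry permanently REACHABLE at the price of the ND chatter the talk wants to avoid; with the 600-second timer the host probes five times an hour and the WLC entry spends half of the hour in STALE, which is the situation the binding table has to handle by probing the device itself.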
Less Simplified Binding table state diagram
States: REACHABLE, STALE, DOWN, plus UNKNOWN(*), INCOMPLETE(*), TENTATIVE(*) and VERIFY. Transitions are driven by NS/NA traffic, timer expiry and seeing the link-layer address (LLA).
Details: RFC6620
What happens if the address is not in the table?
Figure: hosts H1, H2, H3 send data on ports P1, P2, P3:
– P1: data, src=A1, SMAC=MACA1
– P2: data, src=A21, SMAC=MACA21
– P3: data, src=A3, SMAC=MACA3
Address glean
– Allow traffic sourced with a known IP/SMAC
– Deny traffic sourced with an unknown IP/SMAC; this triggers the address glean process (DAD NS [IP source=UNSPEC, target=A3], NA [target=A3, LLA=MACA3], DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY), which adds the entry P3 :: A3, MACA3
Binding table
IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
A3    MACA3   100   P3
Initiate some traffic with entry not in table
More granular for production!
Binding table prepopulated by data plane
Binding table entry verified using DAD NS exchange
L2 address resolution with IPv6
Figure: host A needs the link-layer address of B. A sends NS "B?" (A=me as the source) to the solicited-node multicast group of B; B answers with a unicast NA "B=me". The same exchange resolves the gateway (GW).
Neighbor solicitation and solicited node address
Solicited-Node Multicast Address
For each unicast and anycast address configured there is a corresponding solicited-node multicast (Layer 3) address
Used in Neighbor Solicitation (NS) messages
Multicast address with link-local scope
Solicited-node multicast address consists of
– FF02::1:FF & {lower 24 bits of the IPv6 unicast interface ID}
Layout: the high 104 bits are the fixed prefix FF02:0000:0000:0000:0000:0001:FF00::/104; the low 24 bits are copied from the low 24 bits of the 64-bit interface ID that follows the 64-bit routing prefix of the unicast address
Host Joins Solicited Node Multicast Group
Different IIDs = different multicast groups
Global multicast enable/disable
Basic IPv6 support does NOT need this checkbox checked
Turning global multicast on …
MLD / IGMP packets sent per client
Many IPv6 addresses -> many solicited node multicast groups
One MLD query -> many MLD reports.
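The solicited-node derivation and the "many addresses -> many groups" fan-out of the last few slides, as an added example (not code from the session): it derives the ff02::1:ff00:0/104 group from the low 24 bits of each address and counts the distinct groups a client has to be a member of, which is the number of memberships it must report when queried. The client addresses are constructed; the one thing to notice is that a link-local and an EUI-64 global address share a group because they share an interface ID, while every RFC 4941 temporary address adds a group of its own.

```python
import ipaddress

SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0")  # ff02::1:ff00:0/104


def solicited_node(addr):
    """Solicited-node multicast group for a unicast/anycast IPv6 address:
    the fixed prefix ff02::1:ff00:0/104 with the address's low 24 bits appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX) | low24)


def solicited_node_groups(addrs):
    """Set of distinct solicited-node groups a host with these addresses must join."""
    return {solicited_node(a) for a in addrs}


def mld_memberships(addrs):
    """Number of group memberships the host reports when the querier asks:
    one per distinct solicited-node group (ff02::1 is never reported)."""
    return len(solicited_node_groups(addrs))


if __name__ == "__main__":
    # constructed client: link-local + EUI-64 global (same interface ID) and two
    # temporary addresses with random interface IDs
    client = [
        "fe80::c47a:feff:fe34:1cc9",
        "2001:db8:1::c47a:feff:fe34:1cc9",
        "2001:db8:1::1d4f:9b30:7c12:a0e5",
        "2001:db8:1::6a2b:33c1:0f8e:4d77",
    ]
    for group in sorted(solicited_node_groups(client)):
        print(group)
    print(mld_memberships(client), "memberships to report per query")
    print("default router fe80::1 listens on", solicited_node("fe80::1"))
```

The four-address client above ends up in three solicited-node groups; a fleet of such clients behind one MLD querier therefore answers every query with roughly three times as many reports as it has members, which is the per-client cost the next slides tune.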
MLD/IGMP query timing and timer values tuning
Turned Multicast On ? Meet mDNS !
Total Packet quantity ~ NumAdvertisers * NumListeners * k
Brute-force approach to mDNS overload: create ACL…
Brute-force approach to mDNS overload: …and apply it!
Bonjour Gateway: a kinder, gentler, flexible way
What about LLMNR ?
Link-local Multicast Name Resolution
– Used to resolve the names of hosts on the local link
Defined in RFC4795
Used by Windows Vista, Windows Server 2008, Windows 7 and Windows 8
Run over multicast UDP to port 5355
Practical experience: Mostly harmless
Address Stealing: taken care of
See also: BRKSEC-3003
P2P blocking: good for security, bad for P2P
IPv6 “Off-link clients”: communicate via the router
IPv6 “Off-link clients”: router configuration
interface GigabitEthernet1.103
encapsulation dot1Q 103
ipv6 address 2001:470:73CD:DF03::1/64
ipv6 nd reachable-time 3600000
ipv6 nd prefix 2001:470:73CD:DF03::/64 86400 1800 off-link
ipv6 nd ra dns server 2001:4860:4860::8888
no ipv6 redirects
csr1k-ayhome# sh run | inc route 2001:470:73CD:DF03::/64
ipv6 route 2001:470:73CD:DF03::/64 GigabitEthernet1.103
csr1k-ayhome#
Off-link prefix effect on the client
Before:
After (need reconnect!):
Troubleshooting strategies for “No IPv6 Address”
RA received:
– Client stack issue
– Firewall on the client
– DAD failure ?
Intermittent loss of RAs:
– Multicast-unicast & microbursts ?
– Multicast-multicast and too much multicast traffic ?
No RA received:
– Multicast on CAPWAP ?
Strategies for debugging client connectivity issues
Usually falls back to IPv4 if total IPv6 blackhole
Define the IPv6 source address being used
Tools to use on the clients allow selection of address family
Connectivity issues: verify the binding table
Client doing DAD too early, client having too many addresses too quickly
Troubleshoot “wrong address”
RA leakage ?
Stack not deleting the old addresses ?
Most of the time: wireshark on the client or “near” client
Troubleshoot in the roaming scenario
Multicontroller config needs to be in sync
Use AP groups
– Isolate a “debug” AP
– AP-group manipulations cause SSID flip, do only off-hours!
Use multi-channel sniffers
Capture CAPWAP traffic on the wire
– If not encrypted
Capture packets on iOS devices
Conclusions
You can control IPv6 chattiness quite well
Use the WLC features
Complement with IPv6 protocol tuning
IPv6 on WiFi: You talk too much ?
Glossary
RA
– Router Advertisement: periodically sent by any IPv6 router on a segment.
– Can be Periodic (default: 200s +/- jitter) and Solicited (triggered by RS)
– More info: RFC4861
RS
– Router Solicitation: a packet sent by the host to trigger Solicited RA
– More info: RFC4861
NUD
– Neighbor Unreachability Detection: part of Neighbor Discovery protocol, uses NS/NA exchange + state machine and feedback from upper layer protocols to verify the bidirectional reachability of the neighbor
– More info: RFC4861
Glossary
NA
– Neighbor Advertisement: an ICMPv6 message containing the Link Layer address for a given IPv6 address. Can be solicited by Neighbor Solicitation or sent gratuitously.
– More info: RFC4861
NS
– Neighbor Solicitation: a packet sent to the Solicited Node Multicast address derived from the target address in order to resolve the Link-Layer address corresponding to the target IPv6 address
– More info: RFC4861
DAD
– Duplicate Address Detection: a check performed by an IPv6 stack before using an IPv6 address to ensure that this address is not already used by another node on the link.
– More info: RFC4861
Blocking attempts of directed Link-Local traffic (1/2)
Set the last 3 bytes of the interface ID of the link-local address to the known value
(If you can not do P2P blocking)
Blocking attempts of directed Link-Local traffic (2/2)
Permit solicited node multicast for the default router (this example is for fe80::1)
Deny solicited node multicast for everything else
(If you can not do P2P blocking)
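The effect of that two-line filter, as an added example (not the session's ACL and not a WLC feature): a decision function that permits a Neighbor Solicitation to the default router's solicited-node group and denies NS to any other solicited-node group, leaving non-NS traffic alone, plus a check of which neighbors a client can still resolve once it is in place. The router link-local fe80::1 is the one from the slide; the packet list is constructed.

```python
import ipaddress

ICMPV6_NS = 135                                        # Neighbor Solicitation
SN_NET = ipaddress.IPv6Network("ff02::1:ff00:0/104")   # all solicited-node groups


def solicited_node(addr):
    """Solicited-node group of a unicast address: ff02::1:ff00:0/104 + its low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SN_NET.network_address) | low24)


def link_local_ns_policy(router_link_local):
    """Return decide(dst, icmpv6_type) -> 'permit' | 'deny' implementing the
    two rules: permit NS to the default router's solicited-node group, deny NS
    to every other solicited-node group, do not touch anything else."""
    router_group = solicited_node(router_link_local)

    def decide(dst, icmpv6_type=None):
        d = ipaddress.IPv6Address(dst)
        if icmpv6_type == ICMPV6_NS and d in SN_NET:
            return "permit" if d == router_group else "deny"
        return "permit"
    return decide


def can_resolve(decide, target):
    """Can a client still learn `target`'s MAC, i.e. does its NS to the
    target's solicited-node group pass the filter?"""
    return decide(str(solicited_node(target)), ICMPV6_NS) == "permit"


if __name__ == "__main__":
    decide = link_local_ns_policy("fe80::1")
    # constructed packets: (description, destination, ICMPv6 type or None)
    packets = [
        ("NS for the router", "ff02::1:ff00:1", ICMPV6_NS),
        ("NS for another client", "ff02::1:ff34:1cc9", ICMPV6_NS),
        ("RS to all routers", "ff02::2", 133),
        ("MLDv2 report", "ff02::16", 143),
    ]
    for desc, dst, typ in packets:
        print(f"{desc:24s} {dst:20s} {decide(dst, typ)}")
    print("resolve fe80::1:", can_resolve(decide, "fe80::1"))
    print("resolve fe80::c47a:feff:fe34:1cc9:",
          can_resolve(decide, "fe80::c47a:feff:fe34:1cc9"))
```

Because the filter keys on the group rather than the target address, any client whose own address happens to end in the same three bytes as the router's (here 00:00:01) shares the permitted group; choosing a known, unusual value for the router's last three bytes, as the previous slide suggests, is what keeps that overlap from happening by accident.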
Capturing and triggering router advertisements
CiscoLive 2014 dualstack SSID config (high level)
Figure: the North and South controllers with their user VLANs (VLAN 4 and VLAN 204) and Internet connectivity over a Main and a Backup path.
Configuration design goals
Must allow any distribution of access points between the two controllers
– All access points on North, all access points on South, split between the two
L3 roaming of clients between North and South, on IPv4 and IPv6
– The client keeps its original link; the data is sent in/out via the anchor controller
Minimize the amount of chatter – save batteries
– Use RA Throttler on WLC with 30 minute timer.
Minimize the size of the neighbor caches on the devices
– Very large link, many small devices
Allow for a possible full reassociation instead of L3 roaming
– The prefix does change, but connectivity must be recovered quickly
South SVI configuration
interface Vlan4
description !!! WIRELESS CLIENTS !!! CiscoLive2014 !!!
.. IPv4 configuration omitted ..
ipv6 address FE80::1 link-local
ipv6 address 2001:4D38:A:400::1/64
ipv6 nd reachable-time 1800000
ipv6 nd prefix default 86400 9000 off-link no-autoconfig
ipv6 nd prefix 2001:4D38:A:400::/64 604800 86400 off-link
ipv6 nd prefix 2001:4D38:A:6800::/64 604800 0 off-link
ipv6 nd router-preference High
ipv6 nd ra lifetime 9000
no ipv6 redirects
no ipv6 unreachables
ipv6 verify unicast source reachable-via rx
ipv6 ospf network point-to-point
ipv6 ospf flood-reduction
ipv6 ospf 1 area 0
end
ipv6 route 2001:4D38:A:400::/64 vlan4
North SVI configuration
interface Vlan204
description !!! WIRELESS CLIENTS !!! CiscoLive2014 !!! DO NOT USE VLAN4 on NORTH !!!
.. IPv4 configuration omitted ..
ipv6 address FE80::1 link-local
ipv6 address 2001:4D38:A:6800::1/64
ipv6 nd reachable-time 1800000
ipv6 nd prefix default 86400 9000 off-link no-autoconfig
ipv6 nd prefix 2001:4D38:A:400::/64 604800 0 off-link
ipv6 nd prefix 2001:4D38:A:6800::/64 604800 86400 off-link
ipv6 nd router-preference High
ipv6 nd ra lifetime 9000
no ipv6 redirects
no ipv6 unreachables
ipv6 verify unicast source reachable-via rx
ipv6 ospf network point-to-point
ipv6 ospf flood-reduction
ipv6 ospf 1 area 0
end
ipv6 route 2001:4D38:A:6800::/64 Vlan204