IPv6 Disabled on VLAN but Clients Still Getting IPv6 SLAAC Addresses

bigjon
Here to help

IPv6 Disabled on VLAN but Clients Still Getting IPv6 SLAAC Addresses

This is very confusing to me. I am working on a large Meraki deployment where the ISP is handing out IPv4 and IPv6 addresses to the WAN interface. Meraki doesn't allow you to disable IPv6 on WAN - Annoying, but fair enough.


  • VLAN SVIs on the LAN terminate to the MX logically from a Layer 3 perspective.
  • SVIs have IPv6 disabled.
  • In Network Client list, clients are getting IPv6 addresses when connected to wireless.
  • Wired clients aren't getting IPv6 addresses


From what I can figure out, the Meraki MX forwards the ISP's IPv6 subnet as an IPv6 RA and clients allocate their own IPs using SLAAC. The client doesn't want to disable IPv6 on workstations (as the WFH option may require it).


Some questions I am hoping people can answer:

  1. Is my understanding/explanation of how IPv6 addresses are allocated on the MX correct?
  2. Why are clients getting IPv6 addresses if SVIs have IPv6 disabled on MX?
  3. Why would only wireless clients be getting IPv6 addresses?
  4. What methods are available to disable clients from getting IPv6 addresses?
Mloraditch
Kind of a big deal

My understanding of SLAAC is that if a client sees an RA packet and has IPv6 enabled, it will assign itself an IP. You should be able to see what that is in a packet capture. It could be another device misconfigured on the network. That device would have to be reconfigured, taken offline, etc.

The only reason I can see wireless clients only getting it would be if you bridge wireless to a separate VLAN than wired and the RA advertising device is only on that VLAN. I'm not aware and can't find any documentation that suggests IPv6 exists in NAT mode yet. (https://documentation.meraki.com/Wireless/Product_Information/Compatibility_and_Firmware/IPv6_Suppor...)

Regardless, the only way to completely prevent the clients using IPv6 is disabling it on the clients.

Others may have better insight; we don't really use IPv6 in our environments so my experience is limited, but hopefully the above helps. I do think the capture is the best bet: find the RA packet, get its MAC and hunt it down.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
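The capture-and-hunt approach above can be scripted: the block below is an added example, not code from the thread or from Meraki. It parses an ICMPv6 Router Advertisement out of a raw Ethernet frame, reports the advertiser's MAC and link-local address plus each advertised prefix, and computes the EUI-64 SLAAC address a client with a given MAC would form from an autonomous prefix. The frame, the router MAC and the prefix 2001:db8:1::/64 are constructed sample values, and the ICMPv6 checksum is left at zero because the parser does not validate it.

```python
import ipaddress
import struct

# Constructed sample (not a real capture): Ethernet + IPv6 + ICMPv6 RA with a
# Source Link-Layer Address option and a Prefix Information option (2001:db8:1::/64).
ROUTER_MAC = bytes.fromhex("0242ac110002")   # constructed MAC of the advertising device
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")

def build_sample_ra() -> bytes:
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)       # RA header
    icmp += struct.pack("!BB", 1, 1) + ROUTER_MAC                        # SLLA option
    icmp += struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)  # L + A flags
    icmp += PREFIX.network_address.packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)          # next hdr 58 = ICMPv6
    ip6 += ipaddress.IPv6Address("fe80::42:acff:fe11:2").packed          # router link-local
    ip6 += ipaddress.IPv6Address("ff02::1").packed                       # all-nodes multicast
    return bytes.fromhex("333300000001") + ROUTER_MAC + b"\x86\xdd" + ip6 + icmp

def parse_ra(frame: bytes):
    """Advertiser MAC, source address and (prefix, autonomous-flag) list, or
    None if the frame is not an ICMPv6 Router Advertisement (type 134)."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return None
    icmp = frame[54:]
    if icmp[0] != 134:
        return None
    info = {"src_mac": frame[6:12].hex(":"),
            "src_ip": str(ipaddress.IPv6Address(frame[22:38])),
            "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmp):          # TLV options, length in 8-byte units
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0:                    # malformed option; stop rather than loop forever
            break
        if otype == 3 and olen == 32:    # Prefix Information option
            plen, flags = icmp[pos + 2], icmp[pos + 3]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            info["prefixes"].append((f"{prefix}/{plen}", bool(flags & 0x40)))
        pos += olen
    return info

def slaac_address(prefix: str, client_mac: str) -> str:
    """EUI-64 address a client with this MAC forms from an autonomous (A-flag) prefix."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    iid = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]   # flip U/L bit, insert fffe
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))
```

Feeding real frames from a capture (for example via the `socket` module with `AF_PACKET`, or a pcap reader) into `parse_ra` lists every RA sender on the segment; a sender whose MAC is not the MX is the device to chase down.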
bigjon
Here to help

We don't want to use IPv6... which is why SVIs have it disabled. Regardless, clients have IPv6 addresses showing up. The IPs are in the same IPv6 subnet as the WAN carriage, so I assume it's SLAAC from the ISP pool. I've read anecdotal advice suggesting that the MX will generate an RA. You're right though, I will have to chase down a packet capture to see what is going on with RAs.

There is a setting in Network --> Configure --> General that specifies "Wireless IPv6 Bridging" : Enabled (default) that I am pondering... I don't think it's related though based on its description.

bigjon
Here to help

Ok. I may have a smoking gun. It looks like the workstations have a 4G local NIC on them and Meraki might simply be gleaning IPv6 information indirectly about client state (i.e. an IPv6 ND).

I was under the impression the WAN IP was in the same IPv6 subnet as the phantom IPv6 addresses on clients, but on second look and interrogation via a BGP looking glass, they're actually different ISP-hosted routes.


This is leading me to believe Meraki MX is just gleaning IPv6 information.

PhilipDAth
Kind of a big deal

Any reason not to enable IPv6?


I've actually been pulled up in two security audits for not enabling IPv6 in customer LAN environments. The security risk is that an attacker DOES deploy IPv6 (such as an IPv6 DNS resolver), or sets up an IPv6 default gateway (and does a man-in-the-middle attack).


It is no longer possible to simply say "disable IPv6 on the workstations" because of all the IPv6 IoT devices.


I am starting to turn it on everywhere so my clients can get clean security audits.

bigjon
Here to help

The customer has a quite diverse third-party and platform ecosystem with separate SASE application controls on workstations with their own security controls, and 802.1X on the LAN as well. They don't use IPv6 internally, which is what the MX/SD-WAN is providing access to.

Basically, I'm trying to keep the MX/SD-WAN config manageable as there is no internal IPv6 use within the corporate network. Enabling IPv6 confuses this SD-WAN deployment. That is a kind of thin excuse though, I admit.

I personally accept there might be some obscure attack vectors with IPv6 by not enabling it. I have actually asked the customer architects whether they want IPv6 to be enabled officially. The increase in attack vectors by enabling IPv6 is also a consideration though which invites operational overhead/complexity which this customer definitely doesn't need. Security is a journey... this customer is not ready for that level of policy management in my opinion... but we'll see what they say regarding IPv6 requirements.

IvanJukic
Meraki Employee All-Star

Hi @bigJ 


IPv6 is disabled on the LAN side of the MX by default. Has it been mistakenly enabled?

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Networ...



Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.