IPv6 MX64 Hot standby subnetting

CharlieCrackle
A model citizen

I am trying to add IPv6 to an existing network. The network has 2 MX64s in hot standby.

Q1: Is hot standby supported in IPv6? (There does not seem to be support for a static shared address.) (My current static route points to the primary [see picture].)

Because in hot standby I need to use 1 subnet of /64 on the outside between the MX64s, and the rest on the internal VLANs (see picture).

I have set up static addressing on the WAN and this is working.

I have set up static addressing on the LAN and this is working.

Q2: I do not understand how to get an IPv6 DNS server to the clients on the LAN. IPv6 is working but they are using IPv4 for DNS. Where do you set the DNS server they get?

I added xxxx:yyyy:zzzz:dd/48 to the IPv6 prefixes as I don't have any AUTO VLANs (or should I be adding multiple /64 prefixes for every VLAN?).

In the VLAN Assignments, all the VLANs show with the correct subnet prefix and the status is active.

IPv6 works.

But I then found the next day the VLAN Assignments table went to expiring soon and then empty, and IPv6 was not working.

Q3: Am I doing it totally wrong?

I configured the Cisco router instead to be an IPv6 DHCP server and set up a prefix pool:

ipv6 local pool MERAKI_POOL xxxx:yyyyy:zzzz::/40 56

ipv6 dhcp pool MY_V6
prefix-delegation pool MERAKI_POOL
dns-server xxxx:yyyy:101::1
dns-server xxxx:yyyy:101::2
domain-name xxx.com.au

 

and then put all the Meraki IPv6 settings on auto.

Both MX64s got IP address xxxx:yyyy:zzzz:ddff::

and the IPv6 prefix got the address from auto.

It then gave xxxx:yyyy:zzzz:dd01: / dd:02 / dd:03 to each VLAN.

This worked. But VLAN 60 had the wrong IPv6 address, and the static route required in the router to point to the primary MX would fail if the MX got a different address.

Either I cannot find it or the IPv6 configuration for Meraki is hard to find.

I would love some insight from the IPv6 experts.

Q4: When testing IPv6, some of the testing sites say IPv6 relies on some ICMP IPv6 messages.

Is this best practice? Should I be adding a firewall rule to outside to allow ICMPv6 traffic any to xxxx:yyyy:zzzz:dd::?

alemabrahao
Kind of a big deal

Check this:

https://documentation.meraki.com/?title=MX/Other_Topics/IPv6_Support_on_MX_Security_%26_SD-WAN_Platf...

https://documentation.meraki.com/?title=MX/Firewall_and_Traffic_Shaping/IPv6_Support_on_MX_Security_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

I don't know the answer.

What I expect is that your hosts should be learning the IPv6 DNS server to use from the RA announcement from the MX.

When in "auto" mode this should be easy. The MX gets a prefix from the ISP (which includes the IPv6 DNS servers to use). Part of that larger prefix gets assigned to each VLAN, and those existing DNS servers can be re-used in the RA announcement.

What happens when you use manual mode in Meraki? I'm not sure. At a minimum, you would need IPv6 DNS servers configured on the WAN interface. Have you got those?

The next problem I see is when you manually configure the IPv6 prefixes for the VLANs: there is nowhere to specify the DNS servers. So either it has to guess which DNS servers to use from the available WAN ports, or I guess do nothing.

The other thing to check is to see if your hosts actually learned IPv6 DNS servers, and are simply preferring to use their IPv4 DNS server entries.

 

CharlieCrackle
A model citizen

I logged this case with support and so far have no info to help me move forward.

The only answer so far is:

HA is supported

If it is, where do you put the virtual IPv6 address?

Are there no Meraki IPv6 experts on the forum? Support are not helpful so far.

CptnCrnch
Kind of a big deal

For the internal IP addresses, I'd assume that it behaves the same as in the IPv4 world: you don't need a virtual address. 

 

Or are you referring to the external interfaces?

CharlieCrackle
A model citizen

The issue is that I am splitting the ISP-supplied address range between inside and outside; it works for a while then stops.

CharlieCrackle
A model citizen

Yes, I was referring to the external address.

CharlieCrackle
A model citizen

Just an update: the latest firmware 17.8 has fixed the issue of IPv6 just stopping after a while, when the IPv6 prefixes would just disappear from the "IPv6 Prefixes" tab for manually assigned IPv6 addresses.

Also, the allow incoming IPv6 ICMP firewall rule I had just started working.

I removed the secondary MX and all seems much more stable, and the dashboard now displays the status correctly (all the fields line up correctly on the Uplink tab with the secondary removed). I think I will leave this disabled until the IPv6 external virtual IP address support is there.

I still have 1 unresolved issue, and that is how do the clients behind the Meraki on IPv6 get the DNS servers? Is the MX advertising any IPv6 servers? My switches have their IPv6 address on AUTO but are not getting IPv6 DNS. Is the ONLY way to get DNS to have a STATIC IPv6 address and STATIC IPv6 DNS servers? (The latest firmware also fixed the bug so that the IPv6 interface is on the correct VLAN and not VLAN 1. Yay!)

When testing IPv6, some of the testing sites say IPv6 relies on some ICMP IPv6 messages.

Any IPv6 experts out there: is this best practice?

Should I be leaving a firewall rule to outside to allow ICMPv6 traffic any to xxxx:yyyy:zzzz:dd::?
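
On the ICMPv6 firewall question asked above, an added example (not from any poster in this thread and not Meraki's own code): the RFC 4890 section 4.3 recommendations for ICMPv6 passing through a firewall, written as a Python classifier that can be run over the type/code pairs an inbound rule would see. The tables are a subset of the RFC's lists, the default drop for unlisted types is this example's assumption, and the sample messages are constructed.

```python
# Added example: ICMPv6 filtering for traffic crossing a firewall, after RFC 4890 section 4.3.
# A value of None means "any code"; a set lists the codes that match.

# 4.3.1: must not be dropped.
MUST_ALLOW = {
    1: None,    # Destination Unreachable
    2: None,    # Packet Too Big (Path MTU discovery fails without it)
    3: {0},     # Time Exceeded: hop limit exceeded in transit
    4: {1, 2},  # Parameter Problem: unrecognized next header / option
    128: None,  # Echo Request
    129: None,  # Echo Reply
}
# 4.3.2: normally should not be dropped (Mobile IPv6 types 144-147 left out here).
SHOULD_ALLOW = {
    3: {1},     # Time Exceeded: fragment reassembly time exceeded
    4: {0},     # Parameter Problem: erroneous header field
}
# 4.3.3 (subset): link-local messages a router never forwards, so no WAN rule is needed:
# MLD 130-132 and 143, RS 133, RA 134, NS 135, NA 136, Redirect 137.
LINK_LOCAL_ONLY = {130, 131, 132, 133, 134, 135, 136, 137, 143}


def classify(icmp_type, code=0):
    """Return 'allow', 'allow-optional' or 'drop' for one forwarded ICMPv6 message."""
    if icmp_type in LINK_LOCAL_ONLY:
        return "drop"
    for table, verdict in ((MUST_ALLOW, "allow"), (SHOULD_ALLOW, "allow-optional")):
        codes = table.get(icmp_type, set())
        if codes is None or code in codes:
            return verdict
    # Assumption of this example: anything not listed above is dropped by default.
    return "drop"


def review(messages):
    """Classify a list of (type, code) pairs, e.g. taken from a firewall log."""
    return [(t, c, classify(t, c)) for t, c in messages]


# Constructed sample of inbound messages seen on a WAN interface.
SAMPLE = [(2, 0), (128, 0), (3, 1), (4, 0), (134, 0), (139, 0)]

if __name__ == "__main__":
    for icmp_type, code, verdict in review(SAMPLE):
        print(f"type {icmp_type:3d} code {code}: {verdict}")
```

Packet Too Big (type 2) is the message IPv6 test sites usually mean: routers do not fragment IPv6 packets in transit, so a firewall that drops it breaks Path MTU discovery for the hosts behind it.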

PhilipDAth
Kind of a big deal
Kind of a big deal

I'm finding 17.8 better as well, but I also do not get any IPv6 DNS servers.
