WE Need IPV6 Support in MX

SOLVED
cantechit
New here

Subject says it all...  We need proper IPV6 support in the MX Platform...    Even IPV6 tunnelling doesn't work at this point.

 

Anyone else have some comments?

1 ACCEPTED SOLUTION

Hi all, thank you for your continued patience on this topic. We’d like to provide an update and bring further transparency on the IPv6 status for Cisco Meraki products.  Firstly, we want to acknowledge the clear gap in supporting IPv6 across the Meraki portfolio and sincerely understand the frustration that’s been expressed. 

 

Each Cisco Meraki product has a different set of IPv6 requirements and technical complexities. IPv6 is not a single feature but rather a suite of features and capabilities that need to be enabled as a journey; which, unfortunately, is not a quick undertaking especially since we need to solve for effective management of IPv6 functionality in addition to enabling IPv6 data plane capabilities. 

 

On our IPv6 journey, we have identified the key functions to be delivered across the Cisco Meraki portfolio. Our primary objective is to deliver IPv6 in a phased manner that is as simple and streamlined as possible to adopt for our existing and future customers.  IPv6 is one of our strategic cross-product initiatives and this is backed by engineering resources we have aligned to it.

 

We know you have asked for details, and we don’t yet have publicly-sharable specifics, but please rest assured that we have a comprehensive plan for IPv6 support that we are aggressively driving and are committed to providing continued updates on our progress.  As such, please expect the next update by the end of September 2019 on our IPv6 @ Meraki thread.

 

Thank you for your continued partnership,

 

The Cisco Meraki team

 

 

[Mod comment: We are marking this post as the solution to this thread. This is not because the issue is solved, but because we want to make the new location for updates from Meraki on this topic easier to access. That topic is: IPv6 @ Meraki.]


277 REPLIES 277

I have been reluctant to jump on the IPv6 bandwagon because of the need for Teredo tunnelling and for dual stacks, in most environments. In some implementations I have seen, dual stacking disables hardware offloading, which can have a big impact upon throughput.

So I would ask that a pure IPv6 implementation be introduced sooner rather than later. At that point, I'll switch over. All the AV kit, Playout devices, Smart TVs, workstations etc do IPv6 already, only the network kit doesn't.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
pstewart
Getting noticed

We dropped Meraki about a year ago because of some bugs that seemed like they were never going to get fixed and for me the major issue is lack of IPv6.  How does Meraki expect us to be taken seriously with our customers when they are asking for IPv6 and we couldn’t give them a straight answer?  I voted with my wallet and moved to FortiNet - not to start a debate on Cisco vs X but FortiNet supports IPv6 and has a much richer feature set at a lower price point.... 

I hear you, we have been actively tearing Cisco & Meraki out and will continue to do so. They want their money for licenses and will turn your networks off, but they will not fix what they have promised.

I switched our MXs to Fortinet, as well. There was a bit of a learning curve, but I'm glad I did change. In two months, I have not had a single issue, particularly with the remote users VPN. I got my work-life balance back in balance. I plan to drop the rest of my Meraki stack next year when the licenses expire.

I have a feeling that when our licenses expire we will find a new solution to go with as well.  At this point, not having IPv6 on the WAN just isn't cutting it.

And the final nail in the IPv4 coffin was slammed in this Monday at 15:35 (UTC+1) on 25 November 2019 - And why..? We are absolutely, definitively, completely and utterly out of IPv4 addresses now...

 

The RIPE NCC has run out of IPv4 Addresses
Today, at 15:35 (UTC+1) on 25 November 2019, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses.

 

Our announcement will not come as a surprise for network operators - IPv4 run-out has long been anticipated and planned for by the RIPE community. In fact, it is due to the community's responsible stewardship of these resources that we have been able to provide many thousands of new networks in our service region with /22 allocations after we reached our last /8 in 2012.

 

https://www.ripe.net/publications/news/about-ripe-ncc-and-ripe/the-ripe-ncc-has-run-out-of-ipv4-addr...

I'm surprised Europe was able to hold on this long .. in North America we ran out back in 2012 officially.

Well, not quite I think:

 

ARIN’s free pool of IPv4 address space was depleted on 24 September 2015. As a result, we no longer can fulfill requests for IPv4 addresses unless you meet certain policy requirements that reserved blocks of IPv4 addresses for special cases, such as:

• NRPM 4.10: organizations may request a /24 of IPv4 address space to facilitate the transition to IPv6
• NRPM 4.4: micro-allocations to critical Internet infrastructure providers such as exchange point operators and core DNS service providers

But you are right about ARIN holding back on IPv4, and they have done so for quite a while now - and only provide IPv4 for special purposes now...

 

It is now close enough to mid-December when another announcement is expected.

 

Given the complexity of the task and the perceived glacial speed in progress, I am not expecting an early IPV6 Christmas present.  It is sad though.  Instead of dreaming about sugar plum fairies, I am dreaming of IPV6. 

Dave Anderson
GIdenJoe
Kind of a big deal

You'll find an announcement from end September on this thread:

https://community.meraki.com/t5/Full-Stack-Network-Wide/IPv6-Meraki/m-p/53677#U53677

Are they releasing a Christmas Present to us (this year)?

Any update on this?  Last update was a while ago.

They posted an update in December here. They're building out IPv6 on their infrastructure before deploying it to the users.

at least some progress at the backend:

[Image: Selection_999(3501).png]

anyway, i request a *much higher* frequency of updates. once every three months, that's way too little!

nothing new here:

 

root@www:~# host dashboard.meraki.com
dashboard.meraki.com is an alias for n1.meraki.com.
n1.meraki.com is an alias for sdg333.meraki.com.
sdg333.meraki.com has address 108.161.147.44

burnz
Getting noticed

root@www:~# host dashboard.meraki.com
dashboard.meraki.com has address 108.161.147.44
dashboard.meraki.com has IPv6 address 2620:12f:c000:0:92e2:baff:fecd:3f94
DHAnderson
Head in the Cloud

When the time comes, I would be interested in beta testing IPV6 for MX or other hardware.

 

I have Charter as an ISP and when I was using a SonicWall firewall I had four IPV6 subnets.  The MR33 was able to get an IPV6 address from the SonicWall, and devices in the WiFi also could get IPV6 addresses.

 

 

- Dave

Dave Anderson
AAVH
Here to help

The failure of Meraki to support IPv6 in a timely manner is now really causing me big issues. 
COVID-19 has caused my company to send everyone to work from home and VPN into the office. 
Of course, many of the users who have never had to use our VPN are trying to use it and discovering they can't due to IPv6. 

I've had to bung in a couple of pfSense firewalls in on spare IP addresses (using 2 retired Dell servers) and give these users OpenVPN for connectivity. I'm now wondering when it comes to license renewal time, why I should bother as we now have 2 perfectly serviceable pfSense firewalls in place with auto failover, VPN, Suricata, pfBlockerNg, and fully supporting IPv6. The only downside being that they're far more difficult to manage and configure than our MXs.

 

CharlieCrackle
Building a reputation

Just for info.  I have been having the same issue.  If users are getting IPv6 addresses, Telstra (Australia) IPv6 to IPv4 GW does not support L2TP VPN.  What I have found is if I disable the IPv6 protocol on the WiFi or Ethernet adapter that the VPN is running on, then the device gets an IPv4 address and the GW is bypassed and it works.  But we do need IPv6 support and a better VPN client for Windows ASAP.  It is Meraki's biggest shortcoming.  Need Client VPN to work like SD-WAN does.  "It just works"  without me having to TeamViewer to the client's machine to set it up every time.

@Meraki-PM-Team, this is a serious situation RIGHT NOW!

 

in the name of all your patient and loyal customers and resellers: PROVIDE A QUICK FIX RIGHT ***NOW***!

 

focus on the client VPN part and LET OUR USERS - WHO *WANT*/*NEED* TO WORK FROM HOME IN THIS DIFFICULT AND URGENT SITUATION - ACCESS OUR INTERNAL NETWORKS!!!

 

i am currently stopping linux updates of libreswan, because DH2/modp1024 is no longer supported as of v3.30 (February 2020) "pluto: Disable support for DH2/modp1024 at compile time [Paul]", but required by client VPN. ipsec supports more than 1 ike algo in phase1, but support can only *switch* to DH14/modp2048.

… and by the way, the docs on https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method do still speak about DH5/modp1536 which is not possible to switch to according to the support team. [Case 04926942].
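An audit for the DH-group problem described in the post above, added here as an example (it is not code from the post, from libreswan or from Meraki): it scans an ipsec.conf for "ike=" proposals that still use DH2/modp1024 or DH5/modp1536. The sample configuration and connection names are constructed, and the parser assumes the simple "conn" / indented "key=value" layout shown.

```python
import re

# libreswan spellings for MODP groups: "modpNNNN" and the "dhN" alias
# (the alias table is an assumption of this example, kept to common groups).
DH_ALIASES = {"dh2": "modp1024", "dh5": "modp1536", "dh14": "modp2048",
              "dh15": "modp3072", "dh16": "modp4096"}

# Groups to flag. RFC 8247 rates both as SHOULD NOT (for IKEv2); the post
# above notes libreswan 3.30 disables DH2/modp1024 at compile time.
WEAK_GROUPS = {
    "modp1024": "DH2, 1024-bit MODP",
    "modp1536": "DH5, 1536-bit MODP",
}

# Constructed sample, not a real deployment.
SAMPLE_CONF = """\
# constructed sample configuration
conn office-l2tp
    keyexchange=ike
    ike=aes128-sha1;modp1024
    esp=aes128-sha1
    type=transport

conn branch-site
    ike=aes256-sha2_256;dh14,aes128-sha1;modp1536
    esp=aes256-sha2_256
"""


def dh_groups(proposal):
    """Return the normalised MODP groups named in one ike= proposal."""
    groups = []
    for token in re.split(r"[;\-+]", proposal.strip().lower()):
        token = DH_ALIASES.get(token, token)
        if re.fullmatch(r"modp\d+", token):
            groups.append(token)
    return groups


def audit(conf_text):
    """Return (conn, line number, proposal, group) for each weak DH group."""
    findings = []
    conn = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        header = re.match(r"conn\s+(\S+)", line)   # section header at column 0
        if header:
            conn = header.group(1)
            continue
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip() != "ike":        # only phase 1 proposals
            continue
        for proposal in value.split(","):
            for group in dh_groups(proposal):
                if group in WEAK_GROUPS:
                    findings.append((conn, lineno, proposal.strip(), group))
    return findings


if __name__ == "__main__":
    for conn, lineno, proposal, group in audit(SAMPLE_CONF):
        print(f"line {lineno}: conn {conn}: '{proposal}' uses "
              f"{group} ({WEAK_GROUPS[group]})")
```

A connection whose only proposal is flagged here stops negotiating once the local IKE daemon drops that group, which is the situation the post describes.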

Hopefully some of Meraki’s team will be able to concentrate more on getting this sorted if they are working from home themselves!!!

I'm getting ready to pitch the OpenVPN Access Server seriously at work right now due to this. Most people don't have an issue connecting, but when they do I have to rebuild the damn VPN connection every time 😞

@CharlieCrackle 
"Just for info.  I have been having the same issue.  If users are getting IPv6 addresses, Telstra (Australia) IPv6 to IPv4 GW does not support L2TP VPN.  What I have found is if I disable the IPv6 protocol on the WiFi or Ethernet adapter that the VPN is running on, then the device gets an IPv4 address and the GW is bypassed and it works.  But we do need IPv6 support and a better VPN client for Windows ASAP.  It is Meraki's biggest shortcoming.  Need Client VPN to work like SD-WAN does.  "It just works"  without me having to TeamViewer to the client's machine to set it up every time."

That works for BT over here in the UK but not for Sky Internet and for some inexplicable reason we have many users on Sky.  

[Image: Selection_999(3766).png]

nikiwaibel

 

I agree with your sentiment. But for a VPN to work over IPV6, the MX would need to have IPV6 address management, subnet management, routing management and perhaps even 6 to 4 and 4 to 6 if your internal network is IPV4 only.

 

The next update from Meraki on IPV6 will come in April.  Perhaps there will be an Alpha or Beta then.

Dave Anderson

We now have half of our employees using my thrown together pfSense/OpenVPN solution due to the IPv6/VPN issues with the Meraki MX. It's not looking good for license renewal for Meraki right now. We may as well just move everyone over and wave Meraki good bye and send the other guys who assist me with infrastructure on pfSense courses. It won't be easy to persuade the boss to pay up after all the grief we've been having. 

 

 

 

Thorsten
Getting noticed

Personally, to use Meraki MX as my home office firewall, these are the IPv6 features I am using now with "not-an-MX" and am looking for in an MX.

- Prefix Delegation with Prefix Hint
- Dynamic assignment of delegated /64 prefixes from the larger /60 or /56 (see hint) to different interfaces - some physical some VLAN
- DHCPv6-lite to hand out DNS (others, NOT Android)
- RDNSS to hand out DNS (Android, others)
- Option to use either delegated or "system" DNS for DHCPv6-lite / RDNSS

That gets me going as a replica of my current setup. 

Nice to have would be:
DNS64/NAT64 including the ability to have that work from PD-assigned prefixes

And of course v6 firewalling / content inspection / VPN features.

I know the potential list of v6 capabilities is far greater, and Enterprises will have an additional wish list. The above is what I consider "the essentials" for a SOHO setup.

All opinions mine, not speaking as an employee, and so on.

I am running out of solutions for customers now.   Telstra in Australia is using IPV6 on their mobile network with an IP6 to IP4 GW which does not support l2tp VPN

 

Up till now I have been disabling IPV6 on the client to get around this

 

I now have IOS devices with the same issue and you can NOT disable IPV6 on IOS.  so VPN on IOS does not work any more.

 

Need IPV6 support   or anyconnect VPN client support..  URGENTLY  as now supplying non meraki gear to fix these issues.

I had to put the Meraki in Pass through mode, and using PFSense on my front end for Router, there I configure VPN. Open VPN etc.  Then use Ipsec as forwards to the Meraki so it's still in play.

I have brand new MX100 sitting on rack waiting for iPV6 Options till then pfsense is boss.

@Dudleydogg Given the VPN issues we are seeing with our MX64 I am really close to switching to a pfSense box at the office. We are all work from home right now and most people have multiple VPN pauses a day, not working too well for us 😞

We've migrated nearly everyone over to the pfSense/OpenVPN I set up on a couple of old Dell servers we had lying around. We're getting much more reliable connections and don't have any IPv6 issues. The number of support calls has really dropped and the pfSense servers are hardly breaking a sweat. 

 

 

@AAVH, given how pfSense is currently offering FREE “zero to ping” it's really tempting to me.

smccloud1,

Please keep in mind that the specs for an MX64 are a maximum of 50 concurrent VPN users and a total of 100mbps VPN throughput.

- Dave

Dave Anderson

@DHAnderson We have around 36 users and a 50Mbps connection, and problem happens even with a single user on the VPN.

I too have abandoned Meraki and went Fortigate firewall and Ubiquiti switches/wifi.  If anyone needs Fortigate pricing let me know.

micah-cmedics,

This board is for Community based support for Meraki, not a general product board. Please refrain from trying to sell competing products here.
Dave Anderson

Interesting you mentioned the Fortigate. We just moved most our equipment to them. Couldn't be happier. Full IPv6 support. And the VPN works great. Certainly a larger learning curve but if you already know firewalls this is the way to go.

 

Also, the security is muuuuuch better on the Fortigate. We ran a test and put a fortigate between our MX and our switches with port mirroring on to see what the MX was missing. In 7 days the MX missed over 34,000 IPS attempts. Pretty sad.

 

I love my Meraki's don't get me wrong... but..... they are way way behind now. It's sad to watch such a great brand die.

It's not too bad, meraki is allow all and block things you don't want, where fortigate is more of granular allow what you want and get very specific, but it's not overly daunting.

i have used all the firewall players over the years and currently very happy.  I would love to see meraki do something, it really is that with current times, too little too late.

micah-cmedics
 
The main strength of Meraki is that they are cloud managed from the start.  They did not take a local managed device, slap a dongle on it and make the same dated interface in the cloud.

The second strength of Meraki is the Dashboard.  All devices, all clients. The Dashboard benefits go on and on.

The third strength of Meraki is zero touch deployment.  Configure the device once you get Claim key.  The device lands in some distant city, or state, or country and gets mounted and powered up and is working in minutes.  And there it is, in the Dashboard.

The 4th strength of Meraki is the extras, the API, Insight and Systems Manager.

So while an individual piece of Meraki hardware may be missing a feature, the overall benefit is still tremendous compared to competitors.
Dave Anderson

I totally agree. The remote management and ease of configuration on the Meraki devices is absolutely brilliant. Saves me a world of headaches in that I can delegate management to other guys without needing to send them on courses or hold their hands. And if there is a visit from Captain Cockup you can always fix it remotely. Something no other firewall devices have that I'm aware of. Its a great comfort blanket. 

However, despite all those wonderful features (which is why we all bought Meraki in the first place), if they don't fulfil a fundamental functionality need you have right now then they may as well be paperweights and right now that's what they are for my company with the entire company working from home. We've migrated everyone to pfSense/OpenVPN due to the issues with Meraki client VPN. 

 

We have a 100MBit Internet connection and a 20 user maximum at any one time as the company operates in two shifts. We've been peaking at about 15 users and averaging 10 or 11 since the outbreak.  

 

Bovie2K
Getting noticed

Meraki Team, Please show this thread to management. IPv6, IKEv2 and Anyconnect for client VPN are HUGE missing features. You see many customers are jumping ship because they have no choice; they are complaining because they WANT to continue to use the product but can't. We know you are working on it but we as customers need/deserve a roadmap and timeline of when these features will be live so we can plan accordingly. Please no more an update in x months.

In their February IPV6 update, Meraki said that if they stay on schedule, there will be "exciting" news in April.  Let's hope they are staying on schedule!

 

 

Dave Anderson

@DHAnderson you mean they will start on it in April?

smccloud1,

No. In the IPv6 @ Meraki they did not mention what the exciting news was, just that there would be some, if schedules go as planned. Given the shift to working at home due to Covid19, I would be surprised if schedules don't slip.

They also stated there could be beta testing over the next couple of months, so the news could be a formal announcement of a beta plan.

We have 30 days to find out

Dave Anderson

Hi Everyone!

 

I am a long time lurker not poster, but here goes since I noticed an update in the IPv6 @ Meraki thread and wanted to get it in front of everyone in this thread as some may not be aware of or following the update thread.


TLDR: Improvements to client VPN functionality to handle IPv6 only clients to connect through a NAT64 from their providers

https://community.meraki.com/t5/Full-Stack-Network-Wide/IPv6-Meraki/m-p/81683/highlight/true#M1465

If you have IPv6 only connectivity and are leveraging NAT64, I urge you to share with the community your ISP and whether your setup works or doesn't.

 

Stay safe & healthy!

 

Cheers,

 

-Raul
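For anyone collecting the information requested above, an added example (not part of the original post and not Meraki code) that tells whether a client sits behind NAT64: it applies the RFC 7050 check, looking for the well-known addresses of ipv4only.arpa inside the AAAA answers at the RFC 6052 byte positions, and also decodes the IPv4 target of a synthesized address. The function names are hypothetical; the IPv4 address in the last comment is the dashboard address quoted earlier in this thread.

```python
import ipaddress
import socket

# RFC 7050: ipv4only.arpa only has A records, 192.0.0.170 and 192.0.0.171.
# An AAAA answer for it therefore means a DNS64 resolver synthesized it.
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}

# RFC 6052 section 2.2: byte offsets of the four IPv4 octets inside the IPv6
# address for each allowed prefix length (byte 8 is reserved and skipped).
LAYOUT = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}


def embedded_ipv4(addr, prefix_len):
    """Extract the IPv4 address embedded in an IPv4-converted IPv6 address."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv4Address(bytes(packed[i] for i in LAYOUT[prefix_len]))


def discover_nat64_prefix(aaaa_answers):
    """Return the NAT64 prefix implied by AAAA answers for ipv4only.arpa.

    Returns None when no answer embeds a well-known address, i.e. the
    resolver is not doing DNS64 for this client.
    """
    for answer in aaaa_answers:
        for prefix_len in LAYOUT:
            if embedded_ipv4(answer, prefix_len) in WELL_KNOWN_V4:
                return ipaddress.IPv6Network(f"{answer}/{prefix_len}",
                                             strict=False)
    return None


def lookup_ipv4only_arpa():
    """Live AAAA lookup through the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo("ipv4only.arpa", None, socket.AF_INET6)
    except socket.gaierror:
        return []          # no AAAA answer: no DNS64 on this path
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    prefix = discover_nat64_prefix(lookup_ipv4only_arpa())
    print("NAT64 prefix:", prefix if prefix else "none detected")
    # Constructed address: what 108.161.147.44 looks like behind 64:ff9b::/96
    print(embedded_ipv4("64:ff9b::6ca1:932c", 96))
```

Reporting the detected prefix along with the ISP name makes "works / doesn't work" reports comparable between carriers.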

Hi Hi together!
Big thanks to you Meraki Guys that you finally started to implement IPv6!
Recognized it round about a week ago, when my switch got an IPv6 address after a reboot.

Just Lovely!

 

For your request:

ISP:
1&1 Versatel Germany

Outgoing connections:
All perfect

 

Ingoing:
Client to FW
-not possible-

What model switch and what version firmware?

Before I replaced my Sonicwall firewall with a MX65, I had it setup to get an IPV6 /60 subnet from Charter. My MS220-8P and MR33 picked up the correct subnet and IPV6 addresses.  They also passed on Router Announcements to clients who also got IPV6 addresses on the correct subnet.

 

So while there may be more work on the complete product line, the big push is most likely re-architecting the MX to support a new more complex IP protocol, and the work they have done making sure the Meraki site, dashboard and backend support IPV6.

Dave Anderson

My switches used to have IPV6 addresses and it went away and the setting is grayed out now.

what did you do to enable this feature?

SopheakMang
Building a reputation

currently MX seems to not yet support an IPV6 solution

T-4 Days before time runs out for an IPV6 announcement that was forecast last February.

Kudos to the team for testing out the NAT64 VPN! I wonder if Covid19 has had a negative impact on the development schedule in other ways.

Dave Anderson

The Meraki IPV6 team made their April announcement.

 

Understandably, the schedule has slipped.  In a former life I was a software developer then software development manager, then director of product development.  I am so glad I do not have that responsibility now.  Covid 19 shelter in place will butcher any development schedule.  I cannot imagine trying to write software at home if there are children present!  The power of a team is also broken as communication and camaraderie is pushed through a tiny set of wires.

 

 

Dave Anderson

Where did they make their announcement?

@JackTaugher 

 

They made their post in this forum:

 

IPv6 @ Meraki

Dave Anderson

Does anyone know if the MX is capable of tunneling IPv6 over IPv4?

 

Related to GIF (Generic tunnel Interface) / NAT passing IP protocol 41?

 

https://tools.ietf.org/html/rfc2473

cmr
Kind of a big deal

@tfriedrich I don't believe so, there is progress on ipv6 for MR that is in closed beta but I don't believe there is an MX ipv6 beta yet available.

tfriedrich
Getting noticed

Can someone explain what effect having ipv6 in just the MR would have without the MX?  You couldn't route IPv6 to Internet without MX right?  Even if MS and MR lines had 100% support for ipv6, unless it's purely for internal site traffic, what is the benefit without the MX's involvement?

Been wondering that myself. It seems to me that IPv6 support at the edge is the most important thing to get fixed. There isn't a shortage of private IPv4 addresses. They should make the MX the priority for IPv6 support. 

 

cmr
Kind of a big deal

Not everyone is full stack Meraki.  We have ~150 Meraki devices including ~25MXs but they are not used for corporate Internet edge.  Our existing Internet edge devices do have full ipv6 support so MR and MS ipv6 support would have some value to us, albeit it would be much more useful if the MX SD-WAN tunnels could carry ipv6 over ipv4 even if they didn't have full ipv6 support.

nikiwaibel
Getting noticed

as of https://community.meraki.com/t5/Full-Stack-Network-Wide/IPv6-Meraki/m-p/96763/highlight/true#M1593, we should get an update in the next few days:


We expect our next official update to be in October. In the meantime, stay safe and healthy.

hopefully they read the stuff in this thread as well. roadmap and timeline would be nice.

October has come and gone, November is also done. My license will expire before I can use my MX. Meraki should offer license extensions for anyone using an MX that paid for a license but can't use the device as public-facing on WAN.

MichelRueger
Building a reputation

I am on the last Beta Software and still no support for IPv6!! Only passthrough mode.

I agree with all of you since Meraki has joined Cisco it is not going better.

The MX license I bought is withering away and the router is sitting in a box waiting.  

i found out that the page with the order form for meraki trial installations is not working with ipv6, you will be redirected immediately to the dashboard login page instead of showing the correct trial form. If you disable IPv6 on your device everything works fine.. strange situation which should be fixed.

 Have we STILL not got IPv6 support???? All I want to be able to do is VPN into my MX64 from a mobile phone, which unfortunately beyond my control is ipv6!

 

The Error message I get whenever I attempt a client VPN connection:

 

msg: unsupported ID type 5

 

it's been years now!!!!! COME ON MERAKI!!!!

Meraki, please make sure your most routable device, being an MX gets IPv6 fully compliant.

LAN + WAN +DHCP, DNS, VPN tunnels, and NETSEC L3

This is a very weird fact, Meraki is very reluctant to answer and provide a proper roadmap and very slow at incorporating it in their ecosystem.

 

I understand, Meraki is an enterprise solution, but even then IPv6 cannot be ignored any longer.

 

Competitors are much further on the IPv6 roadmap:

 

SD-WAN configuration for IPv6 (fortinet.com)

cmr
Kind of a big deal

@Peter-Loyen I'd agree, but DHCP isn't often part of the IPv6 spec as SLAAC is supposed to be used and implemented by default on BT's HomeHub for example. 

DHAnderson
Head in the Cloud

 

I agree Meraki is behind the market for IPV6 compatibility.  That said, they have been implementing IPV6 on the MS and MR line, as well as getting the dashboard available by IPV6.

 

The MX is the toughest as it has the most IPV6 features to implement.  I do not know what the internal architecture is, but I am willing to bet it was not designed to be dual stack.

 

There is supposed to be another IPV6 announcement in January, so it should come soon.

Dave Anderson

February Now Still sitting on the Shelf my pretty MX100 Licence expiring and it has 0 hours usage.

Let's hope something happens soon, but if this thread is correct and Dual-Stack is not possible, does that mean we have to replace all our current equipment?

I did not say Dual Stack was not possible, just that the original software was likely not designed with dual stack in mind. 

 

It is always possible to redesign software, it just takes time to get it right.

 

-Dave

Dave Anderson

Did Meraki announce anything about IPv6 yet this year like they were going to?

Noah_Salzman
Meraki Alumni (Retired)

This thread is where Meraki posts the latest developments regarding IPv6.

 

https://community.meraki.com/t5/Full-Stack-Network-Wide/IPv6-Meraki/m-p/53677

SLAAC serves LAN subnets (i.e /64 subnets).

Larger deployments /subnets, or dynamic WAN IPv6 assignment, benefits from DHCPv6 and RA.

Look at it from the POV of an ISP / MSP

 

I think both should be possible

 

Do you agree?

cmr
Kind of a big deal

@Peter-Loyen I do agree I would want DHCPv6, just not sure it will form part of the first iteration as a lot of MX installs could get by without it.

 

We use DHCP on about 1/3 of our MXs for instance, the others are all gateways for networks where the switches run the DHCP service and as that is per local VLAN it *could* be done via SLAAC in an IPv6 world if needed.

Dudleydogg
A model citizen

We are not Full-Stack because we are actively using IPV6 I have MX's sitting new in the box waiting

I had to put my old Sonicwall in front of my MX so I could join the beta for the MR.

 

One reason to start with the MR is that Meraki has sold more MR devices than MS or MX.  So you are giving the most users IPV6.

 

Another reason is that the MX is most likely the most complicated.  It probably requires a new architecture.

 

- Dave

Dave Anderson