Showing results for 
Search instead for 
Did you mean: 

How to configure IPv6 in SD-Access (SDA) with Cisco DNAC 1.3


Chapter 1 – IPv6 in SD-Access Overview

Starting from Cisco SD-Access 1.3, IPv6 clients are supported. The underlay of the network (RLOC) still remains as IPv4. The detailed use cases are listed below.

Fabric switches need to be on 16.11.1c release. For wireless controller, the minimum software version needs to be 8.8.

To download the images:

IPv6 Host Onboarding

Fabric devices are configured to support onboarding an IPv6 client into the SD-Access fabric that has IPv4 underlay, both for wired and wireless client. IPv4 and IPv6 host are able to coexist in one VLAN, i.e. dual-stack.


Client IP address assignment supports static IP, SLAAC and DHCP. DHCP server is configured to have only IPv6 address.

L3 Handoff

L3 Handoff for IPv6 subnet is supported. IPv6 users should be able to connect to IPv6 content via default border to internet or via fabric border to enterprise DC.

Chapter 2 – IPv6 Configuration in Cisco DNAC

DHCP Address for IPv6

Make sure DHCP server is configured for IPv6. Go to Design > Network Settings > Network and make sure IPv6 DHCP server is enabled.

IPv6 also has a feature called SLAAC which is enabled by default if CIDR is /64. SLAAC can be enabled or disabled only if CIDR is /64. Both DHCP and SLAAC can be enabled at the same time. If so, the host will get IPv6 addresses from both DHCP server and SLAAC. Also, DNS servers can be configured with IPv6. ISE, Syslog and SNMP server still use IPv4. 


IPv6 Address Pool

Address pools can be IPv4 only or dual-stack. IPv6 address assignment can use static IP, SLAAC and/or DHCP. There is no support for IPv6 only.

Dual stack pools cannot be assigned to Infra VN (APs and extended nodes).

Step 1. Make sure IPv6 Address pool for Campus (user access), IoT (user access), BorderHandoff (IP Pool between Border and Fusion Router) is configured.

Go to Design > Network Settings > IP Address Pools > Global and make sure the following IP Address Pools are created:   Campus, IoT, BorderHandoff. Enter IP address details for AP, Campus, IoT, Guest, Border handoff and Multicast Global IP Pools as shown in the following screenshots. 

Screen Shot 2019-07-23 at 6.20.08 PM.png

You should see the following Pools created in Global:


Step 2. Make sure that IP Pool reservation is done for San Jose site. We will be reserving the IP Pools for the site we will be provisioning the devices to. In the hierarchy on the left side, choose Building 22.

When you navigate to the building, the following message appears. It explains the functioning of the hierarchy within Cisco DNA Center and how the network settings can be inherited (assigned) for the child sites in the hierarchy. To prevent its re-appearance, check Don’t show again. Click OK to continue.

On San Jose Site, click Reserve IP Pool to make a reservation for this building. Follow the screenshots shown below to reserve IP Pools (for AP, Campus, IoT, and Border Handoff) for Building 22.

The AP Pool will be IPv4 only. Right now, dual stack is not supported for wireless access points.


You should see the following Pools reserved for SJC at the end of this.


Step 4. Make sure the following VN’s are created in the Policy page:  Campus_VN, IoT_VN, Guest_VN



Provision the Fabric

Step 1. Make sure all the devices in Provision > Global are all assigned to the site and in the Managed State.



Step 2. Make sure all the SJC Fabric and Transit Networks are created.


Step 3. In Fabric, assign the roles of Border, Control Plane, and Edge devices. 



Host Onboarding

Step 4. Configure an IP Pool for each VN in Provision > Fabric > Host Onboarding so that Wired and Wireless Clients can have IPv6 Address.

Go to  Provision > Fabric > Host Onboarding > Virtual Networks.

The AP’s will be part of the INFRA_VN for Cisco DNA Center’s PnP host onboarding feature.  Click on the Infra-VN and click on Add on top right.


In the Add IP Pool section, select the AP-Pool from the drop down menu of IP. Ensure Pool Type is set to AP.  Also, make sure that AP-Pool is only a IPv4 pool and not dual stack as this is not supported currently. Click Update.


We can add more than one pool to the VN or hit x on top right to get to the main screen.


The VN will turn blue indicating there is an active IP Pool associated with it.


Repeat the steps for adding Campus IP Pool to Campus_VN, IoT IP Pool under IoT VN and Guest IP Pool  under Guest_VN.  However, select Data as the Traffic Type. 

Screen Shot 2019-07-23 at 6.29.32 PM.png

Port Assignment

The topology has 2 Windows PC connected to both FE switches on Gig1/0/3 on both. 

Cisco DNA Center allows authentication templates to be applied to all Edge nodes and all ports through the global template configured earlier. Cisco DNAC also allows you to override the template and select a different authentication type. For the AP, we will be using the No Authentication security template, which is different from the global authentication template configured earlier (Closed Authentication). Scroll to the bottom of the Host Onboarding page.

In the Select Port Assignment area, choose FE1-9300-03 from the left-hand side and select ports GigabitEthernet1/0/3 and click Assign.


In the side window that opens, from the Connected Device Type drop-down list, choose User Devices. In Address Pool, select Campus-Pool or IoT-Pool. From the Auth Template drop-down list, choose Closed Authentication. Click Update.


Verify the config and click Apply to push the configuration to the Fabric Edge switches.



This concludes the configuration from Cisco DNAC User Interface.

IPv6 Host

Check if the host connected to the ports got an IP address or not and try to ping the default gateway.




You can go to next section to verify the configuration in CLI.

Chapter 3 – Verify IPv6 Config in CLI

After Provisioning Fabric, go to all the devices in CLI to make sure all the configuration got pushed.

Border Node

Verify VRF config and EID

INT-BOR#sh vrf

  Name                             Default RD            Protocols   Interfaces

  Campus_VN                        1:4099                ipv4,ipv6   Vl3001



  DEFAULT_VN                       1:4098                ipv4,ipv6   Vl3004


  Guest_VN                         1:4100                ipv4,ipv6   Vl3005


  IoT_VN                           1:4101                ipv4,ipv6   Vl3003



  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0

Verify IPv6 interface configuration

In the below output, 2005::1, 2005::5, 2005::9, 2005::D, 2005::11 are IPv6 VLAN interfaces configured by Cisco DNAC based on the IP Pools.


INT-BOR#sh ipv6 interface brief

Vlan1                  [up/up]


Vlan3001               [up/up]



Vlan3002               [up/up]



Vlan3003               [up/up]



Vlan3004               [up/up]



Vlan3005               [up/up]



GigabitEthernet0/0     [administratively down/down]






Verify connectivity to DHCP IPv6 server

INT-BOR#ping vrf Campus_VN ipv6 ACE::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to ACE::1, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 2/4/11 ms


Verify VRF on FE

FE1-9300-03#sh vrf

  Name                             Default RD            Protocols   Interfaces

  Campus_VN                        <not set>             ipv4,ipv6   LI0.4099


  DEFAULT_VN                       <not set>             ipv4,ipv6   LI0.4098

  Guest_VN                         <not set>             ipv4,ipv6   LI0.4100

  IoT_VN                           <not set>             ipv4,ipv6   LI0.4101


  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0



Verify connectivity to DHCP IPv6 server

Below output shows that to reach DHCP server IP of ACE::1 we have to go to which is the Border Node and Border Node has access to DHCP server.


FE1-9300-03# lig instance-id 4099 ACE::1

Mapping information for EID ACE::1 from with RTT 132 msecs

ACE::/64, uptime: 00:00:00, expires: 23:59:59, via map-reply, complete

  Locator  Uptime    State      Pri/Wgt     Encap-IID  00:00:00  route-rejec 10/10


INT-BOR#ping vrf Campus_VN ipv6 ACE::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to ACE::1, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 2/4/11 ms


Verify Interface Configuration

Below interface gig 1/0/3 is what we Assigned from Cisco DNAC as a Campus Pool. Campus VLAN is 1022 with IPv4 address of and IPv6 address of 2003::1/64.

FE1-9300-03#sh run int gig 1/0/3

Building configuration...

Current configuration : 202 bytes


interface GigabitEthernet1/0/3

 switchport access vlan 1022

 switchport mode access

 device-tracking attach-policy IPDT_MAX_10

 load-interval 30

 no macro auto processing

 spanning-tree portfast




FE1-9300-03#sh run int vlan 1022

Building configuration...

Current configuration : 567 bytes


interface Vlan1022

 description Configured from Cisco DNA-Center

 mac-address 0000.0c9f.f45d

 vrf forwarding Campus_VN

 ip address

 ip helper-address

 no ip redirects

 ip route-cache same-interface

 no lisp mobility liveness test

 lisp mobility Campus-Pool-IPV4

 lisp mobility Campus-Pool-IPV6

 ipv6 address 2003::1/64

 ipv6 enable

 ipv6 nd managed-config-flag

 ipv6 nd other-config-flag

 ipv6 nd router-preference High

 ipv6 dhcp relay destination ACE::1

 ipv6 dhcp relay source-interface Vlan1022

 ipv6 dhcp relay trust