Understanding IPv6 Exceptions and Best Practices

The IPv6 best practices are provided below:

Ensure that you enable IPv6 globally.
The uplink port must be trusted. This is the same behavior as IPv4.
Ensure that the validuser session ACL does not block IPv6 traffic.
There must not be any ACLs that drop ICMPv6 or DHCPv6 traffic. It is acceptable to drop DHCPv6 traffic if the deployment uses Stateless Address Auto Configuration (SLAAC) only.
If an external device provides RA:
It is not recommended to advertise too many prefixes in RA.
The controller supports a maximum of four IPv6 user entries in the user table. If a client uses more than four IPv6 addresses at a time, the user table is refreshed with the latest four active entries without disrupting the traffic flow. However, this may have some performance impact.
Enable BCMC Optimization under interface VLAN to drop any random IPv6 multicast traffic. DHCPv6, ND, NS, and RA traffic are not dropped when you enable this option.


It is recommended to enable BCMC Optimization only if mDNS traffic is not used in the network, as mDNS traffic gets dropped if this option is enabled.

It is not recommended to enable preemption on the master redundancy model. If preemption is disabled and if there is a failover, the new primary controller remains the primary controller even when the original master is online again. The new primary controller does not revert to its original state unless forced by the administrator. Disabling preemption prevents the master from “flapping” between two controllers and allows the administrator to investigate the cause of the outage.
While selecting a source address, the number of common bits between each source address in the list, is checked from the left most bit. This is followed by selection of the source address that has the maximum number of matching bits with the destination address. If more than one source addresses has the same number of matching bits with the destination address, the kernel selects that source address that is most recently configured on the system. It is essential that the administrator/user configures the network appropriately, if a particular VLAN interface needs to be selected as the source. For example, in case of Dot1x authentication the administrator/user can configure the source interface appropriately so that it is selected for authentication process. For more information on IPv6 source address selection, see RFC 3848.

ArubaOS does not support the following functions for IPv6 clients:

The controller offers limited routing services to IPv6 clients, so it is recommended to use an external IPv6 router for a complete routing experience (dynamic routing).
VoIP ALG is not supported for IPv6 clients.
Remote AP supports IPv6 clients in tunnel forwarding mode only. The Remote AP bridge and split-tunnel forwarding modes do not support IPv6 clients. Secure Thin Remote Access Point (STRAP) cannot support IPv6 clients.
IPSec is not supported over IPv6.
IPv6 Auto configuration and IPv6 Neighbor Discovery mechanisms does not apply to IPv6 tunnels.
Tunnel Encapsulation Limit, Tunnel-group, and MTU discovery options on IPv6 tunnels are not supported.
IPSec is not supported in this release, so IPv6 GRE cannot be used for master-local setup.