Tuesday, January 1, 2013

DHCPv6 on Cisco IOS routers

Today's blog is about DHCPv6 server setup on Cisco IOS routers. Everybody seems to remember SLAAC and its stateless autoconfig (aka autoconf) setup, but most people forget there's a DHCPv6 component. Since IPv6 address spaces are huge, we need a means of easy addressing for individual clients.


To start off, my DHCP server is a simple 3825 ISR router. In these examples both the server and the client run software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M4.

Okay, so let's get to work. The order of tasks is simple:

1st, we build a pool:


  ipv6 dhcp pool myip6pool
   address prefix 2001:111::/64
   dns-server 2001:200::1
   dns-server 2001:200::2
   domain-name hyperfeed.net
   sip address 2001:333::1
   sip address 2001:333::2
   sntp address 2001:222::111
   sntp address 2001:222::112
   information refresh 1
  !

2nd, we validate the pool:

  router3825#show ipv6 dhcp pool
  DHCPv6 pool: myip6pool
    Address allocation prefix: 2001:111::/64 valid 172800 preferred 86400 (0 in use, 0 conflicts)
    DNS server: 2001:200::1
    DNS server: 2001:200::2
    Domain name: hyperfeed.net
    SIP server address: 2001:333::1
    SIP server address: 2001:333::2
    SNTP server address: 2001:222::111
    SNTP server address: 2001:222::112
    Information refresh: 86400
   Active clients: 0
  router3825#



3rd, we apply the pool to the interface. This is the opposite of the classic IPv4 method, where the DHCP server configuration is global.

  !
  interface GigabitEthernet0/1
   ipv6 address 2001:111::1/64
   ipv6 enable
   ipv6 nd dad attempts 3
   ipv6 nd managed-config-flag
   ipv6 nd other-config-flag
   ipv6 nd router-preference High
   ipv6 dhcp server myip6pool
 end


The key point to take away here: the managed and other config flags have to be set under the interface's IPv6 neighbor discovery settings. Now that we have set the server side up, let's look at the client. The client setup is as simple as 1-2-3.

1st, we enable IPv6 and set the address to be DHCP:


  config t
    int gi 0/1
      description "yet another cisco router being a ipv6  dhcp-client"
      ipv6 enable
      ipv6 address dhcp
  end



2nd, here's how the client looks:

cisco3825#show ipv6 interface gi0/1       
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::221:D8FF:FE63:E11
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:111::349D:B08F:6170:3D6, subnet is 2001:111::349D:B08F:6170:3D6/128
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF63:E11
    FF02::1:FF70:3D6
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
cisco3825#show ipv6 interface gi0/1 prefix
IPv6 Prefix Advertisements GigabitEthernet0/1
Codes: A - Address, P - Prefix-Advertisement, O - Pool
       U - Per-user prefix, D - Default
       N - Not advertised, C - Calendar

PD default [LA] Valid lifetime 2592000, preferred lifetime 604800
AD 2001:111::349D:B08F:6170:3D6/128 [LA] Valid lifetime 2592000, preferred lifetime 604800
cisco3825#



cisco3825#sh run int gi 0/1
Building configuration...

Current configuration : 125 bytes
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 ipv6 address dhcp
 ipv6 enable
end


And here's the DHCPv6 server binding on the DHCP server:

router3825#show ipv6 dhcp binding
Client: FE80::221:D8FF:FE63:E11
  DUID: 000300010021D8630E10
  Username : unassigned
  IA NA: IA ID 0x00030001, T1 43200, T2 69120
    Address: 2001:111::349D:B08F:6170:3D6
            preferred lifetime 86400, valid lifetime 172800
            expires at Jan 04 2013 02:05 AM (172611 seconds)
router3825#



Okay, let's look at some debugging on the Cisco console. You might want to understand what's happening between the two.

config t
logging console
do debug ipv6 dhcp detail
!
!
!
default int gi 0/1
! re-enter interface configuration mode before changing the port
int gi 0/1
shut
!
ipv6 enable
ipv6 address dhcp
no shut
!


*Jan  2 02:20:47.319: IPv6 DHCP: Unconfiguring DNS server 2001:200::1
*Jan  2 02:20:47.319: IPv6 DHCP: Unconfiguring DNS server 2001:200::2
*Jan  2 02:20:47.319: IPv6 DHCP: Unconfiguring domain name hyperfeed.net
*Jan  2 02:20:47.319: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
*Jan  2 02:20:47.319: IPv6 DHCP: DHCPv6 address changes state from OPEN to RELEASE (ADDR_SHUTDOWN) on GigabitEthernet0/1
*Jan  2 02:20:48.407: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
*Jan  2 02:20:49.491: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
*Jan  2 02:20:51.567: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
*Jan  2 02:20:55.467: IPv6 DHCP: DHCPv6 address changes state from RELEASE to IDLE (ADDR_TIMEOUT) on GigabitEthernet0/1


And are you ready? :)

cisco3825(config)#default interface gi 0/1
GigabitEthernet0/1: Setting default media-type to RJ45
Interface GigabitEthernet0/1 set to default configuration
cisco3825(config)#
*Jan  2 02:38:36.115: IPv6 DHCP: Unconfiguring DNS server 2001:200::1
*Jan  2 02:38:36.115: IPv6 DHCP: Unconfiguring DNS server 2001:200::2
*Jan  2 02:38:36.115: IPv6 DHCP: Unconfiguring domain name hyperfeed.net
*Jan  2 02:38:36.115: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
*Jan  2 02:38:36.115: IPv6 DHCP: DHCPv6 address changes state from OPEN to RELEASE (ADDR_SHUTDOWN) on GigabitEthernet0/1
*Jan  2 02:38:37.067: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not senti
*Jan  2 02:38:38.127: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
% Ambiguous command:  "i"
cisco3825(config)#int
*Jan  2 02:38:40.119: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sentgi 0/1
cisco3825(config-if)#ipv6
*Jan  2 02:38:43.983: IPv6 DHCP: DHCPv6 address changes state from RELEASE to IDLE (ADDR_TIMEOUT) on GigabitEthernet0/1 ad
dress dhcp
cisco3825(config-if)#
*Jan  2 02:38:51.111: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
*Jan  2 02:38:52.219: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
*Jan  2 02:38:54.315: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sent
cisco3825(config-if)#
*Jan  2 02:38:58.179: IPv6 DHCP: IPv6 not ready on GigabitEthernet0/1, message not sentipv6 en
cisco3825(config-if)#
*Jan  2 02:39:03.951: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on GigabitEthernet0/1
*Jan  2 02:39:03.951: IPv6 DHCP: detailed packet contents
*Jan  2 02:39:03.951:   src FE80::221:D8FF:FE63:E11
*Jan  2 02:39:03.951:   dst FF02::1:2 (GigabitEthernet0/1)
*Jan  2 02:39:03.951:   type SOLICIT(1), xid 16496220
*Jan  2 02:39:03.951:   option ELAPSED-TIME(8), len 2
*Jan  2 02:39:03.951:     elapsed-time 0
*Jan  2 02:39:03.951:   option CLIENTID(1), len 10
*Jan  2 02:39:03.951:     000300010021D8630E10
*Jan  2 02:39:03.951:   option ORO(6), len 4
*Jan  2 02:39:03.951:     DNS-SERVERS,DOMAIN-LIST
*Jan  2 02:39:03.951:   option IA-NA(3), len 12
*Jan  2 02:39:03.951:     IAID 0x00030001, T1 0, T2 0
*Jan  2 02:39:03.951: IPv6 DHCP: Received ADVERTISE from FE80::21D:70FF:FE39:7F01 on GigabitEthernet0/1
*Jan  2 02:39:03.951: IPv6 DHCP: detailed packet contents
*Jan  2 02:39:03.951:   src FE80::21D:70FF:FE39:7F01 (GigabitEthernet0/1)
*Jan  2 02:39:03.951:   dst FE80::221:D8FF:FE63:E11 (GigabitEthernet0/1)
*Jan  2 02:39:03.951:   type ADVERTISE(2), xid 16496220
*Jan  2 02:39:03.951:   option SERVERID(2), len 10
*Jan  2 02:39:03.951:     00030001001D70397F00
*Jan  2 02:39:03.951:   option CLIENTID(1), len 10
*Jan  2 02:39:03.951:     000300010021D8630E10
*Jan  2 02:39:03.951:   option IA-NA(3), len 40
*Jan  2 02:39:03.951:     IAID 0x00030001, T1 43200, T2 69120
*Jan  2 02:39:03.951:     option IAADDR(5), len 24
*Jan  2 02:39:03.951:       IPv6 address 2001:111::79E7:8A77:46FC:9F8D
*Jan  2 02:39:03.951:       preferred 86400, valid 172800
*Jan  2 02:39:03.951:   option DNS-SERVERS(23), len 32
*Jan  2 02:39:03.951:     2001:200::1
*Jan  2 02:39:03.951:     2001:200::2
*Jan  2 02:39:03.951:   option DOMAIN-LIST(24), len 15
*Jan  2 02:39:03.951:     hyperfeed.net
*Jan  2 02:39:03.951:   option SIP-ADDRESS(22), len 32
*Jan  2 02:39:03.951:     2001:333::1
*Jan  2 02:39:03.951:     2001:333::2
*Jan  2 02:39:03.951:   option SNTP-ADDRESS(31), len 32
*Jan  2 02:39:03.951:     2001:222::111
*Jan  2 02:39:03.951:     2001:222::112
*Jan  2 02:39:03.951: IPv6 DHCP: Adding server FE80::21D:70FF:FE39:7F01
*Jan  2 02:39:05.075: IPv6 DHCP: Sending REQUEST to FF02::1:2 on GigabitEthernet0/1
*Jan  2 02:39:05.075: IPv6 DHCP: detailed packet contents
*Jan  2 02:39:05.075:   src FE80::221:D8FF:FE63:E11
*Jan  2 02:39:05.075:   dst FF02::1:2 (GigabitEthernet0/1)
*Jan  2 02:39:05.075:   type REQUEST(3), xid 16511105
*Jan  2 02:39:05.075:   option ELAPSED-TIME(8), len 2
*Jan  2 02:39:05.075:     elapsed-time 0
*Jan  2 02:39:05.075:   option CLIENTID(1), len 10
*Jan  2 02:39:05.075:     000300010021D8630E10
*Jan  2 02:39:05.075:   option ORO(6), len 4
*Jan  2 02:39:05.075:     DNS-SERVERS,DOMAIN-LIST
*Jan  2 02:39:05.075:   option SERVERID(2), len 10
*Jan  2 02:39:05.075:     00030001001D70397F00
*Jan  2 02:39:05.075:   option IA-NA(3), len 40
*Jan  2 02:39:05.075:     IAID 0x00030001, T1 0, T2 0
*Jan  2 02:39:05.075:     option IAADDR(5), len 24
*Jan  2 02:39:05.075:       IPv6 address 2001:111::79E7:8A77:46FC:9F8D
*Jan  2 02:39:05.075:       preferred 86400, valid 172800
*Jan  2 02:39:05.075: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on GigabitEthernet0/1
*Jan  2 02:39:05.075: IPv6 DHCP: Received REPLY from FE80::21D:70FF:FE39:7F01 on GigabitEthernet0/1
*Jan  2 02:39:05.075: IPv6 DHCP: detailed packet contents
*Jan  2 02:39:05.075:   src FE80::21D:70FF:FE39:7F01 (GigabitEthernet0/1)
*Jan  2 02:39:05.075:   dst FE80::221:D8FF:FE63:E11 (GigabitEthernet0/1)
*Jan  2 02:39:05.075:   type REPLY(7), xid 16511105
*Jan  2 02:39:05.075:   option SERVERID(2), len 10
*Jan  2 02:39:05.075:     00030001001D70397F00
*Jan  2 02:39:05.075:   option CLIENTID(1), len 10
*Jan  2 02:39:05.075:     000300010021D8630E10
*Jan  2 02:39:05.075:   option IA-NA(3), len 40
*Jan  2 02:39:05.075:     IAID 0x00030001, T1 43200, T2 69120
*Jan  2 02:39:05.075:     option IAADDR(5), len 24
*Jan  2 02:39:05.075:       IPv6 address 2001:111::79E7:8A77:46FC:9F8D
*Jan  2 02:39:05.075:       preferred 86400, valid 172800
*Jan  2 02:39:05.075:   option DNS-SERVERS(23), len 32
*Jan  2 02:39:05.075:     2001:200::1
*Jan  2 02:39:05.075:     2001:200::2
*Jan  2 02:39:05.075:   option DOMAIN-LIST(24), len 15
*Jan  2 02:39:05.075:     hyperfeed.net
*Jan  2 02:39:05.075:   option SIP-ADDRESS(22), len 32
*Jan  2 02:39:05.075:     2001:333::1
*Jan  2 02:39:05.075:     2001:333::2
*Jan  2 02:39:05.075:   option SNTP-ADDRESS(31), len 32
*Jan  2 02:39:05.075:     2001:222::111
*Jan  2 02:39:05.075:     2001:222::112
*Jan  2 02:39:05.075: IPv6 DHCP: Processing options
*Jan  2 02:39:05.075: IPv6 DHCP: Adding address 2001:111::79E7:8A77:46FC:9F8D/128 to GigabitEthernet0/1
*Jan  2 02:39:05.075: IPv6 DHCP: T1 set to expire in 43200 seconds
*Jan  2 02:39:05.075: IPv6 DHCP: T2 set to expire in 69120 seconds
*Jan  2 02:39:05.075: IPv6 DHCP: Configuring DNS server 2001:200::1
*Jan  2 02:39:05.075: IPv6 DHCP: Configuring DNS server 2001:200::2
*Jan  2 02:39:05.075: IPv6 DHCP: Configuring domain name hyperfeed.net
*Jan  2 02:39:05.075: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on GigabitEthernet0/1
cisco3825(config-if)#

NOTE: we can validate our address by issuing another "show ipv6 interface" command.


One last point I would like to make everyone aware of: the managed and other flags that we configured are hints, and NOT 100% enforcement of the client's selection of address method (SLAAC or DHCP). Here's why: the same Cisco IOS client that I'm showing in this example is now configured for SLAAC (autoconfig).

cisco3825(config-if)#int gi 0/1
cisco3825(config-if)#ipv6 en
cisco3825(config-if)#ipv6 enable
cisco3825(config-if)#ipv6 address autoconfig
cisco3825(config-if)#



Okay, it still sent a local DHCP solicitation request for other information to be configured, and if a local DHCPv6 server is present, it will provide those details:


( look here )


*Jan  2 02:40:53.819: IPv6 DHCP: Sending INFORMATION-REQUEST to FF02::1:2 on GigabitEthernet0/1
*Jan  2 02:40:53.819: IPv6 DHCP: detailed packet contents
*Jan  2 02:40:53.819:   src FE80::221:D8FF:FE63:E11
*Jan  2 02:40:53.819:   dst FF02::1:2 (GigabitEthernet0/1)
*Jan  2 02:40:53.819:   type INFORMATION-REQUEST(11), xid 16619851
*Jan  2 02:40:53.819:   option ELAPSED-TIME(8), len 2
*Jan  2 02:40:53.819:     elapsed-time 0
*Jan  2 02:40:53.819:   option CLIENTID(1), len 10
*Jan  2 02:40:53.819:     000300010021D8630E10
*Jan  2 02:40:53.819:   option ORO(6), len 6
*Jan  2 02:40:53.819:     DNS-SERVERS,DOMAIN-LIST,INFO-REFRESH
*Jan  2 02:40:53.819: IPv6 DHCP: DHCPv6 changes state from IDLE to INFORMATION-REQUEST (STATELESS) on GigabitEthernet0/1
*Jan  2 02:40:53.819: IPv6 DHCP: Received REPLY from FE80::21D:70FF:FE39:7F01 on GigabitEthernet0/1
*Jan  2 02:40:53.819: IPv6 DHCP: detailed packet contents
*Jan  2 02:40:53.819:   src FE80::21D:70FF:FE39:7F01 (GigabitEthernet0/1)
*Jan  2 02:40:53.819:   dst FE80::221:D8FF:FE63:E11 (GigabitEthernet0/1)
*Jan  2 02:40:53.819:   type REPLY(7), xid 16619851
*Jan  2 02:40:53.819:   option SERVERID(2), len 10
*Jan  2 02:40:53.819:     00030001001D70397F00
*Jan  2 02:40:53.819:   option CLIENTID(1), len 10
*Jan  2 02:40:53.819:     000300010021D8630E10
*Jan  2 02:40:53.819:   option DNS-SERVERS(23), len 32
*Jan  2 02:40:53.819:     2001:200::1
*Jan  2 02:40:53.819:     2001:200::2
*Jan  2 02:40:53.819:   option DOMAIN-LIST(24), len 15
*Jan  2 02:40:53.819:     hyperfeed.net
*Jan  2 02:40:53.819:   option SIP-ADDRESS(22), len 32
*Jan  2 02:40:53.819:     2001:333::1
*Jan  2 02:40:53.819:     2001:333::2
*Jan  2 02:40:53.819:   option SNTP-ADDRESS(31), len 32
*Jan  2 02:40:53.819:     2001:222::111
*Jan  2 02:40:53.819:     2001:222::112
*Jan  2 02:40:53.819:   option INFO-REFRESH(32), len 4
*Jan  2 02:40:53.819:     86400
*Jan  2 02:40:53.819: IPv6 DHCP: Adding server FE80::21D:70FF:FE39:7F01
*Jan  2 02:40:53.819: IPv6 DHCP: Processing options
*Jan  2 02:40:53.819: IPv6 DHCP: Configuring DNS server 2001:200::1
*Jan  2 02:40:53.819: IPv6 DHCP: Configuring DNS server 2001:200::2
*Jan  2 02:40:53.819: IPv6 DHCP: Configuring domain name hyperfeed.net
*Jan  2 02:40:53.819: IPv6 DHCP: DHCPv6 changes state from INFORMATION-REQUEST to IDLE (REPLY_RECEIVED) on GigabitEthernet0/1




show ipv6 int gi 0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::221:D8FF:FE63:E11
  No Virtual link-local address(es):
  Stateless address autoconfig enabled
  Global unicast address(es):
    2001:111::221:D8FF:FE63:E11, subnet is 2001:111::/64 [EUI/CAL/PRE]
      valid lifetime 2591983 preferred lifetime 604783
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF63:E11
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.

So the client still autoconfigures its IPv6 address, using its 64-bit address obtained from its MAC address, and it also found the local prefix offered via the DHCP server's router advertisement.
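
As an added example (not from the original post; the function names are hypothetical), this Python sketch reverses the modified EUI-64 mapping to show which of the addresses seen in this post expose the interface MAC and which are opaque identifiers such as the DHCPv6-assigned one:

```python
import ipaddress

def eui64_mac(addr):
    """MAC address embedded in a modified EUI-64 interface ID, or None if absent."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # EUI-64 inserts ff:fe between the two MAC halves. A random interface ID can
    # contain ff:fe by chance, so treat a hit as a strong hint, not proof.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the universal/local bit back
    return ":".join(f"{b:02x}" for b in mac)

def slaac_address(prefix, mac):
    """Address a host forms from an advertised /64 and its MAC using modified EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def classify(addresses):
    """Map each address to 'eui64 <mac>' or 'opaque' (DHCPv6-assigned, privacy or static)."""
    out = {}
    for a in addresses:
        mac = eui64_mac(a)
        out[a] = f"eui64 {mac}" if mac else "opaque"
    return out

# Addresses taken from the command outputs in this post.
PAGE_ADDRESSES = [
    "2001:111::349D:B08F:6170:3D6",  # router client, DHCPv6 binding
    "2001:111::221:D8FF:FE63:E11",   # same router after "ipv6 address autoconfig"
    "2001:111::21f:5bff:feea:afa",   # MacBook, autoconf
]

if __name__ == "__main__":
    for addr, kind in classify(PAGE_ADDRESSES).items():
        print(addr, "->", kind)
```
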

Last, here's my MacBook set up for autoconf; this is what the DHCPv6 server sees:


router3825#debug ipv6 dhcp det
   IPv6 DHCP debugging is on (detailed)
router3825#
*Jan  2 03:15:38.751: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
*Jan  2 03:15:40.755: IPv6 DHCP: Add routes, pool myip6pool, idb GigabitEthernet0/1

==========macbook========

kenfelix1$ ifconfig en0 inet6
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
    inet6 2001:111::21f:5bff:feea:afa prefixlen 64 autoconf
 

Notice nothing?

That's right, the Mac does not send any solicit messages to the DHCPv6 server, but it still picks up the IPv6 address via autoconf (SLAAC). It never sent any type of solicitation for any other DHCPv6 information. By the way, this is Mac OS X 10.6.8; maybe Lion is different.



Key points to take away from all this:

  • IPv6 offers both stateless (SLAAC) and stateful (DHCPv6) address assignment; the latter can also provide other non-address information (e.g. DNS/NTP/SIP/WINS servers, domain search list, domain name, etc.)
  • DHCPv6 is not widely used in all OSes
  • A host can still compute its EUI address regardless of whether a DHCPv6 server is currently present
  • DHCPv6 uses the host's link-local address and IPv6 multicast for solicitations towards a DHCPv6 server
  • The Cisco DHCPv6 server is simple and straightforward to deploy
  • The "show ipv6 dhcp pool" command will show you DHCPv6 pool information
  • rapid-commit reduces the overhead of server/client solicits and replies
  • The "clear ipv6 dhcp binding" command will allow you to flush DHCPv6 bindings in the same fashion as IPv4
  • Not all IOS code sets have DHCPv6 server support; YMMV, so check the software feature navigator
  • Not all IOS code sets have the ability to assign an address to their interfaces via DHCPv6
  • Rogue DHCPv6 server protection, as of my last checkup, is lacking in almost ALL routers/L3 switches
  • By default, Cisco IPv6 router interfaces participate in router advertisements with no special config options required beyond enabling IPv6 on the interface(s)
  • SLAAC is the most popular means of addressing, followed by static and lastly DHCPv6, from my experience and engagement with IPv6 over the last ten+ years
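
The rogue-server point above can at least be monitored from a client's own "debug ipv6 dhcp detail" output. This added example (not from the original post; the function names are hypothetical, and the second ADVERTISE in the sample is constructed) lists every server that answered and flags any SERVERID outside an expected set:

```python
import re

# Constructed sample: the first ADVERTISE reuses lines from the debug output in
# this post; the second sender and its SERVERID are invented for illustration
# (00:00:5e:00:53:xx is the documentation MAC range).
SAMPLE_LOG = """\
*Jan  2 02:39:03.951: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on GigabitEthernet0/1
*Jan  2 02:39:03.951:   option CLIENTID(1), len 10
*Jan  2 02:39:03.951:     000300010021D8630E10
*Jan  2 02:39:03.951: IPv6 DHCP: Received ADVERTISE from FE80::21D:70FF:FE39:7F01 on GigabitEthernet0/1
*Jan  2 02:39:03.951:   option SERVERID(2), len 10
*Jan  2 02:39:03.951:     00030001001D70397F00
*Jan  2 02:39:03.960: IPv6 DHCP: Received ADVERTISE from FE80::200:5EFF:FE00:5301 on GigabitEthernet0/1
*Jan  2 02:39:03.960:   option SERVERID(2), len 10
*Jan  2 02:39:03.960:     0003000100005E005301
"""

HDR = re.compile(r"IPv6 DHCP: (Received|Sending) (\S+) (?:from|to) (\S+) on (\S+)")
OPT = re.compile(r"option ([A-Z-]+)\(\d+\), len \d+")

def decode_duid(hexstr):
    """Return (duid_type, link-layer address or None) for DUID-LLT (1) and DUID-LL (3)."""
    raw = bytes.fromhex(hexstr)
    dtype = int.from_bytes(raw[:2], "big")
    offset = {1: 8, 3: 4}.get(dtype)  # skip type + hwtype (+ 4-byte time for LLT)
    if offset is None:
        return dtype, None
    return dtype, ":".join(f"{b:02x}" for b in raw[offset:])

def servers_seen(log):
    """List (message, source, interface, server DUID) for each ADVERTISE/REPLY received."""
    seen, cur, want_duid = [], None, False
    for line in log.splitlines():
        hdr, opt = HDR.search(line), OPT.search(line)
        if hdr:
            cur, want_duid = None, False  # a new packet dump starts here
            if hdr.group(1) == "Received" and hdr.group(2) in ("ADVERTISE", "REPLY"):
                cur = [hdr.group(2), hdr.group(3), hdr.group(4), None]
                seen.append(cur)
        elif opt:
            want_duid = cur is not None and opt.group(1) == "SERVERID"
        elif want_duid and line.split():
            # The option value is printed on the line after the option header.
            cur[3], want_duid = line.split()[-1].upper(), False
    return [tuple(s) for s in seen]

def unexpected_servers(log, allowed_duids):
    """Server messages whose SERVERID is missing or not in the expected set."""
    return [s for s in servers_seen(log) if s[3] not in allowed_duids]

if __name__ == "__main__":
    for msg, src, ifc, duid in unexpected_servers(SAMPLE_LOG, {"00030001001D70397F00"}):
        print(f"unexpected DHCPv6 server: {msg} from {src} on {ifc}, DUID {duid}")
```

The DUID is self-asserted by the sender, so a match is a sanity check rather than authentication. In this post's capture the server DUID carries 00:1d:70:39:7f:00 while its link-local source maps to a MAC ending in 7f:01, so build the expected set from the DUID as seen on the wire.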

Once again, I hope that you find this information helpful and useful in the near future.

Ken Felix
Freelance Network & Security Professional (ipv4 to ipv6 migration specialist )
kfelix @ hyperfeed  dot com
