And since someone asked me for it off-list, example PACL for IOS to filter RAs and DHCPv6 server traffic on incoming ports:

On each switch:

  ipv6 access-list RA_Guard
   deny icmp any any router-advertisement
   deny udp any eq 547 any eq 546
   permit any any
  end

And on each switchport:

  ipv6 traffic-filter RA_Guard in

Your mileage may vary. This was written for Catalyst 3560s and 3750s. Obviously you wouldn't apply it on the port your uplink is on.

On Thu, Oct 21, 2010 at 4:08 PM, Ray Soucy <rps@maine.edu> wrote:
Also,
Keep in mind that DHCPv6 uses a DUID for host identification and not a MAC address.
Here is an example ISC DHCPd configuration for an IPv6 network without open pool allocation (it will only respond for hosts in the config).
  # subnet6 for each network
  subnet6 FD00:1234:5678:9ABC::/64 {
    option dhcp6.name-servers FD00:1234:5678:9ABC::2, FD00:1234:5678:9ABC::3;
  }

  # host for each host
  host soucy-desktop.domain.net {
    host-identifier option dhcp6.client-id 00:01:00:01:11:ee:71:12:00:1a:a0:da:ba:7f;
    fixed-address6 FD00:1234:5678:9ABC::A;
  }
I believe the new version of ISC DHCPd has added code to be able to determine the MAC address instead of using a DUID, but I haven't tested it personally.
On Thu, Oct 21, 2010 at 3:59 PM, Ray Soucy <rps@maine.edu> wrote:
I think you're misunderstanding how DHCPv6 works. Don't think of it like DHCP that you're used to.
DHCPv6 requires an IPv6 router advertisement to work. There are three flags of interest in a router advertisement.
One of them is the "A" (autonomous) flag which is enabled by default in almost every implementation I've seen. This is what signals a host that it is permitted to use stateless configuration with the prefix.
There are also "M" (managed) and "O" (other) flags. The "M" flag being set signals the host that it should start a DHCPv6 client and make a request for an address; the "O" flag signals that the host should ask for "other" or additional configuration information through DHCPv6 (e.g. DNS servers).
None of the flags are exclusive, so you can enable DHCPv6 by setting the M flag, but unless you disable the A flag, hosts will still use stateless configuration (in addition to DHCPv6, and receive two addresses).
If you want a DHCPv6-only environment, you simply disable the A flag on the router advertisement. This will stop hosts from using stateless with the advertised prefix.
The default gateway for the network is learned through the router advertisement, not through DHCPv6, which is why it doesn't exist in DHCPv6.
Example IOS configuration:
  interface Vlan123
   description Test IPv6 Network
   ipv6 address FD00:1234:5678:9ABC::1/64
   no ipv6 unreachables
   ipv6 nd prefix default 2592000 604800 no-autoconfig
   ipv6 nd managed-config-flag
   ipv6 nd other-config-flag
   ipv6 nd router-preference High
   no ipv6 redirects
   ipv6 verify unicast source reachable-via rx
   ipv6 eigrp 123
   ipv6 dhcp relay destination FD00:1234:5678:9ABC::2
   ipv6 dhcp relay destination FD00:1234:5678:9ABC::3
The "ipv6 nd prefix ... no-autoconfig" statement is what you're looking for. You need to type out timers to be able to get to it. The values shown are just the Cisco defaults.
On Thu, Oct 21, 2010 at 3:43 PM, Luca Tosolini <bit.gossip@chello.nl> wrote:
On Thu, 2010-10-21 at 14:19 -0400, Ray Soucy wrote:
We've decided to disable SLAAC (State-Less Address Auto-Configuration) on almost all our IPv6 networks and use DHCPv6 exclusively. This allows us to only respond with DHCPv6 to the hosts we want to get an IPv6 address instead of enabling it network-wide and crossing your fingers. The disadvantage here is that DHCPv6 client support is still limited (OS X has none for example). The argument is that IPv6 isn't mission critical yet, so we're waiting to see if vendors will come around and include DHCPv6 client support in the future.
Ray, how do you convey the default-router information with DHCPv6 only. AFAIK there is no such field in DHCPv6...
Luca.
-- Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/
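Added worked example, not part of the thread above and not Ray's, Cisco's or ISC's code. It serves two points from the thread: the RA flag discussion (A versus M/O) behind the Vlan123 config, and the note that DHCPv6 identifies hosts by DUID rather than MAC. The script builds the ICMPv6 Router Advertisement that config would emit (M and O set, prefix advertised with A cleared), decodes it the way a host does so the "two addresses" case is visible, and parses the DUID-LLT from the dhcpd host entry to recover the MAC it was generated from. Packet layout follows RFC 4861 and RFC 8415; the checksum is left at zero because the sending router or kernel fills it in. The prefix, lifetimes and client-id are the values from the thread; everything else (function names, the constructed DUID-EN in the usage note) is my own.

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement (RFC 4861 s4.2) and Prefix Information
# option (s4.6.2). The A flag lives in the option, M and O in the RA header.
ICMPV6_RA = 134
RA_FLAG_M = 0x80      # managed: start a DHCPv6 client and request an address
RA_FLAG_O = 0x40      # other: fetch DNS etc. via DHCPv6 information-request
PIO_TYPE = 3
PIO_FLAG_L = 0x80     # on-link
PIO_FLAG_A = 0x40     # autonomous: prefix may be used for SLAAC


def build_ra(managed, other, prefixes, hop_limit=64, router_lifetime=1800):
    """ICMPv6 payload of an RA; checksum left 0 for the sender to fill in.
    prefixes: iterable of (prefix, autonomous, valid_lifetime, preferred_lifetime)."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags,
                     router_lifetime, 0, 0)
    for prefix, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
        # type, length in 8-octet units, prefix len, flags, valid, preferred,
        # reserved, prefix (32 bytes total, so length = 4)
        ra += struct.pack("!BBBBIII16s", PIO_TYPE, 4, net.prefixlen, pflags,
                          valid, preferred, 0, net.network_address.packed)
    return ra


def host_decision(ra):
    """Decode an RA as a host does: which prefixes permit SLAAC, and whether
    to run DHCPv6 for an address and/or for other configuration."""
    if len(ra) < 16 or ra[0] != ICMPV6_RA:
        raise ValueError("not a router advertisement")
    flags = ra[5]
    decision = {
        "dhcpv6_address": bool(flags & RA_FLAG_M),
        "dhcpv6_other": bool(flags & RA_FLAG_O),
        "slaac_prefixes": [],
    }
    off = 16
    while off + 2 <= len(ra):
        otype, olen = ra[off], ra[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard packet
        end = off + olen * 8
        if end > len(ra):
            raise ValueError("truncated ND option")
        if otype == PIO_TYPE and olen == 4:
            plen, pflags, valid, _pref, _res, raw = struct.unpack(
                "!BBIII16s", ra[off + 2:end])
            # A clear (IOS "no-autoconfig"): prefix is advertised as on-link
            # but the host must not form a SLAAC address from it.
            if pflags & PIO_FLAG_A and valid > 0:
                decision["slaac_prefixes"].append(
                    f"{ipaddress.IPv6Address(raw)}/{plen}")
        off = end
    return decision


def expected_addresses(decision):
    """Global addresses a host ends up with: one per SLAAC prefix, plus one
    from DHCPv6 when M is set (the 'two addresses' case in the thread)."""
    return len(decision["slaac_prefixes"]) + (1 if decision["dhcpv6_address"] else 0)


def duid_to_mac(duid_hex):
    """Best-effort MAC recovery from a DUID (RFC 8415 s11). Only DUID-LLT (1)
    and DUID-LL (3) over Ethernet (hw type 1) embed a link-layer address;
    DUID-EN (2) and DUID-UUID (4) do not. Even for LLT it is the MAC of
    whatever interface existed when the DUID was first generated, so treat
    it as a hint, not an identity."""
    raw = bytes.fromhex(duid_hex.replace(":", ""))
    if len(raw) < 4:
        return None
    duid_type, hw_type = struct.unpack("!HH", raw[:4])
    if duid_type == 1 and hw_type == 1:
        lladdr = raw[8:]     # 4-byte timestamp sits between hw type and address
    elif duid_type == 3 and hw_type == 1:
        lladdr = raw[4:]
    else:
        return None
    if len(lladdr) != 6:
        return None
    return ":".join(f"{b:02x}" for b in lladdr)


if __name__ == "__main__":
    net = "FD00:1234:5678:9ABC::/64"
    dhcp_only = build_ra(True, True, [(net, False, 2592000, 604800)])  # Vlan123 as configured
    both = build_ra(True, True, [(net, True, 2592000, 604800)])        # A left at default
    for name, ra in (("no-autoconfig", dhcp_only), ("default A", both)):
        d = host_decision(ra)
        print(name, d, "addresses:", expected_addresses(d))
    print(duid_to_mac("00:01:00:01:11:ee:71:12:00:1a:a0:da:ba:7f"))
```

Running it shows the Vlan123 RA yielding no SLAAC prefixes and one DHCPv6 address, while the same RA with A left set yields one SLAAC prefix plus the DHCPv6 lease, i.e. two global addresses. The client-id from the dhcpd entry decodes as DUID-LLT with hardware type 1 and MAC 00:1a:a0:da:ba:7f, which is why the 3560/3750 PACL above can key on ports 546/547 but a server-side host match cannot simply key on MAC. A DUID-EN such as the constructed 00:02:00:00:00:09:0c:c0:84:d3:03:00:09:12 returns None because it carries no link-layer address at all.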