Re: IPv6 fc00::/7 — Unique local addresses

Ray Soucy rps at maine.edu
Thu Oct 21 20:50:19 UTC 2010


And since someone asked me for it off-list, example PACL for IOS to
filter RAs and DHCPv6 server traffic on incoming ports:

On each switch:

ipv6 access-list RA_Guard
 deny icmp any any router-advertisement
 deny udp any eq 547 any eq 546
 permit ipv6 any any
end

And on each switchport:

ipv6 traffic-filter RA_Guard in

Your mileage may vary.  This was written for Catalyst 3560s and 3750s.
Obviously you wouldn't apply it on the port your uplink is on.

On Thu, Oct 21, 2010 at 4:08 PM, Ray Soucy <rps at maine.edu> wrote:
> Also,
>
> Keep in mind that DHCPv6 uses a DUID for host identification and not a
> MAC address.
>
> Here is an example ISC DHCPd configuration for an IPv6 network without
> open pool allocation (it will only respond for hosts in the config).
>
> # subnet6 for each network
> subnet6 FD00:1234:5678:9ABC::/64 {
>   option dhcp6.name-servers FD00:1234:5678:9ABC::2, FD00:1234:5678:9ABC::3;
> }
>
> # host for each host
> host soucy-desktop.domain.net {
>   host-identifier option dhcp6.client-id 00:01:00:01:11:ee:71:12:00:1a:a0:da:ba:7f;
>   fixed-address6 FD00:1234:5678:9ABC::A;
> }
>
> I believe the new version of ISC DHCPd has added code to be able to
> determine the MAC address instead of using a DUID, but I haven't
> tested it personally.
>
> On Thu, Oct 21, 2010 at 3:59 PM, Ray Soucy <rps at maine.edu> wrote:
>> I think you're misunderstanding how DHCPv6 works.  Don't think of it
>> like DHCP that you're used to.
>>
>> DHCPv6 requires an IPv6 router advertisement to work.  There are three
>> flags of interest in a router advertisement.
>>
>> One of them is the "A" (autonomous) flag which is enabled by default
>> in almost every implementation I've seen.  This is what signals a host
>> that it is permitted to use stateless configuration with the prefix.
>>
>> There are also "M" (managed) and "O" (other) flags.  The "M" flag being
>> set signals the host that it should start a DHCPv6 client and make a
>> request for an address, the "O" flag signals that the host should ask
>> for "other" or additional configuration information through DHCPv6
>> (e.g. DNS servers).
>>
>> None of the flags are exclusive, so you can enable DHCPv6 by setting
>> the M flag, but unless you disable the A flag, hosts will still use
>> stateless configuration (in addition to DHCPv6, and receive two
>> addresses).
>>
>> If you want a DHCPv6-only environment, you simply disable the A flag
>> on the router advertisement.  This will stop hosts from using
>> stateless with the advertised prefix.
>>
>> The default gateway for the network is learned through the router
>> advertisement, not through DHCPv6, which is why it doesn't exist in
>> DHCPv6.
>>
>> Example IOS configuration:
>>
>> interface Vlan123
>>  description Test IPv6 Network
>>  ipv6 address FD00:1234:5678:9ABC::1/64
>>  no ipv6 unreachables
>>  ipv6 nd prefix default 2592000 604800 no-autoconfig
>>  ipv6 nd managed-config-flag
>>  ipv6 nd other-config-flag
>>  ipv6 nd router-preference High
>>  no ipv6 redirects
>>  ipv6 verify unicast source reachable-via rx
>>  ipv6 eigrp 123
>>  ipv6 dhcp relay destination FD00:1234:5678:9ABC::2
>>  ipv6 dhcp relay destination FD00:1234:5678:9ABC::3
>>
>> The "ipv6 nd prefix ... no-autoconfig" statement is what you're
>> looking for.  You need to type out timers to be able to get to it.
>> The values shown are just the Cisco defaults.
>>
>> On Thu, Oct 21, 2010 at 3:43 PM, Luca Tosolini <bit.gossip at chello.nl> wrote:
>>> On Thu, 2010-10-21 at 14:19 -0400, Ray Soucy wrote:
>>>
>>>> We've decided to disable SLAAC (State-Less Address Auto-Configuration)
>>>> on almost all our IPv6 networks and use DHCPv6 exclusively.  This
>>>> allows us to only respond with DHCPv6 to the hosts we want to get an
>>>> IPv6 address instead of enabling it network-wide and crossing your
>>>> fingers.  The disadvantage here is that DHCPv6 client support is still
>>>> limited (OS X has none for example).  The argument is that IPv6 isn't
>>>> mission critical yet, so we're waiting to see if vendors will come
>>>> around and include DHCPv6 client support in the future.
>>>>
>>>
>>> Ray,
>>> how do you convey the default-router information with DHCPv6 only?  AFAIK
>>> there is no such field in DHCPv6...
>>>
>>> Luca.
>>>
-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
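The RA_Guard PACL at the top of this message and the M/O/A flag discussion in the quoted replies describe the same mechanism from two sides: which Router Advertisements a port should accept, and what a host does with the flags in the ones it does accept. As an added example that is not part of any post in this thread (and not Cisco or ISC code), the Python script below builds constructed RAs, decodes the header M/O flags and the Prefix Information option's A flag, reports what a compliant host would do with them, and checks the source link-layer address against an allow-list of known routers, which is the monitoring-side counterpart of the PACL. The MAC addresses (RFC 7042 documentation range), the 2001:db8::/64 prefix and all packet bytes are constructed for the example; the fd00:1234:5678:9abc::/64 prefix and the 2592000/604800 lifetimes are reused from the thread.

```python
"""Decode ICMPv6 Router Advertisements and audit them as RA guard would.

Constructed example for this thread: RA header flags M/O, Prefix
Information option flag A, and an allow-list check of the source
link-layer address.  Checksums stay zero; nothing here touches the wire.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO = 1, 3
RA_M, RA_O = 0x80, 0x40    # RA header flags: managed / other-config
PIO_L, PIO_A = 0x80, 0x40  # prefix option flags: on-link / autonomous


@dataclass
class Prefix:
    prefix: str
    length: int
    autonomous: bool        # A flag: host may use SLAAC with this prefix
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RouterAdvertisement:
    managed: bool           # M flag: run a DHCPv6 client for an address
    other: bool             # O flag: use DHCPv6 for DNS and other config
    router_lifetime: int    # non-zero: sender is a candidate default router
    source_mac: Optional[str] = None
    prefixes: List[Prefix] = field(default_factory=list)


def build_ra(src_mac, managed, other, prefix, plen, autonomous, router_lifetime=1800):
    """Assemble a constructed RA: ICMPv6 header + source LLA + prefix info option."""
    flags = (RA_M if managed else 0) | (RA_O if other else 0)
    # type, code, checksum(0), cur hop limit, flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    slla = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    # lifetimes 2592000 / 604800 are the Cisco defaults quoted in the thread
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen,
                      PIO_L | (PIO_A if autonomous else 0), 2592000, 604800, 0)
    return hdr + slla + pio + ipaddress.IPv6Address(prefix).packed


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Decode an ICMPv6 payload (starting at the ICMPv6 header) as an RA."""
    if len(payload) < 16:
        raise ValueError("too short for an RA header")
    t, code, _csum, _hlim, flags, lifetime = struct.unpack("!BBHBBH", payload[:8])
    if t != ICMPV6_RA or code != 0:
        raise ValueError("not a router advertisement")
    ra = RouterAdvertisement(bool(flags & RA_M), bool(flags & RA_O), lifetime)
    off = 16  # options follow reachable time and retrans timer
    while off < len(payload):
        if off + 2 > len(payload) or payload[off + 1] == 0:
            raise ValueError("bad option header")  # RFC 4861: discard the packet
        otype, olen = payload[off], payload[off + 1]
        body = payload[off + 2: off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated option body")
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra.source_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref, _ = struct.unpack("!BBIII", body[:14])
            ra.prefixes.append(Prefix(str(ipaddress.IPv6Address(body[14:30])),
                                      plen, bool(pflags & PIO_A), valid, pref))
        off += olen * 8  # unknown option types are skipped, as the RFC requires
    return ra


def host_behaviour(ra: RouterAdvertisement) -> dict:
    """What a compliant host does with this RA, per the M/O/A semantics."""
    return {
        "slaac": any(p.autonomous for p in ra.prefixes),
        "dhcpv6_address": ra.managed,
        "dhcpv6_other": ra.managed or ra.other,   # stateful DHCPv6 carries other config too
        "default_router": ra.router_lifetime > 0,  # learned here, never from DHCPv6
    }


def audit_ra(payload: bytes, allowed_router_macs: List[str]):
    """Report RAs that RA_Guard would drop or that contradict a DHCPv6-only design."""
    ra = parse_ra(payload)
    findings = []
    if ra.source_mac is None:
        findings.append("no source link-layer address option")
    elif ra.source_mac not in {m.lower() for m in allowed_router_macs}:
        findings.append(f"RA from unlisted router {ra.source_mac}")
    findings += [f"prefix {p.prefix}/{p.length} has A set (SLAAC allowed)"
                 for p in ra.prefixes if p.autonomous]
    return ra, findings


if __name__ == "__main__":
    routers = ["00:00:5e:00:53:01"]  # constructed allow-list (RFC 7042 documentation MACs)
    good = build_ra(routers[0], True, True, "fd00:1234:5678:9abc::", 64, False)
    rogue = build_ra("00:00:5e:00:53:ff", False, False, "2001:db8::", 64, True)
    for name, pkt in (("good", good), ("rogue", rogue)):
        ra, findings = audit_ra(pkt, routers)
        print(name, host_behaviour(ra), findings)
```

The "good" RA mirrors the quoted Vlan123 configuration (M and O set, prefix advertised with no-autoconfig), so host_behaviour reports DHCPv6 for addresses and no SLAAC; the "rogue" RA comes from an unlisted MAC with the A flag set and produces two findings. Feeding the parser real captures requires the ICMPv6 payload only, so strip the Ethernet and IPv6 headers first.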