IPv6 Implementation - Cisco ASA5512 and Windows DHCPv6

Posted on 2016-10-31
Last Modified: 2016-11-01
So I have been trying to get IPv6 up and going internally and a big part of that is getting our DHCP server to hand out addresses to clients instead of using autoconfig. However, it has been a huge pain in the rear end. Basically, I am learning that with DHCPv6, there is no concept of a default gateway as a configurable DHCPv6 option like dns servers. So basically, this results in the client getting an IP address but no DG and it can't talk to anything. If I modify the Cisco ASA interface config to allow it to advertise itself as the default router to the clients on that interface, the clients cease to get IPs from the DHCP server and start getting autoconfig addresses. I have provided two scenarios below that represent what is happening with the "ipv6 nd suppress-ra" command enabled and disabled.

If someone could please help me figure out how to successfully hand out DHCPv6 to my clients and still allow the Cisco ASA to send its default router advertisement, that would be great.

I have obfuscated the addresses a bit to make myself feel better about this post :-)

Scenario 1 - Autoconfig

ASA 5512
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ipv6 address 2600:1234:f7ea:1ab:a::1/64
 ipv6 enable
 ipv6 nd ra-lifetime 1801
 ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300

Windows DHCP Server
Can get out to internet via IPv6.
Scope:
2600:1234:f7ea:1ab::/64
Exclusions:
2600:1234:f7ea:1ab:: - 2600:1234:f7ea:1ab:c:ffff:ffff:ffff
2600:1234:f7ea:1ab:d:0:1:0 - 2600:1234:f7ea:1ab:ffff:ffff:ffff:ffff
(This means I should be handing out only 2600:1234:f7ea:1ab:d::xxxx addresses)
IP Address:
2600:1234:f7ea:1ab:c::11/64 (Statically configured in Windows NIC)
Default Gateways:
fe80::e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
2600:1234:f7ea:1ab:a::1 (Cisco ASA's manually configured global address) (Statically configured in Windows NIC)

Windows DHCP Client
Is not getting an IPv6 address from the DHCP server.
Can ping global and local addresses, including internal and internet addresses. Cannot resolve DNS.
IP Address:
Global
2600:1234:f7ea:1ab:55b:1234:1234:793f (Assigned via autoconfig I assume)
Link Local
fe80::55b:1234:1234:793f
Default Gateway:
fe80::e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
DNS Servers:
fec0:0:0:ffff::1
fec0:0:0:ffff::2
fec0:0:0:ffff::3


Scenario 2 - DHCPv6

I added suppress-ra to the interface config in order to get the DHCP server to successfully hand an address to the client.

ASA 5512
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ipv6 address 2600:1234:f7ea:1ab:a::1/64
 ipv6 enable
 ipv6 nd ra-lifetime 1801
 ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300
 ipv6 nd suppress-ra

Windows DHCP Server
Same as above

Windows DHCP Client
Is successfully getting an IPv6 address from the DHCP server but can't talk to any global or local addresses as far as I can tell
(If I manually enter the ASA's Inside interface global address as the DG, everything works fine)
IP Address:
2600:1234:f7ea:1ab:d::9418 (Assigned via DHCP)
Default Gateway:
None
DNS Servers:
2600:1234:f7ea:1ab:c::11
2001:4860:4860::8888
Question by:Andrew Watson

Accepted Solution

by: Andrew Watson (earned 0 total points)
ID: 41868557
I figured it out.

New Cisco ASA Inside interface config:
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ipv6 address fe80:c15c::1 link-local
 ipv6 address 2600:1234:f7ea:1ab:a::1/64
 ipv6 enable
 ipv6 nd ra-interval 3
 ipv6 nd ra-lifetime 0
 ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300 no-autoconfig
 ipv6 nd managed-config-flag
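The whole thread turns on three Router Advertisement (RA) fields that the ASA commands above toggle: the M flag (`ipv6 nd managed-config-flag`), the A flag on the Prefix Information option (cleared by `no-autoconfig`), and the Router Lifetime (`ipv6 nd ra-lifetime`). The Python below is an added example, not code from the original post, from Cisco or from Microsoft: it encodes and decodes those ICMPv6 RA fields per RFC 4861 and reports what a conformant host does with each RA. The two RAs at the bottom are constructed to mirror the scenario 1 config and the accepted solution (using the thread's already-obfuscated prefix); they are not packet captures. One caveat worth checking after applying the accepted config: RFC 4861 section 4.2 (and the ASA command reference) define a Router Lifetime of 0 as "this router is not a default router", which the decoder flags as `default_route: False`.

```python
"""Decode the Router Advertisement (RA) fields that decide what an IPv6 host
does: SLAAC, stateful DHCPv6, and whether it installs a default route
(RFC 4861 sections 4.2 and 4.6.2, RFC 4862). The RAs at the bottom are
constructed to mirror the ASA configs in this thread; they are not captures."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Network

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
RA_FLAG_MANAGED = 0x80      # M: obtain addresses via stateful DHCPv6
RA_FLAG_OTHER = 0x40        # O: obtain other config (DNS, ...) via DHCPv6
PIO_FLAG_ONLINK = 0x80      # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40  # A: prefix may be used for SLAAC


@dataclass
class PrefixInfo:
    prefix: IPv6Network
    on_link: bool
    autonomous: bool
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RouterAdvert:
    managed: bool
    other: bool
    router_lifetime: int  # seconds; 0 means "do not use me as a default router"
    prefixes: list = field(default_factory=list)


def build_ra(ra: RouterAdvert) -> bytes:
    """Serialise the ICMPv6 RA body (checksum left 0; it is computed over the
    IPv6 pseudo-header when the packet is actually sent)."""
    flags = (RA_FLAG_MANAGED if ra.managed else 0) | (RA_FLAG_OTHER if ra.other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    out = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                      ra.router_lifetime, 0, 0)
    for p in ra.prefixes:
        pflags = (PIO_FLAG_ONLINK if p.on_link else 0) | (PIO_FLAG_AUTONOMOUS if p.autonomous else 0)
        # Prefix Information option: type 3, length 4 (units of 8 octets) = 32 bytes
        out += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, p.prefix.prefixlen, pflags,
                           p.valid_lifetime, p.preferred_lifetime, 0,
                           p.prefix.network_address.packed)
    return out


def parse_ra(data: bytes) -> RouterAdvert:
    """Parse an RA body; unknown options are skipped, malformed ones rejected."""
    if len(data) < 16:
        raise ValueError("RA shorter than its 16-byte fixed header")
    (msg_type, _code, _csum, _hlim, flags, lifetime,
     _reach, _retrans) = struct.unpack("!BBHBBHII", data[:16])
    if msg_type != ND_ROUTER_ADVERT:
        raise ValueError(f"ICMPv6 type {msg_type} is not a Router Advertisement")
    ra = RouterAdvert(bool(flags & RA_FLAG_MANAGED), bool(flags & RA_FLAG_OTHER), lifetime)
    off = 16
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated ND option header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 4.6: discard the packet
        body = data[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("ND option runs past end of packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref, _rsvd, raw = struct.unpack("!BBIII16s", body[2:])
            ra.prefixes.append(PrefixInfo(IPv6Network((raw, plen), strict=False),
                                          bool(pflags & PIO_FLAG_ONLINK),
                                          bool(pflags & PIO_FLAG_AUTONOMOUS), valid, pref))
        off += olen * 8
    return ra


def host_behaviour(ra: RouterAdvert) -> dict:
    """What a conformant host does on receiving this RA."""
    return {
        "slaac": any(p.autonomous for p in ra.prefixes),  # A flag on any prefix
        "dhcpv6_address": ra.managed,                      # M flag
        "dhcpv6_other": ra.managed or ra.other,            # O is implied by M
        "default_route": ra.router_lifetime > 0,           # 0 = not a default router
    }


# Constructed to match the thread's (already obfuscated) prefix.
PREFIX = IPv6Network("2600:1234:f7ea:1ab::/64")
# Scenario 1: stock ASA RA, M clear, prefix with A set, router lifetime 1801.
SCENARIO1 = RouterAdvert(managed=False, other=False, router_lifetime=1801,
                         prefixes=[PrefixInfo(PREFIX, True, True, 300, 300)])
# Accepted solution: managed-config-flag, prefix no-autoconfig, ra-lifetime 0.
SOLUTION = RouterAdvert(managed=True, other=False, router_lifetime=0,
                        prefixes=[PrefixInfo(PREFIX, True, False, 300, 300)])

if __name__ == "__main__":
    for name, ra in (("scenario 1", SCENARIO1), ("accepted solution", SOLUTION)):
        wire = build_ra(ra)
        print(name, len(wire), "bytes:", host_behaviour(parse_ra(wire)))
```

To confirm what a Windows client actually did with the RA, `Get-NetIPAddress -AddressFamily IPv6 | Format-Table IPAddress, PrefixOrigin, SuffixOrigin` shows whether each address came from `Dhcp` or `RouterAdvertisement`, and `Get-NetRoute -AddressFamily IPv6 -DestinationPrefix ::/0` shows whether a default route was installed at all. The `fec0:0:0:ffff::1-3` resolvers seen in scenario 1 are Windows' built-in site-local fallback DNS addresses, used when no resolver has been learned from DHCPv6 or RDNSS; they explain the "cannot resolve DNS" symptom. Because hosts act on these flags from any RA they receive on the link, the same M/A/lifetime combination can be injected by a rogue router, so RA Guard on the access switches belongs with this change.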
