IPv6 Implementation - Cisco ASA5512 and Windows DHCPv6

Posted on 2016-10-31
Last Modified: 2016-11-01
So I have been trying to get IPv6 up and going internally and a big part of that is getting our DHCP server to hand out addresses to clients instead of using autoconfig. However, it has been a huge pain in the rear end. Basically, I am learning that with DHCPv6, there is no concept of a default gateway as a configurable DHCPv6 option like DNS servers. So basically, this results in the client getting an IP address but no DG and it can't talk to anything. If I modify the Cisco ASA interface config to allow it to advertise itself as the default router to the clients on that interface, the clients cease to get IPs from the DHCP server and start getting autoconfig addresses. I have provided two scenarios below that represent what is happening with the "ipv6 nd suppress-ra" command enabled and disabled.

If someone could please help me figure out how to successfully hand out DHCPv6 to my clients and still allow the Cisco ASA to send its default router advertisement, that would be great.

I have obfuscated the addresses a bit to make myself feel better about this post :-)

Scenario 1 - Autoconfig

ASA 5512
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-lifetime 1801
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300

Windows DHCP Server
Can get out to internet via IPv6.
Scope:
2600:1234:f7ea:1ab::/64
Exclusions:
2600:1234:f7ea:1ab:: - 2600:1234:f7ea:1ab:c:ffff:ffff:ffff
2600:1234:f7ea:1ab:d:0:1:0 - 2600:1234:f7ea:1ab:ffff:ffff:ffff:ffff
(This means I should be handing out only 2600:1234:f7ea:1ab:d::xxxx addresses)
IP Address:
2600:1234:f7ea:1ab:c::11/64 (Statically configured in Windows NIC)
Default Gateways:
fe80::e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
2600:1234:f7ea:1ab:a::1 (Cisco ASA's manually configured global address) (Statically configured in Windows NIC)

Windows DHCP Client
Is not getting an IPv6 address from the DHCP server.
Can ping global and local addresses including internal and internet addresses. Cannot resolve DNS
IP Address:
Global
2600:1234:f7ea:1ab:55b:1234:1234:793f (Assigned via autoconfig I assume)
Link Local
fe80::55b:1234:1234:793f
Default Gateway:
fe80::e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
DNS Servers:
fec0:0:0:ffff::1
fec0:0:0:ffff::2
fec0:0:0:ffff::3


Scenario 2 - DHCPv6

I added suppress-ra to the interface config in order to get the DHCP server to successfully hand an address to the client.

ASA 5512
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-lifetime 1801
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300
ipv6 nd suppress-ra

Windows DHCP Server
Same as above

Windows DHCP Client
Is successfully getting an IPv6 address from the DHCP server but can't talk to any global or local addresses as far as I can tell
(If I manually enter the ASA's Inside interface global address as the DG, everything works fine)
IP Address:
2600:1234:f7ea:1ab:d::9418 (Assigned via DHCP)
Default Gateway:
None
DNS Servers:
2600:1234:f7ea:1ab:c::11
2001:4860:4860::8888
Question by: Andrew Watson

Accepted Solution

by: Andrew Watson
ID: 41868557
I figured it out.

New Cisco ASA Inside interface config:
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address fe80:c15c::1 link-local
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-interval 3
ipv6 nd ra-lifetime 0
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300 no-autoconfig
ipv6 nd managed-config-flag
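
The commands in this thread (ra-lifetime, managed-config-flag, no-autoconfig) each set a field in the Router Advertisement, and the RA is the only place a host learns its default router. The sketch below is an added example, not part of the original post or Cisco's code: it decodes those fields per RFC 4861 and reports what a standards-following host is told to do. The packets are constructed samples built from the obfuscated prefix above; the function names are hypothetical.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3          # RFC 4861 type codes
PREFIX = "2600:1234:f7ea:1ab::/64"         # obfuscated prefix from the post

def build_ra(managed, router_lifetime, autonomous, prefix=PREFIX, valid=300, preferred=300):
    """Build a constructed RA body for testing (checksum left at 0)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64,
                      0x80 if managed else 0, router_lifetime, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)   # L always set, A optional
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                      pflags, valid, preferred, 0)
    return hdr + opt + net.network_address.packed

def parse_ra(data):
    """Decode the RA fields that decide how a host configures itself."""
    if len(data) < 16 or data[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack("!BH", data[5:8])
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(data):
            raise ValueError("malformed option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            addr = ipaddress.IPv6Address(data[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{addr}/{data[off + 2]}",
                                   "autonomous": bool(data[off + 3] & 0x40)})
        off += olen
    return ra

def host_behaviour(ra):
    """What a host following RFC 4861/4862 is told to do by this RA."""
    return {"default_router": ra["router_lifetime"] > 0,
            "slaac": any(p["autonomous"] for p in ra["prefixes"]),
            "dhcpv6_addresses": ra["managed"]}

# Constructed samples: (M flag, Router Lifetime, prefix A flag)
SAMPLES = {"scenario 1": build_ra(False, 1801, True),
           "M set, no-autoconfig": build_ra(True, 1801, False),
           "M set, lifetime 0": build_ra(True, 0, False)}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, host_behaviour(parse_ra(pkt)))
```

RFC 4861 defines a Router Lifetime of 0 as "do not use this router as a default router", so when validating a change like this, capture an RA on the segment and check the lifetime as well as the M and A flags.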