Solved

IPv6 Implementation - Cisco ASA5512 and Windows DHCPv6

Posted on 2016-10-31
Last Modified: 2016-11-01
So I have been trying to get IPv6 up and going internally and a big part of that is getting our DHCP server to hand out addresses to clients instead of using autoconfig. However, it has been a huge pain in the rear end. Basically, I am learning that with DHCPv6, there is no concept of a default gateway as a configurable DHCPv6 option like dns servers. So basically, this results in the client getting an IP address but no DG and it can't talk to anything. If I modify the Cisco ASA interface config to allow it to advertise itself as the default router to the clients on that interface, the clients cease to get IPs from the DHCP server and start getting autoconfig addresses. I have provided two scenarios below that represent what is happening with the "ipv6 nd suppress-ra" command enabled and disabled.

If someone could please help me figure out how to successfully hand out DHCPv6 to my clients and still allow the Cisco ASA to send its default router advertisement, that would be great.

I have obfuscated the addresses a bit to make myself feel better about this post :-)

Scenario 1 - Autoconfig

ASA 5512
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-lifetime 1801
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300

Windows DHCP Server
Can get out to internet via IPv6.
Scope:
2600:1234:f7ea:1ab::/64
Exclusions:
2600:1234:f7ea:1ab:: - 2600:1234:f7ea:1ab:c:ffff:ffff:ffff
2600:1234:f7ea:1ab:d:0:1:0 - 2600:1234:f7ea:1ab:ffff:ffff:ffff:ffff
(This means I should be handing out only 2600:1234:f7ea:1ab:d::xxxx addresses)
IP Address:
2600:1234:f7ea:1ab:c::11/64 (Statically configured in Windows NIC)
Default Gateways:
fe80::e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
2600:1234:f7ea:1ab:a::1 (Cisco ASA's manually configured global address) (Statically configured in Windows NIC)

Windows DHCP Client
Is not getting an IPv6 address from the DHCP server.
Can ping global and local addresses including internal and internet addresses. Cannot resolve DNS.
IP Address:
Global
2600:1234:f7ea:1ab:55b:1234:1234:793f (Assigned via autoconfig I assume)
Link Local
fe80::55b:1234:1234:793f
Default Gateway:
fe80:e6c7:1234:1234:f3cf (Cisco ASA's Inside interface link-local address)
DNS Servers:
fec0:0:0:ffff::1
fec0:0:0:ffff::2
fec0:0:0:ffff::3


Scenario 2 - DHCPv6

I added suppress-ra to the interface config in order to get the DHCP server to successfully hand an address to the client.

ASA 5512
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-lifetime 1801
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300
ipv6 nd suppress-ra

Windows DHCP Server
Same as above

Windows DHCP Client
Is successfully getting an IPv6 address from the DHCP server but can't talk to any global or local addresses as far as I can tell
(If I manually enter the ASA's Inside interface global address as the DG, everything works fine)
IP Address:
2600:1234:f7ea:1ab:d::9418 (Assigned via DHCP)
Default Gateway:
None
DNS Servers:
2600:1234:f7ea:1ab:c::11
2001:4860:4860::8888
Question by:Andrew Watson

Accepted Solution

by:
Andrew Watson earned 0 total points
ID: 41868557
I figured it out.

New Cisco ASA Inside interface config:
interface GigabitEthernet0/1
nameif inside
security-level 100
ipv6 address fe80:c15c::1 link-local
ipv6 address 2600:1234:f7ea:1ab:a::1/64
ipv6 enable
ipv6 nd ra-interval 3
ipv6 nd ra-lifetime 0
ipv6 nd prefix 2600:1234:f7ea:1ab::/64 300 300 no-autoconfig
ipv6 nd managed-config-flag
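
Added example (not part of the original post, and not Cisco or Microsoft code): a Python sketch that decodes the Router Advertisement fields the interface commands above control, namely the M flag (managed-config-flag), the prefix A flag (no-autoconfig) and the router lifetime (ra-lifetime), as laid out in RFC 4861. The two RA packets are constructed here from the values in the configs on this page; build_ra and parse_ra are hypothetical helper names.

```python
import ipaddress
import struct

RA_HDR = "!BBHBBHII"   # type, code, cksum, hop limit, flags, router lifetime, reachable, retrans
M_FLAG, O_FLAG = 0x80, 0x40      # RA header flags (RFC 4861 section 4.2)
L_FLAG, A_FLAG = 0x80, 0x40      # Prefix Information flags (section 4.6.2)

def build_ra(lifetime, managed, prefix, plen, autoconf, valid=300, preferred=300):
    """Build a constructed RA (checksum left 0) carrying one Prefix Information option."""
    hdr = struct.pack(RA_HDR, 134, 0, 0, 64, M_FLAG if managed else 0, lifetime, 0, 0)
    pflags = L_FLAG | (A_FLAG if autoconf else 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, pflags, valid, preferred, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

def parse_ra(pkt):
    """Return what a host learns from the RA: DHCPv6 hint, default router, SLAAC prefixes."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from(RA_HDR, pkt)[4:6]
    info = {"managed": bool(flags & M_FLAG), "other": bool(flags & O_FLAG),
            "router_lifetime": lifetime, "default_router": lifetime > 0,
            "slaac_prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8     # option length is in 8-byte units
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed option")
        if otype == 3 and olen == 32 and pkt[off + 3] & A_FLAG:
            net = ipaddress.IPv6Network((pkt[off + 16:off + 32], pkt[off + 2]), strict=False)
            info["slaac_prefixes"].append(str(net))
        off += olen
    return info

# Constructed from the configs on this page (prefix is the poster's obfuscated one).
PREFIX = "2600:1234:f7ea:1ab::"
SCENARIO_1 = build_ra(1801, False, PREFIX, 64, True)    # ra-lifetime 1801, defaults
ACCEPTED = build_ra(0, True, PREFIX, 64, False)         # ra-lifetime 0, M flag, no-autoconfig

if __name__ == "__main__":
    for name, pkt in (("Scenario 1", SCENARIO_1), ("Accepted config", ACCEPTED)):
        print(name, parse_ra(pkt))
```

RFC 4861 defines a router lifetime of 0 as "not a default router", so after applying ra-lifetime 0 it is worth confirming on a client that a default route is actually present.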