[131243] in North American Network Operators' Group


Re: IPv6 fc00::/7 — Unique local addresses

daemon@ATHENA.MIT.EDU (Ray Soucy)
Thu Oct 21 16:50:31 2010

In-Reply-To: <AANLkTinFziW98thphnvFkPD6fdvcPA63nuA9msCH+hEL@mail.gmail.com>
Date: Thu, 21 Oct 2010 16:50:19 -0400
From: Ray Soucy <rps@maine.edu>
To: Luca Tosolini <bit.gossip@chello.nl>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

And since someone asked me for it off-list, example PACL for IOS to
filter RAs and DHCPv6 server traffic on incoming ports:

On each switch:

ipv6 access-list RA_Guard
 deny icmp any any router-advertisement
 deny udp any eq 547 any eq 546
 permit any any
end

And on each switchport:

ipv6 traffic-filter RA_Guard in

Your mileage may vary.  This was written for Catalyst 3560s and 3750s.
Obviously you wouldn't apply it on the port your uplink is on.

On Thu, Oct 21, 2010 at 4:08 PM, Ray Soucy <rps@maine.edu> wrote:
> Also,
>
> Keep in mind that DHCPv6 uses a DUID for host identification and not a
> MAC address.
>
> Here is an example ISC DHCPd configuration for an IPv6 network without
> open pool allocation (it will only respond for hosts in the config).
>
> # subnet6 for each network
> subnet6 FD00:1234:5678:9ABC::/64 {
>   option dhcp6.name-servers FD00:1234:5678:9ABC::2, FD00:1234:5678:9ABC::3;
> }
>
> # host for each host
> host soucy-desktop.domain.net {
>   host-identifier option dhcp6.client-id 00:01:00:01:11:ee:71:12:00:1a:a0:da:ba:7f;
>   fixed-address6 FD00:1234:5678:9ABC::A;
> }
>
> I believe the new version of ISC DHCPd has added code to be able to
> determine the MAC address instead of using a DUID, but I haven't
> tested it personally.
>
> On Thu, Oct 21, 2010 at 3:59 PM, Ray Soucy <rps@maine.edu> wrote:
>> I think you're misunderstanding how DHCPv6 works.  Don't think of it
>> like DHCP that you're used to.
>>
>> DHCPv6 requires an IPv6 router advertisement to work.  There are three
>> flags of interest in a router advertisement.
>>
>> One of them is the "A" (autonomous) flag which is enabled by default
>> in almost every implementation I've seen.  This is what signals a host
>> that it is permitted to use stateless configuration with the prefix.
>>
>> There are also "M" (managed) and "O" other flags.  The "M" flag being
>> set signals the host that it should start a DHCPv6 client and make a
>> request for an address, the "O" flag signals that the host should ask
>> for "other" or additional configuration information through DHCPv6
>> (e.g. DNS servers).
>>
>> None of the flags are exclusive, so you can enable DHCPv6 by setting
>> the M flag, but unless you disable the A flag, hosts will still use
>> stateless configuration (in addition to DHCPv6 and receive two
>> addresses)
>>
>> If you want a DHCPv6-only environment, you simply disable the A flag
>> on the router advertisement.  This will stop hosts from using
>> stateless with the advertised prefix.
>>
>> The default gateway for the network is learned through the router
>> advertisement, not through DHCPv6, which is why it doesn't exist in
>> DHCPv6.
>>
>> Example IOS configuration:
>>
>> interface Vlan123
>>  description Test IPv6 Network
>>  ipv6 address FD00:1234:5678:9ABC::1/64
>>  no ipv6 unreachables
>>  ipv6 nd prefix default 2592000 604800 no-autoconfig
>>  ipv6 nd managed-config-flag
>>  ipv6 nd other-config-flag
>>  ipv6 nd router-preference High
>>  no ipv6 redirects
>>  ipv6 verify unicast source reachable-via rx
>>  ipv6 eigrp 123
>>  ipv6 dhcp relay destination FD00:1234:5678:9ABC::2
>>  ipv6 dhcp relay destination FD00:1234:5678:9ABC::3
>>
>> The "ipv6 nd prefix ... no-autoconfig" statement is what you're
>> looking for.  You need to type out timers to be able to get to it.
>> The values shown are just the Cisco defaults.
>>
>>
>>
>> On Thu, Oct 21, 2010 at 3:43 PM, Luca Tosolini <bit.gossip@chello.nl> wrote:
>>> On Thu, 2010-10-21 at 14:19 -0400, Ray Soucy wrote:
>>>
>>>> We've decided to disable SLAAC (State-Less Address Auto-Configuration)
>>>> on almost all our IPv6 networks and use DHCPv6 exclusively.  This
>>>> allows us to only respond with DHCPv6 to the hosts we want to get an
>>>> IPv6 address instead of enabling it network-wide and crossing your
>>>> fingers.  The disadvantage here is that DHCPv6 client support is still
>>>> limited (OS X has none for example).  The argument is that IPv6 isn't
>>>> mission critical yet, so we're waiting to see if vendors will come
>>>> around and include DHCPv6 client support in the future.
>>>>
>>>
>>> Ray,
>>> how do you convey the default-router information with DHCPv6 only. AFAIK
>>> there is no such field in DHCPv6...
>>>
>>> Luca.
>>>
>>>
>>
>>
>>
>> --
>> Ray Soucy
>>
>> Epic Communications Specialist
>>
>> Phone: +1 (207) 561-3526
>>
>> Networkmaine, a Unit of the University of Maine System
>> http://www.networkmaine.net/
>>
>
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
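Added example (not part of the thread, nor Networkmaine's or ISC's code): a small Python decoder that shows the two things the messages above describe, the A/M/O flag logic that decides whether a host does SLAAC, DHCPv6, or both, and the match logic of the RA_Guard port ACL (ICMPv6 router advertisements, and UDP 547 to 546 server-to-client DHCPv6). The packets are constructed in the block, with zero checksums, purely as test input; the "no-autoconfig" keyword in the IOS prefix statement corresponds to the A bit being clear in the Prefix Information option, and the lifetimes 2592000/604800 are the Cisco defaults quoted in the thread. Function names are my own.

```python
import ipaddress
import struct

ICMPV6 = 58                   # IPv6 next-header value for ICMPv6
UDP = 17
ROUTER_ADVERTISEMENT = 134    # ICMPv6 type matched by IOS "router-advertisement"
PREFIX_INFO_OPTION = 3        # ND option carrying the prefix and its L/A flags
DHCPV6_SERVER_PORT = 547      # server -> client traffic is 547 -> 546
DHCPV6_CLIENT_PORT = 546


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, no traffic class or flow label."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 255)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def build_ra(src: str, managed: bool, other: bool, prefix: str, autonomous: bool) -> bytes:
    """Constructed Router Advertisement with one Prefix Information option.
    Checksum is left zero: this is test input, not a transmittable packet."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)        # M, O bits
    body = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)                        # L, A bits
    body += struct.pack("!BBBBIII", PREFIX_INFO_OPTION, 4, net.prefixlen, pflags,
                        2592000, 604800, 0) + net.network_address.packed
    return ipv6_header(src, "ff02::1", ICMPV6, len(body)) + body


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP datagram (checksum zero), e.g. a DHCPv6 message."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv6_header(src, dst, UDP, len(udp)) + udp


def parse_ipv6(packet: bytes) -> dict:
    """Split a raw IPv6 packet into next-header, addresses and payload."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    _, plen, nxt, _ = struct.unpack("!IHBB", packet[:8])
    return {"next_header": nxt,
            "src": ipaddress.IPv6Address(packet[8:24]),
            "dst": ipaddress.IPv6Address(packet[24:40]),
            "payload": packet[40:40 + plen]}


def parse_ra(icmp: bytes) -> dict:
    """Decode M and O from the RA body and L/A from every Prefix Information
    option (RFC 4861 sections 4.2 and 4.6.2)."""
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        raise ValueError("not a router advertisement")
    info = {"M": bool(icmp[5] & 0x80), "O": bool(icmp[5] & 0x40), "prefixes": []}
    off = 16                                        # options follow the 16-byte body
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8  # option length is in 8-octet units
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard the packet
        opt = icmp[off:off + olen]
        if otype == PREFIX_INFO_OPTION and len(opt) == 32:
            net = ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False)
            info["prefixes"].append({"prefix": str(net),
                                     "L": bool(opt[3] & 0x80),
                                     "A": bool(opt[3] & 0x40)})
        off += olen
    return info


def host_behaviour(ra: dict) -> set:
    """Configuration paths a host takes after this RA (RFC 4861/4862):
    A on any prefix -> SLAAC; M -> DHCPv6 for an address; O (or M, which
    makes O redundant) -> DHCPv6 for other information such as DNS servers."""
    modes = set()
    if any(p["A"] for p in ra["prefixes"]):
        modes.add("slaac")
    if ra["M"]:
        modes.add("dhcpv6-address")
    if ra["M"] or ra["O"]:
        modes.add("dhcpv6-other")
    return modes


def acl_verdict(packet: bytes) -> str:
    """Return the RA_Guard ACL line that would match this packet."""
    hdr = parse_ipv6(packet)
    body = hdr["payload"]
    if hdr["next_header"] == ICMPV6 and body[:1] == bytes([ROUTER_ADVERTISEMENT]):
        return "deny icmp any any router-advertisement"
    if hdr["next_header"] == UDP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if sport == DHCPV6_SERVER_PORT and dport == DHCPV6_CLIENT_PORT:
            return "deny udp any eq 547 any eq 546"
    return "permit any any"


if __name__ == "__main__":
    # M and O set but A still on: the "two addresses" case from the thread.
    both = build_ra("fe80::1", True, True, "fd00:1234:5678:9abc::/64", True)
    print(host_behaviour(parse_ra(parse_ipv6(both)["payload"])))
    print(acl_verdict(both))
    reply = build_udp("fd00:1234:5678:9abc::2", "fe80::abcd", 547, 546, b"\x07\x00\x00\x01")
    print(acl_verdict(reply))
```

Note that the ACL matches on direction only: a client Solicit (546 to 547) passes, while any server-to-client DHCPv6 or any RA arriving on an access port is dropped, which is why the thread says not to apply it to the uplink port where the legitimate router and relay traffic enters.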

