DHCPv6 Prefix Delegation
Suppose you had a problem, you want to use a provider assigned globally unique IPv6 address space for your network’s clients and you’d like to do this as dynamically as possible because either you can’t guarantee that the provider won’t change the address block on you or you just want to use a standardized template on your network equipment. How can you accomplish this? A cool feature added to DHCPv6 called Prefix Delegation (PD).
The basic idea is that the ISP allocates a larger IPv6 address block to the customer's router, and the customer's router then further subdivides this block into smaller subnets and assigns them to different segments of the local network. This allows for efficient utilization of the IPv6 address space and simplifies network management.
Of course, this feature set isn’t limited to only being used by ISP for clients. You could certainly choose to use this in an enterprise. Say I want to maintain a standard template across my WAN sites and assign interface addresses via a centralized server. If you wanted to centralized the management of the PD pools further, you can use DHCPv6 relaying or manage the pools using AAA.
Here's a configuration example using common networking devices, such as a router from the ISP and a customer-premises router. In this example, the ISP assigns a /48 IPv6 address block to the customer's router and the customer-premises router delegates /64 subnets to its LAN interfaces.
Setup:
ISP router Gig1 Interface: 2001:db8:55:22::1/64
Assigned Prefix Pool: 2001:db8:2200::/40
Customer-premises router LAN interface: GigabitEthernet1
LAN subnets: 2001:db8:2200:1::/64, 2001:db8:2200:2::/64, ...
Configuration steps:
ISP Router Configuration:
Enable IPv6 routing
Configure the DHCPv6 prefix pool and the size of prefixes that we want to assign to customers.
Configure the interface facing the customer’s router with an IPv6 address and enable it to act as a DHCPv6 server.
Assign the /48 IPv6 prefix to the WAN interface of the customer's router using DHCPv6 Prefix Delegation.
Customer-Premises Router Configuration:
Enable IPv6 routing
Configure the WAN interface to obtain an address using SLAAC
Configure the WAN interface to obtain the IPv6 prefix from the ISP using DHCPv6 Prefix Delegation.
Assign the LAN interface addresses using the obtained prefix.
DHCPv6 Process
You may be familiar with the message types used in DHCP(v4) by remembering the acronym DORA. DORA, or Discover, Offer, Request, Acknowledge is the back and forth messages between a DHCP client and server.
A clients sends a Discover message to the broadcast MAC address (FF:FF:FF:FF:FF:FF)
The DHCP server responds with a unicast Offer message to the client with a potential IP address
The client responds with a unicast Request message to the server asking for the address sent in the Offer message
The server responds to the client Acknowledging that it has been leased the IP address to the client
This process may seem a little bit redundant at first glance, but there’s good reason why it’s so verbose, and that is for three main reasons
There may be multiple DHCP servers on a LAN segment without knowledge of each other
The client may not want the IP address in the offer message for one reason or another and can send a NAK (Negative Acknowledgement)
The client could have been removed from the network before receiving the offer and we don’t want to unnecessarily tie up unused IP addresses
Now that we’ve quickly reviewed the DHCPv4 process, let’s understand the DHCPv6 process. It’s largely the same but with some tweaks to the message names.
Router Advertisement - The client receives a router advertisement packet from the router telling it that either the managed-config-flag or other-config-flag have been set
Solicit - The client sends a solicit message to the “All_DHCP_Relay_Agents_and_Servers” link-local multicast group of FF02::1:2 UDP 547
Advertise - The server sends a potential IPv6 address (or option information) to the client on UDP 546
Request - The client confirms that it wants the IPv6 address from the server
Reply - The server acknowledges that the lease has been created for the client
The basic premise is the same between DHCPv4 and DHCPv6, with different names. Prefix Delegation information is communicated in the Advertise message. Annoyingly, the simple to remember acronym DORA is now replaced with the less elegant SARR process.
Rapid Commit
One interesting change with DHCPv6 though is the introduction of the Rapid commit process. The client is given the option to skip the last two steps, of the previously discussed exchange, the request and the reply. The client sends a solicit message that indicates that it’s willing to accept an IPv6 address from the server and the server responds with an Advertise message back providing the address. The client does not continue with a request message but instead immediately starts to use the provided address. Both the client and the server have to agree to use the rapid commit option.
If you have multiple servers prepared to use rapid commit, all but the server who’s response was accepted by the client will have incorrect lease associated with that client. Some DHCP servers may mitigate against this with a process between the servers but this could cause an issue with incorrect DNS entries if you DHCP servers are configured to update DNS servers.
Rapid commit is enabled with the keyword “rapid-commit” after the interface subcommand “ipv6 dhcp server…” and “ipv6 dhcp client pd…”.
ISP Router Configuration
hostname ISP ! Enable IPv6 routing ipv6 unicast-routing ! ! Create the DHCPv6 pool, give it the name CUSTOMER-PD ! and define it to use the pool named "Customer-PD-POOL" ! ipv6 dhcp pool CUSTOMER-PD prefix-delegation pool CUSTOMER-PD-POOL lifetime 1800 600 ! ! Define the IPv6 pool named "CUSTOMER-PD-POOL" and ! define the size of prefixes that it should assign. ! ipv6 local pool CUSTOMER-PD-POOL 2001:DB8:2200::/40 48 ! ! Assign an IPv6 address under the interface going to the customer ! router, and then enable the use of the DHCPv6 server. Note that ! SLAAC is enabled by default, if you wanted the customer router ! to use a DHCP assigned address, set the managed config flag ! interface GigabitEthernet1 description To-Customer1-Gig1 ipv6 address 2001:DB8:55:22::1/64 ipv6 dhcp server CUSTOMER-PD !
Customer Router Configuration
hostname Customer1 ! ! Enable IPv6 routing ipv6 unicast-routing ! interface GigabitEthernet1 description WAN TO ISP ! Enable the Gig1 interface to configure a dynamic IPv6 address ipv6 address autoconfig default ! Act as a DHCPv6 client and save the PD prefix as a variable named "PREFIX-FROM-ISP" ipv6 dhcp client pd PREFIX-FROM-ISP no shut ! interface GigabitEthernet2 ! Use the Prefix variable with a unique subnet ID. This will result in the configured address of "2001:db8:2200:1::1" ipv6 address PREFIX-FROM-ISP ::1:0:0:0:1/64 no shut interface GigabitEthernet3 ! Use the Prefix variable with a unique subnet ID. This will result in the configured address of "2001:db8:2200:2::1" ipv6 address PREFIX-FROM-ISP ::2:0:0:0:1/64 no shut !
Customer Router Verification
Once configuration has been completed for both the ISP and Customer router, let’s use a couple of show commands to verify our work. First up is to check that IPv6 addresses are being assigned to the interfaces that we expect. Below is the output of “show ipv6 interface brief” that shows an EUI-64 address assigned to the GigabitEthernet1 interface that it learned via SLAAC. Additionally, the GigabitEthernet2 and GigabitEthernet3 interfaces have addresses configured using the PD assigned prefix of “2001:DB8:2200::/48”.
Customer1#show ipv6 interface brief GigabitEthernet1 [up/up] FE80::5054:FF:FE01:3B88 2001:DB8:55:22:5054:FF:FE01:3B88 GigabitEthernet2 [up/up] FE80::5054:FF:FE1D:97B6 2001:DB8:2200:1::1 GigabitEthernet3 [up/up] FE80::5054:FF:FE0B:F9BA 2001:DB8:2200:2::1 GigabitEthernet4 [administratively down/down] unassigned
You can investigate the DHCPv6 information with “show ipv6 dhcp interface”. The output of this command will show us the prefix assigned from the server, the lifetime information, and the prefix name, or the variable that we’ve assigned to it.
Customer1#show ipv6 dhcp interface GigabitEthernet1 is in client mode Prefix State is OPEN Renew will be sent in 00:07:43 Address State is IDLE List of known servers: Reachable via address: FE80::5054:FF:FE12:74AD DUID: 00030001001EE5918F00 Preference: 0 Configuration parameters: IA PD: IA ID 0x00070001, T1 500, T2 800 Prefix: 2001:DB8:2200::/48 preferred lifetime 600, valid lifetime 1800 expires at Jan 04 2024 10:32 PM (1663 seconds) Information refresh time: 0 Prefix name: PREFIX-FROM-ISP Prefix Rapid-Commit: disabled Address Rapid-Commit: disabled
The last step in verifying the Customer1 router’s configuration is correct is to check the routing table. The output of “show ipv6 route” gives us a default route (::), a static route for the 2001:db8:2200::/48 prefix that goes to Null0, and the subnets that were assigned to the LAN interfaces GigabitEthernet2 and GigabitEthernet3.
The default route is learned via the ICMP Neighbor Discovery (ND) Protocol also known as Stateless Address Autoconfiguration. You’ll note that the next hop address is a link-local address (FE80::) rather that the GUA that is assigned to the interface.
Customer1#show ipv6 route IPv6 Routing Table - default - 9 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, H - NHRP, I1 - ISIS L1 I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination NDr - Redirect, RL - RPL, O - OSPF Intra, OI - OSPF Inter OE1 - OSPF ext 1, OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1 ON2 - OSPF NSSA ext 2, la - LISP alt, lr - LISP site-registrations ld - LISP dyn-eid, lA - LISP away, le - LISP extranet-policy lp - LISP publications, a - Application, m - OMP ND ::/0 [2/0] via FE80::5054:FF:FE12:74AD, GigabitEthernet1 NDp 2001:DB8:55:22::/64 [2/0] via GigabitEthernet1, directly connected L 2001:DB8:55:22:5054:FF:FE01:3B88/128 [0/0] via GigabitEthernet1, receive S 2001:DB8:2200::/48 [1/0] via Null0, directly connected C 2001:DB8:2200:1::/64 [0/0] via GigabitEthernet2, directly connected L 2001:DB8:2200:1::1/128 [0/0] via GigabitEthernet2, receive C 2001:DB8:2200:2::/64 [0/0] via GigabitEthernet3, directly connected L 2001:DB8:2200:2::1/128 [0/0] via GigabitEthernet3, receive L FF00::/8 [0/0] via Null0, receive
ISP Router Verification
A couple of verification commands from the ISP point of view, we can verify that the interface that we expect to be in server mode (GigabitEthernet1) is correct and that the DHCPv6 pool is correct. Below is the output for “show ipv6 dhcp interface”, “show ipv6 dhcp pool”, and “show ipv6 local pool”.
ISP#show ipv6 dhcp interface GigabitEthernet1 is in server mode Using pool: CUSTOMER-PD Preference value: 0 Hint from client: ignored Rapid-Commit: disabled ISP#show ipv6 dhcp pool DHCPv6 pool: CUSTOMER-PD Prefix pool: CUSTOMER-PD-POOL preferred lifetime 600, valid lifetime 1800 Active clients: 1 ISP#show ipv6 local pool Pool Prefix Free In use CUSTOMER-PD-POOL 2001:DB8:2200::/40 255 1
The “show ipv6 dhcp binding” command will let us see which prefix has been assigned to which customer router.
ISP#show ipv6 dhcp binding Client: FE80::5054:FF:FE01:3B88 DUID: 00030001001E14515300 Username : unassigned VRF : default Interface : GigabitEthernet1 IA PD: IA ID 0x00070001, T1 500, T2 800 Prefix: 2001:DB8:2200::/48 preferred lifetime 600, valid lifetime 1800 expires at Jan 04 2024 09:47 PM (818 seconds)
Lastly, we can check the IPv6 routing table to see that the prefix 2001:db8:2200::/48 is present and shows up as a static route with the next-hop address of our Customer1 routers GigabitEthernet1 interface. Just like the routing table on the Customer1 router, the static route for the assigned /48 has a link-local next-hop address.
ISP#show ipv6 route IPv6 Routing Table - default - 4 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, H - NHRP, I1 - ISIS L1 I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination NDr - Redirect, RL - RPL, O - OSPF Intra, OI - OSPF Inter OE1 - OSPF ext 1, OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1 ON2 - OSPF NSSA ext 2, la - LISP alt, lr - LISP site-registrations ld - LISP dyn-eid, lA - LISP away, le - LISP extranet-policy lp - LISP publications, a - Application, m - OMP C 2001:DB8:55:22::/64 [0/0] via GigabitEthernet1, directly connected L 2001:DB8:55:22::1/128 [0/0] via GigabitEthernet1, receive S 2001:DB8:2200::/48 [1/0] via FE80::5054:FF:FE01:3B88, GigabitEthernet1 L FF00::/8 [0/0] via Null0, receive
Packet Capture
Here’s a packet capture from my lab that contains the DHCP prefix delegation between the ISP router (FE80::5054:FF:FE12:74AD) and the Customer1 router (FE80::5054:FF:FE01:3B88).
DHCPv6 Relay
In larger environments, it makes more sense to deploy DHCP onto centralized servers and simply relay the messages to the server from the default-gateway of the subnet. This centralizes management and makes it easier to make network-wide configuration changes. Additionally, it provides a single logging point for all clients and can allow you to enforce a security policy if needed.
The IPv4 feature-set was known on Cisco devices as “IP helper”, however, Cisco has renamed the feature to “DHCP Relay” in IPv6 to more accurately reflect its purpose. In addition to end-device address assignment, DHCP relay can be used for prefix-delegation.
To configure DHCPv6 relay, configure the command under the interface facing the clients. It’s generally easier to use a global unicast address (GUA) but you can also use a link-local address to forward RA solicitation messages to, but you must specify the outgoing interface if you do so.
hostname ISP ! Enable IPv6 routing ipv6 unicast-routing ! ! interface GigabitEthernet1 description To-Customer1-Gig1 ipv6 address 2001:DB8:55:22::1/64 ipv6 dhcp relay destination 2001:DB8:99::DEAD:BEEF
DHCP Relay Verification
You can verify the configuration of the DHCP relay with the command “show ipv6 dhcp interface”.
ISP#show ipv6 dhcp interface
GigabitEthernet1 is in relay mode
Relay destinations:
2001:DB8:99::DEAD:BEEF