5.6. DHCPv6

cOS Core supports DHCPv6, the equivalent of IPv4 DHCP for IPv6. DHCPv6 support is described in the two sections that follow:

5.6.1. DHCPv6 Client

Overview

Any interface can be configured to be a DHCPv6 client. This means that whenever cOS Core restarts or when the DHCPv6 enabled configuration is saved and activated, the interface will automatically try to retrieve an IPv6 lease from a connected DHCPv6 server. Only the following interface types support the DHCPv6 client function:

  • Ethernet interfaces.
  • VLAN interfaces.
  • Link Aggregation interfaces.

This section will use the generic term interface to mean any of the above types.

Important: DHCPv6 clients are not supported in HA clusters

The DHCPv6 client is not supported for interfaces in an HA cluster. If it is enabled for an interface, this will result in an error message when trying to activate the configuration.

Addresses Received in a Server Lease

The lease received from a DHCPv6 server will contain the following:

  • An IPv6 address for the interface.

  • The addresses of up to three IPv6 DNS servers. cOS Core will only read the first two. The third will be discarded.

As explained later in the section, the IPv6 network address and IPv6 gateway address can also be automatically retrieved if the interface property Router Discovery is enabled.

Address Book Objects Created

The following is a list of the IPv6 address book objects that will be created when the DHCP client is enabled on, for example, the if1 interface:

  • if1_ip6 - The interface address.
  • if1_dns6_1 - The first IPv6 DNS address in the DHCP lease.
  • if1_dns6_2 - The second IPv6 DNS address in the DHCP lease.
  • if1_net6 - The interface network (requires that Router Discovery is enabled).
  • if1_gw6 - The gateway (requires that Router Discovery is enabled).

The DHCP client mechanism not only creates these objects but also assigns them to the relevant property in the interface. Using the Router Discovery option is discussed later in this section.

Enabling DHCPv6

Similar to DHCP with IPv4, DHCPv6 is enabled using the Enable DHCPv6 property for a specific interface. By default, this property is disabled.

In addition, a number of other properties can be optionally specified for an interface:

  • Preferred IP

    This is a suggestion sent to the DHCPv6 server for what the interface IP should be.

  • Preferred Lifetime and Valid Lifetime

    These are suggestions sent to the DHCPv6 server for what the lifetimes should be for an IP. The lower limit for these values in cOS Core is 7600 seconds and the Valid Lifetime should always be greater than the Preferred Lifetime. The meaning of these two settings is explained further in Section 5.6.2, DHCPv6 Server.

  • Lease Filter

    This is a range of acceptable IPv6 addresses that can be assigned to the interface. If the address in the offered lease is not within this range, the lease is rejected.

  • Server Filter

    This is a range of IPv6 addresses for servers from which cOS Core will accept leases.

The Router Discovery Option

An Ethernet configuration object has an additional property called Router Discovery which is either disabled or enabled.

By default, this option is disabled which means that the DHCPv6 client feature will only set the IPv6 address for the interface and the IPv6 addresses of DNS servers, while the network address and the gateway addresses must be set manually by the administrator.

When the Router Discovery option is enabled, a complete set of client addresses will be provided by the DHCPv6 process including the IPv6 network and the IPv6 gateway address. This is similar to the standard way that IPv4 functions.

Tip: An ISP will have a correct IPv6 connection method

When connecting to an ISP using IPv6, check with the ISP how cOS Core should be configured. Using the DHCP client with Router Discovery enabled may be required by the ISP to retrieve the IPv6 address for the ISP's gateway as well as for the IPv6 network.

The Router Discovery option can also be used when automatically configuring the IPv6 address of the interface, with the DHCP client function disabled. This usage is described in Section 3.2, IPv6 Support.

Assigned DNS Servers

The lease granted by a DHCPv6 server can contain up to three IPv6 addresses of DNSv6 servers. However, cOS Core will only use the first and second of these, which are sometimes known as the Primary and Secondary servers. If a third server is present in the lease, it will be ignored.

The DNSv6 addresses obtained from the DHCP server will be stored in two properties of the interface configuration object which are called DHCPv6DNS1 and DHCPv6DNS2.

Created DNS Address Objects

For the first DNSv6 server address in a lease, cOS Core will automatically create a new IPv6 address book object with the name <interface>_dns6_<num>, where <interface> is the interface receiving the lease and <num> is the order number of the DNSv6 server in the lease.

For example, if the interface receiving the DHCPv6 lease is the wan interface then the address book object created for the first lease will be named wan_dns6_1. If the lease contains a second DNSv6 server address, this will be called wan_dns6_2 and so on.

The DNSv6 server addresses can be configured statically for cOS Core. If this is done, these manually configured addresses take precedence over addresses received in a lease. However, cOS Core will still automatically create the address book objects of the form <interface>_dns6_<num> for each DHCPv6 server address received in the lease. This precedence of statically defined DNS addresses is discussed further in Section 3.10, DNS.

Behavior on Lease Expiry

When a DHCP lease ends and is not renewed, any address book objects created by the DHCPv6 mechanism will remain in the address book. However, the values of the address book objects associated with an interface will be affected as follows:

  • Network and gateway objects will retain the values that were last allocated by DHCPv6.

  • All other objects will be set to the IPv6 unspecified address (::/128).

Example 5.6. DHCPv6 Client Setup

This example shows how to enable DHCPv6 on the wan interface. It is assumed that IPv6 has already been enabled for the interface.

Command-Line Interface

Device:/> set Interface Ethernet wan DHCPv6Enabled=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: Network > Interfaces and VPN > Ethernet
  2. Select the wan interface
  3. Select Enable DHCPv6 Client
  4. Click OK

5.6.2. DHCPv6 Server

cOS Core provides the ability to set up one or more DHCPv6 servers. Configuring these is almost identical to configuring an IPv4 DHCP server. However, there are some object properties which are available with DHCPv6 but not with standard IPv4 DHCP. These are as follows:

  • Rapid Commit

    By default, this is disabled. This option is relevant during the server solicitation procedure. If the client has included a rapid commit option in the solicit message and the rapid commit setting is enabled, then the DHCPv6 server responds to the solicit with a reply. The server commits the assignment of addresses before sending the reply message. The client can assume it has been assigned the addresses in the reply message and does not need to send a request message for those addresses.

    If this option is left at the default value of being turned off, the server ignores the rapid commit option and acts as though no rapid commit option were present in the client's solicit message.

  • Preference Value

    A preference value can be either sent or not sent to the client. If sending it is enabled, the default preference value is zero but this can be manually set to be between 0 and 255.

    Setting the preference gives the administrator the ability to prioritize one DHCPv6 server over another. During the server solicitation procedure the client collects received advertisement messages from available DHCPv6 servers. The client typically will contact the server that sent the advertisement message with the highest server preference value.

    A preference value of 255 has the highest priority and once such a value is received in an advertisement message, the client will immediately begin a client-initiated message exchange with the DHCPv6 server that originated the message. This value should therefore only be used in an environment with a single server since other servers will be ignored.

    Preferences are often used where the administrator wants one server to be the primary with a higher preference and assigns a lower preference to other backup servers.

  • Send Unicast

    By default, in negotiations between client and server, the client uses a multicast IPv6 address as the destination for all messages. This option enables the inclusion of the server unicast option by a DHCPv6 server in messages sent to clients. Once such an option is received by the client, it can contact the server directly using the server's IPv6 address (which is carried in the server unicast option).

    This allows reduction of the network load as well as offloading to other DHCPv6 Servers available on the network.

  • Clear Universal Local Bit

    When set to a value of Yes, this option will always clear the universal/local bit (u/l bit) in the IPv6 addresses handed out by the server so that it always has a value of zero. This flags the address as being a locally created one that should not be used universally. This setting applies to /64 networks.

    The default value for this setting is No so the bit is not automatically set to zero by cOS Core.

  • Valid Lifetime and Preferred Lifetime

    These are the lifetimes used for IPs sent to a client. The lower limit for these values in cOS Core is 7600 seconds and the Valid Lifetime should always be greater than the Preferred Lifetime.

    After the Preferred Lifetime expires, the IP could be used for new or existing connections but this should be avoided unless absolutely necessary. For example, an application might have to use the IP because it is part of some unfinished processing. After the Valid Lifetime expires, the IP will become invalid and cannot be used for new or existing connections.

Tip: Speeding up address allocation

If only one DHCPv6 server is configured then the process of IPv6 address allocation can be significantly sped up by enabling rapid commit and setting the preference value of that server to be 255.

With a preference value of 255, message exchange is triggered as soon as the client receives the solicit message. Rapid commit allows the client to get committed addresses in the reply message during the solicit-reply message exchange with the DHCPv6 server. Together, these can significantly increase the speed of address allocation.
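
The following added Python example (not cOS Core code) parses the Preference, Rapid Commit and Server Unicast options out of DHCPv6 messages and applies the client selection rule described above, where the highest preference wins and 255 ends collection immediately. Message type and option numbers are from RFC 8415; the function names, the sample messages and the allowed_net check, which stands in for a client-side server filter, are assumptions made for the illustration.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7                      # DHCPv6 message types (RFC 8415)
OPT_PREFERENCE, OPT_UNICAST, OPT_RAPID_COMMIT = 7, 12, 14

def parse_options(msg: bytes) -> dict:
    """Return {option code: payload}; options are code(2) + length(2) + data."""
    opts, pos = {}, 4                        # skip msg-type and transaction-id
    while pos < len(msg):
        if pos + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", msg, pos)
        if pos + 4 + length > len(msg):
            raise ValueError(f"truncated option {code}")
        opts[code] = msg[pos + 4:pos + 4 + length]
        pos += 4 + length
    return opts

def describe(msg: bytes) -> dict:
    """Extract the preference, rapid commit and server unicast options."""
    opts = parse_options(msg)
    pref = opts.get(OPT_PREFERENCE, b"\x00")  # an absent option counts as 0
    if len(pref) != 1:
        raise ValueError("malformed preference option")
    unicast = opts.get(OPT_UNICAST)
    return {"type": msg[0], "preference": pref[0],
            "rapid_commit": OPT_RAPID_COMMIT in opts,
            "unicast": str(ipaddress.IPv6Address(unicast)) if unicast else None}

def choose_server(adverts, allowed_net):
    """Pick from (source, message) pairs in arrival order; 255 ends the wait."""
    net, best = ipaddress.ip_network(allowed_net), None
    for src, msg in adverts:
        info = describe(msg)
        if info["type"] != ADVERTISE or ipaddress.ip_address(src) not in net:
            continue                         # dropped, as a server filter would
        if info["preference"] == 255:
            return src, 255
        if best is None or info["preference"] > best[1]:
            best = (src, info["preference"])
    return best

def build(msg_type, *options):               # constructed sample messages only
    tlvs = b"".join(struct.pack("!HH", c, len(v)) + v for c, v in options)
    return bytes([msg_type]) + b"\x00\x00\x01" + tlvs
```

With three constructed advertisements of preference 100, none and 255, choose_server returns the 255 sender when every source is allowed and the preference 100 sender when the allowed range excludes it.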

Available Memory Can Limit Lease Allocation

When a DHCPv6 lease is handed out, cOS Core stores details of the lease in the firewall's local memory. There is no memory pre-allocated for this list of leases and the amount of memory used can expand from nothing up until the point that all free available memory is exhausted.

When no more memory is available, cOS Core will cease to assign new leases and will behave as though there are no free IPs left in the pool. cOS Core will signal a general out-of-memory condition and this will appear on the management console. This condition would require a very large number of leases to be allocated.

DHCPv6 Server Setup

The steps for setting up a DHCPv6 server in cOS Core are as follows:

  • Make sure that IPv6 is enabled for the listening interface of the DHCPv6 server and that there is an IPv6 address assigned to that interface. Doing this is described in Section 3.2, IPv6 Support.

  • Create a new DHCPv6 Server object. This will listen on the specified interface and get the IPv6 addresses handed out from a specified IPv6 Address Pool object.

  • The advanced IP setting Multicast HopLimit Min must be set to a value of 1 (the default is 3).

  • If the firewall which acts as the DHCPv6 server is also going to send out router advertisements for the server, the following must be configured:

    1. Add a Router Advertisement object with the same interface specified as the DHCPv6 server.

    2. Disable the Use Global Settings option for this Router Advertisement object and enable the Managed Flag setting to signal there is a DHCPv6 server on the network. If the DHCPv6 server is providing information about DNS addresses, also enable the Other Config Flag setting.

    3. Add a Prefix object to the Router Advertisement object. This is optional but is normally done. Normally, the prefix specified is the same as the network attached to the DHCPv6 server listening interface.

    4. If it is undesirable that hosts on the network use the defined prefix for stateless auto-configuration, disable the Autonomous Flag setting for the Prefix object. This is probably the case since the DHCPv6 server is being added to the network.

    If another device (either a Clavister firewall or third party device) on the network is going to send the router advertisements for the DHCPv6 server, that device must be similarly configured with the settings described above.

Example 5.7. DHCPv6 Server Setup

This example shows how to set up a DHCPv6 server called dhcpv6_server1 on the Ethernet interface lan. Assume that the pool of available IP addresses is already defined by the IPv6 address object dhcpv6_range1.

The server will also use the rapid commit option and will assign itself a preference value of 100. It is assumed in this example that IPv6 has been enabled globally and also for the listening interface lan.

Router advertisements will be generated by the same firewall and the prefix used will be 2001:DB8::/64.

Command-Line Interface

Create the server:

Device:/> add DHCPv6Server dhcpv6_server1
			Interface=lan
			IPv6AddressPool=dhcpv6_range1
			RapidCommit=Yes
			PreferenceConfigured=Yes
			PreferenceValue=100

Set the hop limit to 1:

Device:/> set Settings IPSettings HopLimitMinMulticast=1

Create a router advertisement:

Device:/> add RouterAdvertisement Name=my_ra
			Interface=lan
			UseGlobalRASettings=No
			RAManagedFlag=Yes
			RAOtherConfigFlag=Yes

Change the context to be the router advertisement:

Device:/> cc RouterAdvertisement 1

Add the prefix object:

Device:/1(my_ra)> add RA_PrefixInformation Name=my_prefix
			Prefix=2001:DB8::/64 
			RAAutonomousFlag=No

Return to the default context:

Device:/1(my_ra)> cc

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

Create the server:

  1. Go to: Network > Network Services > DHCPv6 Servers > Add > DHCPv6Server
  2. Now enter:
    • Name: dhcpv6_server1
    • Interface Filter: lan
    • IP Address Pool: dhcpv6_range1
  3. Select the Options tab
  4. Enable Handle Rapid Commit Option
  5. Enable Send Preference Option
  6. Set the Preference value to be 100
  7. Click OK

Set the hop limit to 1:

  1. Go to: System > Advanced Settings > IP Settings
  2. Under IPv6 set Multicast HopLimit Min to 1
  3. Click OK

Create a router advertisement:

  1. Go to: Network > Routing > Router Advertisements > Add > Router Advertisement
  2. Now enter:
    • Name: my_ra
    • Interface: lan
  3. Select the Advanced tab
  4. Disable Use Global Settings
  5. Enable Managed Flag
  6. Enable Other Config Flag
  7. Click OK

Still within the router advertisement definition, add the prefix object:

  1. Go to: Network > Routing > Router Advertisements > my_ra
  2. Go to: Prefix Information > Add > Prefix Information
  3. Now enter:
    • Name: my_prefix
    • Network Prefix: 2001:DB8::/64
  4. Disable the setting Autonomous Flag
  5. Click OK to save the prefix
  6. Click OK to save the advertisement
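
To confirm that the router advertisement configured in Example 5.7 is what is actually sent on the lan network, the following added Python example (not part of cOS Core or its documentation) decodes a captured ICMPv6 Router Advertisement and reports any difference from the Managed Flag, Other Config Flag and Autonomous Flag settings used above. The function names and the sample packet are constructed for illustration, and capturing the packet is assumed to be done separately.

```python
import ipaddress
import struct


def parse_ra(icmp: bytes) -> dict:
    """Decode the flags and Prefix Information options of an ICMPv6 RA (RFC 4861)."""
    if len(icmp) < 16 or icmp[0] != 134:          # 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp[5] & 0x80),        # M flag
          "other_config": bool(icmp[5] & 0x40),   # O flag
          "prefixes": []}
    pos = 16                                      # options follow the fixed header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:       # Prefix Information
            plen, flags = icmp[pos + 2], icmp[pos + 3]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "autonomous": bool(flags & 0x40)})   # A flag
        pos += opt_len
    return ra


def audit(ra: dict, prefix: str) -> list:
    """List where an RA differs from the settings in the setup steps."""
    findings = []
    if not ra["managed"]:
        findings.append("Managed Flag is not set")
    if not ra["other_config"]:
        findings.append("Other Config Flag is not set")
    want = ipaddress.ip_network(prefix)
    seen = [p for p in ra["prefixes"]
            if ipaddress.ip_network(p["prefix"], strict=False) == want]
    if not seen:
        findings.append(f"prefix {want} is not advertised")
    elif any(p["autonomous"] for p in seen):
        findings.append(f"Autonomous Flag is set for {want}")
    return findings


def sample_ra(ra_flags: int, prefix_flags: int) -> bytes:   # constructed data
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, ra_flags, 1800, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, 64, prefix_flags, 86400, 14400, 0)
    return header + option + ipaddress.IPv6Address("2001:db8::").packed
```

An empty list from audit means the advertisement matches the example; the sample packet leaves the ICMPv6 checksum at zero because the parser does not verify it.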

Static DHCPv6 Hosts

Where the administrator requires a fixed relationship between a client and the assigned IP address, cOS Core allows the assignment of a given IPv6 address to a specific MAC address just as it was assigned for IPv4 as described in Section 5.3.1, Static IPv4 DHCP Hosts.

Example 5.8. Static DHCPv6 Host Assignment

This example shows how to assign the IPv6 address 2001:DB8::1 to the MAC address 00-90-12-13-14-15. The example assumes that the DHCPv6 server dhcpv6_server1 has already been defined.

Command-Line Interface

First, change the context to dhcpv6_server1:

Device:/> cc DHCPv6Server dhcpv6_server1

Add the static DHCP assignment:

Device:/dhcpv6_server1> add DHCPv6ServerPoolStaticHost
			Host=2001:DB8::1
			MACAddress=00-90-12-13-14-15

Return to the default context:

Device:/dhcpv6_server1> cc

Device:/> 

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: Network > Network Services > DHCPv6 Servers > dhcpv6_server1
  2. Select Static Hosts
  3. Select Add > Static Host Entry
  4. Now enter:
    • Host: 2001:DB8::1
    • MAC: 00-90-12-13-14-15
  5. Click OK