Framed-IPv6-Prefix used as delegated DHCPv6 prefix

Chris Pollock from io Networks was kind enough to share yet another method of implementing DHCPv6 prefix delegation on PPP interfaces in his comment to my DHCPv6-RADIUS integration: the Cisco way blog post. If you use the no ipv6 nd prefix framed-ipv6-prefix interface configuration command to tell the router not to include the Framed-IPv6-Prefix received from RADIUS in the list of prefixes advertised in RA messages, the router uses the prefix sent by the RADIUS server as the delegated prefix.

This setup works reliably in IOS release 15.0M. IOS release 12.2SRE3 (running on a 7206) includes the Framed-IPv6-Prefix in both the RA advertisements and the DHCPv6 IA_PD reply, totally confusing the CPE.

This feature works great for CPE routers connecting to the PE-router (BRAS), but if the PPP session is established directly from an end host, the host still needs an IPv6 prefix on the PPP link itself, so you have to address the virtual access interfaces from a local IPv6 address pool. The complete configuration of the virtual template interface is included below:

interface Virtual-Template10
 mtu 1480
 no ip address
 peer default ipv6 pool PPP
 ipv6 enable
 no ipv6 nd prefix framed-ipv6-prefix
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server PPP-Radius
 no keepalive
 ppp authentication pap
 ppp direction callin

You have to configure an IPv6 DHCP pool to be able to start the DHCPv6 server on the virtual access interface. The DHCP pool needs just the DNS server address:

ipv6 dhcp pool PPP-Radius
 dns-server FEC0::CCCC:4

Last but not least, you need a local IPv6 address pool:

ipv6 local pool PPP FEC0:1:2300::/48 64

... and a corresponding route to null interface that you can advertise into your IGP or BGP:

ipv6 route FEC0:1:2300::/48 Null0

More information

Using Framed-IPv6-Prefix as delegated DHCPv6 prefix is only one of the many ways you can configure DHCPv6 prefix delegation on Cisco IOS. Most of them, including local DHCPv6 server, DHCPv6 relay, proprietary RADIUS integration with two usernames and RFC 4818 are described in my Building IPv6 Service Provider Core webinar (buy the recording or register for an online session). The webinar is also available as part of the yearly subscription package.

10 comments:

  1. Matteo Sgalaberni 23 August, 2011 14:11

    It seems that this configuration is missing the line:
    prefix-delegation pool PPP-Radius
    in the dhcp pool section. Otherwise the dhcp server says to the CPE error 6 (no prefix available).
    Can you confirm that there is this mistake in the config provided in the blog, or not...?
    Thanks!!!

    Matteo

  2. Ivan Pepelnjak 23 August, 2011 16:01

    There's no mistake. Test the config with a router running 15.0M or later release.

  3. Matteo Sgalaberni 23 August, 2011 16:13

    You are right! I'm using a 12.4! The issue is here! So I discovered that there are many important differences between IOS releases in IPv6 configuration... wonderful thing to know!
    Thanks!

  4. javier.humphreys@gmail.com 25 August, 2011 23:19

    Hi Ivan, I have a question because we are intending our Cisco BRAS ASR1006, which is currently supporting dual stack, to send the user's IPv6 prefix during accounting request to our RADIUS using framed-ipv6-prefix type 97 and that unfortunately doesn't happen. Do you know if there is any command similar to Juniper's:
    radius include framed-ipv6-prefix
    ■Use to include the Framed-Ipv6-Prefix attribute in Access-Request, Acct-Start, or Acct-Stop messages.
    ■You can control inclusion of the Framed-Ipv6-Prefix attribute by enabling or disabling this command.
    So that we can solve our current problem?

    If you need I can give you more detail of the BRAS configuration.

    I look forward to hearing from you asap.
    best regards,
    Javier
    PD: sorry for my English, I am from Argentina

  5. Ivan Pepelnjak 26 August, 2011 10:43

    Am I right in understanding you'd like to get the IPv6 prefix in __accounting__ not in authentication records (so after the PPP session is terminated)? Need to investigate, never stumbled across this particular one before.

    On a totally unrelated note, your English is just fine :)

  6. javier.humphreys@gmail.com 29 August, 2011 17:14

    Hi Ivan! Yes, that's right! In accounting records for an issue of billing. If you remember, for IPv4 according to RFC2866 reference 4.1 Accounting-request it says "If the Accounting-Request packet includes a Framed-IP-Address, that attribute MUST contain the IP address of the user. If the Access-Accept used the special values for Framed-IP-Address telling the NAS to assign or negotiate an IP address for the user, the Framed-IP-Address (if any) in the Accounting-Request MUST contain the actual IP address assigned or negotiated."

    In our case for ipv4 broadband services the BRAS sends the ipv4's user so that way our systems keep records for billing and other stuff as for instance lawful intercept etc. So it is not our idea for IPv6 that prefix delegation function will be in the radius in the near future but this will go on in the BRAS as today we are doing for our trial. What are we doing?
    So far we are doing a broadband ipv6 trial that has just started June 8th and will end up in November. The users are 25 employees from my company and the broadband service belongs to my company. So far the service is working fine with the exception of the detail I have told you that I need to solve and for which I am a bit confused.
    Really, thanks for your answer Ivan!
    Best regards,
    Javier :)

  7. Ivan Pepelnjak 29 August, 2011 19:19

    If the accounting doesn't give you IPv6 data, assign a static /64 IPv6 prefix to every user in RADIUS.

  8. javier.humphreys@gmail.com 02 September, 2011 22:16

    But for our massive ipv6 broadband service we prefer not doing that, in my opinion it is not a best practice. We have more than one million customers.
    Thanks anyway, I just wanted to know if you or someone had stumbled across this particular situation.

    Best regards,
    Javier ;)

  9. sasa.macakanja@carnet.hr 26 September, 2011 16:08

    Hi Javier,

    Try this command:

    aaa accounting send counters ipv6

    I also had the same issue on asr 1006 with ipv6 accounting. After I entered this command ASR started sending Framed-IPv6-Prefix and Framed-Interface-Id attributes in accounting messages to our Radius server.

    Here is a debug output for radius accounting messages where you can see that attributes are being sent:

    004214: Sep 26 10:31:11.973 MET-DST: RADIUS: Framed-IPv6-Prefix [97] 20
    004215: Sep 26 10:31:11.973 MET-DST: RADIUS: 00 40 20 01 0B 68 00 14 00 00 00 00 00 00 00 00 00 00 [ @ h]
    004216: Sep 26 10:31:11.973 MET-DST: RADIUS: Framed-Interface-Id [96] 10
    004217: Sep 26 10:31:11.973 MET-DST: RADIUS: 60 A8 A9 16 79 D5 36

    Regards,
    Sasha

  10. Hi

    just wanted to share my experience with Cisco Access Server, and AVM FritzBox as CPE. This is my WORKING Cisco (IOS 12.4(24)T1) config
    !
    aaa group server radius my-auth-radius-servers
     server 10.0.31.21 auth-port 1645 acct-port 1646
     server 10.0.31.20 auth-port 1645 acct-port 1646
     ip vrf forwarding VRF-A
     ip radius source-interface GigabitEthernet0/0.1
    !
    aaa authorization configuration my-aaa-radius group my-auth-radius-servers
    !
    ipv6 dhcp pool v6dhcppool
     prefix-delegation aaa method-list my-aaa-radius
     dns-server 2001:DB8:2001:2001::1
    !
    interface Virtual-Template1
     ip unnumbered GigabitEthernet0/0.1
     ip broadcast-address 0.0.0.0
     ipv6 enable
     no ipv6 nd prefix framed-ipv6-prefix
     ipv6 nd other-config-flag
     no ipv6 nd ra suppress
     ipv6 dhcp server v6dhcppool
     snmp trap link-status permit duplicates
     peer default ipv6 pool v6prefixpool
     ppp authentication chap pap ms-chap ms-chap-v2 callin my-aaa-radius
     ppp authorization my-aaa-radius
     ppp accounting my-aaa-radius
     ppp ipcp address accept
     ppp multilink
    !
    ipv6 local pool v6prefixpool FEC0:1:2300::/48 64
    !

    Enjoy it!
    :)



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.