IPv6 MPLS/VPN (6VPE) with PPPoE and RADIUS

During my visit to South Africa someone told me that he got 6VPE working over an L2TP connection ... and that you should “use the other VRF attribute, not lcp:interface-config” to make it work. A few days ago one of the readers asked me the same question and although I was able to find several relevant documents, I wanted to see it working in my lab.

Starting point (based on the somewhat relevant documentation): use the ip:vrf-id and ip:ip-unnumbered RADIUS attributes (Framed-IPv6-Prefix is used to number the WAN interface on the CE-router).

Framed-IPv6-Prefix = "fec0:1:2400:1::/64",
cisco-avpair = "ip:vrf-id=CUSTOMER",
cisco-avpair += "ip:ip-unnumbered=Loopback1001"

Result: IPv4 works, IPv6 fails. To make IPv6 work, you have to add another RADIUS attribute (hat tip to Gordon Kuzet):

cisco-avpair += "lcp:interface-config#1=ipv6 unnumbered Loopback 1001"

The need for the extra ipv6 unnumbered command seems confusing (after all, ipv6 enable was already configured on the virtual template), but the ip:vrf-id RADIUS attribute does exactly the same thing as the vrf forwarding interface configuration command – it erases all IPv4 and IPv6 addressing configuration from the virtual access interface. If you don’t like the ipv6 unnumbered command, you can easily use ipv6 enable, making IPv6 in VRF work without a PE-router loopback interface required by IPv4.

cisco-avpair += "lcp:interface-config#1=ipv6 enable"

Lcp:interface-config RADIUS parameter might cause ASR 1000 to complain and terminate the PPPoE session. Use the aaa policy interface-config allow-subinterface workaround.

Next problem: routing. I wanted to use the proper mechanism (DHCPv6 prefix delegation) and failed since DHCPv6 in Cisco IOS is still not VRF aware. Delegated prefix is retrieved from the RADIUS server and passed to the CE-router in a DHCPv6 Reply packet, but the corresponding static route is not installed in the VRF on the PE-router.

Plan B – static routes using the Framed-IPv6-Route RADIUS attribute – works flawlessly.

Framed-IPv6-Route = "fec0:1:2400:1100::/56"

As you can’t use the prefix delegation, you have to configure IPv6 prefixes matching the RADIUS static route(s) on the CE-router (potentially using ipv6 general-prefix to make it a bit more manageable if you have more than one non-WAN interface on the router).

More information

Various IPv6 access network configurations are described in my Building IPv6 Service Provider Core webinar (buy the recording). I’ve just added the 6VPE-with-RADIUS lab scenario to the router configurations you get with the recording; if you’ve already bought the recording or attended the live webinar, just log into my Webinar Management System and retrieve the new configuration tarball.

For more IPv6 webinars, check the IPv6 roadmap; all of them are available as part of the yearly subscription package.

1 comment:

  1. Gary T. Giesen23 July, 2013 16:59

    Have you ever run into a situation where an IPv6 connected route for the peer is not installed on the PPPoE client/CE? I have to manually add a static route pointing at the Dialer to establish connectivity (which is not ideal).

    This is on a 7206 VXR, the PE is running 12.2(33)SRE8, the CE is running 15.1(4)M6.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.