DHCPv6 Prefix Delegation with RADIUS works in IOS release 15.1

A while ago I described the pre-standard way Cisco IOS used to get delegated IPv6 prefixes from a RADIUS server. Cisco’s documentation always claimed that Cisco IOS implements RFC 4818, but you simply couldn’t get it to work in IOS releases 12.4T or 15.0M. In December I wrote about the progress Cisco is making on the DHCPv6 front and iord@intracom.com commented that IOS 15.1S does support RFC 4818. You know I absolutely had to test that claim ... and it’s true!

This is the configuration you can use on the PE-router:

aaa authorization configuration IA_PD group radius
!
ipv6 dhcp pool PPP-Radius
 prefix-delegation aaa method-list IA_PD lifetime 7200 300
 dns-server FEC0::CCCC:4
 domain-name example.com
!
interface Virtual-Template10
 mtu 1480
 no ip address
 ipv6 enable
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server PPP-Radius

And this is the FreeRADIUS user definition:

Site-A  Cleartext-Password := "Site-A"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IPv6-Prefix = "fec0:1:2400:1::/64",
        Delegated-IPv6-Prefix = "fec0:1:2400:1100::/56"
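
The Delegated-IPv6-Prefix value above is carried in the RADIUS reply as attribute 123 (RFC 4818). The following Python is an added example, not code from this post, Cisco or FreeRADIUS; it encodes that value and decodes it with the bounds checks a receiver should apply. The function names are made up for the illustration, and rejecting a Prefix field shorter than the stated Prefix-Length is this example's own conservative choice.

```python
import ipaddress
import struct

DELEGATED_IPV6_PREFIX = 123  # RADIUS attribute type defined in RFC 4818


def encode_delegated_prefix(prefix: str) -> bytes:
    """Build the attribute: Type, Length, Reserved, Prefix-Length, Prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # raises if host bits are set
    nbytes = (net.prefixlen + 7) // 8                 # trailing zero octets are omitted
    body = net.network_address.packed[:nbytes]
    header = struct.pack("!BBBB", DELEGATED_IPV6_PREFIX, 4 + nbytes, 0, net.prefixlen)
    return header + body


def decode_delegated_prefix(attr: bytes) -> ipaddress.IPv6Network:
    """Parse one attribute, raising ValueError on malformed input."""
    if len(attr) < 4:
        raise ValueError("attribute shorter than the 4-octet fixed header")
    atype, length, _reserved, plen = struct.unpack("!BBBB", attr[:4])
    if atype != DELEGATED_IPV6_PREFIX:
        raise ValueError(f"unexpected attribute type {atype}")
    # RFC 4818: Length is at least 4 and no larger than 20
    if not 4 <= length <= 20 or length != len(attr):
        raise ValueError(f"bad attribute length {length}")
    if plen > 128:
        raise ValueError(f"prefix length {plen} exceeds 128")
    prefix = attr[4:]
    # Conservative choice of this example: the field must cover Prefix-Length
    if len(prefix) * 8 < plen:
        raise ValueError("prefix field too short for the stated prefix length")
    value = int.from_bytes(prefix.ljust(16, b"\x00"), "big")
    # RFC 4818: bits outside the Prefix-Length must be zero
    if value & ((1 << (128 - plen)) - 1):
        raise ValueError("bits set beyond the prefix length")
    return ipaddress.IPv6Network((value, plen))


if __name__ == "__main__":
    # Prefix taken from the Site-A user entry above
    wire = encode_delegated_prefix("fec0:1:2400:1100::/56")
    print(wire.hex(), "->", decode_delegated_prefix(wire))
```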

Cisco IOS release 15.1(3)S that I used in the tests also supports a fallback mechanism:

  • The value of the Delegated-IPv6-Prefix from the RADIUS reply is saved in a per-interface DHCPv6 block;
  • When the PPPoE client uses DHCPv6 to get a delegated prefix, the PE-router checks the pre-populated DHCPv6 reply associated with the incoming interface. If the delegated prefix is already in there, it returns the reply without querying the RADIUS server;
  • If the delegated IPv6 prefix is not yet available, the PE-router uses the pre-standard method and sends another RADIUS request for the user-dhcpv6 username.

According to Cisco’s documentation, you get the same functionality (RFC 4818 support) in IOS XE release 3S.

More information

You’ll get more IPv6 access network design and configuration guidelines in my new Building Large IPv6 Access Networks webinar (you also get immediate access to the recording of the Building IPv6 Service Provider Core webinar when you register).

5 comments:

  1. Ahh, this old chestnut. Thankfully I've not had to touch this problem since, but it's good to know it -actually- works now, instead of using hack-ey hacks. While the point to point link numbering doesn't strictly matter and it's all about the PD in realistic terms, people are just very fond of statics.

  2. Even better, "framed-ipv6-pool" works as well ;)

  3. How can you turn on debug on the PE to see all those ipv6 nd and ipv6 dhcp messages with this vrf setup?? I have not been able to do the debug except on the CPE side. Kindly advise.

  4. debug ipv6 dhcp detail
    debug radius authentication
    debug ipv6 nd (this one is not really good)

  5. Hi,

    We would like to set up in our RADIUS a /48 pool that we delegate into /56. Is it possible?

    If not, how can I set up such a pool directly on the Cisco router?


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.