Framed-IPv6-Prefix used as delegated DHCPv6 prefix

Chris Pollock from io Networks was kind enough to share yet another method of implementing DHCPv6 prefix delegation on PPP interfaces in his comment to my DHCPv6-RADIUS integration: the Cisco way blog post. If you configure the no ipv6 nd prefix framed-ipv6-prefix interface configuration command, the router stops including the Framed-IPv6-Prefix received from RADIUS in the list of prefixes advertised in RA messages and uses that prefix as the delegated prefix instead.

This setup works reliably in IOS release 15.0M. 12.2SRE3 (running on a 7206) includes the Framed-IPv6-Prefix in both the RA advertisements and the DHCPv6 IA_PD reply, totally confusing the CPE.

This feature works great for CPE routers connecting to the PE-router (BRAS), but if the PPP session is established directly from an end host, the host still needs an IPv6 prefix on the PPP link itself, so you have to address the virtual access interfaces from a local IPv6 address pool. Complete configuration of the virtual template interface is included below:

interface Virtual-Template10
 mtu 1480
 no ip address
 peer default ipv6 pool PPP
 ipv6 enable
 no ipv6 nd prefix framed-ipv6-prefix
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server PPP-Radius
 no keepalive
 ppp authentication pap
 ppp direction callin

You have to configure an IPv6 DHCP pool to be able to start the DHCP server on the virtual access interface. The DHCP pool needs just the DNS server address:

ipv6 dhcp pool PPP-Radius
 dns-server FEC0::CCCC:4

Last but not least, you need a local IPv6 address pool:

ipv6 local pool PPP FEC0:1:2300::/48 64

... and a corresponding route to the null interface that you can advertise into your IGP or BGP:

ipv6 route FEC0:1:2300::/48 Null0

More information

Using Framed-IPv6-Prefix as the delegated DHCPv6 prefix is only one of the many ways you can configure DHCPv6 prefix delegation on Cisco IOS. Most of them, including local DHCPv6 server, DHCPv6 relay, proprietary RADIUS integration with two usernames and RFC 4818, are described in my Building IPv6 Service Provider Core webinar.

10 comments:

  1. Seems that in this configuration is missing the line:
    prefix-delegation pool PPP-Radius
    in the dhcp pool section. Otherwise the dhcp server says to the CPE error 6 (no prefix available).
    Can you confirm that there is this mistake in the config provided in the blog, or not...?
    Thanks!!!

    Matteo
  2. There's no mistake. Test the config with a router running 15.0M or later release.
  3. You are right! I'm using a 12.4! The issue is here! So I discovered that there are many important differences between IOS releases in IPv6 configuration... wonderful thing to know!
    Thanks!
  4. Hi Ivan, I have a question because we are intending our Cisco BRAS ASR1006, which is currently supporting dual stack, to send the user's IPv6 prefix during accounting request to our RADIUS using framed-ipv6-prefix type 97 and that unfortunately doesn't happen. Do you know if there is any command similar to Juniper's:
    radius include framed-ipv6-prefix
    ■Use to include the Framed-Ipv6-Prefix attribute in Access-Request, Acct-Start, or Acct-Stop messages.
    ■You can control inclusion of the Framed-Ipv6-Prefix attribute by enabling or disabling this command.
    So that we can solve our current problem?

    If you need I can give you more detail of the BRAS configuration.

    I look forward to hearing from you asap.
    Best regards,
    Javier
    PS: sorry for my English, I am from Argentina
  5. Am I right in understanding you'd like to get the IPv6 prefix in __accounting__ not in authentication records (so after the PPP session is terminated)? Need to investigate, never stumbled across this particular one before.

    On a totally unrelated note, your English is just fine :)
  6. Hi Ivan! Yes, that's right! In accounting records for an issue of billing. If you remember, for IPv4 according to RFC2866 reference 4.1 Accounting-request it says "If the Accounting-Request packet includes a Framed-IP-Address, that attribute MUST contain the IP address of the user. If the Access-Accept used the special values for Framed-IP-Address telling the NAS to assign or negotiate an IP address for the user, the Framed-IP-Address (if any) in the Accounting-Request MUST contain the actual IP address assigned or negotiated."

    In our case for IPv4 broadband services the BRAS sends the user's IPv4 address so that way our systems keep records for billing and other stuff as for instance lawful intercept etc. So it is not our idea for IPv6 that prefix delegation function will be in the RADIUS in the near future but this will go on in the BRAS as today we are doing for our trial. What are we doing?
    So far we are doing a broadband IPv6 trial that has just started June 8th and will end up in November. The users are 25 employees from my company and the broadband service belongs to my company. So far the service is working fine with the exception of the detail I have told you that I need to solve and for which I am a bit confused.
    Really, thanks for your answer Ivan!
    Best regards,
    Javier :)
  7. If the accounting doesn't give you IPv6 data, assign a static /64 IPv6 prefix to every user in RADIUS.
  8. But for our massive IPv6 broadband service we prefer not doing that, in my opinion it is not a best practice. We have more than one million customers.
    Thanks anyway, I just wanted to know if you or someone had stumbled across this particular situation.

    Best regards,
    Javier ;)
  9. Hi Javier,

    Try this command:

    aaa accounting send counters ipv6

    I also had the same issue on asr 1006 with ipv6 accounting. After I entered this command ASR started sending Framed-IPv6-Prefix and Framed-Interface-Id attributes
    in accounting messages to our Radius server.

    Here is a debug output for radius accounting messages where you can see that attributes are being sent:

    004214: Sep 26 10:31:11.973 MET-DST: RADIUS: Framed-IPv6-Prefix [97] 20
    004215: Sep 26 10:31:11.973 MET-DST: RADIUS: 00 40 20 01 0B 68 00 14 00 00 00 00 00 00 00 00 00 00 [ @ h]
    004216: Sep 26 10:31:11.973 MET-DST: RADIUS: Framed-Interface-Id [96] 10
    004217: Sep 26 10:31:11.973 MET-DST: RADIUS: 60 A8 A9 16 79 D5 36

    Regards,
    Sasha
  10. Hi

    just wanted to share my experience with Cisco Access Server, and AVM FritzBox as CPE. This is my WORKING Cisco (IOS 12.4(24)T1) config
    !
    aaa group server radius my-auth-radius-servers
     server 10.0.31.21 auth-port 1645 acct-port 1646
     server 10.0.31.20 auth-port 1645 acct-port 1646
     ip vrf forwarding VRF-A
     ip radius source-interface GigabitEthernet0/0.1
    !
    aaa authorization configuration my-aaa-radius group my-auth-radius-servers
    !
    ipv6 dhcp pool v6dhcppool
     prefix-delegation aaa method-list my-aaa-radius
     dns-server 2001:DB8:2001:2001::1
    !
    interface Virtual-Template1
     ip unnumbered GigabitEthernet0/0.1
     ip broadcast-address 0.0.0.0
     ipv6 enable
     no ipv6 nd prefix framed-ipv6-prefix
     ipv6 nd other-config-flag
     no ipv6 nd ra suppress
     ipv6 dhcp server v6dhcppool
     snmp trap link-status permit duplicates
     peer default ipv6 pool v6prefixpool
     ppp authentication chap pap ms-chap ms-chap-v2 callin my-aaa-radius
     ppp authorization my-aaa-radius
     ppp accounting my-aaa-radius
     ppp ipcp address accept
     ppp multilink
    !
    ipv6 local pool v6prefixpool FEC0:1:2300::/48 64
    !

    Enjoy it!
    :)
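
The Framed-IPv6-Prefix octets in the RADIUS debug output in comment 9 can be decoded to confirm which prefix the router actually reports in accounting. The following is an added example, not code from the blog post or its commenters: it applies the RFC 3162 attribute layout (type, length, reserved octet, prefix length, prefix), and the function names are hypothetical.

```python
import ipaddress

FRAMED_IPV6_PREFIX = 97  # RADIUS attribute type defined in RFC 3162


def parse_framed_ipv6_prefix(attr: bytes) -> ipaddress.IPv6Network:
    """Decode a complete Framed-IPv6-Prefix attribute (type, length, value)."""
    if len(attr) < 4:
        raise ValueError("attribute shorter than 4 octets")
    attr_type, attr_len, reserved, prefix_len = attr[:4]
    if attr_type != FRAMED_IPV6_PREFIX:
        raise ValueError(f"unexpected attribute type {attr_type}")
    if attr_len != len(attr) or attr_len > 20:
        raise ValueError(f"length octet {attr_len} does not match {len(attr)} octets")
    if reserved != 0:
        raise ValueError("reserved octet is not zero")
    if prefix_len > 128:
        raise ValueError(f"prefix length {prefix_len} exceeds 128")
    prefix = attr[4:]
    if len(prefix) * 8 < prefix_len:
        raise ValueError("prefix field carries fewer bits than the prefix length")
    # The prefix field may be shorter than 16 octets on the wire; pad it.
    address = ipaddress.IPv6Address(prefix + bytes(16 - len(prefix)))
    # strict=True raises ValueError when bits beyond prefix_len are set.
    return ipaddress.IPv6Network((address, prefix_len), strict=True)


def from_debug(attr_type: int, attr_len: int, hex_dump: str) -> ipaddress.IPv6Network:
    """Rebuild the attribute from the '[type] length' header and the hex
    octets the router prints in its RADIUS debug, then decode it."""
    header = bytes([attr_type, attr_len])
    return parse_framed_ipv6_prefix(header + bytes.fromhex(hex_dump))


# Octets copied from the debug output in comment 9 (wrapped log line joined).
DEBUG_OCTETS = "00 40 20 01 0B 68 00 14 00 00 00 00 00 00 00 00 00 00"

if __name__ == "__main__":
    print(from_debug(97, 20, DEBUG_OCTETS))
```
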