2012-01-19: The initial version of this post contained a serious error: the Cisco IOS DHCPv6 server does not create host routes; without an on-link prefix, the router cannot forward packets to the attached end-hosts.
IPv6 hosts can use stateless or stateful autoconfiguration. Stateless address autoconfiguration (SLAAC) uses IPv6 prefixes from Router Advertisement (RA) messages; stateful autoconfiguration uses DHCPv6. The routers can use two flags in RA messages to tell the attached end hosts which method to use:
- Managed-Config-Flag tells the end-host to use DHCPv6 exclusively;
- Other-Config-Flag tells the end-host to use SLAAC to get an IPv6 address and DHCPv6 to get other parameters (DNS server address, for example);
- Absence of both flags tells the end-host to use only SLAAC.
One might assume that setting managed-config-flag in RA messages forces IPv6 hosts to use DHCPv6. Wrong: the two flags are just a polite suggestion.
Can you enforce the use of DHCPv6 in case you want to track end-user IPv6 addresses for security/accountability reasons? Sure you can (there’s a workaround for every problem) – if you don’t advertise on-link prefixes in router advertisement messages, the hosts cannot auto-generate IPv6 addresses and are forced to use DHCPv6, or stay forever isolated from the beauties of IPv6-only Internet.
You still have to configure an IPv6 prefix on the LAN interface (the DHCPv6 server does not create host routes toward its clients) and disable its propagation with the ipv6 nd prefix no-advertise interface configuration command.
To enforce DHCPv6-only address configuration in Cisco IOS, use the following interface configuration:
```
description Host Access LAN (VLAN 100)
encapsulation dot1Q 100
ipv6 address FEC0:1:2300:1::1/64
ipv6 nd prefix FEC0:1:2300:1::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd router-preference High
ipv6 dhcp server VLAN_100
```
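To check from the host side that the configuration above has the intended effect, you can parse a captured Router Advertisement and confirm that the M flag is set and no usable prefix is advertised. The following Python sketch is an added example, not part of the original post or of any Cisco tooling; the sample packets are constructed, the function names are hypothetical, and treating only prefixes with the autonomous flag as SLAAC-capable follows RFC 4862 rather than anything stated in the post.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3   # ICMPv6 RA type, Prefix Information option (RFC 4861)

def parse_ra(pkt: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 header."""
    if len(pkt) < 16 or pkt[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(pkt[5] & 0x80), "other": bool(pkt[5] & 0x40), "prefixes": []}
    off = 16                                    # options follow the fixed 16-byte header
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed RA option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            net = ipaddress.IPv6Network((pkt[off + 16:off + 32], pkt[off + 2]), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pkt[off + 3] & 0x80),
                                   "autonomous": bool(pkt[off + 3] & 0x40)})
        off += opt_len
    return ra

def slaac_prefixes(ra: dict) -> list:
    """Prefixes a host may use for SLAAC (autonomous flag set, RFC 4862)."""
    return [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]

def enforces_dhcpv6(ra: dict) -> bool:
    """True when the RA asks for DHCPv6 and offers nothing to autoconfigure from."""
    return ra["managed"] and not slaac_prefixes(ra)

def build_ra(flags: int, prefix: str = None) -> bytes:
    """Construct a sample RA (checksum left at 0; it is not validated here)."""
    pkt = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    return pkt

# Constructed samples: flags 0x88 = M flag plus high router preference (RFC 4191)
ADVERTISED = build_ra(0x88, "fec0:1:2300:1::/64")   # M flag set, prefix still advertised
SUPPRESSED = build_ra(0x88)                          # assumed result of no-advertise

if __name__ == "__main__":
    for name, pkt in (("advertised", ADVERTISED), ("suppressed", SUPPRESSED)):
        ra = parse_ra(pkt)
        print(name, "M =", ra["managed"], "SLAAC prefixes =", slaac_prefixes(ra),
              "DHCPv6 enforced =", enforces_dhcpv6(ra))
```

The first sample shows why the M flag alone is not enough: the host is told to use DHCPv6 but still receives a prefix it can autoconfigure from.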
Many more IPv6 access network hints are described in my new Building Large IPv6 Access Networks webinar (and you get access to the recording of the Building IPv6 Service Provider Core webinar when you register).