A while ago I described the pre-standard way Cisco IOS used to get delegated IPv6 prefixes from a RADIUS server. Cisco’s documentation always claimed that Cisco IOS implements RFC 4818, but you simply couldn’t get it to work in IOS releases 12.4T or 15.0M. In December I wrote about the progress Cisco is making on the DHCPv6 front and iord@intracom.com commented that IOS 15.1S does support RFC 4818. You know I absolutely had to test that claim ... and it’s true!
This is the configuration you can use on the PE-router:
aaa authorization configuration IA_PD group radius
!
ipv6 dhcp pool PPP-Radius
 prefix-delegation aaa method-list IA_PD lifetime 7200 300
 dns-server FEC0::CCCC:4
 domain-name example.com
!
interface Virtual-Template10
 mtu 1480
 no ip address
 ipv6 enable
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server PPP-Radius
And this is the FreeRADIUS user definition:
Site-A  Cleartext-Password := "Site-A"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IPv6-Prefix = "fec0:1:2400:1::/64",
        Delegated-IPv6-Prefix = "fec0:1:2400:1100::/56"
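To see what the two prefix attributes from this user definition look like inside the RADIUS reply, here is an added example (not part of the original post and not Cisco or FreeRADIUS code) that encodes and validates them using the RFC 4818 / RFC 3162 attribute layout. The function names and the overlap check between the link prefix and the delegated prefix are assumptions made for this example.

```python
import ipaddress
import struct

DELEGATED_IPV6_PREFIX = 123  # RFC 4818
FRAMED_IPV6_PREFIX = 97      # RFC 3162, same value layout

def encode_prefix_attr(attr_type, prefix):
    """Type | Length | Reserved | Prefix-Length | Prefix (only the needed octets)."""
    net = ipaddress.IPv6Network(prefix)  # strict: rejects prefixes with host bits set
    octets = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return struct.pack("!BBBB", attr_type, 4 + len(octets), 0, net.prefixlen) + octets

def decode_prefix_attr(raw, expected_type=DELEGATED_IPV6_PREFIX):
    """Parse one attribute; raise ValueError if it is malformed."""
    if len(raw) < 4:
        raise ValueError("attribute shorter than 4 octets")
    # Reserved is set to zero by the sender and ignored by the receiver.
    attr_type, length, _reserved, plen = struct.unpack("!BBBB", raw[:4])
    if attr_type != expected_type:
        raise ValueError(f"unexpected attribute type {attr_type}")
    if length != len(raw) or not 4 <= length <= 20:
        raise ValueError("bad attribute length")
    if plen > 128:
        raise ValueError("Prefix-Length above 128")
    body = raw[4:]
    if len(body) * 8 < plen:
        raise ValueError("fewer prefix octets than Prefix-Length needs")
    addr = int.from_bytes(body.ljust(16, b"\x00"), "big")
    if addr & ((1 << (128 - plen)) - 1):
        raise ValueError("bits set beyond Prefix-Length")
    return ipaddress.IPv6Network((addr, plen))

def check_reply(framed_raw, delegated_raw):
    """Decode both attributes; reject a delegated prefix that overlaps the link
    prefix (a sanity check assumed for this example, not an RFC requirement)."""
    link = decode_prefix_attr(framed_raw, FRAMED_IPV6_PREFIX)
    pd = decode_prefix_attr(delegated_raw)
    if link.overlaps(pd):
        raise ValueError(f"{pd} overlaps link prefix {link}")
    return link, pd

# Values taken from the FreeRADIUS user definition above
FRAMED = encode_prefix_attr(FRAMED_IPV6_PREFIX, "fec0:1:2400:1::/64")
DELEGATED = encode_prefix_attr(DELEGATED_IPV6_PREFIX, "fec0:1:2400:1100::/56")

if __name__ == "__main__":
    print(DELEGATED.hex(), check_reply(FRAMED, DELEGATED))
```
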
Cisco IOS release 15.1(3)S that I used in the tests also supports a fallback mechanism:
- The value of the Delegated-IPv6-Prefix from the RADIUS reply is saved in a per-interface DHCPv6 block;
- When the PPPoE client uses DHCPv6 to get a delegated prefix, the PE-router checks the pre-populated DHCPv6 reply associated with the incoming interface. If the delegated prefix is already in there, it returns the reply without querying the RADIUS server;
- If the delegated IPv6 prefix is not yet available, the PE-router uses the pre-standard method and sends another RADIUS request for the user-dhcpv6 username.
According to Cisco’s documentation, you get the same functionality (RFC 4818 support) in IOS XE release 3S.
More information
You’ll get more IPv6 access network design and configuration guidelines in my new Building Large IPv6 Access Networks webinar (you also get immediate access to the recording of the Building IPv6 Service Provider Core webinar when you register).

Ahh, this old chestnut. Thankfully I've not had to touch this problem since, but it's good to know it -actually- works now, instead of using hack-ey hacks. While the point to point link numbering doesn't strictly matter and it's all about the PD in realistic terms, people are just very fond of statics.
Even better, "framed-ipv6-pool" works as well ;)
How can you turn on debug on the PE to see all those ipv6 nd and ipv6 dhcp messages with this vrf setup? I have not been able to do the debug except on the CPE side. Kindly advise.
debug ipv6 dhcp detail
debug radius authentication
debug ipv6 nd (this one is not really good)
Hi,
We would like to set up a /48 pool in our RADIUS that we delegate into /56. Is it possible?
If not, how can I set up such a pool directly on the Cisco router?