DHCPv6 Configuration
Overview of DHCPv6
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is a stateful protocol that assigns IPv6 addresses or prefixes and other configuration parameters to hosts.
Introduction
IPv6 has made it possible to have virtually unlimited IP addresses by increasing the IP address length from 32 bits to 128 bits. This increase in IP address length requires efficient IPv6 address space management and assignment. IPv6 addresses and other configuration parameters can be assigned in any of the following ways:
- Manual configuration. IPv6 addresses/prefixes and other network configuration parameters are manually configured, such as the DNS server address, network information service (NIS) server address, and Simple Network Time Protocol (SNTP) server address.
- Stateless address allocation. A host uses the prefix carried in a received Router Advertisement (RA) message and the local interface ID to automatically generate an IPv6 address.
- Stateful address autoconfiguration using DHCPv6. DHCPv6 address allocation can be implemented in any of the following modes:
- DHCPv6 stateful address autoconfiguration. A DHCPv6 server automatically configures IPv6 addresses/prefixes and other network configuration parameters, such as the DNS server address, NIS server address, and SNTP server address.
- DHCPv6 stateless address autoconfiguration. A host uses the prefix carried in a received RA message and the local interface ID to automatically generate an IPv6 address. The DHCPv6 server assigns configuration parameters other than IPv6 addresses, such as the DNS server address, NIS server address, and SNTP server address.
- DHCPv6 Prefix Delegation (PD). IPv6 prefixes do not need to be manually configured for the downstream routers. The DHCPv6 prefix delegation mechanism allows a downstream router to send DHCPv6 messages carrying the IA_PD option to an upstream router to apply for IPv6 prefixes. After the upstream router assigns a prefix that has less than 64 bits to the downstream router, the downstream router automatically subnets the delegated prefix into /64 prefixes and assigns the /64 prefixes to the links attached to IPv6 hosts through RA messages. This mechanism implements automatic configuration of IPv6 addresses for IPv6 hosts and hierarchical IPv6 prefix delegation.
Limitations for DHCPv6
Limitations for DHCPv6 on NE40E-M2H
Restrictions | Guidelines | Impact |
---|---|---|
DHCPv6 relay does not apply to the request packets from the DHCP clients that pass through lightweight DHCP relay agent (LDRA). | Do not deploy this type of networking for DHCPv6 relay. | DHCPv6 clients cannot go online through DHCPv6 relay. |
The function of automatic restoration upon restart for DHCPv6 PD users supports up to 40K users. | Properly plan the number of PD users on the live network. If the function of automatic restoration upon restart for DHCPv6 PD users is required, do not deploy more than 40K PD users. | If more than 40K PD users exist, user data cannot be written into the file, and data cannot be restored after restart. |
In a master/slave scenario where the DHCPv6 Relay packet and the return packet are transmitted over different paths, the DHCPv6 relay configurations on relay interfaces must be consistent; on a DHCPv6 relay, different interfaces cannot be configured with the same link-address. The corresponding command is dhcpv6 relay link-address xx::xx; double-layer VLAN scenario is not supported between Relay device and Client device. | In a master/slave scenario, the DHCPv6 relay configuration on relay interfaces must be consistent; different interfaces on the same DHCPv6 relay cannot be configured with the same link-address. The corresponding command is dhcpv6 relay link-address xx::xx. | DHCPv6 users fail to go online. |
Limitations for DHCPv6 on NE40E-M2K
Restrictions | Guidelines | Impact |
---|---|---|
DHCPv6 relay does not apply to the request packets from the DHCP clients that pass through lightweight DHCP relay agent (LDRA). | Do not deploy this type of networking for DHCPv6 relay. | DHCPv6 clients cannot go online through DHCPv6 relay. |
The function of automatic restoration upon restart for DHCPv6 PD users supports up to 40K users. | Properly plan the number of PD users on the live network. If the function of automatic restoration upon restart for DHCPv6 PD users is required, do not deploy more than 40K PD users. | If more than 40K PD users exist, user data cannot be written into the file, and data cannot be restored after restart. |
In a master/slave scenario where the DHCPv6 Relay packet and the return packet are transmitted over different paths, the DHCPv6 relay configurations on relay interfaces must be consistent; on a DHCPv6 relay, different interfaces cannot be configured with the same link-address. The corresponding command is dhcpv6 relay link-address xx::xx; double-layer VLAN scenario is not supported between Relay device and Client device. | In a master/slave scenario, the DHCPv6 relay configuration on relay interfaces must be consistent; different interfaces on the same DHCPv6 relay cannot be configured with the same link-address. The corresponding command is dhcpv6 relay link-address xx::xx. | DHCPv6 users fail to go online. |
Limitations for DHCPv6 on NE40E-M2K-B
Restrictions | Guidelines | Impact |
---|---|---|
DHCPv6 relay does not apply to the request packets from the DHCP clients that pass through lightweight DHCP relay agent (LDRA). | Do not deploy this type of networking for DHCPv6 relay. | DHCPv6 clients cannot go online through DHCPv6 relay. |
The function of automatic restoration upon restart for DHCPv6 PD users supports up to 40K users. | Properly plan the number of PD users on the live network. If the function of automatic restoration upon restart for DHCPv6 PD users is required, do not deploy more than 40K PD users. | If more than 40K PD users exist, user data cannot be written into the file, and data cannot be restored after restart. |
In a master/slave scenario where the DHCPv6 Relay packet and the return packet are transmitted over different paths, the DHCPv6 relay configurations on relay interfaces must be consistent; on a DHCPv6 relay, different interfaces cannot be configured with the same link-address. The corresponding command is dhcpv6 relay link-address xx::xx; double-layer VLAN scenario is not supported between Relay device and Client device. | In a master/slave scenario, the DHCPv6 relay configuration on relay interfaces must be consistent; different interfaces on the same DHCPv6 relay cannot be configured with the same link-address. The corresponding command is dhcpv6 relay link-address xx::xx. | DHCPv6 users fail to go online. |
Configuring DHCPv6 Relay
When a DHCPv6 client and a DHCPv6 server reside on different links, configure a DHCPv6 relay agent to relay DHCPv6 messages between the client and server.
Usage Scenario
On the network shown in Figure 5-1, DHCPv6 clients reside on Network A, and the DHCPv6 server resides on Network B. A DHCPv6 relay agent must be configured to relay DHCPv6 messages between the clients and server so that the clients can apply for IPv6 addresses from the server.
Pre-configuration Tasks
Before configuring DHCPv6 relay, complete the following tasks:
- Configure a DHCPv6 server.
- Configure a DHCPv6 relay interface.
- Configure a route on the DHCPv6 server destined for the DHCPv6 relay interface.
Enable DHCPv6
DHCPv6 provides client, relay, and server functions.
Configuring DHCPv6 Relay Forwarding
DHCPv6 relay forwarding functions are configured on the inbound interface of DHCPv6 messages. You can specify the outbound interface, or destination DHCPv6 server address, or next-hop DHCPv6 relay agent address.
Context
To relay packets sent from DHCPv6 clients on a network segment, configure DHCPv6 relay forwarding on the DHCPv6 relay agent's interface that connects to the network segment. If multiple outbound interfaces or destination IPv6 addresses are specified, the DHCPv6 relay agent forwards one copy of packets to each outbound interface or destination IPv6 address. The destination IPv6 address can be an interface address on the next-hop DHCPv6 relay agent or the DHCPv6 server.
Procedure
- Run system-view
The system view is displayed.
- (Optional) Run dhcpv6 relay server group group-name. A DHCPv6 relay server group is configured, and the server group view is displayed.
If you want to enable DHCPv6 relay on multiple interfaces and specify the same DHCPv6 relay servers for these interfaces, configure a DHCPv6 relay server group to simplify the configuration.
- (Optional) Run server server-addr
A server is added to the DHCPv6 relay server group.
- Run quit
Return to the system view.
- Run interface interface-type interface-number
The interface view is displayed.
- Run either of the following commands:
- To specify an outbound interface or destination IPv6 address for DHCPv6 messages on the interface, run the dhcpv6 relay { interface interface-type interface-number | destination ipv6-address } command.
- To bind the interface to a DHCPv6 relay server group, run the dhcpv6 relay binding server group group-name command.
- (Optional) Run dhcpv6 relay link-address ipv6-address
A DHCPv6 relay gateway address is configured.
- (Optional) For a DHCPv6 server that replies to packets based on the source IP address, the DHCPv6 relay agent uses the IP address of the relay interface as the source IP address when forwarding a DHCP request packet from a DHCPv6 client. If the source IP address needs to be specified, perform either of the following operations:
- Run dhcpv6 relay source-ip-address ipv6-address
The source IPv6 address is specified for DHCPv6 messages on the interface.
- Run dhcpv6 relay source-interface { interface-name | interface-type interface-num }
The IP address of a specified interface is configured as the source IPv6 address of DHCPv6 relay forwarding packets.
Both the dhcpv6 relay source-ip-address and dhcpv6 relay source-interface commands specify the source IP address used by a DHCP relay agent to forward packets. These two commands are mutually exclusive. If both commands are run on a DHCP relay interface, the later configuration overrides the earlier one.
- Run quit
Return to the system view.
- (Optional) Run dhcpv6 rate-limit { enable | rate-limit }
Global rate limiting is enabled for DHCPv6 messages.
After global rate limiting is enabled and a rate limit is configured for DHCPv6 messages on a DHCPv6 device, when the device is being attacked or the system is busy, the device can control the rate at which DHCPv6 messages are processed and discards the messages exceeding the specified rate limit.
- (Optional) Run dhcpv6 source-ip-address format adaptive enable
The source IPv6 address type of the response packets sent by the DHCPv6 relay to the DHCPv6 client is configured as link-local.
- Run commit
The configuration is committed.
(Optional) Configuring DHCPv6 PD Relay Functions
A DHCPv6 relay agent can be configured to advertise DHCPv6 PD routes, limit the maximum number of access DHCPv6 clients, and check the physical information of DHCPv6 packets.
Context
The NE40E functioning as a DHCPv6 relay agent supports the following DHCPv6 PD relay functions:
Advertises DHCPv6 PD routes.
In DHCPv6 (IA_PD) scenarios, a DHCPv6 relay agent generates a PD route based on the DHCPv6 PD prefix assigned by the DHCPv6 server to a DHCPv6 client. By default, this PD route applies only to the relay agent and is not advertised. Other devices cannot obtain the routes destined for the CPE and its attached user terminals. As a result, the user terminals cannot access the network. To allow devices to obtain routes destined for the CPE and its attached user terminals, perform either of the following operations:
- Configure a summarized route with a DHCPv6 PD prefix and use a routing protocol to advertise the route to other devices. This method is recommended because it does not require other devices to learn many routes, so it has little impact on the core network.
- Run the dhcpv6 export pd-route command to allow a DHCPv6 relay agent to automatically advertise the PD routes it generated to other devices. Because the PD routes generated on the DHCPv6 relay agent are destined for clients and the clients are constantly applying for and releasing prefixes, PD routes cannot be dynamically summarized. Advertising all PD routes has a large impact on the core network. Therefore, this method is not recommended.
Configures the maximum number of access DHCPv6 clients on the DHCPv6 relay agent.
The maximum number of access DHCPv6 clients can be limited on an interface or a specified interface in a VLAN.
Configures the DHCPv6 relay agent to check the physical information of DHCPv6 packets.
If the location of a WLAN user changes, the physical information (user access interface, PE-VLAN ID, and CE-VLAN ID) of DHCPv6 packets from that user will also change. In this case, the DHCPv6 relay agent does not need to check the physical information of DHCPv6 packets.
However, the physical information of DHCPv6 packets from fixed network users does not change unless an error has occurred. To allow a DHCPv6 relay interface to check the physical information of DHCPv6 packets for security purposes, run the dhcpv6 relay strict-check interface-info command.
Procedure
- Run system-view
The system view is displayed.
- Run dhcpv6 export pd-route
The DHCPv6 relay agent is enabled to advertise DHCPv6 PD routes.
- Run dhcpv6 relay pd-route auto-save file-name
The DHCPv6 relay agent is enabled to automatically save PD routes.
After a DHCPv6 relay agent is restarted, the PD routes are lost, so users cannot access the network. After you enable the DHCPv6 relay agent to save PD routes to a file, it can restore the PD routes from the file after a restart.
- Run interface interface-type interface-number
The DHCPv6 relay interface view is displayed.
- Run dhcpv6 relay access-limit
The maximum number of access DHCPv6 clients on the DHCPv6 relay interface is configured. After the number is reached, additional DHCPv6 clients are not allowed to go online through the DHCPv6 relay interface.
- The dhcpv6 relay access-limit limit-number command configures the maximum number of access DHCPv6 clients on a DHCPv6 relay interface.
- The dhcpv6 relay access-limit limit-number vlan vlan-id [ end-vlan-id ] command configures the maximum number of access DHCPv6 clients in a specified VLAN on a DHCPv6 relay interface. If both vlan-id and end-vlan-id are configured to specify a VLAN range, the maximum number of access DHCPv6 clients applies to all the VLANs in this range. Each relay interface supports 16 VLAN ranges. For example, if the dhcpv6 relay access-limit 1 vlan 1 100 command is run on GE 0/1/1.1, one DHCPv6 client is allowed to go online through VLANs in the range 1-100.
- The dhcpv6 relay access-limit limit-number pevlan pevlan-id { cevlan cevlan-id [ end-cevlan-id ] | any } command configures the maximum number of DHCPv6 clients that send double-tagged packets to go online through a DHCPv6 relay interface. Each relay interface supports 16 VLAN ranges. If you configure any for cevlan, the maximum number of DHCPv6 clients whose packets carry the outer VLAN ID specified by pevlan-id and any VLAN ID not in the CE-VLAN range is limited. This configuration is counted in the 16 VLAN ranges allowed. For example, if both the dhcpv6 relay access-limit 1 pevlan 2 cevlan 1 100 and dhcpv6 relay access-limit 2 pevlan 2 cevlan any commands are run on GE 0/1/1.1, one DHCPv6 client whose packets carry PE-VLAN 2 and any CE-VLAN ID in the range 1-100 is allowed to go online, and two DHCPv6 clients whose packets carry PE-VLAN 2 and any CE-VLAN ID in the range 101-4094 are allowed to go online.
- The dhcpv6 relay access-limit limit-number vlan any command configures the maximum number of DHCPv6 clients that can go online through single or double VLANs that do not have such a limit configured. This configuration is not counted in the 16 VLAN ranges allowed. Run this command to limit the maximum number of access DHCPv6 clients on a DHCPv6 relay interface in a specified VLAN. For example, if DHCPv6 clients send double-tagged packets to go online, each pair of VLAN tags identifies a VLAN. Run the dhcpv6 relay access-limit 1 vlan any command to configure a DHCPv6 relay interface to allow only one client that sends double-tagged VLAN packets to go online. This configuration protects the device against packets with changing MAC addresses and DUIDs.
- Run dhcpv6 relay strict-check interface-info
The DHCPv6 relay interface is enabled to check the physical information of DHCPv6 packets.
- Run commit
The configuration is committed.
(Optional) Configuring DHCPv6 Relay Options
DHCPv6 relay options include the Interface-ID option, Remote-ID option, and Subscriber-ID option. These options carry detailed user information for address assignment and parameter configuration.
Context
A DHCPv6 server assigns IPv6 addresses and other configuration parameters to clients based on options carried in DHCPv6 messages. You can determine whether to enable the DHCPv6 relay agent to add these options to DHCPv6 messages based on the server implementation.
- The Interface-ID option carries information about the inbound interface that receives client messages.
- The Remote-ID option carries information about a DHCPv6 relay agent, such as the DUID, port identifier, and VLAN ID.
- The Subscriber-ID option carries the MAC address of a client.
Among these options, the Interface-ID, Remote-ID, and Subscriber-ID options can be configured for Layer 2 or Layer 3 Ethernet interfaces.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run dhcpv6 relay option-insert { interface-id mode { cn-telecom | tr-101 } | remote-id | subscriber-id } or dhcpv6 relay option-insert { interface-id mode self-define self-define-value | remote-id mode self-define self-define-value }
The interface is enabled to add the Interface-ID, Subscriber-ID, and Remote-ID relay options to DHCPv6 messages.
- Run commit
The configuration is committed.
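The relay options described in this section travel in the Relay-forward message that the relay agent sends toward the server. The following Python parser is an added example, not part of the vendor documentation; it follows the RFC 8415, RFC 4649 and RFC 4580 encodings, and the option contents (interface name, example enterprise number 32473, Subscriber-ID string) are constructed sample values, because the page does not show what the device actually inserts.

```python
import ipaddress
import struct

RELAY_FORW = 12         # RFC 8415 message type Relay-forward
OPT_RELAY_MSG = 9       # carries the client's original message
OPT_INTERFACE_ID = 18   # RFC 8415
OPT_REMOTE_ID = 37      # RFC 4649: 4-byte enterprise number + opaque ID
OPT_SUBSCRIBER_ID = 38  # RFC 4580
HEADER_LEN = 34         # msg-type, hop-count, link-address, peer-address


def build_option(code, data):
    """Encode one option: 16-bit code, 16-bit length, then the data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Split an options area into (code, data) pairs, rejecting overruns."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} overruns the message")
        opts.append((code, buf[off:off + length]))
        off += length
    return opts


def parse_relay_forward(msg):
    """Return the relay header fields and relay options of a Relay-forward."""
    if len(msg) < HEADER_LEN or msg[0] != RELAY_FORW:
        raise ValueError("not a complete Relay-forward message")
    info = {
        "hop_count": msg[1],
        "link_address": str(ipaddress.IPv6Address(msg[2:18])),
        "peer_address": str(ipaddress.IPv6Address(msg[18:34])),
    }
    for code, data in parse_options(msg[HEADER_LEN:]):
        if code == OPT_INTERFACE_ID:
            info["interface_id"] = data
        elif code == OPT_REMOTE_ID:
            if len(data) < 4:
                raise ValueError("Remote-ID shorter than enterprise number")
            info["remote_id"] = (struct.unpack("!I", data[:4])[0], data[4:])
        elif code == OPT_SUBSCRIBER_ID:
            info["subscriber_id"] = data
        elif code == OPT_RELAY_MSG and data:
            info["client_msg_type"] = data[0]
    if "client_msg_type" not in info:
        raise ValueError("Relay Message option missing or empty")
    return info


def sample_relay_forward():
    """Constructed sample: a SOLICIT relayed with all three relay options."""
    solicit = bytes([1]) + b"\xab\xcd\xef"  # message type 1 + transaction ID
    header = (bytes([RELAY_FORW, 0])
              + ipaddress.IPv6Address("2001:db8:1::2").packed  # link-address
              + ipaddress.IPv6Address("fe80::1").packed)       # peer-address
    return (header
            + build_option(OPT_RELAY_MSG, solicit)
            + build_option(OPT_INTERFACE_ID, b"GE0/1/0")
            + build_option(OPT_REMOTE_ID,
                           struct.pack("!I", 32473) + b"DeviceA")
            + build_option(OPT_SUBSCRIBER_ID, b"00e0-fc12-3456"))


if __name__ == "__main__":
    for key, value in parse_relay_forward(sample_relay_forward()).items():
        print(f"{key}: {value}")
```

A server that keys address assignment on these options trusts whatever the relay inserted, so the length checks matter when the same parsing is used on the server side or in a capture-analysis tool.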
(Optional) Configuring IPsec on a DHCPv6 Relay Agent
To defend against DoS attacks, configure IPsec on a DHCPv6 relay agent so that IPsec can be implemented on packets exchanged between DHCPv6 relay agents or between the DHCPv6 relay agent and DHCPv6 server.
Context
If an attacker pretends to be a DHCPv6 server and sends bogus DHCPv6 messages to a client, the client may suffer from DoS attacks or be incorrectly configured. To defend against DoS attacks, implement IPsec on packets exchanged between DHCPv6 relay agents or between a DHCPv6 relay agent and a DHCPv6 server.
Procedure
- Run system-view
The system view is displayed.
- Run dhcpv6 ipsec sa sa-name [ peer peer-ipv6-address [ vpn-instance vpn-instance ] ]
IPsec is enabled on the DHCPv6 relay agent to authenticate packets exchanged between DHCPv6 relay agents or between the DHCPv6 relay agent and DHCPv6 server.
An IPsec SA must have been configured before you run this command. For details, see IPsec Configuration.
- Run commit
The configuration is committed.
Maintaining DHCPv6 Relay
This section describes how to monitor the DHCPv6 relay operating status and clear DHCPv6 relay packet statistics.
Monitoring the DHCPv6 Relay Operating Status
This section describes how to monitor the DHCPv6 relay operating status.
Context
You can run the following commands in any view to check the DHCPv6 relay operating status in routine maintenance.
Procedure
- Run the display dhcpv6 relay statistics command to check packet statistics on a DHCPv6 relay agent.
- Run the display dhcpv6 relay userinfo table command to check DHCPv6 client information on a DHCPv6 relay agent.
- Run the display dhcpv6 relay client-info command to check DHCPv6 client login failure and logout records on a DHCPv6 relay agent.
Clearing DHCPv6 Relay Statistics
This section describes how to use the reset command to clear DHCPv6 relay packet statistics.
Context
DHCPv6 relay statistics cannot be restored after they are cleared. Exercise caution when running the reset commands.
Procedure
- Run the reset dhcpv6 relay statistics command to clear DHCPv6 relay packet statistics.
- Run the reset dhcpv6 relay userinfo table command to clear DHCPv6 client information on a DHCPv6 relay agent so that all resources allocated to clients are released.
- Run the reset dhcpv6 relay client-info command to clear DHCPv6 client login and logout records on a DHCPv6 relay agent.
Configuration Examples for DHCPv6
This section provides DHCPv6 configuration examples.
Example for Configuring DHCPv6 Relay
This section provides an example for configuring DHCPv6 relay. This configuration example applies to carrier IP devices.
Networking Requirements
On the network shown in Figure 5-2, DHCPv6 clients reside on the network segment 2001:db8:1::/64, and the DHCPv6 server resides on the network segment 2001:db8:2::/64. To allow the DHCPv6 clients to obtain IPv6 addresses and other configuration parameters from the DHCPv6 server, configure DHCPv6 relay on the device in between to relay DHCPv6 messages.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure IPv6 addresses for the relay agent's interfaces that connect to the server and clients.
- Enable DHCPv6 on the relay agent.
- Configure DHCPv6 relay forwarding on the relay agent's interface that connects to the clients.
Data Preparation
To complete the configuration, you need the following data:
Number of the interface to have DHCPv6 relay enabled and IPv6 address of the interface
IPv6 address of the DHCPv6 server
Procedure
- Configure DHCPv6 relay.
# Configure IPv6 addresses for interfaces.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] interface gigabitethernet 0/1/0
[~DeviceA-GigabitEthernet0/1/0] ipv6 enable
[*DeviceA-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::2/64
[*DeviceA-GigabitEthernet0/1/0] undo shutdown
[*DeviceA-GigabitEthernet0/1/0] commit
[~DeviceA-GigabitEthernet0/1/0] quit
[~DeviceA] interface gigabitethernet 0/2/0
[~DeviceA-GigabitEthernet0/2/0] ipv6 enable
[*DeviceA-GigabitEthernet0/2/0] ipv6 address 2001:db8:2::1/64
[*DeviceA-GigabitEthernet0/2/0] undo shutdown
[*DeviceA-GigabitEthernet0/2/0] commit
[~DeviceA-GigabitEthernet0/2/0] quit
# Enable DHCPv6.
[~DeviceA] dhcpv6 enable
# Configure DHCPv6 relay forwarding on GE 0/1/0.
[~DeviceA] interface gigabitethernet 0/1/0
[~DeviceA-GigabitEthernet0/1/0] dhcpv6 relay destination 2001:db8:2::2
[*DeviceA-GigabitEthernet0/1/0] commit
[~DeviceA-GigabitEthernet0/1/0] quit
- Configure the DHCP server. The configuration details are not provided. The DHCPv6 server must meet the following conditions:
- An address pool is configured on the DHCPv6 server so that the DHCPv6 server can assign IPv6 addresses to DHCPv6 clients.
- The address pool lease is configured to improve IP address utilization.
- Verify the configuration.
Run the display dhcpv6 relay statistics command on the DHCPv6 relay agent. The command output shows statistics about various DHCPv6 messages.
[~DeviceB] display dhcpv6 relay statistics
-------------------------------------------------------------------
Bad Packets received : 0
DHCPv6 packets received from clients : 41357
DHCPv6 SOLICIT packets received : 41357
DHCPv6 REQUEST packets received : 0
DHCPv6 CONFIRM packets received : 0
DHCPv6 RENEW packets received : 0
DHCPv6 REBIND packets received : 0
DHCPv6 DECLINE packets received : 0
DHCPv6 RELEASE packets received : 0
DHCPv6 INFORMATION-REQUEST packets received : 0
DHCPv6 packets received from relay agents or servers: 6
DHCPv6 RELAY-FORWARD packets received : 6
DHCPv6 RELAY-REPLY packets received : 0
DHCPv6 packets sent to clients : 0
DHCPv6 ADVERTISE packets sent : 0
DHCPv6 REPLY packets sent : 0
DHCPv6 RECONFIGURE packets sent : 0
DHCPv6 packets sent to relay agents or servers : 41333
DHCPv6 RELAY-FORWARD packets sent : 41333
DHCPv6 RELAY-REPLY packets sent : 0
DHCPv6 packets dropped : 33
Table Full : 0
General Error : 33
IPSec Authentication Failed : 0
-------------------------------------------------------------------
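The counters in this output can also be checked automatically during routine monitoring. The following Python sketch is an added example, not part of the vendor documentation: it parses the "label : value" pairs of display dhcpv6 relay statistics and reports counter patterns that relate to the rate-limit, access-limit and IPsec functions described earlier. The embedded text is an excerpt of the sample output above; the thresholds and finding names are assumptions.

```python
import re

# Excerpt of the counters in the page's sample output.
SAMPLE = """\
Bad Packets received : 0
DHCPv6 packets received from clients : 41357
DHCPv6 SOLICIT packets received : 41357
DHCPv6 REQUEST packets received : 0
DHCPv6 RELAY-REPLY packets received : 0
DHCPv6 RELAY-FORWARD packets sent : 41333
DHCPv6 packets dropped : 33
Table Full : 0
General Error : 33
IPSec Authentication Failed : 0
"""

# Assumed thresholds for illustration; tune them to the network's baseline.
MIN_CLIENT_PACKETS = 1000
SOLICIT_RATIO = 0.95

# Matches "label : number" pairs whether the output has one pair per line
# or has been flattened onto a single line.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(\d+)")
DROP_REASONS = ("table full", "general error", "ipsec authentication failed")


def parse_stats(text):
    """Map each lower-cased counter label to its integer value."""
    return {m.group(1).lower(): int(m.group(2)) for m in PAIR.finditer(text)}


def assess(counters):
    """Return {finding_name: detail} for counter patterns worth a look."""
    def get(label):
        return counters.get(label, 0)

    findings = {}
    sent = get("dhcpv6 relay-forward packets sent")
    if sent and not get("dhcpv6 relay-reply packets received"):
        # Server unreachable, missing return route, or replies discarded.
        findings["no_server_reply"] = f"{sent} RELAY-FORWARD sent, none answered"
    clients = get("dhcpv6 packets received from clients")
    solicits = get("dhcpv6 solicit packets received")
    if (clients >= MIN_CLIENT_PACKETS
            and solicits / clients >= SOLICIT_RATIO
            and not get("dhcpv6 request packets received")):
        # Clients keep soliciting and never progress to REQUEST.
        findings["solicit_only"] = f"{solicits} of {clients} packets are SOLICIT"
    if get("ipsec authentication failed"):
        findings["ipsec_auth_failed"] = "packets failed IPsec authentication"
    if get("bad packets received"):
        findings["bad_packets"] = "malformed DHCPv6 packets received"
    dropped = get("dhcpv6 packets dropped")
    if dropped:
        reasons = {r: get(r) for r in DROP_REASONS if get(r)}
        findings["drops"] = f"{dropped} dropped, by reason: {reasons}"
    return findings


if __name__ == "__main__":
    for name, detail in assess(parse_stats(SAMPLE)).items():
        print(f"{name}: {detail}")
```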
Configuration Files
DHCPv6 Relay configuration file
#
sysname DeviceA
dhcpv6 enable
#
interface GigabitEthernet0/1/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001:db8:1::2/64
 dhcpv6 relay destination 2001:db8:2::2
#
interface GigabitEthernet0/2/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001:db8:2::1/64
#
return