15-BRAS Services Configuration Guide

06-DHCPv6 configuration

Contents

DHCPv6 overview

DHCPv6 address/prefix assignment

Rapid assignment involving two messages

Assignment involving four messages

Address/prefix lease renewal

Stateless DHCPv6

DHCPv6 options

Option 18

Option 37

Protocols and standards

Configuring the DHCPv6 server

About DHCPv6 server

IPv6 address assignment

IPv6 prefix assignment

Concepts

IPv6 address pool

IPv6 address/prefix allocation sequence

DHCPv6 server tasks at a glance

Configuring an IPv6 address pool

IPv6 address pool tasks at a glance

Configuring IPv6 prefix assignment

Configuring IPv6 address assignment

Configuring network parameters assignment

Setting an IPv6 UNR tag

Enabling host route advertisement

Advertising subnets assigned to clients

Enabling route logging for IPv6 address pools

Applying an IPv6 address pool to a VPN instance

Locking an IPv6 address pool

Configuring an IPv6 address pool group

About IPv6 pool grouping

Procedure

Configuring the DHCPv6 server on an interface

Configuring a DHCPv6 policy for IPv6 address and prefix assignment

Configuring IPv6 address/prefix reservation

About IPv6 address/prefix reservation

Restrictions and guidelines for IPv6 address/prefix reservation

Enabling IPv6 address reservation

Enabling IPv6 prefix reservation

Allocating different IPv6 addresses to DHCPv6 clients with the same MAC

Releasing the IPv6 address obtained by an online DHCPv6 client for a new dynamic allocation

Allocating existing IPv6 address leases to DHCP clients with different DUIDs

Specifying a DHCPv6 request processing method for roaming DHCPv6 clients

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server

Configuring DHCPv6 binding auto backup

Enabling the DHCPv6 server to advertise IPv6 prefixes

Configuring the DHCPv6 server security features

Restrictions and guidelines for DHCPv6 server security feature configuration

Configuring DHCPv6 flood attack protection

Configuring interface-based DHCPv6 attack suppression

Enabling DHCPv6 logging on the DHCPv6 server

Configuring SNMP notifications for the DHCPv6 server

About SNMP DHCPv6 server notifications

Enabling IPv6 resource exhaustion notifications

Enabling IPv6 resource allocation failure alarming

Enabling IPv6 address usage alarm notifications

Enabling IPv6 prefix usage alarm notifications

Enabling IPv6 resource exhaustion alarming for IPv6 address pool groups

Enabling IPv6 resource usage alarming for IPv6 address pool groups

Enabling IPv6 resource exhaustion logging

Display and maintenance commands for DHCPv6 server

DHCPv6 server configuration examples

Example: Configuring dynamic IPv6 prefix assignment

Example: Configuring dynamic IPv6 address assignment

Configuring the DHCPv6 relay agent

About DHCPv6 relay agent

Typical application

DHCPv6 relay agent operating process

Restrictions and guidelines: DHCPv6 relay agent configuration

DHCPv6 relay agent tasks at a glance

Enabling the DHCPv6 relay agent on an interface

Specifying DHCPv6 servers on the relay agent

Specifying DHCPv6 server IP addresses

Specifying DHCPv6 servers for a DHCPv6 relay address pool

Specifying the DHCPv6 server selection algorithm

Configuring DHCPv6 server liveness detection

Specifying a gateway address for DHCPv6 clients

Specifying the source IPv6 address for relayed DHCPv6 requests

About specifying the source IP address for relayed DHCP requests

Restrictions and guidelines

Specifying the source IP address for relayed DHCP requests (DHCPv6 relay address pool view)

Specifying the source IP address for relayed DHCP requests (interface view)

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent

Specifying a padding mode for the Interface-ID option

Enabling the DHCPv6 relay agent to support Option 79

Enabling the DHCPv6 relay agent to advertise IPv6 prefixes

Configuring DHCPv6 relay security features

Enabling the DHCPv6 relay agent to record relay entries

Enabling IPv6 release notification

Enabling client offline detection

Configuring DHCPv6 flood attack protection

Configuring interface-based DHCPv6 attack suppression

Specifying a DHCPv6 request processing method for roaming DHCPv6 clients

Enabling the non-first-hop DHCPv6 relay agent feature

Display and maintenance commands for DHCPv6 relay agent

DHCPv6 relay agent configuration examples

Example: Configuring DHCPv6 relay agent

Configuring the DHCPv6 client

About the DHCPv6 client

Restrictions and guidelines: DHCPv6 client configuration

DHCPv6 client tasks at a glance

Configuring the DHCPv6 client DUID

Configuring IPv6 address acquisition

Configuring IPv6 prefix acquisition

Configuring IPv6 address and prefix acquisition

Configuring acquisition of configuration parameters except IP addresses and prefixes

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client

Display and maintenance commands for DHCPv6 client

DHCPv6 client configuration examples

Example: Configuring IPv6 address acquisition

Example: Configuring IPv6 prefix acquisition

Example: Configuring IPv6 address and prefix acquisition

Example: Configuring stateless DHCPv6

Configuring DHCPv6 snooping

About DHCPv6 snooping

Application of trusted and untrusted ports

Restrictions and guidelines: DHCPv6 snooping configuration

DHCPv6 snooping tasks at a glance

Configuring basic DHCPv6 snooping

Configuring DHCP snooping support for Option 18

Configuring DHCP snooping support for Option 37

Configuring DHCPv6 snooping entry auto backup

Setting the maximum number of DHCPv6 snooping entries

Enabling DHCPv6-REQUEST check

Configuring a DHCPv6 packet blocking port

Enabling DHCPv6 snooping logging

Display and maintenance commands for DHCPv6 snooping

DHCPv6 snooping configuration examples

Example: Configuring DHCPv6 snooping

 


DHCPv6 overview

DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.

DHCPv6 address/prefix assignment

An address/prefix assignment process involves two or four messages.

Rapid assignment involving two messages

As shown in Figure 1, rapid assignment operates in the following steps:

1.     The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.

2.     If the DHCPv6 server supports rapid assignment, it responds with a Reply message containing the assigned IPv6 address/prefix and other configuration parameters. If the DHCPv6 server does not support rapid assignment, Assignment involving four messages is performed.

Figure 1 Rapid assignment involving two messages

Assignment involving four messages

As shown in Figure 2, four-message assignment operates using the following steps:

1.     The DHCPv6 client sends a Solicit message to request an IPv6 address/prefix and other configuration parameters.

2.     The DHCPv6 server responds with an Advertise message that contains the assignable address/prefix and other configuration parameters if either of the following conditions exists:

¡     The Solicit message does not contain a Rapid Commit option.

¡     The DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option.

3.     The DHCPv6 client might receive multiple Advertise messages offered by different DHCPv6 servers. It selects an offer according to the receiving sequence and server priority, and sends a Request message to the selected server for confirmation.

4.     The DHCPv6 server sends a Reply message to the client, confirming that the address/prefix and other configuration parameters are assigned to the client.

Figure 2 Assignment involving four messages

Address/prefix lease renewal

An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.

Figure 3 Using the Renew message for address/prefix lease renewal

As shown in Figure 3, at T1, the DHCPv6 client sends a Renew message to the DHCPv6 server. The recommended value for T1 is half the preferred lifetime. The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.

Figure 4 Using the Rebind message for address/prefix lease renewal

As shown in Figure 4:

·     If the DHCPv6 client does not receive a response from the DHCPv6 server after sending a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2. Typically, the value for T2 is 0.8 times the preferred lifetime.

·     The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.

·     If the DHCPv6 client does not receive a response from any DHCPv6 server before the valid lifetime expires, the client stops using the address/prefix.

For more information about the valid lifetime and the preferred lifetime, see "Configuring basic IPv6 settings."

Stateless DHCPv6

Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server.

The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration:

·     The managed address configuration flag (M flag) is set to 0.

·     The other stateful configuration flag (O flag) is set to 1.

Figure 5 Stateless DHCPv6 operation

As shown in Figure 5, stateless DHCPv6 operates in the following steps:

1.     The DHCPv6 client sends an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents. The Information-request message contains an Option Request option that specifies the requested configuration parameters.

2.     The DHCPv6 server returns to the client a Reply message containing the requested configuration parameters.

3.     The client checks the Reply message. If the obtained configuration parameters match those requested in the Information-request message, the client uses these parameters to complete configuration. If not, the client ignores the configuration parameters. If the client receives multiple replies with configuration parameters matching those requested in the Information-request message, it uses the first received reply.

DHCPv6 options

Option 18

Option 18, also called the interface-ID option, is used by the DHCPv6 relay agent to determine the interface to use to forward a RELAY-REPLY message.

The DHCPv6 snooping device adds Option 18 to the received DHCPv6 request message before forwarding it to the DHCPv6 server. The server then assigns an IP address to the client based on the client information in Option 18.

Figure 6 Option 18 format

Figure 6 shows the Option 18 format, which includes the following fields:

·     Option code—Option code. The value is 18.

·     Option length—Size of the option data.

·     Port index—Port that receives the DHCPv6 request from the client.

·     VLAN ID—ID of the outer VLAN.

·     Second VLAN ID—ID of the inner VLAN. This field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 18 also does not contain it.

·     DUID—DUID of the DHCPv6 client.

Option 37

Option 37, also called the remote-ID option, is used to identify the client.

The DHCPv6 snooping device adds Option 37 to the received DHCPv6 request message before forwarding it to the DHCPv6 server. This option provides client information about address allocation.

Figure 7 Option 37 format

Figure 7 shows the Option 37 format, which includes the following fields:

·     Option code—Option code. The value is 37.

·     Option length—Size of the option data.

·     Enterprise number—Enterprise number.

·     Port index—Port that receives the DHCPv6 request from the client.

·     VLAN ID—ID of the outer VLAN.

·     Second VLAN ID—ID of the inner VLAN. This field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 37 also does not contain it.

·     DUID—DUID of the DHCPv6 client.

Protocols and standards

·     RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6

·     RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)

·     RFC 2462, IPv6 Stateless Address Autoconfiguration

·     RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6

 


Configuring the DHCPv6 server

About DHCPv6 server

A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.

IPv6 address assignment

As shown in Figure 8, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients.

The IPv6 addresses assigned to the clients include the following types:

·     Temporary IPv6 addresses—Frequently changed without lease renewal.

·     Non-temporary IPv6 addresses—Correctly used by DHCPv6 clients, with lease renewal.

Figure 8 IPv6 address assignment

IPv6 prefix assignment

As shown in Figure 9, the DHCPv6 server assigns an IPv6 prefix to the DHCPv6 client. The client advertises the prefix information in a multicast RA message so that hosts on the subnet can automatically configure their IPv6 addresses by using the prefix.

Figure 9 IPv6 prefix assignment

Concepts

Multicast addresses used by DHCPv6

DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.

DUID

A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent). A DHCPv6 device adds its DUID in a sent packet.

Figure 10 DUID-LL format

The device supports the DUID format based on link-layer address (DUID-LL) defined in RFC 3315. Figure 10 shows the DUID-LL format, which includes the following fields:

·     DUID type—The device supports DUID-LL. The value for DUID-LL is 0x0003.

·     Hardware type—The device supports Ethernet. The value for Ethernet is 0x0001.

·     Link layer address—Takes the value of the bridge MAC address of the device.

IA

Identified by an IAID, an identity association (IA) provides a construct through which a client manages the obtained addresses, prefixes, and other configuration parameters. A client can have multiple IAs, for example, one for each of its interfaces.

IAID

An IAID uniquely identifies an IA. It is chosen by the client and must be unique on the client.

PD

The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the following details:

·     IPv6 prefix.

·     Client DUID.

·     IAID.

·     Valid lifetime.

·     Preferred lifetime.

·     Lease expiration time.

·     IPv6 address of the requesting client.

IPv6 address pool

The DHCP server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCP clients.

Address allocation mechanisms

DHCPv6 supports the following address allocation mechanisms:

·     Static address allocation—To implement static address allocation for a client, create an IPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the IPv6 address pool. When the client requests an IPv6 address, the DHCPv6 server assigns the IPv6 address in the static binding to the client.

·     Dynamic address allocation—To implement dynamic address allocation for clients, create an IPv6 address pool, specify a subnet for the pool, and divide the subnet into temporary and non-temporary IPv6 address ranges. Upon receiving a DHCP request, the DHCPv6 server selects an IPv6 address from the temporary or non-temporary IPv6 address range based on the address type in the client request.

Prefix allocation mechanisms

DHCPv6 supports the following prefix allocation mechanisms:

·     Static prefix allocation—To perform static prefix allocation for a client, create an IPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 prefix in the IPv6 address pool. When the client requests an IPv6 prefix, the DHCPv6 server assigns the IPv6 prefix in the static binding to the client.

·     Dynamic prefix allocation—To perform dynamic prefix allocation for clients, create an IPv6 address pool and a prefix pool, specify a subnet for the address pool, and apply the prefix pool to the address pool. Upon receiving a DHCP request, the DHCPv6 server dynamically selects an IPv6 prefix from the prefix pool in the address pool.

Address pool selection

The DHCPv6 server observes the following principles when selecting an IPv6 address or prefix for a client:

1.     If there is an address pool where an IPv6 address is statically bound to the DUID or IAID of the client, the DHCPv6 server selects this address pool. It assigns the statically bound IPv6 address or prefix and other configuration parameters to the client.

2.     If the receiving interface has a DHCP policy and the DHCP client matches a user class, the DHCP server selects the address pool that is bound to the matching user class. If no matching user class is found, the server assigns an IP address and other parameters from the default IPv6 address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.

3.     If the receiving interface has an address pool applied, the DHCP server selects an IPv6 address or prefix and other configuration parameters from this address pool.

4.     If the above conditions are not met, the DHCPv6 server selects an address pool depending on the client location.

¡     Client on the same subnet as the server—The DHCPv6 server compares the IPv6 address of the receiving interface with the subnets of all address pools. It selects the address pool with the longest-matching subnet.

¡     Client on a different subnet than the server—The DHCPv6 server compares the IPv6 address of the DHCPv6 relay agent interface closest to the client with the subnets of all address pools. It also selects the address pool with the longest-matching subnet.

To make sure IPv6 address allocation functions correctly, keep the subnet used for dynamic assignment consistent with the subnet where the interface of the DHCPv6 server or DHCPv6 relay agent resides.
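The selection principles above, modelled as an added Python example (not H3C code). The class names, rule labels, and sample pools are constructed for illustration; the model treats the four principles as ordered checks and applies this guide's static-binding rule that a DUID+IAID binding needs both values to match while a DUID-only binding needs only the DUID.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Binding:
    duid: str
    iaid: Optional[int] = None  # None: only the DUID was bound

    def matches(self, duid: str, iaid: int) -> bool:
        # DUID+IAID binding: both must match. DUID-only binding: DUID must match.
        return self.duid == duid and (self.iaid is None or self.iaid == iaid)


@dataclass
class Pool:
    name: str
    network: Optional[str] = None          # subnet set with the network command
    bindings: list = field(default_factory=list)
    assignable: int = 1                    # only consulted for a policy's default pool


@dataclass
class Interface:
    address: str                           # IPv6 address of the receiving interface
    policy_classes: Optional[dict] = None  # user class -> pool name; None = no policy
    policy_default: Optional[str] = None   # default pool of the policy, if any
    applied_pool: Optional[str] = None     # pool applied directly to the interface


@dataclass
class Request:
    duid: str
    iaid: int
    user_class: Optional[str] = None       # class the client matched, if any
    relay_address: Optional[str] = None    # relay interface closest to the client


def select_pool(pools, iface, req):
    """Return (pool_name, rule); pool_name is None when assignment fails."""
    # Principle 1: a pool holding a static binding for this client wins.
    for pool in pools:
        if any(b.matches(req.duid, req.iaid) for b in pool.bindings):
            return pool.name, "static-binding"
    by_name = {p.name: p for p in pools}
    # Principle 2: DHCP policy on the receiving interface.
    if iface.policy_classes is not None:
        if req.user_class in iface.policy_classes:
            return iface.policy_classes[req.user_class], "policy-class"
        default = by_name.get(iface.policy_default)
        if default is not None and default.assignable > 0:
            return default.name, "policy-default"
        return None, "policy-default-unavailable"
    # Principle 3: pool applied to the receiving interface.
    if iface.applied_pool:
        return iface.applied_pool, "interface-pool"
    # Principle 4: longest-matching subnet, keyed on the relay agent address
    # for remote clients and on the receiving interface address otherwise.
    ref = ipaddress.IPv6Address(req.relay_address or iface.address)
    best = None
    for pool in pools:
        if pool.network is None:
            continue
        net = ipaddress.IPv6Network(pool.network)
        if ref in net and (best is None or net.prefixlen > best[1]):
            best = (pool.name, net.prefixlen)
    return (best[0], "longest-match") if best else (None, "no-matching-subnet")


# Constructed sample pools (documentation prefix 2001:db8::/32).
POOLS = [
    Pool("wide", "2001:db8::/32"),
    Pool("narrow", "2001:db8:2::/48"),
    Pool("reserved", "2001:db8:1::/64",
         bindings=[Binding("00030001aabbccddeeff", iaid=1)]),
    Pool("guest", "2001:db8:ff::/64", assignable=0),
]

if __name__ == "__main__":
    plain = Interface("2001:db8:1::1")
    for req in (
        Request("00030001aabbccddeeff", 1),
        Request("00030001aabbccddeeff", 2),
        Request("000300011122334455", 1, relay_address="2001:db8:2:10::1"),
    ):
        print(req.duid, req.iaid, "->", select_pool(POOLS, plain, req))
```

The second request shows why the IAID matters for auditing: the same DUID with a different IAID no longer hits the static binding and is served by subnet matching instead.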

IPv6 address/prefix allocation sequence

The DHCPv6 server selects an IPv6 address/prefix for a client in the following sequence:

1.     IPv6 address/prefix statically bound to the client's DUID and IAID and expected by the client.

2.     IPv6 address/prefix statically bound to the client's DUID and IAID.

3.     IPv6 address/prefix statically bound to the client's DUID and expected by the client.

4.     IPv6 address/prefix statically bound to the client's DUID.

5.     Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client.

6.     IPv6 address/prefix that was previously assigned to the client.

7.     Assignable IPv6 address/prefix in the address pool/prefix pool.

8.     IPv6 address/prefix that was in conflict or whose lease duration has expired. If no IPv6 address/prefix is assignable, the server does not respond.

If a client moves to another subnet, the DHCPv6 server selects an IPv6 address/prefix from the address pool that matches the new subnet.

Conflicted IPv6 addresses can be assigned to other DHCPv6 clients only after the addresses are in conflict for one hour.

DHCPv6 server tasks at a glance

To configure the DHCPv6 server, perform the following tasks:

1.     Configuring an IPv6 address pool

2.     Configuring an IPv6 address pool group

3.     Modifying the address pool selection method on the DHCPv6 server

Choose the following tasks as needed:

¡     Configuring the DHCPv6 server on an interface

¡     Configuring a DHCPv6 policy for IPv6 address and prefix assignment

4.     Configuring advanced DHCPv6 features

¡     (Optional.) Configuring IPv6 address/prefix reservation

¡     (Optional.) Allocating different IPv6 addresses to DHCPv6 clients with the same MAC

¡     (Optional.) Releasing the IPv6 address obtained by an online DHCPv6 client for a new dynamic allocation

¡     (Optional.) Allocating existing IPv6 address leases to DHCP clients with different DUIDs

¡     (Optional.) Specifying a DHCPv6 request processing method for roaming DHCPv6 clients

¡     (Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server

¡     (Optional.) Configuring DHCPv6 binding auto backup

¡     (Optional.) Enabling the DHCPv6 server to advertise IPv6 prefixes

¡     (Optional.) Configuring the DHCPv6 server security features

5.     (Optional.) Enabling DHCPv6 logging on the DHCPv6 server

6.     (Optional.) Configuring SNMP notifications for the DHCPv6 server

7.     (Optional.) Enabling IPv6 resource exhaustion logging

Configuring an IPv6 address pool

IPv6 address pool tasks at a glance

To configure an IPv6 address pool, perform the following tasks:

1.     Configuring the DHCPv6 server to assign IPv6 prefixes, IPv6 addresses, and other network parameters

Choose the following tasks as needed:

¡     Configuring IPv6 prefix assignment

¡     Configuring IPv6 address assignment

¡     Configuring network parameters assignment

2.     (Optional.) Setting an IPv6 UNR tag

3.     (Optional.) Enabling host route advertisement

4.     (Optional.) Advertising subnets assigned to clients

5.     (Optional.) Enabling route logging for IPv6 address pools

6.     (Optional.) Applying an IPv6 address pool to a VPN instance

7.     (Optional.) Locking an IPv6 address pool

Configuring IPv6 prefix assignment

About this task

Use the following methods to configure IPv6 prefix assignment:

·     Configure a static IPv6 prefix binding in an address pool—If you bind a DUID and an IAID to an IPv6 prefix, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client. If you only bind a DUID to an IPv6 prefix, the DUID in the request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client.

·     Apply a prefix pool to an address pool—The DHCPv6 server dynamically assigns an IPv6 prefix from the prefix pool in the address pool to a DHCPv6 client.

Restrictions and guidelines

When you configure IPv6 prefix assignment, follow these restrictions and guidelines:

·     An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.

·     You cannot specify an IPv6 prefix in a static binding if you have excluded it from DHCP allocation by using the ipv6 dhcp server forbidden-prefix command.

·     One address pool can have only one prefix pool applied. You cannot modify prefix pools that have been applied. To change the prefix pool for an address pool, you must remove the prefix pool application first.

·     You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.

·     If you repeat the prefix-pool command to modify the preferred lifetime and the valid lifetime, the new configuration takes effect only on the users that come online after the modification.

Procedure

1.     Enter system view.

system-view

2.     Create a prefix pool.

ipv6 dhcp prefix-pool prefix-pool-number prefix { prefix-number | prefix/prefix-len } assign-len assign-len [ vpn-instance vpn-instance-name ]

This step is required for dynamic prefix assignment.

If you specify an IPv6 prefix by its ID, make sure the IPv6 prefix is in effect. Otherwise, the configuration does not take effect.

3.     Enter IPv6 address pool view.

ipv6 pool pool-name

4.     Specify an IPv6 subnet for dynamic assignment.

network { prefix/prefix-length | prefix prefix-number [ sub-prefix/sub-prefix-length ] } [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no IPv6 subnet is specified for dynamic assignment.

The IPv6 subnets cannot be the same in different address pools.

5.     Configure the prefix assignment. Choose the options to configure as needed:

¡     Configure a static prefix binding:

static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no static prefix binding is configured.

To add multiple static IPv6 prefix bindings, repeat this step.

¡     Apply the prefix pool to the address pool:

prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] [ export-route [ preference preference | tag tag ] * ]

By default, static or dynamic prefix assignment is not configured for an address pool.

¡     (Optional.) Exclude IPv6 prefixes from DHCP allocation:

forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ]

By default, no IPv6 prefixes are excluded from DHCP allocation.

6.     (Optional.) Exclude IPv6 prefixes from DHCP allocation in system view.

a.     Return to system view.

quit

b.     Exclude IPv6 prefixes from DHCP allocation globally.

ipv6 dhcp server forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ] [ vpn-instance vpn-instance-name ]

By default, no IPv6 prefixes are excluded from DHCP allocation.

You cannot exclude an IPv6 prefix from DHCP allocation if it has been specified in a static binding by using the static-bind command.

Configuring IPv6 address assignment

About this task

Use one of the following methods to configure IPv6 address assignment:

·     Configure a static IPv6 address binding in an address pool.

If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client. If you only bind a DUID to an IPv6 address, the DUID in a request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.

·     Specify a subnet and address ranges in an address pool.

¡     Non-temporary address assignment—The server selects addresses from the non-temporary address range specified by the address range command. If no non-temporary address range is specified, the server selects addresses on the subnet specified by the network command.

¡     Temporary address assignment—The server selects addresses from the temporary address range specified by the temporary address range command. If no temporary address range is specified in the address pool, the DHCPv6 server cannot assign temporary addresses to clients.

By default, the DHCPv6 server tries to allocate to a user the same IP address that the user was allocated previously. With random IP address allocation enabled, the DHCPv6 server allocates a new IP address to a user every time the user acquires an IP address. This feature applies to scenarios where each user is identified by IP address and a user must obtain a different IP address for each IP address acquisition.

Restrictions and guidelines

You can specify only one non-temporary address range and one temporary address range in an address pool.

The address ranges specified by the address range and temporary address range commands must be on the subnet specified by the network command. Otherwise, the addresses are unassignable.

An IPv6 address can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.

You cannot specify an IPv6 address in a static binding if you have excluded it from DHCP allocation by using the ipv6 dhcp server forbidden-address command.

Only one subnet can be specified in an address pool. If you use the network command multiple times in an IPv6 address pool, the most recent configuration takes effect. If you use this command to specify only new lifetimes, the settings do not affect existing leases. The IPv6 addresses assigned after the modification will use the new lifetimes.

The IPv6 address allocation mode configuration for an IPv6 address pool takes effect only when the prefix length of the IPv6 subnet for dynamic assignment is not longer than 64.

For the EUI-64-based IPv6 address allocation mode, the DHCPv6 server obtains the MAC address of a client only from the link layer header of the DHCPv6 request. For the interface ID-based IPv6 address allocation mode, the DHCPv6 server obtains the interface identifier information only from the source address of the DHCPv6 request. You cannot specify the IPv6 address allocation mode if a DHCP relay agent exists between DHCP clients and the DHCPv6 server to relay DHCP packets.

Procedure

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Specify an IPv6 subnet for dynamic assignment.

network { prefix/prefix-length | prefix prefix-number [ sub-prefix/sub-prefix-length ] } [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no IPv6 address subnet is specified.

The IPv6 subnets cannot be the same in different address pools.

4.     (Optional.) Specify a non-temporary IPv6 address range.

address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no non-temporary IPv6 address range is specified, and all unicast addresses on the subnet are assignable.

5.     (Optional.) Specify a temporary IPv6 address range.

temporary address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no temporary IPv6 address range is specified, and the DHCPv6 server cannot assign temporary IPv6 addresses.

6.     (Optional.) Specify the IPv6 address allocation mode.

address-alloc-mode { eui-64 | interface-id }

By default, the DHCPv6 server selects the first usable IPv6 address in the IPv6 address pool according to the IPv6 address allocation sequence.

This command is supported only for common IPv6 address pools.

7.     (Optional.) Enable random IP address allocation.

allocate-new-ip enable

By default, random IP address allocation is disabled.

This command takes effect only after you enable IPv6 address reservation in the IPv6 address pool.

 

CAUTION:

Enable this feature on the DHCPv6 server with caution if it works in conjunction with a DHCPv6 relay agent that is located on an access device. In this situation, this feature might prevent access users from coming online again after an abnormal offline event.

8.     (Optional.) Create a static binding.

static-bind address ipv6-address/addr-prefix-length duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no static binding is configured.

To add more static bindings, repeat this step.

9.     (Optional.) Exclude IPv6 addresses from DHCP allocation.

forbidden-address start-ipv6-address [ end-ipv6-address ]

By default, all IPv6 addresses except for the DHCPv6 server's IP address in an IPv6 address pool are assignable.

10.     (Optional.) Exclude IPv6 addresses from DHCP allocation in system view.

a.     Return to system view.

quit

b.     Exclude IPv6 addresses from DHCP allocation globally.

ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]

By default, all IPv6 addresses except for the DHCPv6 server's IPv6 address in an IPv6 address pool are assignable.

You cannot exclude an IPv6 address from DHCP allocation if it has been specified in a static binding by using the static-bind command.

Configuring network parameters assignment

About this task

In addition to IPv6 prefixes and IPv6 addresses, you can configure the following network parameters in an address pool:

·     A maximum of eight DNS server addresses.

·     One domain name.

·     One address family translation router (AFTR) domain name.

·     A maximum of eight SIP server addresses.

·     A maximum of eight SIP server domain names.

You can configure network parameters on a DHCPv6 server by using one of the following methods:

·     Configure network parameters in an IPv6 address pool.

·     Configure network parameters in a DHCPv6 option group, and specify the option group for an IPv6 address pool.

A DHCPv6 option group can be created by using the following methods:

·     Create a static DHCPv6 option group by using the ipv6 dhcp option-group command. The static DHCPv6 option group takes precedence over the dynamic DHCPv6 option group.

·     When the device acts as a DHCPv6 client, it automatically creates a dynamic DHCPv6 option group for saving the obtained parameters. For more information about creating a dynamic DHCPv6 option group, see "Configuring the DHCPv6 client."

Network parameters configured in an IPv6 address pool take precedence over those configured in a DHCPv6 option group.

Configuring network parameters in an IPv6 address pool

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Specify an IPv6 subnet for dynamic assignment.

network { prefix/prefix-length | prefix prefix-number [ sub-prefix/sub-prefix-length ] } [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no IPv6 subnet is specified.

The IPv6 subnets cannot be the same in different address pools.

If you specify an IPv6 prefix by its ID, make sure the IPv6 prefix is in effect. Otherwise, the configuration does not take effect.

4.     Specify a DNS server address.

dns-server ipv6-address

By default, no DNS server address is specified.

5.     Specify a domain name.

domain-name domain-name

By default, no domain name is specified.

6.     Specify an AFTR domain name.

aftr-name aftr-name

By default, no AFTR domain name is specified.

7.     Specify a SIP server address or domain name.

sip-server { address ipv6-address | domain-name domain-name }

By default, no SIP server address or domain name is specified.

8.     Configure a self-defined DHCPv6 option.

option code hex hex-string

By default, no self-defined DHCPv6 option is configured.

Configuring network parameters in a DHCPv6 option group

1.     Enter system view.

system-view

2.     Create a static DHCPv6 option group and enter its view.

ipv6 dhcp option-group option-group-number

3.     Specify a DNS server address.

dns-server ipv6-address

By default, no DNS server address is specified.

4.     Specify a domain name suffix.

domain-name domain-name

By default, no domain name suffix is specified.

5.     Specify a SIP server address or domain name.

sip-server { address ipv6-address | domain-name domain-name }

By default, no SIP server address or domain name is specified.

6.     Configure a self-defined DHCPv6 option.

option code hex hex-string

By default, no self-defined DHCPv6 option is configured.

7.     Return to system view.

quit

8.     Enter IPv6 address pool view.

ipv6 pool pool-name

9.     Specify a DHCPv6 option group.

option-group option-group-number

By default, no DHCPv6 option group is specified.

Setting an IPv6 UNR tag

About this task

When the DHCPv6 server assigns an IPv6 address, it adds the network route for the IPv6 address to the route management module. In a BAS network, user network routes (UNRs) can be classified based on their UNR tag values for route redistribution.

Restrictions and guidelines

You can set a network route tag value in system view or in IPv6 address pool view. The value set in IPv6 address pool view has higher priority than the one set in system view.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set an IPv6 UNR tag.

ipv6 unr { framed-ipv6-address-tag tag-value | framed-ipv6-prefix-tag tag-value | framed-ipv6-route-tag tag-value | local-pool-tag tag-value | remote-pool-tag tag-value } *

By default, no IPv6 UNR tag is set.

3.     Create an IPv6 address pool and enter its view.

ipv6 pool pool-name

4.     (Optional.) Specify a non-temporary IPv6 address range.

address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no non-temporary IPv6 address range is specified, and all unicast addresses on the subnet are assignable.

5.     (Optional.) Specify a temporary IPv6 address range.

temporary address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no temporary IPv6 address range is specified, and the DHCPv6 server cannot assign temporary IPv6 addresses.

6.     (Optional.) Set a UNR tag for the pool.

unr tag tag-value

By default, no UNR tag is set.

7.     (Optional.) Set an IPv6 UNR preference value for an IPv6 address pool.

unr preference preference-value

By default, the IPv6 UNR preference value is 65 for an IPv6 address pool.

Enabling host route advertisement

About this task

The network export-route command enables the DHCPv6 server to advertise the network route for an assigned IPv6 address/prefix in the pool. If multiple pools share the same network segment, the same network route is advertised for the assigned IPv6 addresses/prefixes in all of these address pools, which makes the clients that use these IPv6 addresses/prefixes unreachable from external devices. To resolve this issue, enable host route advertisement for each IPv6 address pool to advertise a host route for each assigned IPv6 address/prefix.

Restrictions and guidelines

Before you enable host route advertisement for an IPv6 address pool, make sure this pool has not assigned any IPv6 addresses/prefixes.

After you enable this feature for an address pool, the DHCPv6 server advertises only host routes. The network export-route command and the network route tag value for the pool will not take effect. They take effect only after you execute the undo export host-route command for the pool.

Procedure

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Enable host route advertisement.

export host-route [ ipv6-address | nd-prefix | pd-prefix ] *

By default, host route advertisement is disabled.

Advertising subnets assigned to clients

About this task

This feature enables the route management module to advertise subnets assigned to DHCPv6 clients. This feature achieves symmetric routing for traffic of the same host.

As shown in Figure 11, Router A and Router B act as both the DHCPv6 server and the BRAS device. The BRAS devices send accounting packets to the RADIUS server. To enable the BRAS devices to collect correct accounting information for each RADIUS user, configure the DHCPv6 server to advertise subnets assigned to clients. The upstream and downstream traffic of a RADIUS user will pass through the same BRAS device.

Figure 11 Network diagram

Restrictions and guidelines

If the address pool is applied to a VPN instance, make sure the VPN instance exists for the settings made in this task to take effect.

Procedure

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Advertise the subnet that is assigned to DHCPv6 clients.

network { prefix/prefix-length | prefix prefix-number [ sub-prefix/sub-prefix-length ] } [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] export-route [ preference preference | tag tag ] *

By default, the subnet assigned to DHCPv6 clients is not advertised.

Enabling route logging for IPv6 address pools

About this task

This feature enables the DHCPv6 server to generate log entries for route events that occur in IPv6 address pools. Route events include the addition and deletion of network routes.

To enable route logging for an IPv6 address pool, perform one of the following tasks:

·     Use the ipv6 dhcp route-log enable command in system view.

This command enables route logging for all types of IPv6 address pools on the DHCPv6 server.

·     Use the route-log enable command in the view of the IPv6 address pool.

This command enables route logging for a single IPv6 address pool on the DHCPv6 server.

Enabling route logging for all IPv6 address pools

1.     Enter system view.

system-view

2.     Enable route logging for all IPv6 address pools on the DHCPv6 server.

ipv6 dhcp route-log enable

By default, route logging is disabled for all IPv6 address pools.

Enabling route logging for a single IPv6 address pool

1.     Enter system view.

system-view

2.     Enter IPv6 pool view.

ipv6 pool pool-name

3.     Enable route logging for an IPv6 address pool on the DHCPv6 server.

route-log enable

By default, route logging is disabled for an IPv6 address pool.

Applying an IPv6 address pool to a VPN instance

About this task

If an IPv6 address pool is applied to a VPN instance, the DHCPv6 server assigns IPv6 addresses in this address pool to clients in the VPN instance. Addresses in this address pool will not be assigned to clients on the public network.

The DHCPv6 server can obtain the VPN instance to which a DHCPv6 client belongs from the following information:

·     The client's VPN information stored in authentication modules, such as IPoE.

·     The VPN information of the DHCPv6 server's interface that receives DHCPv6 packets from the client.

The VPN information from authentication modules takes priority over the VPN information of the receiving interface.

An MCE acting as the DHCP server can assign IP addresses not only to clients on public networks, but also to clients on private networks. The IP address ranges of public and private networks or those of private networks on the DHCP server cannot overlap. For more information about MCE, see MPLS Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Apply the address pool to a VPN instance.

vpn-instance vpn-instance-name

By default, the address pool is not applied to any VPN instance.

Locking an IPv6 address pool

About this task

You can lock an IPv6 pool in loose mode or strict mode.

·     If an IPv6 pool is locked in loose mode, the server responds to the lease renewal requests from online DHCPv6 clients for IPv6 addresses and prefixes in the pool. However, it does not assign IPv6 addresses or prefixes from the pool to new DHCPv6 clients.

·     If an IPv6 pool is locked in strict mode, the server does not respond to the lease renewal requests from online DHCPv6 clients for IPv6 addresses and prefixes in the pool or assign IPv6 addresses or prefixes from the pool to new DHCPv6 clients.

Lock an IPv6 pool in loose mode or strict mode depending on the IPv6 pool management requirements.

·     Lock an IPv6 pool in loose mode if you are using that pool only to assign addresses or prefixes to existing DHCPv6 clients on the network.

·     Lock an IPv6 pool in strict mode if you are deleting or changing the IPv6 address space or prefix space assigned to the IPv6 pool. You can delete or change the IPv6 address space or prefix space for an IPv6 pool only when the IPv6 pool does not contain assigned IPv6 addresses or prefixes. Locking the IPv6 pool in strict mode ensures that you can perform the delete or change operation as soon as all assigned IPv6 addresses and prefixes in the pool are reclaimed.

Procedure

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Lock the IPv6 address pool.

lock [ strict ]

By default, an IPv6 address pool is not locked.

If you do not specify the strict keyword, the IPv6 pool is locked in loose mode.

Configuring an IPv6 address pool group

About IPv6 pool grouping

Application scenarios

On an AAA network, the AAA server allocates an IPv6 address in the IPv6 address pool to a user after the user passes authentication. If only one IPv6 address pool is specified for address assignment, the following requirements cannot be met:

·     The AAA server selects different DHCPv6 servers for users in different locations.

·     The AAA server acts as the DHCPv6 server for address allocation, and also as a relay agent to forward DHCPv6 requests and replies between DHCPv6 clients and DHCPv6 servers.

To meet these requirements, add multiple IPv6 address pools to an IPv6 address pool group, and associate the address pool group with the AAA server. The AAA server selects an IPv6 address in the matching IPv6 address pool of the address pool group.

IPv6 pool selection policy

An IPv6 pool group can contain local IPv6 address pools and remote IPv6 address pools. By default, the server uses the remote IPv6 pools in a pool group for dynamic allocation only when none of the local IPv6 pools in that group have assignable addresses or prefixes.

Round-robin IP pool selection

By default, the DHCPv6 server moves from one IPv6 pool to the next only when that IPv6 pool does not have assignable IPv6 addresses or prefixes. This pool selection mechanism leads to uneven IPv6 resource distribution among IPv6 pools. To balance resource usage across the IPv6 pools in a pool group, enable the round-robin algorithm on that pool group.

The round-robin IPv6 pool selection mechanism operates as follows:

1.     On receipt of the first DHCPv6 request, the server selects the first available IPv6 pool for address allocation from the pool group.

2.     When a new DHCPv6 request arrives, the server selects the next available IPv6 pool for address allocation.

3.     After the server iterates through all the IPv6 pools in the group, the server starts over again from the first IPv6 pool.

You can enable the round-robin algorithm for selection of local IPv6 pools, remote IPv6 pools, or both types of IPv6 pools in a pool group.

If you enable the round-robin algorithm for both types of IPv6 pools, the server will first select local IPv6 pools in a round-robin manner. It moves to remote IPv6 pools for round-robin selection only if none of the local IPv6 pools has assignable IPv6 addresses or prefixes.

Procedure

1.     Enter system view.

system-view

2.     Create an IPv6 address pool and enter its view.

ipv6 pool pool-name

By default, no IPv6 address pools exist on the device.

3.     Create an IPv6 address pool group and enter its view.

ipv6 pool-group group-name

By default, no IPv6 address pool groups exist on the device.

4.     Add an IPv6 address pool to the IPv6 address pool group.

pool pool-name [ priority priority-value ]

By default, an IPv6 address pool does not belong to any IPv6 address pool group.

The IPv6 address pool group and its pool members must belong to the same VPN instance.

5.     (Optional.) Enable round-robin IPv6 pool selection.

ipv6-pool algorithm round-robin { local | remote } *

By default, the DHCPv6 server moves from one IPv6 pool to the next only when that IPv6 pool does not have assignable IPv6 addresses or prefixes.

6.     (Optional.) Apply the IPv6 address pool group to a VPN instance.

vpn-instance vpn-instance-name

By default, an address pool group is not applied to any VPN instance.

You cannot modify the VPN instance for an IPv6 address pool group if this address pool group has been applied to a VPN instance.
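The pool selection behaviour described in this section (local pools before remote pools, default sequential selection versus round-robin), modelled in Python as an added example; it is not H3C code or device output. Pool names and lease counts are constructed, and the optional priority value of the pool command is ignored because this section does not define its effect.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    remote: bool   # False = local IPv6 pool, True = remote IPv6 pool
    free: int      # assignable addresses/prefixes left (constructed numbers)


@dataclass
class PoolGroup:
    pools: list                 # members in configured order (assumption: priority ignored)
    rr_local: bool = False      # models "ipv6-pool algorithm round-robin local"
    rr_remote: bool = False     # models "ipv6-pool algorithm round-robin remote"
    _next: dict = field(default_factory=lambda: {False: 0, True: 0})

    def _pick(self, remote):
        members = [p for p in self.pools if p.remote == remote]
        if not members:
            return None
        if not (self.rr_remote if remote else self.rr_local):
            # Default behaviour: stay on a pool until it has nothing assignable.
            return next((p for p in members if p.free > 0), None)
        # Round-robin: resume after the pool used last, skipping exhausted pools.
        start = self._next[remote]
        for step in range(len(members)):
            idx = (start + step) % len(members)
            if members[idx].free > 0:
                self._next[remote] = (idx + 1) % len(members)
                return members[idx]
        return None

    def allocate(self):
        """Return the name of the pool that serves one request, or None."""
        # Remote pools are used only when no local pool has assignable resources.
        pool = self._pick(remote=False) or self._pick(remote=True)
        if pool is None:
            return None
        pool.free -= 1
        return pool.name


def distribution(group, requests):
    """Serve `requests` allocations and count how many each pool handled."""
    return Counter(group.allocate() for _ in range(requests))


def sample_group(**algo):
    # Constructed sample: two local pools and one remote pool, four leases each.
    return PoolGroup([Pool("local-a", False, 4), Pool("local-b", False, 4),
                      Pool("remote-r", True, 4)], **algo)


if __name__ == "__main__":
    print("default    :", dict(distribution(sample_group(), 6)))
    print("round-robin:", dict(distribution(sample_group(rr_local=True), 6)))
    print("overflow   :", dict(distribution(sample_group(rr_local=True), 10)))
```

With six requests the default mode drains the first local pool before touching the second, while round-robin splits them evenly; in both modes the remote pool is reached only after every local pool is empty.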

Configuring the DHCPv6 server on an interface

About this task

Enable the DHCPv6 server and configure one of the following address/prefix assignment methods on an interface:

·     Apply an address pool on the interface—The DHCPv6 server selects an IPv6 address/prefix from the applied address pool for a requesting client. If there is no assignable IPv6 address/prefix in the address pool, the DHCPv6 server cannot assign an IPv6 address/prefix to a client.

·     Configure global address assignment on the interface—The DHCPv6 server selects an IPv6 address/prefix in the global IPv6 address pool that matches the server interface address or the DHCPv6 relay agent address for a requesting client.

If you configure both methods on an interface, the DHCPv6 server uses the specified address pool for address assignment without performing global address assignment.

Restrictions and guidelines

·     An interface cannot act as a DHCPv6 server and DHCPv6 relay agent at the same time.

·     Do not enable DHCPv6 server and DHCPv6 client on the same interface.

·     You can apply an address pool that has not been created to an interface. The setting takes effect after the address pool is created.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the DHCPv6 server on the interface.

ipv6 dhcp select server

By default, the interface does not act as a DHCPv6 server or a DHCPv6 relay agent, and discards DHCPv6 packets from DHCPv6 clients.

4.     Configure an assignment method.

○     Configure global address assignment.

ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *

By default, the DHCPv6 server supports global address assignment, but does not support desired address/prefix assignment and rapid assignment. The server preference is not set.

○     Apply an IPv6 address pool to the interface.

ipv6 dhcp server apply pool pool-name [ allow-hint | preference preference-value | rapid-commit ] *

Configuring a DHCPv6 policy for IPv6 address and prefix assignment

About this task

In a DHCPv6 policy, each DHCPv6 user class has a bound IPv6 address pool. Clients matching different user classes obtain IPv6 addresses, IPv6 prefixes, and other parameters from different address pools. When receiving a DHCPv6 request, the DHCPv6 server compares the packet against the user classes in the order that they are configured.

If a match is found and the bound address pool has assignable IPv6 addresses or prefixes, the server uses the address pool for assignment. If the bound address pool does not have assignable IPv6 addresses or prefixes, the assignment fails.

If no match is found, the server uses the default IPv6 address pool for assignment. If no default address pool is specified or the default address pool does not have assignable IPv6 addresses or prefixes, the assignment fails.

For successful assignment, make sure the applied DHCPv6 policy and the bound address pools exist.

A match rule cannot match an option added by the DHCPv6 device, for example, Option 18 or Option 37.

Procedure

1.     Enter system view.

system-view

2.     Create a DHCPv6 user class and enter DHCPv6 user class view.

ipv6 dhcp class class-name

3.     Configure a match rule for the DHCPv6 user class.

if-match rule rule-number { option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-ipv6-address }

By default, no match rule is configured for a DHCPv6 user class.

4.     Return to system view.

quit

5.     Create a DHCPv6 policy and enter DHCPv6 policy view.

ipv6 dhcp policy policy-name

The DHCPv6 policy takes effect only after it is applied to the interface that acts as the DHCPv6 server.

6.     Specify an IPv6 address pool for a DHCPv6 user class.

class class-name pool pool-name

By default, no address pool is specified for a user class.

7.     (Optional.) Specify the default IPv6 address pool.

default pool pool-name

By default, the default address pool is not specified.

8.     Return to system view.

quit

9.     Enter interface view.

interface interface-type interface-number

10.     Apply the DHCPv6 policy to the interface.

ipv6 dhcp apply-policy policy-name

By default, no DHCPv6 policy is applied to an interface.
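The policy evaluation order described in this task, modelled in Python as an added example; it is not H3C code. Assumptions: each user class has a single rule, and a rule matches when the named option is present in the client message and, if a byte string is given, contains it; class names, pool names and the sample messages are constructed.

```python
import struct


def parse_options(msg):
    """Return {option-code: [data, ...]} from a DHCPv6 client message (RFC 8415 layout)."""
    if len(msg) < 4:
        raise ValueError("truncated DHCPv6 header")
    options, pos = {}, 4          # skip msg-type (1 byte) and transaction-id (3 bytes)
    while pos < len(msg):
        if pos + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if pos + length > len(msg):
            raise ValueError(f"option {code} overruns the message")
        options.setdefault(code, []).append(msg[pos:pos + length])
        pos += length
    return options


def select_pool(msg, policy, default_pool, free):
    """Pick the address pool for one request.

    policy: ordered list of (class_name, option_code, needle_or_None, pool_name).
    free:   {pool_name: assignable count}; a pool missing from it does not exist.
    Returns (pool_name or None, reason).
    """
    options = parse_options(msg)
    for class_name, code, needle, pool in policy:
        values = options.get(code, [])
        if any(needle is None or needle in v for v in values):
            # The first matching class decides. An empty bound pool is a failure,
            # not a reason to try later classes or the default pool.
            if free.get(pool, 0) > 0:
                return pool, f"class {class_name}"
            return None, f"class {class_name}: bound pool has nothing assignable"
    if default_pool is not None and free.get(default_pool, 0) > 0:
        return default_pool, "default pool"
    return None, "no class matched and no usable default pool"


def _opt(code, data):
    return struct.pack("!HH", code, len(data)) + data


# Constructed DUID-LL (type 3, hardware type 1) using a documentation MAC address.
DUID_LL = bytes.fromhex("00030001" "00005e005301")


def solicit(vendor_class=None):
    """Build a constructed Solicit carrying Client ID and, optionally, Vendor Class."""
    msg = b"\x01" + b"\xab\xcd\xef" + _opt(1, DUID_LL)
    if vendor_class is not None:
        # Option 16: enterprise-number (documentation value 32473), then
        # one length-prefixed vendor-class-data item.
        msg += _opt(16, struct.pack("!IH", 32473, len(vendor_class)) + vendor_class)
    return msg


# Constructed policy: classes are compared in the order they are configured.
POLICY = [("stb", 16, b"STB", "pool-stb"), ("cpe", 16, b"CPE", "pool-cpe")]

if __name__ == "__main__":
    free = {"pool-stb": 0, "pool-cpe": 5, "pool-default": 10}
    for vc in (b"STB-v2", b"CPE-x", None):
        print(vc, "->", select_pool(solicit(vc), POLICY, "pool-default", free))
```

The first sample shows the case that is easy to overlook in capacity planning: a client that matches a class whose bound pool is exhausted gets no address, even though the default pool still has free addresses.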

Configuring IPv6 address/prefix reservation

About IPv6 address/prefix reservation

The IPv6 address or prefix reservation feature enables the DHCP server to reserve IPv6 addresses or prefixes for DHCP clients that are offline. When a client goes offline, the DHCP server reserves the client IPv6 address or prefix as an expired lease. When the client comes online again, the DHCP server assigns the client the IPv6 address or prefix in the reserved lease.

A DHCP server can reserve IPv6 addresses or prefixes for DHCP clients in the following modes:

·     Reservation based on client MAC addresses—The DHCP server records the IP-to-MAC bindings for online clients. When these clients come online again, the server assigns them the IP addresses in the bindings according to their MAC addresses.

·     Reservation based on client DUIDs—The DHCP server records the IP-to-client DUID bindings for online clients. When these clients come online again, the server assigns them the IP addresses in the bindings according to their client DUIDs.

Restrictions and guidelines for IPv6 address/prefix reservation

If multiple DHCP clients use the same DUID on your network, configure the DHCP server to reserve IP addresses based on client MAC addresses.

L2TP users do not support IPv6 address/prefix reservation based on client MAC addresses.

Enabling IPv6 address reservation

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Enable IPv6 address reservation.

reserve expired-ipv6-address enable

By default, IPv6 address reservation is enabled.

4.     Configure the IPv6 address reservation mode.

reserve expired-ipv6-address mode { duid | mac } [ limit limit-number | time time ] *

By default, with IPv6 address reservation enabled, the DHCP server reserves IPv6 addresses based on DUIDs.

Enabling IPv6 prefix reservation

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Enable IPv6 prefix reservation.

reserve expired-pd enable

By default, IPv6 prefix reservation is enabled.

4.     Configure the IPv6 prefix reservation mode.

reserve expired-pd mode { duid | mac } [ limit limit-number | time time ] *

By default, with IPv6 prefix reservation enabled, the DHCP server reserves IPv6 prefixes based on DUIDs.

Allocating different IPv6 addresses to DHCPv6 clients with the same MAC

About this task

Traditionally, the DHCPv6 server identifies DHCPv6 clients based on their MAC addresses. Each MAC address can be bound to only one IPv6 address. However, DHCPv6 clients that have the same MAC address exist in the network, and each client requires an IPv6 address. You can enable this feature to allocate different IPv6 addresses to such clients.

This feature enables the DHCPv6 server to use the following methods to identify the DHCPv6 clients that have the same MAC address:

·     If a DHCPv6 snooping device or a DHCPv6 relay agent exists, you must enable the DHCPv6 snooping device or the DHCPv6 relay agent to support the Interface-ID option. The DHCPv6 server identifies a DHCPv6 client by the MAC address of the client and the Interface-ID option in the DHCPv6 request.

·     If no DHCPv6 snooping device or DHCPv6 relay agent is on the network, the DHCPv6 server identifies a DHCPv6 client by the combination of the following information:

○     The MAC address of the client.

○     The interface name in the DHCPv6 request.

○     The VLAN information of the receiving interface.

Restrictions and guidelines

If you execute both the ipv6 dhcp server multi-ip per-mac enable and ipv6 dhcp duid-mismatch offline commands on the device, these commands take effect as follows:

·     If requests with the same MAC address and client VLAN are received on the same interface, the server determines the requests are from the same client. The ipv6 dhcp duid-mismatch offline command takes effect and the ipv6 dhcp server multi-ip per-mac enable command does not take effect.

·     If requests with the same MAC address are received on different interfaces and client VLANs are different, the server determines the requests are from different clients. The ipv6 dhcp server multi-ip per-mac enable command takes effect and the ipv6 dhcp duid-mismatch offline command does not take effect.

Procedure

1.     Enter system view.

system-view

2.     Enable allocation of different IPv6 addresses to DHCPv6 clients with the same MAC address.

ipv6 dhcp server multi-ip per-mac enable

By default, allocation of different IPv6 addresses to DHCPv6 clients with the same MAC address is disabled.

Releasing the IPv6 address obtained by an online DHCPv6 client for a new dynamic allocation

About this task

By default, a new DHCPv6 client or authorized user fails to come online in either of the following situations:

·     Its IPv6 address allocated by the DHCPv6 server conflicts with the address in a relay entry.

·     Its IPv6 address allocated by the authentication module (UCM or AAA) conflicts with the address obtained by an online DHCPv6 client.

This feature works as follows:

·     On a DHCPv6 server:

a.     The DHCPv6 server releases the IPv6 address obtained by an online DHCPv6 client when an IPv6 address conflict occurs during the dynamic allocation.

b.     The server then informs the access module that this IPv6 address is conflicting and cannot be allocated.

·     On a DHCPv6 relay agent:

○     If the IPv6 address allocated by the authentication module conflicts with the address in a relay entry, the relay agent does the following:

i     The relay agent sends a DHCPv6-RELEASE message for the conflicting address to the DHCPv6 server.

ii     The relay agent then informs the access module that this IPv6 address is conflicting and cannot be allocated.

○     If the IPv6 address in the DHCPv6-REPLY message conflicts with the address in a relay entry, the relay agent does the following:

i     The relay agent sends a DHCPv6-RELEASE message for the conflicting address to the DHCPv6 server.

ii     The relay agent then discards the DHCPv6 reply and the new DHCPv6 client fails to obtain an IPv6 address.

After the conflicting IPv6 address is released, the new DHCPv6 client or authorized user can obtain the address if it requests again.

Restrictions and guidelines

This feature cannot take effect on a DHCPv6 relay agent without relay entry recording enabled.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCPv6 device to release the IPv6 address obtained by an online DHCPv6 client for a new dynamic allocation.

ipv6 dhcp conflict-ip-address offline

By default, the DHCPv6 device does not release the IPv6 address obtained by an online DHCPv6 client to allocate it to a new client.

Allocating existing IPv6 address leases to DHCP clients with different DUIDs

About this task

A DHCPv6 client might have different DUIDs. For example, the client might run on a host that has multiple operating systems installed. When the client uses a different DUID to request an IPv6 address, the DHCPv6 server drops the request if the request contains the same MAC address as an existing lease. After you enable this feature, the DHCPv6 server releases the existing IPv6 address lease of the client and assigns this IPv6 address to the client.

Restrictions and guidelines

This feature is applicable only to IPoE networks.

This feature is available only in a network where packets are not relayed by the DHCPv6 relay agent.

If you execute both the ipv6 dhcp server multi-ip per-mac enable and ipv6 dhcp duid-mismatch offline commands on the device, these commands take effect as follows:

·     If requests with the same MAC address and client VLAN are received on the same interface, the server determines the requests are from the same client. The ipv6 dhcp duid-mismatch offline command takes effect and the ipv6 dhcp server multi-ip per-mac enable command does not take effect.

·     If requests with the same MAC address are received on different interfaces and client VLANs are different, the server determines the requests are from different clients. The ipv6 dhcp server multi-ip per-mac enable command takes effect and the ipv6 dhcp duid-mismatch offline command does not take effect.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCPv6 server to allocate existing IPv6 address leases to DHCPv6 clients with different DUIDs.

ipv6 dhcp duid-mismatch offline

By default, upon receiving a request that contains the same MAC address as an existing lease but a different DUID, the DHCPv6 server reserves the lease and discards the request.

Specifying a DHCPv6 request processing method for roaming DHCPv6 clients

About this task

When a DHCPv6 client roams in a network, the client sends an offline request to the DHCPv6 server before requesting a new address or prefix. If the DHCPv6 device does not receive the offline request, it will discard the DHCPv6 client's new address or prefix request because it determines that the request is an attack packet.

This feature allows the DHCPv6 server to process address or prefix requests as follows upon receiving them from roaming DHCPv6 clients:

·     The fast-renew method enables the server to release existing address or prefix leases of roaming clients and assign them new IPv6 addresses or prefixes.

·     The roam method enables the server to assign addresses or prefixes to clients based on their existing leases and renew the leases. The clients can use the original IPv6 addresses or prefixes to access the network without another authentication.

Restrictions and guidelines

This feature is applicable only to IPoE networks.

The roam keyword in the ipv6 dhcp session-mismatch action { fast-renew | roam } command can take effect only after you enable roaming for IPoE individual users by using the ip subscriber roaming enable command.

For more information about IPoE roaming, see IPoE configuration in BRAS Services Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a method for the DHCPv6 server to process address or prefix requests of roaming clients.

ipv6 dhcp session-mismatch action { fast-renew | roam }

By default, the DHCPv6 server discards DHCPv6 address requests sent from roaming DHCPv6 clients.

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server

About this task

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DHCPv6 packets sent by the DHCPv6 server.

ipv6 dhcp dscp dscp-value

By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 server is 56.

Configuring DHCPv6 binding auto backup

About this task

The auto backup feature saves DHCPv6 bindings to a backup file and allows the DHCPv6 server to download the bindings from the backup file when the server reboots. The bindings include the lease bindings and conflicted IPv6 addresses. Without a backup, these bindings do not survive a reboot of the DHCPv6 server.

The DHCPv6 server does not provide services during the download process. If a connection error occurs during the process and cannot be repaired in a short amount of time, you can terminate the download operation. Manual interruption allows the DHCPv6 server to provide services without waiting for the connection to be repaired.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCPv6 server to back up the bindings to a file.

ipv6 dhcp server database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

By default, the DHCPv6 server does not back up the DHCPv6 bindings.

With this command executed, the DHCPv6 server backs up its bindings immediately and runs auto backup.

3.     (Optional.) Manually save the DHCPv6 bindings to the backup file.

ipv6 dhcp server database update now

4.     (Optional.) Set the waiting time after a DHCPv6 binding change for the DHCPv6 server to update the backup file.

ipv6 dhcp server database update interval interval

By default, the DHCPv6 server waits 300 seconds to update the backup file after a DHCPv6 binding change. If no DHCPv6 binding changes, the backup file is not updated.

5.     (Optional.) Terminate the download of DHCPv6 bindings from the backup file.

ipv6 dhcp server database update stop

This command only triggers one termination.

Enabling the DHCPv6 server to advertise IPv6 prefixes

About this task

A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use this IPv6 prefix to assign IPv6 addresses for clients in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the clients in the downstream network cannot access the external network. If the DHCPv6 server is on the same link as the DHCPv6 client, enable the DHCPv6 server to advertise the IPv6 prefix.

This feature enables the DHCPv6 server to generate a routing entry for the IPv6 prefix when it assigns the IPv6 prefix to the DHCPv6 client. The DHCPv6 server advertises this entry to the dynamic routing protocol. After the DHCPv6 client learns this route through the dynamic routing protocol, clients in the downstream network can access the external network.

Procedure

1.     Enter system view.

system-view

2.     Enable the DHCPv6 server to advertise IPv6 prefixes.

ipv6 dhcp advertise pd-route

By default, the DHCPv6 server does not advertise IPv6 prefixes.

Configuring the DHCPv6 server security features

Restrictions and guidelines for DHCPv6 server security feature configuration

The DHCPv6 server security features are not applicable if a DHCPv6 relay agent exists in the network. This is because the MAC address of the DHCPv6 relay agent is encapsulated as the source MAC address in the DHCPv6 request relayed to the DHCPv6 server. In a network where a DHCPv6 relay agent exists, configure the DHCPv6 relay agent security features. For more information, see "Configuring DHCPv6 relay security features."

Configuring DHCPv6 flood attack protection

About this task

The DHCPv6 flood attack protection enables the DHCPv6 server to detect DHCPv6 flood attacks according to the DHCPv6 packet rate threshold on a per-MAC basis.

When the DHCPv6 server receives a DHCPv6 packet from a client (MAC address), it creates a DHCPv6 flood attack protection entry in check state. If the number of incoming DHCPv6 packets from the same MAC address reaches or exceeds the upper limit in the detection duration, the server determines that the client is launching a DHCPv6 flood attack. The DHCPv6 flood attack protection entry changes to the restrain state, and the DHCPv6 server discards the DHCPv6 packets from that client. When the aging time of the entry is reached, the DHCPv6 server examines the drop rate of DHCPv6 packets sent from the MAC address.

·     If the packet drop rate is lower than the DHCPv6 flood attack threshold, the DHCPv6 server deletes the entry. If later a DHCPv6 packet from that MAC address arrives, the DHCPv6 server will create a new flood attack protection entry and count the number of incoming DHCPv6 packets for that client again.

·     If the packet drop rate is equal to or higher than the DHCPv6 flood attack threshold, the DHCPv6 server resets the aging time for the entry.

DHCPv6 flood attack protection takes effect on all interfaces if it is enabled globally. To enable DHCPv6 flood attack protection on only some of the interfaces, disable the feature globally and enable it on the desired interfaces.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the DHCPv6 packet rate threshold for triggering DHCPv6 flood attack protection.

ipv6 dhcp flood-protection threshold packet-number milliseconds

By default, the device allows a maximum of 10 DHCPv6 packets per 5000 milliseconds from each DHCPv6 client.

3.     (Optional.) Set the aging time of the DHCPv6 flood attack protection entries.

ipv6 dhcp flood-protection aging-time time

The default setting is 300 seconds.

4.     Enable DHCPv6 flood attack protection globally.

ipv6 dhcp flood-protection global enable

By default, DHCPv6 flood attack protection is disabled globally.

5.     Enable DHCPv6 flood attack protection only on one interface.

a.     Disable DHCPv6 flood attack protection globally.

undo ipv6 dhcp flood-protection global enable

By default, DHCPv6 flood attack protection is disabled globally.

b.     Enter interface view.

interface interface-type interface-number

c.     Enable DHCPv6 flood attack protection on the interface.

ipv6 dhcp flood-protection enable

By default, DHCPv6 flood attack protection is disabled on interfaces.

Configuring interface-based DHCPv6 attack suppression

About this task

DHCPv6 attack suppression protects an interface from DHCPv6 attacks by limiting the rate of incoming DHCPv6 packets after the specified threshold is crossed.

When an interface protected with DHCPv6 attack suppression receives a DHCPv6 packet, the DHCPv6 server creates a DHCPv6 attack suppression entry in check state for the interface. If the incoming DHCPv6 packet rate on the interface reaches the threshold, a DHCPv6 attack occurs on the interface. The suppression entry changes to the restrain state. To protect the CPU against DHCPv6 attack packets, the device limits the incoming DHCPv6 packet rate on the interface before the aging time of the suppression entry is reached.

When the aging time of the DHCPv6 attack suppression entry on an interface is reached, the device examines the incoming DHCPv6 packet rate on the interface.

·     If the incoming packet rate is identical to or below the suppression threshold, the device deletes the entry. When a new DHCPv6 packet arrives on that interface, the device creates a new attack suppression entry and starts to count the number of incoming DHCPv6 packets on that interface again.

·     If the incoming packet rate is above the suppression threshold, the device resets the aging timer.
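The check/restrain cycle described for DHCPv6 flood attack protection (keyed by MAC address) and for interface-based attack suppression (keyed by interface), as an added Python model that is not H3C code. The sliding-window rate measurement, the aging check performed on packet arrival, and the names RateGuard and delete_when_equal are assumptions; the MAC addresses are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

CHECK, RESTRAIN = "check", "restrain"


@dataclass
class Entry:
    state: str = CHECK
    arrivals: deque = field(default_factory=deque)  # packet timestamps (ms) in the window
    aging_deadline: int = 0                         # ms, meaningful in restrain state only


class RateGuard:
    """Model of one protection table, keyed by MAC address or interface name."""

    def __init__(self, packets=10, window_ms=5000, aging_s=300, delete_when_equal=False):
        self.packets = packets            # threshold packet-number
        self.window_ms = window_ms        # threshold milliseconds
        self.aging_ms = aging_s * 1000    # aging-time
        # Flood protection deletes an aged entry only when the rate is LOWER than
        # the threshold; interface suppression also deletes when it is IDENTICAL.
        self.delete_when_equal = delete_when_equal
        self.entries = {}

    def _rate(self, entry, now_ms):
        # Assumption: rate = packets seen in the last window_ms (sliding window).
        while entry.arrivals and entry.arrivals[0] <= now_ms - self.window_ms:
            entry.arrivals.popleft()
        return len(entry.arrivals)

    def receive(self, key, now_ms):
        """Account for one DHCPv6 packet and return the entry state afterwards."""
        entry = self.entries.get(key)
        # Assumption: aging is evaluated on the first packet at or after expiry.
        if entry and entry.state == RESTRAIN and now_ms >= entry.aging_deadline:
            rate = self._rate(entry, now_ms)
            calm = rate <= self.packets if self.delete_when_equal else rate < self.packets
            if calm:
                del self.entries[key]          # a fresh check entry is created below
                entry = None
            else:
                entry.aging_deadline = now_ms + self.aging_ms   # reset the aging time
        if entry is None:
            entry = self.entries[key] = Entry()
        self._rate(entry, now_ms)              # drop timestamps that left the window
        entry.arrivals.append(now_ms)
        if entry.state == CHECK and len(entry.arrivals) >= self.packets:
            entry.state = RESTRAIN             # threshold reached or exceeded
            entry.aging_deadline = now_ms + self.aging_ms
        return entry.state


def demo():
    """Replay constructed traffic against the default flood-protection values."""
    guard = RateGuard()                        # 10 packets per 5000 ms, aging 300 s
    quiet, noisy = "0000-5e00-5301", "0000-5e00-5302"   # constructed MAC addresses
    quiet_states = {guard.receive(quiet, t) for t in range(0, 20000, 2000)}
    noisy_states = [guard.receive(noisy, t) for t in range(0, 2000, 100)]
    after_pause = guard.receive(noisy, 400_000)   # silent until past the aging time
    return quiet_states, noisy_states, after_pause


if __name__ == "__main__":
    quiet_states, noisy_states, after_pause = demo()
    print("quiet client states:", quiet_states)
    print("noisy client restrained at packet", noisy_states.index(RESTRAIN) + 1)
    print("noisy client after pause:", after_pause)
```

The model reports only the entry state: in restrain state the flood protection feature discards the client's packets, while the interface-based feature limits the interface rate to a value this guide does not specify.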

Restrictions and guidelines

You can enable DHCPv6 attack suppression globally or on a per-interface basis.

·     To enable DHCPv6 attack suppression on all interfaces, enable it globally.

·     DHCPv6 attack suppression takes effect on an interface as long as it is enabled globally or on the interface. To suppress DHCPv6 attacks only on some of the interfaces, you must disable DHCPv6 attack suppression globally, and then enable the feature on the target interfaces.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the DHCPv6 packet rate threshold for triggering interface-based DHCPv6 attack suppression.

ipv6 dhcp interface-rate-suppression threshold packet-number milliseconds

By default, the device can receive a maximum of 3000 DHCPv6 packets per 5000 milliseconds on an interface.

3.     (Optional.) Set the aging time of interface-based DHCPv6 attack suppression entries.

ipv6 dhcp interface-rate-suppression aging-time time

The default setting is 300 seconds.

4.     Enable DHCPv6 attack suppression.

¡     To enable DHCPv6 attack suppression on all interfaces:

ipv6 dhcp interface-rate-suppression global enable

By default, global DHCPv6 attack suppression is disabled.

¡     To enable DHCPv6 attack suppression only on some of the interfaces:

i     Disable global DHCPv6 attack suppression if it has been enabled.

undo ipv6 dhcp interface-rate-suppression global enable

ii     Enter interface view.

interface interface-type interface-number

iii     Enable DHCPv6 attack suppression on the interface.

ipv6 dhcp interface-rate-suppression enable

By default, DHCPv6 attack suppression is disabled on interfaces.

Enabling DHCPv6 logging on the DHCPv6 server

About this task

The DHCPv6 logging feature enables the DHCPv6 server to generate DHCPv6 logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

As a best practice, disable this feature if the log generation affects the device performance or reduces the address and prefix allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

Procedure

1.     Enter system view.

system-view

2.     Enable DHCPv6 logging.

ipv6 dhcp log enable

By default, DHCPv6 logging is disabled.

Configuring SNMP notifications for the DHCPv6 server

About SNMP DHCPv6 server notifications

Perform this task to configure the DHCPv6 module to send SNMP notifications to report DHCPv6 server events, including:

·     Resource exhaustion events or recoveries from resource exhaustion conditions in an IPv6 address pool.

·     Resource usage threshold violations or recoveries from threshold violation conditions in an IPv6 pool.

The SNMP notifications are sent to the SNMP module. For the SNMP notifications to be sent correctly, you must also configure SNMP. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Enabling IPv6 resource exhaustion notifications

1.     Enter system view.

system-view

2.     Enable IPv6 resource exhaustion notifications.

snmp-agent trap enable ipv6 dhcp server address-exhaust pd-exhaust

By default, IPv6 resource exhaustion notifications are enabled.

3.     Enter IPv6 address pool view.

ipv6 pool pool-name

4.     (Optional.) Enable IPv6 resource exhaustion notifications for an IPv6 pool.

exhaustion trap enable

By default, IPv6 resource exhaustion notifications are enabled for an IPv6 pool.

Enabling IPv6 resource allocation failure alarming

1.     Enter system view.

system-view

2.     Enable IPv6 resource allocation failure alarming.

snmp-agent trap enable ipv6 dhcp server ip-alloc-failed pd-alloc-failed

By default, IPv6 resource allocation failure alarming is enabled.

Enabling IPv6 address usage alarm notifications

1.     Enter system view.

system-view

2.     Enable IPv6 address usage alarm notifications.

snmp-agent trap enable ipv6 dhcp server ip-in-use

By default, IPv6 address usage alarm notifications are enabled.

3.     Enter IPv6 address pool view.

ipv6 pool pool-name

4.     (Optional.) Set the IPv6 address usage threshold.

ip-in-use threshold threshold-value

The default IPv6 address usage threshold is 100%.

Enabling IPv6 prefix usage alarm notifications

1.     Enter system view.

system-view

2.     Enable IPv6 prefix usage alarm notifications.

snmp-agent trap enable ipv6 dhcp server pd-in-use

By default, IPv6 prefix usage alarm notifications are enabled.

3.     Enter IPv6 address pool view.

ipv6 pool pool-name

4.     (Optional.) Set the IPv6 prefix usage threshold.

pd-in-use threshold threshold-value

The default threshold is 100%.

Enabling IPv6 resource exhaustion alarming for IPv6 address pool groups

About this task

To enable IPv6 resource exhaustion alarming for an IPv6 address pool group, use one of the following methods:

·     Use the snmp-agent trap enable ipv6 dhcp server pool-group-exhaust command in system view to enable IPv6 resource exhaustion alarming for all IPv6 address pool groups.

·     Use the exhaustion trap enable command in the view of the IPv6 address pool group to enable IPv6 resource exhaustion alarming for the IPv6 address pool group.

Restrictions and guidelines

For the exhaustion trap enable command to take effect, enable IPv6 resource exhaustion alarming for all IPv6 address pool groups first.

After you enable IPv6 resource exhaustion alarming for all IPv6 pool groups, a large number of unnecessary alarm notifications might be generated. To reduce the number of unnecessary alarm notifications, disable IPv6 resource exhaustion alarming for some IPv6 address pools by using the undo exhaustion trap enable command.

Enabling IPv6 resource exhaustion alarming for common IPv6 address pool groups

1.     Enter system view.

system-view

2.     Enable IPv6 resource exhaustion alarming for IPv6 address pool groups.

snmp-agent trap enable ipv6 dhcp server pool-group-exhaust

By default, IPv6 resource exhaustion alarming is enabled for IPv6 address pool groups.

3.     Enter IPv6 pool group view.

ipv6 pool-group pool-group-name

4.     (Optional.) Disable IPv6 resource exhaustion alarming for the IPv6 address pool group.

undo exhaustion trap enable

By default, IPv6 resource exhaustion alarming is enabled for an IPv6 address pool group.

Enabling IPv6 resource usage alarming for IPv6 address pool groups

1.     Enter system view.

system-view

2.     Enable IPv6 resource usage alarming for IPv6 address pool groups.

snmp-agent trap enable ipv6 dhcp server pool-group-threshold

By default, IPv6 resource usage alarming is enabled for IPv6 address pool groups.

3.     Enter IPv6 pool group view.

ipv6 pool-group pool-group-name

4.     (Optional.) Set the IPv6 address usage threshold for the IPv6 address pool group.

ip-in-use threshold threshold-value

The default IPv6 address usage threshold is 100%.

Enabling IPv6 resource exhaustion logging

About this task

This feature enables the DHCPv6 module to send a log message to the information center when an IPv6 address pool or pool group encounters one of the following events:

·     The pool or pool group does not have assignable IPv6 addresses or prefix ranges.

·     The IPv6 address usage, subnet usage, prefix usage, or prefix range usage in the pool or pool group drops to or below 90% after exhaustion.

For log messages to be sent correctly, you must also configure the information center. For information about the information center configuration, see Network Management and Monitoring Configuration Guide.

In a non-CUPS scenario, you can use the following formulas to calculate IPv6 resource usage:

·     IPv6 address usage = (total number of IPv6 addresses – number of assignable IPv6 addresses )/total number of IPv6 addresses

·     IPv6 prefix usage = (total number of IPv6 prefixes – number of assignable IPv6 prefixes)/total number of IPv6 prefixes

Restrictions and guidelines

This feature is not affected if DHCPv6 logging is disabled.

Enabling IPv6 resource exhaustion logging for an IPv6 address pool

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Enable IPv6 resource exhaustion logging.

exhaustion log enable

By default, IPv6 resource exhaustion logging is disabled.

Enabling IPv6 resource exhaustion logging for an IPv6 address pool group

1.     Enter system view.

system-view

2.     Enter IPv6 address pool group view.

ipv6 pool-group pool-group-name

3.     Enable IPv6 resource exhaustion logging.

exhaustion log enable

By default, IPv6 resource exhaustion logging is disabled.

Display and maintenance commands for DHCPv6 server

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the DUID of the local device.

display ipv6 dhcp duid

Display information about DHCPv6 flood attack protection entries.

display ipv6 dhcp flood-protection slot slot-number [ mac-address mac-address [ interface interface-type interface-number ] | state { check | restrain } [ verbose ] | statistics | verbose ]

Display information about interface-based DHCPv6 attack suppression entries.

display ipv6 dhcp interface-rate-suppression slot slot-number [ interface interface-type interface-number | state { check | restrain } [ verbose ] | statistics | verbose ]

Display information about a DHCPv6 option group.

display ipv6 dhcp option-group [ option-group-number ]

Display IPv6 resource usage information for an IPv6 pool group.

display ipv6 dhcp pool-group-usage [ pool-group pool-group-name ]

Display IPv6 resource usage information for an IPv6 pool.

display ipv6 dhcp pool-usage [ peak ] [ pool pool-name ]

Display IPv6 address pool information.

display ipv6 pool [ all | name pool-name | pool-group pool-group-name | vpn-instance vpn-instance-name ] [ verbose ]

Display information about IPv6 address pool groups.

display ipv6 pool-group [ all | [ name pool-group-name ] [ vpn-instance vpn-instance-name ] ] [ verbose ]

Display prefix pool information.

display ipv6 dhcp prefix-pool [ prefix-pool-number ] [ vpn-instance vpn-instance-name ]

Display packet statistics for the DHCPv6 packet rate-limiting feature.

display ipv6 dhcp rate-limit slot slot-number

Display DHCPv6 server information on an interface.

display ipv6 dhcp server [ interface interface-type interface-number ]

Display information about IPv6 address conflicts.

display ipv6 dhcp server conflict [ address ipv6-address | interface interface-type interface-number ] [ vpn-instance vpn-instance-name ]

Display information about DHCPv6 binding auto backup.

display ipv6 dhcp server database

Display information about lease-expired IPv6 addresses.

display ipv6 dhcp server expired-ip [ [ address ipv6-address | interface interface-type interface-number ] [ vpn-instance vpn-instance-name ] | mac mac-address | pool pool-name ] [ verbose ]

Display information about lease-expired IPv6 prefixes.

display ipv6 dhcp server expired-pd [ [ interface interface-type interface-number | prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] | mac mac-address | pool pool-name ] [ verbose ]

Display information about assignable IPv6 addresses for an IPv6 address pool.

display ipv6 dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]

Display information about assignable IPv6 prefixes for an IPv6 address pool.

display ipv6 dhcp server free-pd [ pool pool-name | vpn-instance vpn-instance-name ]

Display information about IPv6 address bindings.

display ipv6 dhcp server ip-in-use [ [ address ipv6-address | interface interface-type interface-number ] [ vpn-instance vpn-instance-name ] | pool pool-name | pool-group pool-group-name ]

Display information about IPv6 prefix bindings.

display ipv6 dhcp server pd-in-use [ pool pool-name | pool-group pool-group-name | [ interface interface-type interface-number | prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] ]

Display IPv6 pool statistics on the DHCPv6 server.

display ipv6 dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]

Display packet statistics on the DHCPv6 server.

display ipv6 dhcp server packet statistics [ vpn-instance vpn-instance-name ]

Display the number of DHCPv6 access users.

display dhcpv6-access count

Display packet statistics for the DHCPv6 access module.

display dhcpv6-access packet statistics

Display information about DHCPv6 access users.

display dhcpv6-access user-table [ index index-value | mac-address mac-address | user-id user-id ]

Delete DHCPv6 flood attack protection entries.

reset ipv6 dhcp flood-protection slot slot-number [ mac-address mac-address [ interface interface-type interface-number ] ] [ packet-statistics ]

Delete interface-based DHCPv6 attack suppression entries.

reset ipv6 dhcp interface-rate-suppression slot slot-number [ interface interface-type interface-number ] [ packet-statistics ]

Clear packet statistics for the DHCPv6 packet rate-limiting feature.

reset ipv6 dhcp rate-limit slot slot-number

Clear peak resource usage information for an IPv6 pool.

reset ipv6 dhcp pool-usage peak [ pool pool-name ]

Clear information about IPv6 address conflicts.

reset ipv6 dhcp server conflict [ address start-ipv6-address [ end-ipv6-address ] ] [ vpn-instance vpn-instance-name ]

Clear binding information for lease-expired IPv6 addresses.

reset ipv6 dhcp server expired-ip [ [ address start-ipv6-address [ end-ipv6-address ] ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Clear binding information for lease-expired IPv6 prefixes.

reset ipv6 dhcp server expired-pd [ pool pool-name | [ prefix start-prefix/prefix-len [ end-prefix/prefix-len ] ] [ vpn-instance vpn-instance-name ] ]

Clear information about IPv6 address bindings.

reset ipv6 dhcp server ip-in-use [ [ address start-ipv6-address [ end-ipv6-address ] | relay-address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name [ relay-address ipv6-address ] ]

Clear information about IPv6 prefix bindings.

reset ipv6 dhcp server pd-in-use [ pool pool-name [ relay-address ipv6-address ] | [ prefix start-prefix/prefix-len [ end-prefix/prefix-len ] | relay-address ipv6-address ] [ vpn-instance vpn-instance-name ] ]

Clear packet statistics for the DHCPv6 server.

reset ipv6 dhcp server packet statistics [ vpn-instance vpn-instance-name ]

Clear packet statistics for the DHCPv6 access module.

reset dhcp-access packet statistics

DHCPv6 server configuration examples

Example: Configuring dynamic IPv6 prefix assignment

Network configuration

As shown in Figure 12, the router acts as a DHCPv6 server to assign an IPv6 prefix, a DNS server address, a domain name, a SIP server address, and a SIP server name to each DHCPv6 client.

The router assigns prefix 2001:0410:0201::/48 to the client whose DUID is 00030001CA0006A40000, and assigns prefixes in the range of 2001:0410::/48 to 2001:0410:FFFF::/48 (excluding 2001:0410:0201::/48) to other clients. The DNS server address is 2:2::3. The DHCPv6 clients reside in the domain aaa.example.com. The SIP server address is 2:2::4, and the SIP server name is bbb.example.com.

Figure 12 Network diagram

Procedure

# Specify an IPv6 address for Ten-GigabitEthernet 3/0/1.

<Router> system-view

[Router] interface ten-gigabitethernet 3/0/1

[Router-Ten-GigabitEthernet3/0/1] ipv6 address 1::1/64

# Disable RA message suppression on Ten-GigabitEthernet 3/0/1.

[Router-Ten-GigabitEthernet3/0/1] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.

[Router-Ten-GigabitEthernet3/0/1] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/1. Hosts that receive the advertisements will obtain information other than IPv6 addresses through DHCPv6.

[Router-Ten-GigabitEthernet3/0/1] ipv6 nd autoconfig other-flag

[Router-Ten-GigabitEthernet3/0/1] quit

# Create prefix pool 1, and specify the prefix 2001:0410::/32 with assigned prefix length 48.

[Router] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48

# Create address pool 1.

[Router] ipv6 pool 1

# In address pool 1, specify subnet 1::/64 where the server interface resides.

[Router-ipv6-pool-1] network 1::/64

# Apply prefix pool 1 to address pool 1, and set the preferred lifetime to one day, and the valid lifetime to three days.

[Router-ipv6-pool-1] prefix-pool 1 preferred-lifetime 86400 valid-lifetime 259200

# In address pool 1, bind prefix 2001:0410:0201::/48 to the client DUID 00030001CA0006A40000, and set the preferred lifetime to one day, and the valid lifetime to three days.

[Router-ipv6-pool-1] static-bind prefix 2001:0410:0201::/48 duid 00030001CA0006A40000 preferred-lifetime 86400 valid-lifetime 259200

# Configure the DNS server address as 2:2::3.

[Router-ipv6-pool-1] dns-server 2:2::3

# Configure the domain name as aaa.example.com.

[Router-ipv6-pool-1] domain-name aaa.example.com

# Configure the SIP server address as 2:2::4, and the SIP server name as bbb.example.com.

[Router-ipv6-pool-1] sip-server address 2:2::4

[Router-ipv6-pool-1] sip-server domain-name bbb.example.com

[Router-ipv6-pool-1] quit

# Enable the DHCPv6 server on Ten-GigabitEthernet 3/0/1, enable desired prefix assignment and rapid prefix assignment, and set the preference to the highest.

[Router] interface ten-gigabitethernet 3/0/1

[Router-Ten-GigabitEthernet3/0/1] ipv6 dhcp select server

[Router-Ten-GigabitEthernet3/0/1] ipv6 dhcp server allow-hint preference 255 rapid-commit

Verifying the configuration

# Display the DHCPv6 server configuration on Ten-GigabitEthernet 3/0/1.

[Router-Ten-GigabitEthernet3/0/1] display ipv6 dhcp server interface ten-gigabitethernet 3/0/1

Using pool: global

Preference value: 255

Allow-hint: Enabled

Rapid-commit: Enabled

# Display information about address pool 1.

[Router-Ten-GigabitEthernet3/0/1] display ipv6 pool name 1

IPv6 pool: 1

  Pool index: 1

  Network: 1::/64

    Preferred lifetime 604800 seconds, valid lifetime 2592000 seconds

  Prefix pool: 1

    Preferred lifetime 86400 seconds, valid lifetime 259200 seconds

  Static bindings:

    DUID: 00030001ca0006a4

    IAID: Not configured

    Prefix: 2001:410:201::/48

      Preferred lifetime 86400 seconds, valid lifetime 259200 seconds

  DNS server addresses:

    2:2::3

  Domain name:

    aaa.example.com

  SIP server addresses:

    2:2::4

  SIP server domain names:

    bbb.example.com

# Display information about prefix pool 1.

[Router-Ten-GigabitEthernet3/0/1] display ipv6 dhcp prefix-pool 1

Prefix: 2001:410::/32

Assigned length: 48

Total prefix number: 65536

Available: 65535

In-use: 0

Static: 1

# After the client with the DUID 00030001CA0006A40000 obtains an IPv6 prefix, display the binding information on the DHCPv6 server.

[Router-Ten-GigabitEthernet3/0/1] display ipv6 dhcp server pd-in-use

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2001:410:201::/48                           Static(C) Jul 10 19:45:01 2019

# After the other client obtains an IPv6 prefix, display the binding information on the DHCPv6 server.

[Router-Ten-GigabitEthernet3/0/1] display ipv6 dhcp server pd-in-use

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2001:410:201::/48                           Static(C) Jul 10 19:45:01 2019

 2001:410::/48                               Auto(C)   Jul 10 20:44:05 2019

Example: Configuring dynamic IPv6 address assignment

Network configuration

As shown in Figure 13, Router A acts as a DHCPv6 server to assign IPv6 addresses to the clients on subnets 1::1:0:0:0/96 and 1::2:0:0:0/96.

On Router A, configure the IPv6 address 1::1:0:0:1/96 for Ten-GigabitEthernet 3/0/1 and 1::2:0:0:1/96 for Ten-GigabitEthernet 3/0/2. The lease duration of the addresses on subnet 1::1:0:0:0/96 is 172800 seconds (two days), the valid time is 345600 seconds (four days), the domain name is aabbcc.com, and the DNS server address is 1::1:0:0:2/96. The lease duration of the addresses on subnet 1::2:0:0:0/96 is 432000 seconds (five days), the valid time is 864000 seconds (ten days), the domain name is aabbcc.com, and the DNS server address is 1::2:0:0:2/96.

Figure 13 Network diagram

Procedure

1.     Configure the interfaces on the DHCPv6 server:

# Specify an IPv6 address for Ten-GigabitEthernet 3/0/1.

<RouterA> system-view

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 address 1::1:0:0:1/96

# Disable RA message suppression on Ten-GigabitEthernet 3/0/1.

[RouterA-Ten-GigabitEthernet3/0/1] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/1. Hosts that receive the advertisements will obtain information other than IPv6 addresses through DHCPv6.

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 nd autoconfig other-flag

[RouterA-Ten-GigabitEthernet3/0/1] quit

# Specify an IPv6 address for Ten-GigabitEthernet 3/0/2.

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ipv6 address 1::2:0:0:1/96

# Disable RA message suppression on Ten-GigabitEthernet 3/0/2.

[RouterA-Ten-GigabitEthernet3/0/2] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/2. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.

[RouterA-Ten-GigabitEthernet3/0/2] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/2. Hosts that receive the advertisements will obtain information other than IPv6 addresses through DHCPv6.

[RouterA-Ten-GigabitEthernet3/0/2] ipv6 nd autoconfig other-flag

[RouterA-Ten-GigabitEthernet3/0/2] quit

2.     Enable DHCPv6:

# Enable the DHCPv6 server on the interfaces Ten-GigabitEthernet 3/0/1 and Ten-GigabitEthernet 3/0/2.

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 dhcp select server

[RouterA-Ten-GigabitEthernet3/0/1] quit

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ipv6 dhcp select server

[RouterA-Ten-GigabitEthernet3/0/2] quit

# Exclude the DNS server addresses from dynamic assignment.

[RouterA] ipv6 dhcp server forbidden-address 1::1:0:0:2

[RouterA] ipv6 dhcp server forbidden-address 1::2:0:0:2

# Create IPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::1:0:0:0/96.

[RouterA] ipv6 pool 1

[RouterA-ipv6-pool-1] network 1::1:0:0:0/96 preferred-lifetime 172800 valid-lifetime 345600

[RouterA-ipv6-pool-1] domain-name aabbcc.com

[RouterA-ipv6-pool-1] dns-server 1::1:0:0:2

[RouterA-ipv6-pool-1] quit

# Create IPv6 address pool 2 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::2:0:0:0/96.

[RouterA] ipv6 pool 2

[RouterA-ipv6-pool-2] network 1::2:0:0:0/96 preferred-lifetime 432000 valid-lifetime 864000

[RouterA-ipv6-pool-2] domain-name aabbcc.com

[RouterA-ipv6-pool-2] dns-server 1::2:0:0:2

[RouterA-ipv6-pool-2] quit

Verifying the configuration

# Verify that clients on subnets 1::1:0:0:0/96 and 1::2:0:0:0/96 can obtain IPv6 addresses and all other configuration parameters from the DHCPv6 server (Router A). (Details not shown.)

# On the DHCPv6 server, display IPv6 addresses assigned to the clients.

[RouterA] display ipv6 dhcp server ip-in-use


Configuring the DHCPv6 relay agent

About DHCPv6 relay agent

Typical application

A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 14, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server. The relay agent feature avoids deploying a DHCPv6 server on each subnet.

Figure 14 Typical DHCPv6 relay agent application

DHCPv6 relay agent operating process

As shown in Figure 15, a DHCPv6 client obtains an IPv6 address and other network configuration parameters from a DHCPv6 server through a DHCPv6 relay agent. The following example uses rapid assignment to describe the process:

·     The DHCPv6 client sends a Solicit message containing the Rapid Commit option to the multicast address FF02::1:2 of all the DHCPv6 servers and relay agents.

·     After receiving the Solicit message, the DHCPv6 relay agent encapsulates the message into the Relay Message option of a Relay-forward message, and sends the message to the DHCPv6 server.

·     After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server performs the following tasks:

¡     Selects an IPv6 address and other required parameters.

¡     Adds them to a reply that is encapsulated within the Relay Message option of a Relay-reply message.

¡     Sends the Relay-reply message to the DHCPv6 relay agent.

·     The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the DHCPv6 client.

·     The DHCPv6 client uses the IPv6 address and other network parameters assigned by the DHCPv6 server to complete network configuration.

Figure 15 Operating process of a DHCPv6 relay agent

 

Restrictions and guidelines: DHCPv6 relay agent configuration

To ensure successful traffic forwarding, make sure the IP addresses assigned to clients are from the same subnet as the IP address of the relay interface to which they are attached.

DHCPv6 relay agent tasks at a glance

To configure a DHCPv6 relay agent, perform the following tasks:

1.     Enabling the DHCPv6 relay agent on an interface

2.     Specifying DHCPv6 servers on the relay agent

3.     (Optional.) Specifying a gateway address for DHCPv6 clients

4.     (Optional.) Specifying the source IPv6 address for relayed DHCPv6 requests

5.     (Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent

6.     (Optional.) Specifying a padding mode for the Interface-ID option

7.     (Optional.) Enabling the DHCPv6 relay agent to support Option 79

8.     (Optional.) Enabling the DHCPv6 relay agent to advertise IPv6 prefixes

9.     (Optional.) Configuring DHCPv6 relay security features

10.     (Optional.) Specifying a DHCPv6 request processing method for roaming DHCPv6 clients

11.     (Optional.) Enabling the non-first-hop DHCPv6 relay agent feature

Enabling the DHCPv6 relay agent on an interface

Restrictions and guidelines

As a best practice, do not enable DHCPv6 relay agent and DHCPv6 client on the same interface.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCPv6 relay agent on the interface.

ipv6 dhcp select relay

By default, the DHCPv6 relay agent is disabled on the interface.

Specifying DHCPv6 servers on the relay agent

Specifying DHCPv6 server IP addresses

Restrictions and guidelines

·     You can use the ipv6 dhcp relay server-address command to specify a maximum of eight DHCPv6 servers on the DHCPv6 relay agent interface. The DHCPv6 relay agent forwards DHCP requests to all the specified DHCPv6 servers.

·     If a DHCPv6 server address is a link-local address or a multicast address that starts with FF02, you must specify an outgoing interface by using the interface keyword in this command. Otherwise, DHCPv6 packets might fail to reach the DHCPv6 server.

·     If you specify an output interface for relayed DHCPv6 packets, make sure the interface has a route to reach the specified DHCPv6 server address. Otherwise, the relayed DHCPv6 packets cannot reach the specified DHCPv6 server.

·     If you specify the same DHCPv6 server address in the ipv6 dhcp relay server-address ipv6-address interface command and the ipv6 dhcp relay server-address ipv6-address command, the former command will overwrite the latter command.

·     The DHCPv6 relay agent forwards the packets from clients to the specified DHCPv6 server in the specified virtual network (MPLS L3VPN instance or the public network). If you do not specify an MPLS L3VPN instance or the public network, the DHCPv6 relay agent forwards a client's packets in the same virtual network as the client.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a DHCPv6 server.

ipv6 dhcp relay server-address ipv6-address [ interface interface-type interface-number | public | vpn-instance vpn-instance-name ]

By default, no DHCPv6 server is specified.

Specifying DHCPv6 servers for a DHCPv6 relay address pool

About this task

This feature allows DHCPv6 clients of the same type to obtain IPv6 addresses, IPv6 prefixes, and other configuration parameters from the DHCPv6 servers in the matching DHCPv6 relay address pool.

It applies to scenarios where the DHCPv6 relay agent connects to clients of the same access type but classified into different types by their locations. In this case, the relay interface typically has no IPv6 address configured. A typical scenario is IPoE access. You can use the gateway-list command to specify the gateway addresses for clients matching the same DHCPv6 relay address pool.

Upon receiving a DHCPv6 Solicit or Request from a client that matches a DHCPv6 relay address pool, the relay agent processes the packet as follows:

·     Fills the link-address field of the packet with a specified gateway address.

·     Forwards the packet to all DHCPv6 servers in the matching DHCPv6 relay address pool.

The DHCPv6 servers select an IPv6 address pool according to the gateway address.

Restrictions and guidelines

·     You can specify a maximum of eight DHCPv6 servers for one DHCPv6 relay address pool for high availability. The relay agent forwards DHCPv6 Solicit and Request packets to all DHCPv6 servers in the DHCPv6 relay address pool.

·     If this feature is used in the PPPoE scenario, execute the ipv6 dhcp relay client-information record command to enable the DHCPv6 relay agent to record relay entries. When a PPPoE user gets offline, the DHCPv6 relay agent locates the matching relay entry and sends a Release message to the DHCPv6 server.

·     If this feature is used in the PPPoE scenario, you do not need to execute the ipv6 dhcp select relay command. The remote-server command is required in this configuration task, and it implies that this device is a relay device.

Procedure

1.     Enter system view.

system-view

2.     Create a DHCPv6 relay address pool and enter its view.

ipv6 pool pool-name

3.     Specify gateway addresses for the clients matching the DHCPv6 relay address pool.

gateway-list ipv6-address&<1-8>

By default, no gateway addresses are specified.

4.     Specify DHCPv6 servers for the DHCPv6 relay address pool.

remote-server ipv6-address [ interface interface-type interface-number | public | vpn-instance vpn-instance-name ]

By default, no DHCPv6 server is specified for the DHCPv6 relay address pool.

Specifying the DHCPv6 server selection algorithm

About this task

The DHCPv6 relay agent supports the polling and master-backup DHCPv6 server selection algorithms.

By default, the DHCPv6 relay agent uses the polling algorithm. It forwards DHCPv6 requests to all DHCPv6 servers. The DHCPv6 clients select the DHCPv6 server from which the first received DHCP reply comes.

If the DHCPv6 relay agent uses the master-backup algorithm, it forwards DHCPv6 requests to the master DHCPv6 server first. If the master DHCPv6 server is not available, the relay agent forwards the subsequent DHCPv6 requests to a backup DHCPv6 server. If the backup DHCPv6 server is not available, the relay agent selects the next backup DHCP server, and so on. If no backup DHCPv6 server is available, it repeats the process starting from the master DHCPv6 server.

In a network where remote BAS IPv6 pools are configured on the DHCPv6 relay agent, the first specified DHCPv6 server in the pool is the master. The other DHCPv6 servers in the pool are backups. IPoE networks are an example.

Specifying the DHCPv6 server selection algorithm on an interface

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the DHCPv6 server selection algorithm.

ipv6 dhcp relay server-address algorithm { master-backup | polling }

By default, the polling algorithm is used. The DHCPv6 relay agent forwards DHCPv6 requests to all DHCPv6 servers.

Specifying the DHCPv6 server selection algorithm in a remote BAS IPv6 address pool

1.     Enter system view.

system-view

2.     Enter IPv6 address pool view.

ipv6 pool pool-name

3.     Specify the DHCPv6 server selection algorithm.

remote-server algorithm { master-backup | polling }

By default, the polling algorithm is used. The DHCPv6 relay agent forwards DHCPv6 requests to all DHCPv6 servers.

Configuring DHCPv6 server liveness detection

About this task

This feature is applicable when the relay agent selects a DHCPv6 server from a DHCPv6 address pool.

This feature enables the relay agent to detect the liveness of the DHCPv6 servers.

The DHCPv6 server liveness detection mechanism differs depending on the server selection algorithm.

If the master-backup selection algorithm applies, the relay agent uses the following mechanism to determine whether a DHCPv6 server is available:

1.     When relaying the first request to a selected DHCPv6 server, the DHCPv6 relay agent starts the request counter and the timeout timer configured for that server.

2.     The relay agent determines the availability of the DHCPv6 server:

¡     On receipt of a reply before the timeout timer expires, the relay agent resets the request counter and stops the timeout timer.

If the reply indicates an address or prefix assignment failure, the relay agent determines that the DHCPv6 server is not available and places it in down state.

The relay agent restarts the timer and the request counter when it relays a new request to the server.

¡     If the relay agent has not received a reply from the server when the timeout timer expires, the relay agent checks the request counter against the dead-count-value setting.

-     If the number of requests does not exceed the dead-count-value setting, the relay agent continues to send new requests to the server without resetting the request counter.

-     If the number of requests exceeds the dead-count-value setting, the relay agent determines that the DHCPv6 server is not available and places it in down state.

3.     On receipt of a new request after it placed the server in down state, the relay agent forwards the new request to the next available server.

4.     If none of the servers are available, the relay agent forwards the new request to all servers. In this situation, the relay agent does not start the timeout timer.

If the polling selection algorithm applies, the relay agent uses the following mechanism to determine whether a DHCPv6 server is available:

1.     When receiving the first request, the DHCPv6 relay agent forwards that request to all available servers. At the same time, it starts the request counter and the timeout timer. The timeout timer is set to the highest timeout value among all servers.

2.     The relay agent determines the availability of the DHCPv6 server:

¡     On receipt of a reply before the timeout timer expires, the relay agent takes one of the following actions depending on the reply content:

-     If the reply contains a usable IPv6 address or prefix, the relay agent resets the request counter and stops the timeout timer.

-     If the reply indicates an address or prefix assignment failure, the relay agent determines that the reply sender is unavailable and places it in down state. In this situation, the relay agent does not reset the request counter. It continues to wait for replies from other servers until a reply is received or until the timeout timer expires.

¡     If the relay agent has not received a reply from any servers when the timeout timer expires, the relay agent checks the request counter against the dead-count-value setting.

-     If the number of requests does not exceed the dead-count-value setting, the relay agent continues to send new requests to all servers without resetting the request counter.

-     If the number of requests exceeds the dead-count-value setting, the relay agent determines that none of the DHCPv6 servers is available and places them in down state.

3.     When the relay agent receives a new request after it placed all the servers in down state, it forwards the new request to all the servers without restarting the timeout timer.

The relay agent starts the dead-time timer for a DHCPv6 server after it determines that the server is unavailable. Until the timer expires, the relay agent does not relay any packets to that server. After the timer expires, the relay agent determines that the DHCPv6 server is alive again and resumes forwarding packets to it.

Restrictions and guidelines

The liveness detection settings specific to a DHCP server have a higher priority than the shared settings. If no DHCP server-specific settings are configured, the shared ones apply.

You can specify multiple server liveness detection rules for different DHCPv6 server addresses. If you do not specify a DHCPv6 server for the command, you are creating a shared detection rule. The DHCP server-specific detection rule or the shared rule takes effect as follows:

·     If you specify the same rule keyword but with different values in each command execution, the most recent configuration takes effect.

·     If you specify different rule keywords in each command execution, all configurations take effect.

Procedure

1.     Enter system view.

system-view

2.     Configure DHCPv6 server liveness detection.

ipv6 dhcp remote-server [ ipv6-address [ vpn-instance vpn-instance-name ] ] { dead-count dead-count-value | dead-time dead-time | timeout timeout } *

By default, the relay agent marks a DHCPv6 server as dead if it does not receive a reply from that server within 55 seconds.

Specifying a gateway address for DHCPv6 clients

About this task

By default, the DHCPv6 relay agent fills the link-address field of DHCPv6 Solicit and Request packets with the first IPv6 address of the relay interface. This task is required if a relay interface connects to multiple subnets and you want the DHCP server to assign IPv6 addresses to clients in a specific subnet. When receiving DHCPv6 Solicit and Request packets from a client of this subnet, the DHCPv6 relay agent uses the specified gateway address to fill the link-address field of the packets.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a gateway address for DHCPv6 clients.

ipv6 dhcp relay gateway ipv6-address

By default, the DHCPv6 relay agent uses the first IPv6 address of the relay interface as the clients' gateway address.

Specifying the source IPv6 address for relayed DHCPv6 requests

About specifying the source IP address for relayed DHCP requests

This task is required if multiple relay interfaces share the same IPv6 address or if a relay interface does not have routes to DHCPv6 servers. You can use this command to specify the IPv6 address of another interface (typically a loopback interface) on the DHCPv6 relay agent as the source IPv6 address for relayed DHCP requests.

Restrictions and guidelines

Specify the gateway keyword if the DHCPv6 relay agent has a reachable route to the DHCPv6 address from the address filled in the Link-address field.

Specifying the source IP address for relayed DHCP requests (DHCPv6 relay address pool view)

1.     Enter system view.

system-view

2.     Enter DHCPv6 relay address pool view.

ipv6 pool pool-name

3.     Specify the source IPv6 address of the DHCPv6 requests that the DHCPv6 relay agent forwards to the DHCPv6 server.

dhcpv6-relay source-address { ipv6-address | gateway | interface interface-type interface-number }

By default, the relay agent chooses the source IPv6 address for relayed requests depending on whether its server-side interface and the DHCPv6 server belong to the same VPN instance:

¡     If they belong to the same VPN instance, the relay agent uses an IPv6 global unicast address of the output interface for relayed requests as their source IP address.

¡     If they belong to different VPN instances, the relay agent uses the lowest IPv6 address that is in the same VPN instance as the DHCPv6 server as their source IP address.

Specifying the source IP address for relayed DHCP requests (interface view)

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the source IP address for DHCP requests.

ipv6 dhcp relay source-address { ipv6-address | interface interface-type interface-number }

By default, the relay agent chooses the source IPv6 address for relayed requests depending on whether its server-side interface and the DHCPv6 server belong to the same VPN instance:

¡     If they belong to the same VPN instance, the relay agent uses an IPv6 global unicast address of the output interface for relayed requests as their source IP address.

¡     If they belong to different VPN instances, the relay agent uses the lowest IPv6 address that is in the same VPN instance as the DHCPv6 server as their source IP address.

If the specified interface does not have an IPv6 global unicast address, the relay agent follows the default rule to specify the source IPv6 address for relayed DHCPv6 requests.

 

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent

About this task

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent.

ipv6 dhcp dscp dscp-value

The default DSCP value is 56.

Specifying a padding mode for the Interface-ID option

About this task

This feature enables the relay agent to fill the Interface-ID option in the specified mode. When receiving a DHCPv6 packet from a client, the relay agent fills the Interface-ID option in the mode and then forwards the packet to the DHCPv6 server.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a padding mode for the Interface-ID option.

ipv6 dhcp relay interface-id { bas [ merge ] | cn-telecom | interface | tr-101 }

By default, the relay agent fills the Interface-ID option with the index of the interface.

Enabling the DHCPv6 relay agent to support Option 79

About this task

If DHCPv6 relay agents exist in the network, the DHCPv6 server needs the MAC address of the DHCPv6 client for authentication or for IPv6 address or prefix assignment. To meet the requirement, enable the DHCPv6 relay agent that the client first passes to support Option 79. This feature allows the DHCPv6 relay agent to learn the MAC address in the client request. When the relay agent generates a Relay-Forward packet for the request, it fills the MAC address of the client in Option 79. The Relay-Forward packet is then forwarded to the DHCPv6 server.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the DHCPv6 relay agent to support Option 79.

ipv6 dhcp relay client-link-address enable

By default, the DHCPv6 relay agent does not support Option 79.
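The following Python example, added here and not taken from H3C software, builds the Relay-forward message described in the operating process and reads back the fields set by the preceding tasks: the link-address (gateway address), the Interface-ID option, and Option 79. The client MAC, addresses, interface index, and function names are constructed for illustration; the pool subnets come from the server example in this guide, and the name of pool 1 is assumed.

```python
import ipaddress
import struct

# Message types and option codes from RFC 8415 and RFC 6939.
SOLICIT, RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_RELAY_MSG, OPT_RAPID_COMMIT = 1, 9, 14
OPT_INTERFACE_ID, OPT_CLIENT_LINKLAYER_ADDR = 18, 79

# Server-side pools keyed by subnet. Pool 2 and both subnets appear in the
# server example of this guide; the name "1" for the first subnet is assumed.
POOLS = {"1": ipaddress.ip_network("1::1:0:0:0/96"),
         "2": ipaddress.ip_network("1::2:0:0:0/96")}


def opt(code, data=b""):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, value."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode options into {code: [values]}; reject truncated input."""
    found, i = {}, 0
    while i < len(buf):
        if len(buf) - i < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError(f"option {code} overruns the message")
        found.setdefault(code, []).append(buf[i:i + length])
        i += length
    return found


def relay_forward(client_msg, link_address, peer_address, interface_id,
                  client_mac=None, hop_count=0):
    """Wrap a client message the way a first-hop relay agent does."""
    msg = struct.pack("!BB", RELAY_FORW, hop_count)
    msg += ipaddress.IPv6Address(link_address).packed   # gateway address
    msg += ipaddress.IPv6Address(peer_address).packed   # client's source address
    msg += opt(OPT_RELAY_MSG, client_msg)
    msg += opt(OPT_INTERFACE_ID, interface_id)
    if client_mac is not None:                          # Option 79 enabled
        # Hardware type 1 (Ethernet) followed by the link-layer address.
        msg += opt(OPT_CLIENT_LINKLAYER_ADDR, struct.pack("!H", 1) + client_mac)
    return msg


def inspect_relay_forward(msg):
    """Return the fields a DHCPv6 server reads from a Relay-forward message."""
    if len(msg) < 34 or msg[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    opts = parse_options(msg[34:])
    if OPT_RELAY_MSG not in opts:
        raise ValueError("Relay Message option is missing")
    inner = opts[OPT_RELAY_MSG][0]
    if len(inner) < 4:
        raise ValueError("encapsulated message is too short")
    # A client message has a 4-byte header (msg-type, transaction-id). A nested
    # Relay-forward from another relay has a different header and is not unwrapped.
    inner_opts = {} if inner[0] == RELAY_FORW else parse_options(inner[4:])
    mac = None
    if OPT_CLIENT_LINKLAYER_ADDR in opts:
        value = opts[OPT_CLIENT_LINKLAYER_ADDR][0]
        if len(value) < 3:
            raise ValueError("Option 79 carries no link-layer address")
        mac = value[2:].hex(":")        # first two bytes are the hardware type
    return {
        "hop_count": msg[1],
        "link_address": ipaddress.IPv6Address(msg[2:18]),
        "peer_address": ipaddress.IPv6Address(msg[18:34]),
        "interface_id": opts.get(OPT_INTERFACE_ID, [None])[0],
        "client_mac": mac,
        "inner_type": inner[0],
        "rapid_commit": OPT_RAPID_COMMIT in inner_opts,
    }


def select_pool(link_address, pools=POOLS):
    """Pick the pool whose subnet contains the link-address, or None."""
    addr = ipaddress.IPv6Address(str(link_address))
    return next((name for name, net in pools.items() if addr in net), None)


def is_well_formed(msg):
    """True if the message parses; False for truncated or malformed input."""
    try:
        inspect_relay_forward(msg)
        return True
    except ValueError:
        return False


# Constructed sample: a Solicit with Rapid Commit from a client with a made-up MAC,
# relayed with gateway address 1::2:0:0:1 and a 4-byte interface index of 7.
CLIENT_MAC = bytes.fromhex("020000000001")
SOLICIT_MSG = (bytes([SOLICIT]) + b"\xab\xcd\xef"
               + opt(OPT_CLIENTID, b"\x00\x03\x00\x01" + CLIENT_MAC)  # DUID-LL
               + opt(OPT_RAPID_COMMIT))
SAMPLE = relay_forward(SOLICIT_MSG, "1::2:0:0:1", "fe80::ff:fe00:1",
                       interface_id=struct.pack("!I", 7), client_mac=CLIENT_MAC)

if __name__ == "__main__":
    info = inspect_relay_forward(SAMPLE)
    print(info, "-> pool", select_pool(info["link_address"]))
```

The server never sees the client's Ethernet frame, so without Option 79 the `client_mac` field is empty and any MAC-based policy has to rely on values the client supplies itself.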

Enabling the DHCPv6 relay agent to advertise IPv6 prefixes

About this task

A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use this IPv6 prefix to assign IPv6 addresses to clients in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the clients in the downstream network cannot access the external network. You can enable the DHCPv6 relay agent that is on the same link as the DHCPv6 client to advertise the IPv6 prefix.

This feature enables the DHCPv6 relay agent to generate a routing entry for the IPv6 prefix when it receives a reply message with the IPv6 prefix. The DHCPv6 relay agent advertises this entry to the dynamic routing protocol. After the DHCPv6 client learns this route through the dynamic routing protocol, clients in the downstream network can access the external network.

Prerequisites

Before you perform this task, make sure the DHCPv6 relay agent is enabled to record DHCPv6 relay entries.

Procedure

1.     Enter system view.

system-view

2.     Enable the DHCPv6 relay agent to advertise IPv6 prefixes.

ipv6 dhcp advertise pd-route

By default, the DHCPv6 relay agent does not advertise IPv6 prefixes.

Configuring DHCPv6 relay security features

Enabling the DHCPv6 relay agent to record relay entries

About this task

This feature enables the DHCPv6 relay agent to automatically record DHCPv6 relay entries after DHCPv6 clients obtain IPv6 addresses or prefixes through DHCPv6. A DHCPv6 relay entry contains the binding between a client's hardware address and IPv6 address or prefix.

Some security features, such as IP source guard, use DHCPv6 relay entries to check incoming packets and block packets that do not match any entry. Hosts using manually configured IPv6 addresses are denied access to external networks through the relay agent. For more information about IP source guard, see Security Configuration Guide.

Restrictions and guidelines

The following information applies to WAN access users (for example, IPoE or PPPoE users):

·     Without an authorized IPv6 pool, the DHCPv6 relay agent generates relay entries for WAN access users automatically, which cannot be manually disabled.

·     With an authorized IPv6 pool, the relay agent does not generate relay entries for WAN access users.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the recording of DHCPv6 relay entries.

ipv6 dhcp relay client-information record

By default, the DHCPv6 relay agent does not record relay entries.

Enabling IPv6 release notification

About this task

This feature enables the DHCPv6 relay agent to send a Release message to the DHCPv6 server after it deletes a DHCPv6 relay entry. After the DHCPv6 server receives the message, it reclaims the IPv6 address or prefix and marks the lease as expired.

If you do not enable this feature, the DHCPv6 relay agent will not send a Release message after it deletes a relay entry.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable IPv6 release notification.

ipv6 dhcp relay release-agent

By default, IPv6 release notification is disabled.

Enabling client offline detection

About this task

This feature enables the DHCPv6 relay agent to detect the status of ND entries. After an ND entry ages out, the DHCPv6 relay agent considers the client offline and deletes the relay entry for the client. For more information about ND, see "Configuring basic IPv6 settings."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable client offline detection.

ipv6 dhcp client-detect

By default, client offline detection is disabled.

Configuring DHCPv6 flood attack protection

About this task

The DHCPv6 flood attack protection enables the DHCPv6 relay agent to detect DHCPv6 flood attacks according to the DHCPv6 packet rate threshold on a per-MAC basis.

When the DHCPv6 relay agent receives a DHCPv6 packet from a client (MAC address), it creates a DHCPv6 flood attack protection entry in check state. If the number of DHCPv6 packets from the same MAC address reaches the upper limit in the detection duration, the relay agent determines that the client is launching a DHCPv6 flood attack. The DHCPv6 flood attack protection entry changes to the restrain state, and the DHCPv6 relay agent discards the DHCPv6 packets from that client. When the aging time of the entry is reached, the DHCPv6 relay agent examines the drop rate of DHCPv6 packets sent from the MAC address.

·     If the drop rate is lower than the DHCPv6 flood attack threshold, the DHCPv6 relay agent deletes the entry. If later a DHCPv6 packet from that MAC address arrives, the DHCPv6 relay agent will create a new flood attack protection entry and count the number of incoming DHCPv6 packets for that client again.

·     If the packet drop rate is equal to or higher than the DHCPv6 flood attack threshold, the DHCPv6 relay agent resets the aging time for the entry.

DHCPv6 flood attack protection takes effect on all interfaces if it is enabled globally. To enable DHCPv6 flood attack protection on only some of the interfaces, disable the feature globally and enable it on the desired interfaces.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the DHCPv6 packet rate threshold for triggering DHCPv6 flood attack protection.

ipv6 dhcp flood-protection threshold packet-number milliseconds

By default, the device allows a maximum of 10 DHCPv6 packets per 5000 milliseconds from each DHCPv6 client.

3.     (Optional.) Set the aging time of DHCPv6 flood attack protection entries.

ipv6 dhcp flood-protection aging-time time

The default setting is 300 seconds.

4.     Enable DHCPv6 flood attack protection globally.

ipv6 dhcp flood-protection global enable

By default, DHCPv6 flood attack protection is disabled globally.

5.     Enable DHCPv6 flood attack protection only on one interface.

a.     Disable DHCPv6 flood attack protection globally.

undo ipv6 dhcp flood-protection global enable

By default, DHCPv6 flood attack protection is disabled globally.

b.     Enter interface view.

interface interface-type interface-number

c.     Enable DHCPv6 flood attack protection on the interface.

ipv6 dhcp flood-protection enable

By default, DHCPv6 flood attack protection is disabled on interfaces.
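The check and restrain states described in this task can be modelled in Python to see how a threshold and aging time behave before they are deployed; this is an added example, not the device's implementation. It assumes a fixed detection window that restarts when it elapses, and it measures the drop rate as the number of packets discarded in the last detection window before the aging time is reached; the MAC addresses and timestamps are constructed.

```python
from dataclasses import dataclass

CHECK, RESTRAIN = "check", "restrain"


@dataclass
class Entry:
    state: str = CHECK
    window_start: int = 0   # ms: start of the current detection duration
    count: int = 0          # packets counted in the current detection duration
    deadline: int = 0       # ms: when the aging time of a restrain entry is reached
    late_drops: int = 0     # packets discarded in the last window before the deadline


class FloodProtection:
    """Per-MAC check/restrain tracking, using the defaults stated in this task."""

    def __init__(self, threshold=10, window_ms=5000, aging_s=300):
        self.threshold = threshold
        self.window_ms = window_ms
        self.aging_ms = aging_s * 1000
        self.entries = {}

    def _age(self, mac, now):
        """Apply every aging deadline that has passed for this MAC."""
        entry = self.entries.get(mac)
        while entry and entry.state == RESTRAIN and now >= entry.deadline:
            if entry.late_drops < self.threshold:
                del self.entries[mac]             # drop rate is low: delete the entry
                entry = None
            else:
                entry.deadline += self.aging_ms   # still flooding: reset the aging time
                entry.late_drops = 0

    def receive(self, mac, now):
        """Return "forward" or "drop" for one DHCPv6 packet seen at `now` (ms)."""
        self._age(mac, now)
        entry = self.entries.get(mac)
        if entry is None:
            entry = self.entries[mac] = Entry(window_start=now)
        if entry.state == RESTRAIN:
            if now >= entry.deadline - self.window_ms:
                entry.late_drops += 1
            return "drop"
        if now - entry.window_start >= self.window_ms:
            entry.window_start, entry.count = now, 0   # new detection duration
        entry.count += 1
        if entry.count >= self.threshold:
            # The packet that reaches the limit is still forwarded; later ones are not.
            entry.state = RESTRAIN
            entry.deadline = now + self.aging_ms
        return "forward"

    def state(self, mac):
        """Return "check", "restrain", or None if no entry exists."""
        entry = self.entries.get(mac)
        return entry.state if entry else None


def replay(guard, mac, timestamps):
    """Feed constructed packet timestamps (ms) for one MAC; return the verdicts."""
    return [guard.receive(mac, t) for t in timestamps]


# Constructed clients: one sends a packet every 100 ms, one sends four packets.
FLOODER = "02-00-00-00-00-aa"
NORMAL = "02-00-00-00-00-bb"

if __name__ == "__main__":
    guard = FloodProtection()
    verdicts = replay(guard, FLOODER, range(0, 310_000, 100))
    print("forwarded:", verdicts.count("forward"), "dropped:", verdicts.count("drop"))
    print("state after flood:", guard.state(FLOODER))
    print("first packet after quiet period:", guard.receive(FLOODER, 700_000))
    print("normal client:", replay(guard, NORMAL, [0, 1000, 2000, 3000]))
```

A client that keeps sending while restrained keeps its entry alive indefinitely, so the aging time bounds only how quickly a client that stops flooding gets service back.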

Configuring interface-based DHCPv6 attack suppression

About this task

DHCPv6 attack suppression protects an interface from DHCPv6 attacks by limiting the rate of incoming DHCPv6 packets after the specified threshold is crossed.

When an interface protected with DHCPv6 attack suppression receives a DHCPv6 packet, the DHCPv6 relay agent creates a DHCPv6 attack suppression entry in check state for the interface. If the incoming DHCPv6 packet rate on the interface reaches the threshold, a DHCPv6 attack occurs on the interface. The suppression entry changes to the restrain state. To protect the CPU against DHCPv6 attack packets, the device limits the incoming DHCPv6 packet rate on the interface before the aging time of the suppression entry is reached.

When the aging time of the DHCPv6 attack suppression entry on an interface is reached, the device examines the incoming DHCPv6 packet rate on the interface.

·     If the incoming packet rate is identical to or below the suppression threshold, the device deletes the entry. When a new DHCPv6 packet arrives on that interface, the device creates a new attack suppression entry and starts to count the number of incoming DHCPv6 packets on that interface again.

·     If the incoming packet rate is above the suppression threshold, the device resets the aging timer.

Restrictions and guidelines

You can enable DHCPv6 attack suppression globally or on a per-interface basis.

·     To enable DHCPv6 attack suppression on all interfaces, enable it globally.

·     DHCPv6 attack suppression takes effect on an interface as long as it is enabled globally or on the interface. To suppress DHCPv6 attacks only on some of the interfaces, you must disable DHCPv6 attack suppression globally, and then enable the feature on the target interfaces.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the DHCPv6 packet rate threshold for triggering interface-based DHCPv6 attack suppression.

ipv6 dhcp interface-rate-suppression threshold packet-number milliseconds

By default, the device can receive a maximum of 3000 DHCPv6 packets per 5000 milliseconds on an interface.

3.     (Optional.) Set the aging time of interface-based DHCPv6 attack suppression entries.

ipv6 dhcp interface-rate-suppression aging-time time

The default setting is 300 seconds.

4.     Enable DHCPv6 attack suppression.

¡     To enable DHCPv6 attack suppression on all interfaces:

ipv6 dhcp interface-rate-suppression global enable

By default, global DHCPv6 attack suppression is disabled.

¡     To enable DHCPv6 attack suppression only on some of the interfaces:

i     Disable global DHCPv6 attack suppression if it has been enabled.

undo ipv6 dhcp interface-rate-suppression global enable

ii     Enter interface view.

interface interface-type interface-number

iii     Enable DHCPv6 attack suppression on the interface.

ipv6 dhcp interface-rate-suppression enable

By default, DHCPv6 attack suppression is disabled on interfaces.

Specifying a DHCPv6 request processing method for roaming DHCPv6 clients

About this task

When a DHCPv6 client (for example, a wireless client) roams in a network, the client sends an offline request to the DHCP relay agent before requesting a new address or prefix. If the DHCP relay agent does not receive the offline request, it will discard the DHCP client's address or prefix request because it determines that the request is an attack packet.

This feature allows the DHCP relay agent to process address or prefix requests as follows upon receiving them from roaming DHCP clients:

·     The fast-renew method enables the relay agent to inform the DHCP server to release existing address or prefix leases of roaming clients and forward the requests to the DHCP server.

·     The roam method enables the relay agent to forward the address or prefix requests to the DHCP server. The clients can use the original IP addresses or prefixes to access the network without another authentication.

Restrictions and guidelines

This feature is applicable to only IPoE networks.

The roam keyword in the ipv6 dhcp session-mismatch action { fast-renew | roam } command can take effect only after you enable roaming for IPoE individual users by using the ip subscriber roaming enable command.

For more information about IPoE roaming, see IPoE configuration in BRAS Services Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a method for the DHCPv6 relay agent to process address or prefix requests of roaming clients.

ipv6 dhcp session-mismatch action { fast-renew | roam }

By default, the DHCPv6 relay agent discards DHCPv6 address or prefix requests sent from roaming DHCPv6 clients.

Enabling the non-first-hop DHCPv6 relay agent feature

About this task

Multiple DHCPv6 relay agents might exist between a DHCPv6 client and a DHCPv6 server. By default, only the first DHCPv6 relay agent connected to the client processes the DHCPv6 requests from the client. The subsequent DHCPv6 relay agents only forward the requests. If you enable access authentication on the relay interface that acts as a non-first DHCPv6 relay agent, you must execute this command on that interface. This command enables the relay agent to deliver incoming DHCPv6 requests to the authentication module for authentication and authorization.

Restrictions and guidelines

Enable this feature only on the non-first-hop relay interface where access authentication is enabled. To have this feature take effect on the interface, you must first enable the DHCPv6 relay agent on that interface.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the non-first-hop DHCPv6 relay agent feature.

ipv6 dhcp relay non-first-hop enable

By default, the non-first-hop DHCPv6 relay agent feature is disabled.

Display and maintenance commands for DHCPv6 relay agent

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the DUID of the local device.

display ipv6 dhcp duid

Display information about DHCPv6 flood attack protection entries.

display ipv6 dhcp flood-protection slot slot-number [ mac-address mac-address [ interface interface-type interface-number ] | state { check | restrain } [ verbose ] | statistics | verbose ]

Display information about interface-based DHCPv6 attack suppression entries.

display ipv6 dhcp interface-rate-suppression slot slot-number [ interface interface-type interface-number | state { check | restrain } [ verbose ] | statistics | verbose ]

Display packet statistics for the DHCPv6 packet rate-limiting feature.

display ipv6 dhcp rate-limit slot slot-number

Display DHCPv6 relay entries that record clients' IPv6 address information.

display ipv6 dhcp relay client-information address [ interface interface-type interface-number | ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]

Display DHCPv6 relay entries that record clients' IPv6 prefix information.

display ipv6 dhcp relay client-information pd [ interface interface-type interface-number | prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ]

Display the DHCPv6 server configuration and status in the DHCPv6 address pool on the DHCPv6 relay agent.

display ipv6 dhcp relay remote-server-info [ vpn-instance vpn-name ] [ slot slot-number ]

Display DHCPv6 server addresses specified on the DHCPv6 relay agent.

display ipv6 dhcp relay server-address [ interface interface-type interface-number ]

Display packet statistics on the DHCPv6 relay agent.

display ipv6 dhcp relay packet statistics [ interface interface-type interface-number ]

Delete DHCPv6 flood attack protection entries.

reset ipv6 dhcp flood-protection slot slot-number [ mac-address mac-address [ interface interface-type interface-number ] ] [ packet-statistics ]

Delete interface-based DHCPv6 attack suppression entries.

reset ipv6 dhcp interface-rate-suppression slot slot-number [ interface interface-type interface-number ] [ packet-statistics ]

Clear packet statistics for the DHCPv6 packet rate-limiting feature.

reset ipv6 dhcp rate-limit slot slot-number

Clear DHCPv6 relay entries that record clients' IPv6 address information.

reset ipv6 dhcp relay client-information address [ interface interface-type interface-number | ipv6 ipv6-address ] [ vpn-instance vpn-instance-name ]

Clear DHCPv6 relay entries that record clients' IPv6 prefix information.

reset ipv6 dhcp relay client-information pd [ interface interface-type interface-number | prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ]

Clear packet statistics on the DHCPv6 relay agent.

reset ipv6 dhcp relay packet statistics [ interface interface-type interface-number ]

DHCPv6 relay agent configuration examples

Example: Configuring DHCPv6 relay agent

Network configuration

As shown in Figure 16, configure the DHCPv6 relay agent on Router A to relay DHCPv6 packets between DHCPv6 clients and the DHCPv6 server.

Router A acts as the gateway of network 1::/64. It sends RA messages to notify the hosts to obtain IPv6 addresses and other configuration parameters through DHCPv6. For more information about RA messages, see "Configuring basic IPv6 settings."

Figure 16 Network diagram

Procedure

# Specify IPv6 addresses for Ten-GigabitEthernet 3/0/1 and Ten-GigabitEthernet 3/0/2.

<RouterA> system-view

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ipv6 address 2::1 64

[RouterA-Ten-GigabitEthernet3/0/2] quit

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 address 1::1 64

# Disable RA message suppression on Ten-GigabitEthernet 3/0/1.

[RouterA-Ten-GigabitEthernet3/0/1] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/1. Hosts that receive the RA messages will obtain IPv6 addresses through DHCPv6.

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/1. Hosts that receive the RA messages will obtain information other than IPv6 addresses through DHCPv6.

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 nd autoconfig other-flag

# Enable the DHCPv6 relay agent on Ten-GigabitEthernet 3/0/1 and specify the DHCPv6 server on the relay agent.

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 dhcp select relay

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 dhcp relay server-address 2::2

Verifying the configuration

# Display DHCPv6 server address information on Router A.

[RouterA-Ten-GigabitEthernet3/0/1] display ipv6 dhcp relay server-address

Interface: Ten-GigabitEthernet3/0/1

 Server address                             Outgoing Interface

 2::2

# Display packet statistics on the DHCPv6 relay agent.

[RouterA-Ten-GigabitEthernet3/0/1] display ipv6 dhcp relay packet statistics

Packets dropped               :  0

Packets received              :  14

    Solicit                   :  0

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  7

    Relay-forward             :  0

    Relay-reply               :  7

Packets sent                  :  14

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  7

    Relay-forward             :  7

    Relay-reply               :  0

 


Configuring the DHCPv6 client

About the DHCPv6 client

With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server.

A DHCPv6 client can use DHCPv6 to complete the following functions:

·     Obtain an IPv6 address, an IPv6 prefix, or both, and obtain other configuration parameters. If DHCPv6 server is enabled on the device, the client can automatically save the obtained parameters to a DHCPv6 option group. With the obtained IPv6 prefix, the client can generate its global unicast address.

·     Use stateless DHCPv6 to obtain configuration parameters other than IPv6 addresses and IPv6 prefixes. The client obtains an IPv6 address through stateless IPv6 address autoconfiguration. If the client receives an RA message with the M flag set to 0 and the O flag set to 1 during address acquisition, stateless DHCPv6 starts.

Restrictions and guidelines: DHCPv6 client configuration

Do not configure the DHCPv6 client on the same interface as the DHCPv6 server or the DHCPv6 relay agent.

DHCPv6 client tasks at a glance

To configure a DHCPv6 client, perform the following tasks:

1.     (Optional.) Configuring the DHCPv6 client DUID

2.     Configuring the DHCPv6 client to obtain IPv6 addresses, IPv6 prefixes and other network parameters

Choose the following tasks as needed:

¡     Configuring IPv6 address acquisition

¡     Configuring IPv6 prefix acquisition

¡     Configuring IPv6 address and prefix acquisition

¡     Configuring acquisition of configuration parameters except IP addresses and prefixes

3.     (Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client

Configuring the DHCPv6 client DUID

About this task

The DUID of a DHCPv6 client is the globally unique identifier of the client. The client places its DUID in Option 1 of the DHCPv6 packets that it sends to the DHCPv6 server. The DHCPv6 server can assign specific IPv6 addresses or prefixes to DHCPv6 clients with specific DUIDs.

Restrictions and guidelines

Make sure the DUID that you configure is unique.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the DHCPv6 client DUID.

ipv6 dhcp client duid { ascii ascii-string | hex hex-string | mac interface-type interface-number }

By default, the interface uses the device bridge MAC address to generate its DHCPv6 client DUID.
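The following Python sketch is an added example, not H3C code. It decodes DUIDs in the hex form that display ipv6 dhcp client prints and flags DUIDs shared by more than one device, which is the uniqueness requirement stated above. The two DUIDs are the ones in this guide's sample output; the type layouts follow RFC 8415 and RFC 6355, and the device names in the inventory are hypothetical.

```python
import struct
from collections import defaultdict

# DUID type codes: 1-3 from RFC 8415, 4 from RFC 6355.
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4


def format_link_layer(raw: bytes) -> str:
    """Render a link-layer address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_duid(hex_string: str) -> dict:
    """Decode a DUID written as hex digits, as the display output prints it."""
    raw = bytes.fromhex(hex_string.strip())
    # A DUID is a 2-byte type code followed by 1 to 128 bytes of data.
    if not 3 <= len(raw) <= 130:
        raise ValueError(f"DUID length {len(raw)} is out of range")
    (duid_type,) = struct.unpack_from("!H", raw, 0)
    body = raw[2:]
    if duid_type == DUID_LLT:
        if len(body) <= 6:
            raise ValueError("DUID-LLT is missing its link-layer address")
        hw_type, seconds = struct.unpack_from("!HI", body, 0)
        return {"type": "DUID-LLT", "hw_type": hw_type,
                "time": seconds,  # seconds since 2000-01-01 UTC, mod 2**32
                "link_layer": format_link_layer(body[6:])}
    if duid_type == DUID_EN:
        if len(body) <= 4:
            raise ValueError("DUID-EN is missing its identifier")
        (enterprise,) = struct.unpack_from("!I", body, 0)
        return {"type": "DUID-EN", "enterprise": enterprise,
                "identifier": body[4:].hex()}
    if duid_type == DUID_LL:
        if len(body) <= 2:
            raise ValueError("DUID-LL is missing its link-layer address")
        (hw_type,) = struct.unpack_from("!H", body, 0)  # 1 = Ethernet
        return {"type": "DUID-LL", "hw_type": hw_type,
                "link_layer": format_link_layer(body[2:])}
    if duid_type == DUID_UUID:
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"type": "DUID-UUID", "uuid": body.hex()}
    # Unknown types are legal on the wire; report them without guessing.
    return {"type": f"unknown({duid_type})", "data": body.hex()}


def find_duplicate_duids(inventory: dict) -> dict:
    """Map each DUID used by more than one device to the devices using it."""
    seen = defaultdict(list)
    for device, duid_hex in inventory.items():
        # Compare decoded bytes so that upper/lower-case hex is treated alike.
        seen[bytes.fromhex(duid_hex.strip())].append(device)
    return {duid.hex(): sorted(devs) for duid, devs in seen.items() if len(devs) > 1}


# DUIDs copied from this guide's sample "display ipv6 dhcp client" output.
CLIENT_DUID = "00030001d07e28db74fb"
SERVER_DUID = "00030001000fe20a0a00"

# Constructed inventory: device names are hypothetical; edge-2 reuses edge-1's DUID.
INVENTORY = {"edge-1": CLIENT_DUID, "edge-2": "00030001D07E28DB74FB", "core-1": SERVER_DUID}

if __name__ == "__main__":
    print(parse_duid(CLIENT_DUID))
    print(find_duplicate_duids(INVENTORY))
```

Both sample DUIDs decode as DUID-LL with hardware type 1, so each embeds a MAC address in its last six bytes, consistent with the default of deriving the DUID from the bridge MAC address.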

Configuring IPv6 address acquisition

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the interface to use DHCPv6 to obtain an IPv6 address and other configuration parameters.

ipv6 address dhcp-alloc [ option-group group-number | rapid-commit ] *

By default, the interface does not use DHCPv6 for IPv6 address acquisition.

Configuring IPv6 prefix acquisition

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the interface to use DHCPv6 to obtain an IPv6 prefix and other configuration parameters.

ipv6 dhcp client pd prefix-number [ option-group group-number | rapid-commit ] *

By default, the interface does not use DHCPv6 for IPv6 prefix acquisition.

Configuring IPv6 address and prefix acquisition

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the interface to use DHCPv6 to obtain an IPv6 address, an IPv6 prefix, and other configuration parameters.

ipv6 dhcp client stateful prefix prefix-number [ option-group option-group-number | rapid-commit ] *

By default, the interface does not use DHCPv6 for IPv6 address and prefix acquisition.

Configuring acquisition of configuration parameters except IP addresses and prefixes

About this task

When a DHCPv6 client has obtained an IPv6 address and prefix, you can configure the following methods for the client to obtain other network configuration parameters:

·     Execute the ipv6 address auto command to enable an interface to automatically generate an IPv6 global unicast address and a link-local address. Then stateless DHCPv6 will be triggered when the M flag is set to 0 and the O flag is set to 1 in a received RA message. For more information about the commands, see Layer 3—IP services Command Reference.

·     Execute the ipv6 dhcp client stateless enable command on an interface to enable the interface to act as a DHCPv6 client and obtain configuration parameters from a DHCPv6 server.

If you execute both the ipv6 address auto and ipv6 dhcp client stateless enable commands, the interface acts as follows:

·     Generate a global unicast address and a link-local address.

·     Obtain other configuration parameters from a DHCPv6 server.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the interface to support stateless DHCPv6. Choose the options to configure as needed:

¡     Enable stateless IPv6 address autoconfiguration:

ipv6 address auto

¡     Configure the client to obtain network parameters from DHCPv6 servers:

ipv6 dhcp client stateless enable

By default, the interface does not support stateless DHCPv6.

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client

About this task

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DHCPv6 packets sent by the DHCPv6 client.

ipv6 dhcp client dscp dscp-value

By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 client is 56.

Display and maintenance commands for DHCPv6 client

Execute the display commands in any view, and execute the reset command in user view.

Task

Command

Display the DHCPv6 client information.

display ipv6 dhcp client [ interface interface-type interface-number ]

Display the DHCPv6 client statistics.

display ipv6 dhcp client statistics [ interface interface-type interface-number ]

Clear the DHCPv6 client statistics.

reset ipv6 dhcp client statistics [ interface interface-type interface-number ]

DHCPv6 client configuration examples

Example: Configuring IPv6 address acquisition

Network configuration

As shown in Figure 17, configure the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

Figure 17 Network diagram

Prerequisites

Configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server" in BRAS Services Configuration Guide.

Procedure

# Configure Ten-GigabitEthernet 3/0/1 as a DHCPv6 client for IPv6 address acquisition. Configure the DHCPv6 client to support DHCPv6 rapid address assignment. Configure the DHCPv6 client to create a dynamic DHCPv6 option group for saving configuration parameters.

<Router> system-view

[Router] interface ten-gigabitethernet 3/0/1

[Router-Ten-GigabitEthernet3/0/1] ipv6 address dhcp-alloc rapid-commit option-group 1

[Router-Ten-GigabitEthernet3/0/1] quit

Verifying the configuration

# Verify that the DHCPv6 client has obtained configuration parameters from the server.

[Router] display ipv6 dhcp client

Ten-GigabitEthernet3/0/1:

  Type: Stateful client requesting address

    State: OPEN

    Client DUID: 00030001d07e28db74fb

    Preferred server:

      Reachable via address: FE80::2E0:1FF:FE00:19

      Server DUID: 00030001000fe20a0a00

    IA_NA: IAID 0x00000a02, T1 50 sec, T2 80 sec

      Address: 1:2::2/128

       Preferred lifetime 100 sec, valid lifetime 200 sec

       Will expire on Mar 27 2014 at 15:35:55 (196 seconds left)

    DNS server addresses:

      2000::FF

    Domain name:

      example.com

    SIP server addresses:

      2:2::4

    SIP server domain names:

      bbb.example.com

# After DHCPv6 server is enabled on the device, verify that configuration parameters are saved in a dynamic DHCPv6 option group.

[Router-Ten-GigabitEthernet3/0/1] display ipv6 dhcp option-group 1

DHCPv6 option group: 1

  DNS server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Ten-GigabitEthernet3/0/1

    2000::FF

  Domain name:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Ten-GigabitEthernet3/0/1

    example.com

  SIP server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Ten-GigabitEthernet3/0/1

    2:2::4

  SIP server domain names:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Ten-GigabitEthernet3/0/1

    bbb.example.com

# Verify that the DHCPv6 client has obtained an IPv6 address.

[Router] display ipv6 interface brief

*down: administratively down

(s): spoofing

Interface                                Physical   Protocol   IPv6 Address

Ten-GigabitEthernet3/0/1                 up         up         1:1::2

Example: Configuring IPv6 prefix acquisition

Network configuration

As shown in Figure 18, configure the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

Figure 18 Network diagram

Prerequisites

Configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

Procedure

# Configure an IPv6 address for Ten-GigabitEthernet 3/0/1 that is connected to the DHCPv6 server.

<Router> system-view

[Router] interface ten-gigabitethernet 3/0/1

[Router-Ten-GigabitEthernet3/0/1] ipv6 address 1::2/48

# Configure Ten-GigabitEthernet 3/0/1 as a DHCPv6 client for IPv6 prefix acquisition. Configure the DHCPv6 client to support DHCPv6 rapid prefix assignment. Configure the DHCPv6 client to assign an ID to the obtained IPv6 prefix and create a dynamic DHCPv6 option group for saving configuration parameters.

[Router-Ten-GigabitEthernet3/0/1] ipv6 dhcp client pd 1 rapid-commit option-group 1

[Router-Ten-GigabitEthernet3/0/1] quit

Verifying the configuration

# Verify that the DHCPv6 client has obtained an IPv6 prefix and other configuration parameters from the DHCPv6 server.

[Router] display ipv6 dhcp client

Ten-GigabitEthernet3/0/1:

  Type: Stateful client requesting prefix

    State: OPEN

    Client DUID: 00030001d07e28db74fb

    Preferred server:

      Reachable via address: FE80::2E0:1FF:FE00:19

      Server DUID: 0003000100e001000000

    IA_PD: IAID 0x00000a02, T1 50 sec, T2 80 sec

      Prefix: 12:34::/48

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Feb 4 2014 at 15:37:20(80 seconds left)

    DNS server addresses:

      2000::FF

    Domain name:

      example.com

    SIP server addresses:

      2:2::4

    SIP server domain names:

      bbb.example.com

# Verify that the client has obtained an IPv6 prefix.

[Router] display ipv6 prefix 1

Number: 1

Type  : Dynamic

Prefix: 12:34::/48

Preferred lifetime 100 sec, valid lifetime 200 sec

# After DHCPv6 server is enabled on the device, verify that configuration parameters are saved in a dynamic DHCPv6 option group.

[Router] display ipv6 dhcp option-group 1

DHCPv6 option group: 1

  DNS server addresses

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    2000::FF

  Domain name:

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    example.com

  SIP server addresses:

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    2:2::4

  SIP server domain names:

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    bbb.example.com

Example: Configuring IPv6 address and prefix acquisition

Network configuration

As shown in Figure 19, configure the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

Figure 19 Network diagram

Prerequisites

Configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

Procedure

# Configure an IPv6 address for Ten-GigabitEthernet 3/0/1 that is connected to the DHCPv6 server.

<Router> system-view

[Router] interface ten-gigabitethernet 3/0/1

[Router-Ten-GigabitEthernet3/0/1] ipv6 address 1::2/48

# Configure Ten-GigabitEthernet 3/0/1 as a DHCPv6 client for IPv6 address and prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid address and prefix assignment.

[Router-Ten-GigabitEthernet3/0/1] ipv6 dhcp client stateful prefix 1 rapid-commit option-group 1

[Router-Ten-GigabitEthernet3/0/1] quit

Verifying the configuration

# Display DHCPv6 client information. The output shows that the DHCPv6 client has obtained an IPv6 address, an IPv6 prefix, and other configuration parameters from the DHCPv6 server.

[Router] display ipv6 dhcp client

Ten-GigabitEthernet3/0/1:

  Type: Stateful client requesting address and prefix

    State: OPEN

    Client DUID: 00030001d07e28db74fb

    Preferred server:

      Reachable via address: FE80::2E0:1FF:FE00:19

      Server DUID: 0003000100e001000000

    IA_NA: IAID 0x00000a02, T1 50 sec, T2 80 sec

      Address: 1:1::2/128

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Mar 27 2014 at 15:29:34 (198 seconds left)

    IA_PD: IAID 0x00000a02, T1 50 sec, T2 80 sec

      Prefix: 12:34::/48

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Mar 27 2014 at 15:29:34 (198 seconds left)

    DNS server addresses:

      2000::FF

    Domain name:

      example.com

    SIP server addresses:

      2:2::4

    SIP server domain names:

      bbb.example.com

# Display brief IPv6 information for all interfaces on the device. The output shows that the DHCPv6 client has obtained an IPv6 address.

[Router] display ipv6 interface brief

*down: administratively down

(s): spoofing

Interface                                Physical   Protocol   IPv6 Address

Ten-GigabitEthernet3/0/1                 up         up         1:1::2

# Display information about the dynamic IPv6 prefix. The output shows that the client has obtained an IPv6 prefix.

[Router] display ipv6 prefix 1

Number: 1

Type  : Dynamic

Prefix: 12:34::/48

Preferred lifetime 100 sec, valid lifetime 200 sec

# After DHCPv6 server is enabled on the device, display information about the dynamic DHCPv6 option group. The output shows that a dynamic DHCPv6 option group exists for saving configuration parameters.

[Router] display ipv6 dhcp option-group 1

DHCPv6 option group: 1

  DNS server addresses:

    Type: Dynamic (DHCPv6 address and prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    2000::FF

  Domain name:

    Type: Dynamic (DHCPv6 address and prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    example.com

  SIP server addresses:

    Type: Dynamic (DHCPv6 address and prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    2:2::4

  SIP server domain names:

    Type: Dynamic (DHCPv6 address and prefix allocation)

    Interface: Ten-GigabitEthernet3/0/1

    bbb.example.com

Example: Configuring stateless DHCPv6

Network configuration

As shown in Figure 20, configure Router A to use stateless DHCPv6 to obtain configuration parameters except IPv6 address and IPv6 prefix. Router B acts as the gateway and advertises RA messages periodically.

Figure 20 Network diagram

Prerequisites

Configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

Procedure

1.     Configure the gateway Router B:

# Configure an IPv6 address for Ten-GigabitEthernet 3/0/1.

<RouterB> system-view

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ipv6 address 1::1 64

# Set the O flag to 1 in RA advertisements to be sent on Ten-GigabitEthernet 3/0/1. Hosts that receive the RA advertisements will obtain information other than IPv6 addresses through DHCPv6.

[RouterB-Ten-GigabitEthernet3/0/1] ipv6 nd autoconfig other-flag

# Disable RA message suppression on Ten-GigabitEthernet 3/0/1.

[RouterB-Ten-GigabitEthernet3/0/1] undo ipv6 nd ra halt

2.     Configure the DHCPv6 client on Router A:

# Enable stateless IPv6 address autoconfiguration on Ten-GigabitEthernet 3/0/1.

<RouterA> system-view

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 address auto

With stateless IPv6 address autoconfiguration enabled, but no IPv6 address configured for Ten-GigabitEthernet 3/0/1, Router A generates a link-local address. It sends an RS message to Router B to request configuration information for IPv6 address generation. Upon receiving the RS message, Router B sends back an RA message. After receiving an RA message with the M flag set to 0 and the O flag set to 1, Router A performs stateless DHCPv6 to get other configuration parameters.

Verifying the configuration

# Display the DHCPv6 client information.

[RouterA-Ten-GigabitEthernet3/0/1] display ipv6 dhcp client interface ten-gigabitethernet 3/0/1

Ten-GigabitEthernet3/0/1:

  Type: Stateless client

    State: OPEN

    Client DUID: 00030001000fe2ff0000

    Preferred server:

      Reachable via address: FE80::213:7FFF:FEF6:C818

      Server DUID: 0003000100137ff6c818

    DNS server addresses:

      1:2:4::5

      1:2:4::7

    Domain name:

      abc.example.com

# Display the DHCPv6 client statistics.

[RouterA-Ten-GigabitEthernet3/0/1] display ipv6 dhcp client statistics

Interface                     :  Ten-GigabitEthernet3/0/1

Packets received              :  1

        Reply                 :  1

        Advertise             :  0

        Reconfigure           :  0

        Invalid               :  0

Packets sent                  :  5

        Solicit               :  0

        Request               :  0

        Renew                 :  0

        Rebind                :  0

        Information-request   :  5

        Release               :  0

        Decline               :  0


Configuring DHCPv6 snooping

About DHCPv6 snooping

DHCPv6 snooping guarantees that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers. It also records IP-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping entries) for security purposes.

DHCPv6 snooping defines trusted and untrusted ports to make sure that clients obtain IPv6 addresses only from authorized DHCPv6 servers.

·     Trusted—A trusted port can forward DHCPv6 messages correctly to make sure the clients get IPv6 addresses from authorized DHCPv6 servers.

·     Untrusted—An untrusted port discards received messages sent by DHCPv6 servers to prevent unauthorized servers from assigning IPv6 addresses.

DHCPv6 snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCPv6 snooping entries. A DHCPv6 snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCPv6 client, and the VLAN. You can use the display ipv6 dhcp snooping binding command to display the IP addresses of users for management.

Application of trusted and untrusted ports

Configure ports facing the DHCPv6 server as trusted ports, and configure other ports as untrusted ports.

As shown in Figure 21, configure the DHCPv6 snooping device's port that is connected to the DHCPv6 server as a trusted port. The trusted port forwards response messages from the DHCPv6 server to the client. The untrusted port connected to the unauthorized DHCPv6 server discards incoming DHCPv6 response messages.

Figure 21 Trusted and untrusted ports
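The trusted/untrusted rule and the entry creation described above, modeled in Python as an added example (not H3C code). Message-type and option codes follow RFC 8415; the port names, the rogue server's MAC address, the transaction ID, and the pairing of a Reply with a pending client request by transaction ID are assumptions of this simplified model.

```python
import ipaddress
import struct
from dataclasses import dataclass

# DHCPv6 message types and option codes from RFC 8415.
SOLICIT, ADVERTISE, REQUEST, REPLY, RECONFIGURE, RELAY_REPLY = 1, 2, 3, 7, 10, 13
SERVER_ORIGINATED = {ADVERTISE, REPLY, RECONFIGURE, RELAY_REPLY}
OPT_IA_NA, OPT_IAADDR = 3, 5


@dataclass(frozen=True)
class Binding:
    mac: str
    ipv6: str
    port: str
    vlan: int


def iter_options(buf: bytes):
    """Yield (code, value) for each option TLV; raise on a truncated option."""
    offset = 0
    while offset < len(buf):
        if offset + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        if offset + length > len(buf):
            raise ValueError("truncated option value")
        yield code, buf[offset:offset + length]
        offset += length


def leased_addresses(payload: bytes) -> list:
    """Return the IA_NA addresses carried in a client/server message."""
    found = []
    for code, value in iter_options(payload[4:]):  # skip type and 3-byte transaction ID
        if code != OPT_IA_NA:
            continue
        if len(value) < 12:
            raise ValueError("IA_NA shorter than IAID + T1 + T2")
        for sub_code, sub_value in iter_options(value[12:]):  # skip IAID, T1, T2
            if sub_code == OPT_IAADDR and len(sub_value) >= 24:
                found.append(str(ipaddress.IPv6Address(sub_value[:16])))
    return found


class SnoopingDevice:
    """Simplified model: trust filtering plus entry creation from Reply messages."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # transaction ID -> (client MAC, port, VLAN)
        self.bindings = []

    def receive(self, port: str, vlan: int, src_mac: str, payload: bytes) -> str:
        if len(payload) < 4:
            return "drop-malformed"
        msg_type, xid = payload[0], payload[1:4]
        if msg_type in SERVER_ORIGINATED:
            if port not in self.trusted:
                return "drop-untrusted"        # server message on an untrusted port
            if msg_type == REPLY and xid in self.pending:
                try:
                    addresses = leased_addresses(payload)
                except ValueError:
                    return "drop-malformed"
                mac, client_port, client_vlan = self.pending.pop(xid)
                self.bindings += [Binding(mac, a, client_port, client_vlan) for a in addresses]
            return "forward"
        if msg_type in (SOLICIT, REQUEST):     # Solicit covers rapid assignment
            self.pending[xid] = (src_mac, port, vlan)
        return "forward"


def build_message(msg_type: int, xid: bytes, address: str = None) -> bytes:
    """Build a minimal constructed message; timers and lifetimes mirror the guide's sample lease."""
    message = bytes([msg_type]) + xid
    if address:
        iaaddr = ipaddress.IPv6Address(address).packed + struct.pack("!II", 100, 200)
        ia_na = struct.pack("!III", 0x00000A02, 50, 80)
        ia_na += struct.pack("!HH", OPT_IAADDR, len(iaaddr)) + iaaddr
        message += struct.pack("!HH", OPT_IA_NA, len(ia_na)) + ia_na
    return message


def run_scenario():
    """Constructed scenario: one client, one rogue server, one authorized server."""
    device = SnoopingDevice(trusted_ports={"port-to-server"})
    xid = b"\x00\x00\x01"
    verdicts = [
        device.receive("port-to-client", 10, "d0:7e:28:db:74:fb", build_message(REQUEST, xid)),
        device.receive("port-to-rogue", 10, "02:00:00:00:00:99", build_message(REPLY, xid, "1:2::99")),
        device.receive("port-to-server", 10, "00:0f:e2:0a:0a:00", build_message(REPLY, xid, "1:2::2")),
    ]
    return verdicts, device.bindings


if __name__ == "__main__":
    print(run_scenario())
```

The rogue Reply is discarded before it can create an entry, so the only binding recorded is the one learned from the trusted port.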

Restrictions and guidelines: DHCPv6 snooping configuration

DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent.

DHCPv6 snooping does not work between the DHCPv6 server and DHCPv6 relay agent.

DHCPv6 snooping tasks at a glance

To configure DHCPv6 snooping, perform the following tasks:

1.     Configuring basic DHCPv6 snooping

2.     (Optional.) Configuring DHCP snooping support for Option 18

3.     (Optional.) Configuring DHCP snooping support for Option 37

4.     (Optional.) Configuring DHCPv6 snooping entry auto backup

5.     (Optional.) Setting the maximum number of DHCPv6 snooping entries

6.     (Optional.) Enabling DHCPv6-REQUEST check

7.     (Optional.) Configuring a DHCPv6 packet blocking port

8.     (Optional.) Enabling DHCPv6 snooping logging

Configuring basic DHCPv6 snooping

Restrictions and guidelines

·     To make sure DHCPv6 clients can obtain valid IPv6 addresses, specify the ports connected to authorized DHCPv6 servers as trusted ports. The trusted ports and the ports connected to DHCPv6 clients must be in the same VLAN.

·     If you configure DHCPv6 snooping settings on a Layer 2 Ethernet interface that is a member port of a Layer 2 aggregate interface, the settings do not take effect unless the interface is removed from the aggregation group.

Procedure

1.     Enter system view.

system-view

2.     Enable DHCPv6 snooping.

ipv6 dhcp snooping enable

By default, DHCPv6 snooping is disabled.

3.     Enter interface view.

interface interface-type interface-number

This interface must connect to the DHCPv6 server.

4.     Specify the port as a trusted port.

ipv6 dhcp snooping trust

By default, all ports are untrusted ports after DHCPv6 snooping is enabled.

5.     (Optional.) Enable recording of client information in DHCPv6 snooping entries.

a.     Return to system view.

quit

b.     Enter interface view.

interface interface-type interface-number

This interface must connect to the DHCPv6 client.

c.     Enable recording of client information in DHCPv6 snooping entries.

ipv6 dhcp snooping binding record

By default, DHCPv6 snooping does not record client information.

Configuring DHCP snooping support for Option 18

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCP snooping support for Option 18.

ipv6 dhcp snooping option interface-id enable

By default, DHCP snooping support for Option 18 is disabled.

4.     (Optional.) Specify the content as the interface ID.

ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string interface-id

By default, the DHCPv6 snooping device uses its DUID as the content for Option 18.

Configuring DHCP snooping support for Option 37

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCP snooping support for Option 37.

ipv6 dhcp snooping option remote-id enable

By default, DHCP snooping support for Option 37 is disabled.

4.     (Optional.) Specify the content as the remote ID.

ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id

By default, the DHCPv6 snooping device uses its DUID as the content for Option 37.

Configuring DHCPv6 snooping entry auto backup

About this task

DHCPv6 snooping entries on the DHCPv6 snooping device cannot survive a reboot. The auto backup feature saves the entries to a backup file and allows the device to download them from the backup file at reboot. Auto backup helps security features that must use DHCPv6 snooping entries for user authentication (such as IP source guard) continue to provide services.

Restrictions and guidelines

·     If you disable DHCPv6 snooping with the undo ipv6 dhcp snooping enable command, the device deletes all DHCPv6 snooping entries, including those stored in the backup file.

·     If you execute the ipv6 dhcp snooping binding database filename command, the DHCPv6 snooping device backs up DHCPv6 snooping entries immediately and runs auto backup. This command automatically creates the file if you specify a non-existent file.

·     The waiting period starts when a DHCPv6 snooping entry is learned, updated, or removed. The DHCPv6 snooping device updates the backup file when the specified waiting period is reached. All changed entries during the period will be saved to the backup file. If no DHCPv6 snooping entry changes, the backup file is not updated.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.

ipv6 dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

By default, the DHCPv6 snooping device does not back up the DHCPv6 snooping entries.

3.     (Optional.) Manually save DHCPv6 snooping entries to the backup file.

ipv6 dhcp snooping binding database update now

4.     (Optional.) Set the waiting time after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file.

ipv6 dhcp snooping binding database update interval interval

By default, the DHCPv6 snooping device waits 300 seconds to update the backup file after a DHCPv6 snooping entry change. If no DHCPv6 snooping entry changes, the backup file is not updated.

Setting the maximum number of DHCPv6 snooping entries

About this task

Perform this task to prevent the system resources from being overused.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the maximum number of DHCPv6 snooping entries for the interface to learn.

ipv6 dhcp snooping max-learning-num max-number

By default, the number of DHCPv6 snooping entries for an interface to learn is not limited.

Enabling DHCPv6-REQUEST check

About this task

Perform this task to use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages prevent the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses.

The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.

·     If any criterion in an entry is matched, the device compares the entry with the message information.

      ○     If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.

      ○     If they are different, the device considers the message forged and discards it.

·     If no matching entry is found, the device forwards the message to the DHCPv6 server.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCPv6-REQUEST check.

ipv6 dhcp snooping check request-message

By default, DHCPv6-REQUEST check is disabled.
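The decision rules of the DHCPv6-REQUEST check described above, modelled in Python as an added example (not H3C code, and not taken from this guide). The `Binding` fields, the use of the address and the MAC as the matching criteria, and all sample values are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# Message types the page says the check applies to.
CHECKED_TYPES = {"RENEW", "DECLINE", "RELEASE"}

class Binding(NamedTuple):
    """One snooping entry, or the same fields read from a client message.
    The field set is assumed; the guide does not list the criteria."""
    ipv6: str
    mac: str
    vlan: int
    port: str

def _norm(b):
    # Canonical forms so textual variants of one address or MAC compare equal.
    return Binding(str(ipaddress.IPv6Address(b.ipv6)),
                   re.sub(r"[^0-9a-f]", "", b.mac.lower()), b.vlan, b.port)

def check_request(msg_type, msg, table):
    """Return 'forward' or 'discard' for one client message."""
    if msg_type not in CHECKED_TYPES:
        return "forward"              # outside the scope of the check
    m = _norm(msg)
    # Rule 1: an entry "matches" if it shares the address or the MAC (assumed keys).
    hits = [e for e in map(_norm, table) if e.ipv6 == m.ipv6 or e.mac == m.mac]
    if not hits:
        return "forward"              # no matching entry: forwarded unchecked
    # Consistent with a matched entry -> valid; otherwise treated as forged.
    return "forward" if m in hits else "discard"

# Constructed sample entry (2001:db8::/32 is the documentation prefix).
TABLE = [Binding("2001:db8::10", "00:11:22:33:44:55", 10, "Ten-GigabitEthernet3/0/2")]

if __name__ == "__main__":
    client = Binding("2001:DB8::10", "0011-2233-4455", 10, "Ten-GigabitEthernet3/0/2")
    forged = client._replace(mac="00:aa:bb:cc:dd:ee")
    unknown = forged._replace(ipv6="2001:db8::99")
    for kind, msg in [("RENEW", client), ("RELEASE", forged), ("DECLINE", unknown)]:
        print(kind, msg.ipv6, msg.mac, "->", check_request(kind, msg, TABLE))
```

Because a message that matches no entry is forwarded unchecked, the check only protects clients whose entries the snooping device has recorded.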

Configuring a DHCPv6 packet blocking port

About this task

Perform this task to configure a port as a DHCPv6 packet blocking port. The DHCPv6 packet blocking port drops all incoming DHCPv6 requests.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the port to block DHCPv6 requests.

ipv6 dhcp snooping deny

By default, the port does not block DHCPv6 requests.

 

CAUTION:

To avoid IPv6 address and prefix acquisition failure, configure a port to block DHCPv6 packets only if no DHCPv6 clients are connected to it.

Enabling DHCPv6 snooping logging

About this task

The DHCPv6 snooping logging feature enables the DHCPv6 snooping device to generate DHCPv6 snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

As a best practice, disable this feature if the log generation affects the device performance.

Procedure

1.     Enter system view.

system-view

2.     Enable DHCPv6 snooping logging.

ipv6 dhcp snooping log enable

By default, DHCPv6 snooping logging is disabled.

Display and maintenance commands for DHCPv6 snooping

Execute display commands in any view, and reset commands in user view.

 

Task                                                         Command

Display information about trusted ports.                     display ipv6 dhcp snooping trust
Display DHCPv6 snooping entries.                             display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]
Display information about backup DHCPv6 snooping entries.    display ipv6 dhcp snooping binding database
Display DHCPv6 packet statistics for DHCPv6 snooping.        display ipv6 dhcp snooping packet statistics [ slot slot-number ]
Clear DHCPv6 snooping entries.                               reset ipv6 dhcp snooping binding { all | address ipv6-address [ vlan vlan-id ] }
Clear DHCPv6 packet statistics for DHCPv6 snooping.          reset ipv6 dhcp snooping packet statistics [ slot slot-number ]

DHCPv6 snooping configuration examples

Example: Configuring DHCPv6 snooping

Network configuration

As shown in Figure 22, Router B is connected to the authorized DHCPv6 server through Ten-GigabitEthernet 3/0/1, to the unauthorized DHCPv6 server through Ten-GigabitEthernet 3/0/3, and to the DHCPv6 client through Ten-GigabitEthernet 3/0/2.

Configure only the port connected to the authorized DHCPv6 server to forward the responses from the DHCPv6 server. Enable the DHCPv6 snooping device to record client information in DHCPv6 snooping entries.

Figure 22 Network diagram

Procedure

# Enable DHCPv6 snooping.

<RouterB> system-view

[RouterB] ipv6 dhcp snooping enable

# Specify Ten-GigabitEthernet 3/0/1 as a trusted port.

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ipv6 dhcp snooping trust

[RouterB-Ten-GigabitEthernet3/0/1] quit

# Enable the recording of DHCPv6 snooping entries on Ten-GigabitEthernet 3/0/2.

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ipv6 dhcp snooping binding record

[RouterB-Ten-GigabitEthernet3/0/2] quit

Verifying the configuration

# Verify that the DHCPv6 client obtains an IPv6 address and all other configuration parameters only from the authorized DHCPv6 server. (Details not shown.)

# Display DHCPv6 snooping entries on the DHCPv6 snooping device.

[RouterB] display ipv6 dhcp snooping binding

 
