topic Re: Firepower 1010 IPv6 DHCP on outside interface in Network Security

Firepower 1010 IPv6 DHCP on outside interface

Squared — Fri, 28 May 2021 16:09:35 GMT

Hi,

I have a Firepower 1010 with currently version 7.0.0 FTD image installed (also tried with 6.6 and 6.7), but i am unable to get IPv6 working.

My ISP provides me with IPv4 address through PPPoE, and a /48 IPv6 prefix through normal DHCP.

IPv4 is working, but i cannot find the right settings to get an IP address on my outside interface.

I tried different settings for the IPv6 interface, but it is not clear how to get an IPv6 address (and route) through DHCP.

Any tips on how to set this up?

Re: Firepower 1010 IPv6 DHCP on outside interface

Marvin Rhoads — Fri, 28 May 2021 17:04:35 GMT

New as of 7.0:

"By default, the IP address is obtained using IPv4 DHCP and IPv6 autoconfiguration, but you can set a static address during initial configuration."

Looking in the online help ("Step 5" copied below), it at first appears it only support stateless autoconfig or static IPv6 addressing. i.e., NOT IPv6 DHCP.

However, look under the Advanced tab ("Step 8") - there is an option there for IPv6 DHCP.

Step 8

Modify the IPv6 Configuration settings.

Enable DHCP for IPv6 address configuration—Whether to set the Managed Address Configuration flag in the IPv6 router advertisement packet. This flag informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain addresses, in addition to the derived stateless autoconfiguration address.
Enable DHCP for IPv6 non-address configuration—Whether to set the Other Address Configuration flag in the IPv6 router advertisement packet. This flag informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain additional information from DHCPv6, such as the DNS server address.
DAD Attempts—How often the interface performs Duplicate Address Detection (DAD), from 0 - 600. The default is 1. During the stateless autoconfiguration process, DAD verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used. The interface uses neighbor solicitation messages to perform Duplicate Address Detection. Set the value to 0 to disable duplicate address detection (DAD) processing.

Step 5

(Optional.) Click the IPv6 Address tab and configure the IPv6 address.

State—To enable IPv6 processing and to automatically configure the link-local address when you do not configure the global address, select Enabled. The link local address is generated based on the interface MAC addresses (Modified EUI-64 format).

Note

Disabling IPv6 does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address or that is enabled for autoconfiguration.
Address Auto Configuration—Select this option to have the address automatically configured. IPv6 stateless autoconfiguration will generate a global IPv6 address only if the link on which the device resides has a router configured to provide IPv6 services, including the advertisement of an IPv6 global prefix for use on the link. If IPv6 routing services are not available on the link, you will get a link-local IPv6 address only, which you cannot access outside of the device's immediate network link. The link local address is based on the Modified EUI-64 interface ID.

Although RFC 4862 specifies that hosts configured for stateless autoconfiguration do not send Router Advertisement messages, the FTD device does send Router Advertisement messages in this case. Select Suppress RA to suppress messages and conform to the RFC.

Static Address/Prefix—If you do not use stateless autoconfiguration, enter the full static global IPv6 address and network prefix. For example, 2001:0DB8::BA98:0:3210/48. For more information on IPv6 addressing, see IPv6 Addressing.

If you want to use the address as link local only, select the Link - Local option. Link local addresses are not accessible outside the local network. You cannot configure a link-local address on a bridge group interface.

Note

A link-local address should start with FE8, FE9, FEA, or FEB, for example fe80::20d:88ff:feee:6a82. Note that we recommend automatically assigning the link-local address based on the Modified EUI-64 format. For example, if other devices enforce the use of the Modified EUI-64 format, then a manually-assigned link-local address may cause packets to be dropped.

Standby IP Address—If you configure high availability, and you are monitoring this interface for HA, also configure a standby IPv6 address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
Suppress RA—Whether to suppress router advertisements. The Firepower Threat Defense device can participate in router advertisements so that neighboring devices can dynamically learn a default router address. By default, router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured interface.

Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router advertisement message.

You might want to suppress these messages on any interface for which you do not want the FTD device to supply the IPv6 prefix (for example, the outside interface).

Re: Firepower 1010 IPv6 DHCP on outside interface

Squared — Fri, 28 May 2021 17:17:50 GMT

Thanks for checking!

I tried setting those DHCP for IPv6 options, however the device doesn't seem to pick up an IPv6 address:

outside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::a2b4:39ff:fe3a:76c8
No global unicast address is configured
Joined group address(es):
ff02::1:ff00:0
ff02::2
ff02::1:ff3a:76c8
ff02::1
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use DHCP to obtain routable addresses.
Hosts use DHCP to obtain other configuration.

I can enter the /48 prefix i got from my ISP, but then i won't receive any routes, and i'm not aware of a gateway address.

(I'm a bit new to IPv6, but this would help me learn more about it)

Re: Firepower 1010 IPv6 DHCP on outside interface

johnlloyd_13 — Sun, 30 May 2021 03:03:53 GMT

hi,

try to isolate if this is an ISP issue. directly connect your laptop (or a router) to the ISP cable/handoff and see if you get an IPv6 address.

Re: Firepower 1010 IPv6 DHCP on outside interface

Squared — Mon, 31 May 2021 15:15:43 GMT

Thanks for the replies.

I pushed my laptop into the ISP-VLAN, but didn't get an IPv6 address by DHCP.

Will need to do an extra check; maybe i need my laptop to setup the IPv4 PPPoE aswel to be able to get an IPv6 address though.

I will probably check that tonight.

Re: Firepower 1010 IPv6 DHCP on outside interface

Squared — Tue, 01 Jun 2021 08:22:22 GMT

I'm a bit further with information from my ISP.

It turns out that they use IPv6 prefix delegation, so i should setup the Firepower interface to use that.
I cannot find how to set up prefix delegation, but i found a bit of asa code to set an interface to ipv6 prefix delegation:

ipv6 dhcp client pd Outside-Prefix
ipv6 dhcp client pd hint 2001:DB8:ABCD:1230::/60

However, these commands are blocked by Flexconfig 😞 (Block list CLI error)

Is there another way to configure prefix delegation on a Firepower 1010 with on the box management?

Re: Firepower 1010 IPv6 DHCP on outside interface

Squared — Wed, 02 Jun 2021 14:06:58 GMT

I opened a TAC case for this, looks like prefix delegation isn't possible without Firepower Management Center.

TAC pointed me to https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx24561, so i'll keep an eye on that.

Re: Firepower 1010 IPv6 DHCP on outside interface

Marvin Rhoads — Wed, 02 Jun 2021 15:33:17 GMT

Good to know - another thing that's not supported in FDM.

That's why the FMC 7.0 config guide is 3202 pages (vs. 856 pages for FDM). 🙂