
Cisco ASA IPV6 - SLAAC and prefix delegation

TroyNorris54526
Level 1

Hello fellow networkers!

So I've been given a small project of implementing IPv6 on a customer firewall.

I must admit, IPv6 is not my strong force, and I barely touched it since I joined networking in 2010. My proudest IPv6 moment is probably OSPFv3 in an ISP network.

Anyhow - I got an ASA 5506 and I need to get IPv6 up and running.

I've configured the router in front - and the outside interface of the ASA. All good here, seems to be working.

On the inside my customer wants 2 things.

A /64 for the clients - xxxx:xxxx:1002::/64

and a /52 for prefix delegation xxxx:xxxx:1002:1000::/52

So for the clients I've configured the inside interface, and made a DHCP pool as well.

ipv6 dhcp pool IPv6-DHCP
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844


interface GigabitEthernet1/2
 nameif inside
 ipv6 address xxxx:xxxx:1002::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6-DHCP

I haven't tested it with the customer yet, but I do believe this works as well, since I see clients in my show ipv6 neighbors.

So this is where my problem begins, because whenever I wanna add a prefix delegation it just tells me I can't when I have DHCP server configured.

(config-if)# ipv6 dhcp client pd Test-prefix  
 ERROR: Interface is in DHCPv6 server mode

I might just be stupid, but is there any way I can have this working?


mcdvoicehelp
Level 1

In the context of a Cisco ASA (Adaptive Security Appliance) device, both Stateless Address Autoconfiguration (SLAAC) and prefix delegation are important features for managing IPv6 connectivity and addressing.

SLAAC is a method that allows a device to self-configure its IPv6 address without the need for a DHCP server. It uses the IPv6 prefix that is advertised by a local router to generate an IPv6 address by combining it with a host-generated interface identifier.

Prefix Delegation (PD) is a feature used in DHCP for IPv6 (DHCPv6), where a DHCP server assigns a block of addresses (a prefix) to a requesting router, which then can distribute these addresses to devices on its local network. This is especially useful in scenarios where you want to manage the distribution of IPv6 addresses on a network that is hierarchically organized.

For a Cisco ASA device, configuring IPv6 with SLAAC and prefix delegation involves several steps:

  1. Enable IPv6 on the ASA: You need to enable IPv6 on the interfaces where you want to use IPv6.

  2. Configure SLAAC: The ASA can be configured to use SLAAC to obtain its own IPv6 address on the outside interface connected to the ISP.

  3. Configure Prefix Delegation: The ASA can also act as a DHCPv6 Prefix Delegation client to obtain a prefix from the ISP that can be used for the internal network.

  4. Advertise Prefixes: For the internal network, the ASA can advertise the obtained prefix so that the internal devices can use SLAAC to configure their IPv6 addresses.

For specific configuration commands and steps, you can refer to Cisco's official documentation or configuration guides, such as the Cisco ASA Series General Operations CLI Configuration Guide, which provides detailed instructions on how to set up IPv6, SLAAC, and prefix delegation on a Cisco ASA device.

Remember that when configuring IPv6 on a network device, it is important to also consider the security implications and ensure that appropriate firewall rules and security policies are in place to protect your network.

It seems like you're facing a common issue with Cisco ASA devices when trying to configure both DHCPv6 server and DHCPv6 client (for prefix delegation) on the same interface. The ASA typically does not support running both DHCPv6 server and client on the same interface simultaneously.
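
An offline check for the conflict behind the error in the question, as an added example that is not part of the thread or any Cisco tooling: it parses ASA-style interface stanzas and flags an interface that carries both `ipv6 dhcp server` and `ipv6 dhcp client pd`, and also a DHCPv6 server interface whose router advertisements lack `other-config-flag`. The sample configuration is constructed (2001:db8::/32 stands in for the masked prefix, and the outside stanza is assumed), and the function names are hypothetical.

```python
import re

# Constructed sample: the inside interface from the question with the rejected
# PD command added; 2001:db8::/32 replaces the masked customer prefix.
SAMPLE_CONFIG = """\
ipv6 dhcp pool IPv6-DHCP
 dns-server 2001:4860:4860::8888
interface GigabitEthernet1/1
 nameif outside
 ipv6 address 2001:db8:ffff::2/64
!
interface GigabitEthernet1/2
 nameif inside
 ipv6 address 2001:db8:1002::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6-DHCP
 ipv6 dhcp client pd Test-prefix
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from ASA-style indented stanzas."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return interfaces

def audit_dhcpv6(config):
    """Return (interface, finding) tuples for DHCPv6 role problems."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        server = any(re.match(r"ipv6 dhcp server \S+", c) for c in cmds)
        pd_client = any(re.match(r"ipv6 dhcp client pd \S+", c) for c in cmds)
        o_flag = "ipv6 nd other-config-flag" in cmds
        if server and pd_client:
            findings.append((name, "DHCPv6 server and PD client on one interface"))
        if server and not o_flag:
            findings.append((name, "DHCPv6 server without RA other-config-flag"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_dhcpv6(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```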
