Configure an IPv6 PPPoE Client

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)

The firewall supports an Ethernet Layer 3 interface or subinterface acting as a Point-to-Point Protocol over Ethernet (PPPoE) IPv6 client to reach an ISP that provides IPv6 internet services. In PPPoE mode, the interface or subinterface can obtain an IPv6 address dynamically using DHCPv6 either in stateful or stateless mode. In stateful mode, the PPPoE interface acquires all connection parameters dynamically from the DHCPv6 server. In stateless mode, the IPv6 address of the PPPoE interface is obtained using stateless address autoconfiguration (SLAAC), but the other parameters (DNS and prefix delegation) are obtained through DHCPv6. Stateful and stateless DHCPv6 reduce provisioning effort and errors, and simplify address management.

Use stateful DHCPv6 to assign the PPPoEv6 client address because it's more secure than stateless autoconfiguration.

Only Ethernet Layer 3 interfaces and subinterfaces support an IPv6 PPPoE client (tunnel, AE, VLAN, and loopback interfaces don't support an IPv6 PPPoE client). A Layer 3 interface and its subinterface can't act as a PPPoEv6 client at the same time.

A limitation is that the interface configured with PPPoEv6 can't acquire a DNS server address and/or DNS prefix from Router Advertisements (RA-DNS). You'll have to rely on DHCPv6 to obtain the DNS information or configure those parameters manually.

After you configure an interface or subinterface for PPPoEv4 or PPPoEv6, you cannot assign the interface or subinterface a static IP address, nor can you configure the interface or subinterface as a DHCPv4, DHCPv6, or Inherited interface.

If you configure only a single stack PPPoE client (IPv4 or IPv6), you can't use both IPv4 and IPv6 PPPoE client connectivity. If you configure a PPPoEv4 client and connect to an ISP, you can use only IPv4 connectivity. If you configure a PPPoEv6 client and connect to an ISP, you can use only IPv6 connectivity. (If you configure a PPPoE v4/v6 client (dual stack mode) and connect to an ISP, you can use both IPv4 and IPv6 connectivity.)

If the Managed Address Configuration flag (M-flag) in the RA from the broadband network gateway (BNG) or another device is set to 0, the PPPoE client will use stateless autoconfiguration. If it's set to 1, the client will attempt to get its IPv6 address from a DHCPv6 server using stateful DHCPv6.

When the Other Configuration flag (O-flag) is set to 1, configuration information other than the IPv6 address should be available from the DHCPv6 server, such as the delegated prefix and the address of the recursive DNS servers.

IPv6CP negotiates the Interface Identifier for the client interface.

The following use case is for stateful DHCPv6. The following graphic illustrates the firewall using stateful DHCPv6 to receive its IPv6 address and delegated prefix. Ethernet interface 1/1 acts as a PPPoEv6 client, facing either an access concentrator, broadband network gateway, digital subscriber line access multiplexer (DSLAM), or PPPoEv6 server (depending on the ISP deployment). The PPPoEv6 client interface learns its IPv6 Interface Identifier (IID) through the IPv6 Control Protocol (IPv6CP). Once this IPv6 parameter is negotiated, it is used to assign the IPv6 Link Local Address (LLA) to the interface. There is no Duplicate Address Detection (DAD) performed because the IID is already negotiated. The sequence of events continues with address assignment via DHCPv6. Gateway(s) for the connection are also obtained from the Router Advertisement (RA).

The PPPoEv6 client receives a DHCPv6 delegated prefix from the ISP. The PPPoEv6 client can use that information to assign it to a pool. The pool can then be fragmented into multiple /64 prefixes, which in turn are assigned to the inherited interface eth1/2. Eth1/2 will create an IPv6 address using the EUI-64 mechanism. The hosts on the LAN segment attached to eth1/2 will use SLAAC to create their IPv6 address.

The following use case is for stateless DHCPv6 (SLAAC). The following graphic illustrates the firewall using stateless DHCPv6 to receive its IPv6 address and delegate a prefix to the IPv6 hosts. Ethernet interface 1/1 acts as a PPPoEv6 client, facing either an access concentrator, broadband network gateway, DSLAM, or PPPoEv6 server (depending on the ISP deployment). The PPPoEv6 client interface learns its IPv6 Interface Identifier (IID) through the IPv6 Control Protocol (IPv6CP). Once this IPv6 parameter is negotiated, it is used to assign the IPv6 Link Local Address (LLA) to the interface. There is no DAD performed because the IID is already negotiated. The sequence of events continues with address assignment via SLAAC. Gateway(s) for the connection are also obtained from the RA.

The firewall encapsulates northbound traffic (coming from the IPv6 hosts) in PPPoE and sends the traffic to the internet.

1. Configure an Ethernet Layer 3 interface or subinterface as an IPv6 PPPoE client.

   1. Select NetworkInterfacesEthernet and select an interface.
   2. Select Interface Type as Layer3.

      Alternatively, you could select a Layer 3 interface, add a subinterface, enter a subinterface number, add a Tag, and proceed to configure the subinterface as a PPPoEv6 client.
   3. Select IPv6 and Enable IPv6 on the interface.
   4. Select EUI-64 (Extended Unique Identifier), which a stateless address assignment uses so that a host can assign itself a unique 64-bit Version 6 interface identifier.
   5. Select the address assignment Type as PPPoEv6 Client.
2. Configure general settings for the PPPoEv6 client.

   1. Enable the interface.
   2. If you already have an interface configured for PPPoE client (IPv4), you can optionally Apply IPv4 Parameters, which copies the IPv4 parameters to the PPPoEv6 client. (The parameters copied are authentication type, username, password, access concentrator name, service, and passive setting.)

      • If you subsequently reconfigure a parameter on the PPPoE IPv4 client, the new parameter value is copied to the PPPoE IPv6 client.
      • If you reconfigure a parameter of either client, the session is reestablished, which causes traffic disruption.

      Even if you configure a PPPoE IPv4 client and a PPPoE IPv6 client independently, you must configure the two clients with the same authentication type, username, password, access concentrator name, service, and passive setting.
   3. If you want the PPPoEv6 client (interface) to wait for the PPPoEv6 server to initiate a connection, select Passive. If Passive isn't selected, the interface is allowed to initiate a connection.
   4. Select the type of Authentication for the interface.

      If you also configured this interface as a PPPoE IPv4 client, you must configure the two clients with the same authentication type, username, password, access concentrator name, and service.

      • CHAP—Interface uses Challenge Handshake Authentication Protocol (CHAP).
      • PAP—Interface uses Password Authentication Protocol (PAP). PAP sends usernames and passwords in plain text, and is less secure than CHAP.
      • auto—Interface negotiates the authentication method (CHAP or PAP) with the PPPoEv6 server.
   5. Enter the Username for authentication.
   6. Enter the Password and Confirm Password.
   7. If your ISP told you the name of the Access Concentrator to connect to, enter it (a string of 0 to 255 characters).
   8. If you want the interface as a PPPoEv6 client to request a specific service from the PPPoEv6 server, enter the Service (a string of 0 to 255 characters).
3. Configure address options.

   1. Select Address Assignment.
   2. Accept Router Advertised Route to allow the PPPoEv6 client to accept the RA.
   3. Set the Default Route Metric for the route from the interface to the ISP; range is 1 to 65,535; default is 10.
   4. Set the Preference of the PPPoEv6 client interface: High (default), Medium, or Low. In the event you have two interfaces (each connected to a different ISP for redundancy), you can assign the interface to one ISP a higher preference than the interface to the other ISP. The ISP connected to the preferred interface will be the ISP that provides the delegated prefix to send to a host-facing interface. If the interfaces have the same preference, both ISPs provide a delegated prefix and the host decides which prefix to use.
4. (For stateless autoconfiguration) Have the firewall autoconfigure the IPv6 address for the interface using the IPv6 Control Protocol (IPv6CP) Interface Identifier and the prefix from the Router Advertisement (using SLAAC).

   1. Select Autoconfig.
   2. Enable Autoconfig.
   3. Proceed to configure address resolution.
5. (For stateful configuration) Alternatively, configure the address assignment using DHCPv6.

   1. On the Address Assignment tab, select DHCPv6.
   2. Enable DHCPv6.
   3. Select DHCPv6 Options.
   4. Enable IPv6 Address to allow the PPPoEv6 client to use the address assigned by the DHCPv6 server.
   5. Select Rapid Commit to use the DHCPv6 process of Solicit and Reply messages (two messages), rather than the process of Solicit, Advertise, Request, and Reply messages (four messages).
   6. Select the DUID Type (DHCPv6 Unique Identifier) that the interface uses to identify itself to the DHCPv6 server:

      • DUID-LLT—The Link-Layer address of the interface, concatenated with a timestamp.
      • DUID-LL—The Link-Layer address of the interface.
6. If you chose DHCPv6 for address assignment, configure prefix delegation.

   1. Select Prefix Delegation.
   2. Enable Prefix Delegation to allow the firewall to support prefix delegation functionality. This means that the interface accepts a prefix from the upstream DHCPv6 server and places the prefix into the Prefix Pool, from which the firewall delegates a prefix to a host through an RA. The ability to enable or disable prefix delegation for an interface allows the firewall to support multiple ISPs (one ISP per interface). Enabling prefix delegation on this interface controls which ISP provides the prefix. The delegated prefix is used on the host-facing interface, and its IPv6 address is constructed with the MAC address and EUI-64 input.
   3. Select DHCP Prefix Length Hint to enable the firewall to send a preferred DHCPv6 prefix length to the DHCPv6 server.
   4. Enter the preferred DHCP Prefix Length (bits), which is sent as the hint to the DHCPv6 server; range is 0 to 128; default is 48. The DHCPv6 server has the discretion to send whatever prefix length it chooses.

      Requesting a prefix length of 48, for example, leaves 16 bits remaining for subnets (64 minus 48), which indicates you require many subdivisions of that prefix to delegate. Requesting a prefix length of 63 leaves 1 bit for delegating only two subnets. Of the 128 bits, there are still 64 more bits for a host address.

      The interface can receive a /48 prefix, but delegate a /64 prefix, for example, which means the firewall is subdividing the prefix it delegates.
   5. Enter the Prefix Pool Name of the pool where the firewall stores the received prefix. The name must be unique and contain a maximum of 63 alphanumeric characters, hyphens, periods, and underscores.

      Use a prefix pool name that reflects the ISP for easy recognition.
   6. Show Prefix Pool Assignment to view for each host-facing Inherited Interface: the Inherited Prefix (prefix that the interface is distributing to hosts), the Assigned IPv6 Address of the inherited interface itself (based on the prefix and constructed from the MAC address), the Router Preference, and the State of the interface.
7. Configure address resolution.

   1. Select Address Resolution.
   2. Enable Duplicate Address Detection (DAD).
   3. Set DAD Attempts, the number of DAD attempts within the neighbor solicitation (NS) interval before the attempt to identify neighbors fails; range is 1 to 10; default is 1.
   4. Set the Reachable Time (sec), the number of seconds that a neighbor remains reachable after a successful query and response; range is 10 to 36,000; default is 30.
   5. Set the NS Interval (sec); the number of seconds for DAD attempts before failure is indicated; range is 1 to 3,600; default is 1.
   6. Enable NDP Monitoring (Neighbor Discovery Protocol monitoring).
8. Configure DNS support.

   1. Select DNS Support.
   2. Select DNS Recursive Name Server. Select the Type:

      • DHCPv6—To have the DHCPv6 server send the recursive DNS (RDNS) name server information.
      • Manual—Add the IPv6 address of an RDNS name server and the Lifetime, the maximum number of seconds the client can use the specific RDNS server to resolve domain names; range is 4 to 3,600; default is 1,200. Select Manual if the PPPoEv6 client uses SLAAC to autoconfigure its IPv6 address.
   3. Select Domain Search List and select the Type:

      • DHCPv6—To have the DHCPv6 Server send the Domain Search List information.
      • Manual—Add one or more Domain names (suffixes) for the DNS search list (DNSSL) and the Lifetime, the maximum number of seconds the client can use the specific Domain Search List; range is 4 to 3,600; default is 1,200. Select Manual if the PPPoEv6 client uses SLAAC to autoconfigure its IPv6 address.
9. Click OK
10. Commit.
11. View PPPoEv6 client information.

    1. Select NetworkInterfacesEthernet and select the interface you configured.
    2. Show PPPoEv6 Client Runtime Info.