Document:PAN-OS® Networking Administrator’s Guide

Configure an Interface as a DHCPv6 Client with Prefix Delegation

Filter

Networking
- Networking Introduction
Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
  - Configure Layer 3 Interfaces
  - Manage IPv6 Hosts Using NDP
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
Virtual Routers
- Virtual Router Overview
- Configure Virtual Routers
Service Routes
- Service Routes Overview
- Configure Service Routes
Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
RIP
- RIP Overview
- Configure RIP
OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
Route Redistribution
- Route Redistribution Overview
- Configure Route Redistribution
GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- DHCP Addressing
  - DHCP Address Allocation Methods
  - DHCP Leases
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure a Web Proxy
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
DDNS
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NPTv6
- NPTv6 Overview
  - Unique Local Addresses
  - Reasons to Use NPTv6
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
ECMP
- ECMP Load-Balancing Algorithms
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
  - Security Policy Rules Based on ICMP and ICMPv6 Packets
  - ICMPv6 Rate Limiting
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
  - Session Distribution Policy Descriptions
  - Change the Session Distribution Policy and View Statistics
- Prevent TCP Split Handshake Session Establishment
Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
- Tunnel Acceleration Behavior
- Disable Tunnel Acceleration
Network Packet Broker
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Advanced Routing
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
PoE
- PoE Overview
- Configure PoE

Configure an Interface as a DHCPv6 Client with Prefix Delegation

Configure a DHCPv6 Client Interface with Prefix Delegation.

Before you configure DHCPV6 Client, learn about how a Layer 3 Ethernet, VLAN, or AE interface on the firewall can function as a DHCPv6 client, with or without prefix delegation.

The following task begins by showing how to configure the interface facing the DHCPv6 server to be a DHCPv6 client and request a Non-Temporary or Temporary address for itself. This interface also requests a delegated prefix on behalf of the host-facing interface. The task then shows how to configure an interface facing the hosts as an

inherited

interface that provides prefix delegation to the LAN hosts.

Select an Ethernet, AE, or VLAN interface (that faces the DHCPv6 server and ISP) to be a DHCPv6 client.

Select

Network

Interfaces

Ethernet

or select

Network

Interfaces

Ethernet

and select an AE interface, or select

Network

Interfaces

VLAN

For

Interface Type

, select

Layer3

(Optional)

Add Subinterface

if you want a single Ethernet or VLAN interface facing the ISP to be separated into subinterfaces.

On the

Config

tab, assign the interface to a

Virtual Router

and

Security Zone

Select

IPv6

Enable IPv6 on the interface

For

Interface ID

, enter the

EUI-64 (default 64-bit Extended Unique Identifier)

in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface.

Configure the interface that faces the ISP to be a DHCPv6 client and request its leased, temporary IPv6 address and/or non-temporary IPv6 address.

For

Type

, select

DHCPv6 Client

Select

Address Assignment

and

Accept Router Advertised Route

to allow the DHCPv6 Client to accept the Router Advertisement.

Enter a

Default Route Metric

for the route from the interface to the ISP; range is 1 to 65,535; default is 10.

Select

Preference

of the DHCPv6 client interface (

low

medium

high

) so that, in the event you have two interfaces (each connected to a different ISP for redundancy), you can assign the interface to one ISP a higher preference than the interface to the other ISP. The ISP connected to the preferred interface will be the ISP that provides the delegated prefix to send to a host-facing interface. If the interfaces have the same preference, both ISPs provide a delegated prefix and the host decides which prefix to use.

Select

DHCPv6 Options

and

Enable IPv6 Address

In the Request Address Type area, select

Non-Temporary Address

(default setting). This address type has a longer lifespan.

Select

Temporary Address

for a greater level of security because the address is intended to be used for a short period of time.

Whether you request a Non-Temporary Address or Temporary Address for the interface is based on your discretion and the capability of the DHCPv6 server; some servers can provide only a temporary address. The best practice is to select both Non-Temporary Address and Temporary Address, in which case the firewall will prefer the Non-Temporary Address.

Select

Rapid Commit

to use the DHCPv6 process of Solicit and Reply messages (two messages), rather than the process of Solicit, Advertise, Request, and Reply messages (four messages).

Select

Prefix Delegation

and

Enable Prefix Delegation

to allow the firewall to support prefix delegation functionality. This means that the interface accepts a prefix from the upstream DHCPv6 server and places the prefix into the Prefix Pool, from which the firewall delegates a prefix to a host via RA. The ability to enable or disable prefix delegation for an interface allows the firewall to support multiple ISPs (one ISP per interface). Enabling prefix delegation on this interface controls which ISP provides the prefix.

The delegated prefix is used on the host-facing interface, and its IPv6 address is constructed with the MAC address and EUI-64 input. In our example, the inherited interface receives the inherited prefix displayed in the step to view DHCPv6 information.

Select

DHCP Prefix Length Hint

to enable the firewall to send a preferred DHCPv6 prefix length to the DHCPv6 server.

Enter the preferred

DHCP Prefix Length (bits)

in the range from 48 to 64, which is sent as the hint to the DHCPv6 server. The DHCPv6 server has the discretion to send whatever prefix length it chooses.

Requesting a prefix length of 48, for example, leaves 16 bits remaining for subnets (64-48), which indicates you require many subdivisions of that prefix to delegate. On the other hand, requesting a prefix length of 63 leaves 1 bit for delegating only two subnets. Of the 128 bits, there are still 64 more bits for host address.

The interface can receive a /48 prefix, but delegate a /64 prefix, for example, which means the firewall is subdividing the prefix it delegates.

Enter a

Prefix Pool Name

for the pool where the firewall stores the received prefix. The name must be unique and contain a maximum of 63 alphanumeric characters, hyphens, periods, and underscores.

Use a prefix pool name that reflects the ISP for easy recognition.

For a DHCPv6 Client, configure address resolution.

Select

Address Resolution

Enable Duplicate Address Detection

(DAD) if you want the uniqueness of a potential IPv6 address to be verified before it is assigned to the interface (enabled by default).

If you selected

Enable Duplicate Address Detection

, specify the number of

DAD Attempts

within the neighbor solicitation (NS) interval before the attempt to identify neighbors fails; range is 1 to 10; default is 1.

Enter the

Reachable Time (sec)

, the length of time in seconds that the client assumes a neighbor is reachable after receiving a Reachability Confirmation message; range is 10 to 36,000; default is 30.

Enter the

NS Interval (sec)

, which is the length of time between Neighbor Solicitations; range is 1 to 3,600; default is 1.

Neighbor solicitations are sent every second using a well-known multicast group. The interface is asking if a device with the same IPv6 address exists on the network by sending NS, including its own address in the request. If another device has the same address, it responds to these requests.

Enable NDP Monitoring

to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP icon (

in the Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address, User-ID, and status (on a best-case basis).

For a DHCPv6 Client, configure DNS support.

Select

DNS Support

Enable

DNS Recursive Name Server

and select:

DHCPv6

—To have the DHCPv6 Server send the DNS Recursive Name Server information to the client.

Manual

—To manually configure the DNS Recursive Name Server.

Add

the IPv6 address of the

Server

, for example, 2001:4860:4860:0:0:0:8888. Enter a

Lifetime

in seconds, which is the maximum length of time the client can use the specific DNS Recursive Name Server to resolve domain names. The Lifetime range is 4 to 3,600; default is 1,200.

Enable

Domain Search List

and select:

DHCPv6

—To have the DHCPv6 Server send the Domain Search List information to the client.

Manual

—To manually configure the Domain Search List.

Add

Domain

suffix to add to a partial name in DNS to form a fully qualified domain name. For example, enter company.org. Enter a

Lifetime

in seconds for the list; range is 4 to 3,600; default is 1,200.

Click

to save the DHCPv6 Client configuration.

Configure a host-facing interface to inherit the IPv6 prefix and advertise allocated /64 prefixes from the pool to the hosts.

Select

Network

Interfaces

Ethernet

or select

Network

Interfaces

Ethernet

and select an AE interface, or select

Network

Interfaces

VLAN

Select a Layer 3 interface.

Select

IPv6

Enable IPv6 on the interface

For

Type

, select

Inherited

Select

Address Assignment

and

Add

an address by entering a

Name

. The name can be a maximum of 63 alphanumeric characters, hyphens, periods, and underscores.

For

Address Type

, select one of the following:

GUA from Pool

—Global Unicast Address (GUA) that comes from the Prefix Pool chosen below.

ULA

—Unique Local Address is a private address in the address range fc00::/7 for connectivity within a private network. Select ULA if there is no DHCPv6 server. The DHCPv6 server has the discretion to send whatever prefix length it chooses.

It is recommended to also configure a ULA to maintain local connectivity in case the connection to the DHCPv6 server is lost.

Enable on Interface

(GUA) or

Enable Address on Interface

(ULA) to enable this address.

(GUA only) Select the

Prefix Pool

from which to get the GUA.

(GUA only) Select

Assignment Type

Dynamic

—The DHCPv6 client is responsible for choosing an identifier to configure the inherited interface.

Dynamic with Identifier

—You are responsible for choosing an identifier in the range 0 to 4,000 and maintaining a unique Identifier across the DHCPv6 clients.

If you received a /64 prefix from the DHCPv6 server, do not select

Dynamic with Identifier

If you are applying

Dynamic with Identifier

to more than one address, assign the lowest Identifier value to the first address, and a higher Identifier value to each subsequent address you configure.

(ULA only) Enter an

Address

(ULA only) Select

Use interface ID as host portion

to use the interface ID as the host portion of the IPv6 address.

(ULA only) Select

Anycast

to make the IPv6 address an Anycast address, which means multiple locations can advertise the same prefix, and IPv6 sends the Anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.

Select

Send Router Advertisement

to send RAs from the inherited interface to the LAN hosts.

If you chose ULA, enter a

Valid Lifetime

and

Preferred Lifetime

Select

On-Link

if systems that have addresses within the prefix are reachable without a router.

Select

Autonomous

if systems can independently create an IPv6 address by combining the advertised prefix with an Interface ID.

Click

to save address assignment.

For Inherited interface, configure address resolution.

Select

Address Resolution

Enable Duplicate Address Detection

(DAD) if you want such detection (enabled by default).

If you selected

Enable Duplicate Address Detection

, specify the number of

DAD Attempts

within the neighbor solicitation (NS) interval before the attempt to identify neighbors fails; range is 1 to 10; default is 1.

Enter the

Reachable Time (sec)

that the client will use to assume a neighbor is reachable after receiving a Reachability Confirmation message; range is 10 to 36,000; default is 30.

Enter the

NS Interval (sec)

, which is the length of time between Neighbor Solicitation requests; range is 1 to 3,600; default is 1.

Enable NDP Monitoring

to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP icon (

in the Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address, User-ID, and status (on a best-case basis).

For Inherited interface, configure Router Advertisement so that this interface can send RAs to the hosts advertising the prefix that the hosts can use to construct their own IPv6 address.

Select

Router Advertisement

and

Enable Router Advertisement

so this interface can reply to Router Solicitations from the hosts by sending RAs to hosts (default is enabled). The following 11 fields all pertain to the RA.

Set the

Min Interval (sec)

, the minimum interval, in seconds, between RAs the firewall sends (range is 3 to 1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you set.

Set

Max Interval (sec)

, the maximum interval, in seconds between RAs the firewall sends (range is 4 to 1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you set.

Set

Hop Limit

to apply to clients for outgoing packets (range is 1 to 255; default is 64). Select

unspecified

to use the system default.

Set

Link MTU

, the link maximum transmission unit (MTU) to apply to clients (range is 1,280 to 9,216; default is

unspecified

, which means the system default.

Set

Reachable Time (ms)

, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a Reachability Confirmation message (range is 0 to 3,600,000; default is

unspecified

Set

Retrans Timer (ms)

, the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting Neighbor Solicitation messages. Select

unspecified

for no retransmission time (range is 0 to 4,294,967,295; default is

unspecified

Set

Lifetime (sec)

to specify how long, in seconds, the client will use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Set

Router Preference

in case there are two or more inherited interfaces on different routers sending RAs to a host.

High

Medium

, or

Low

is the priority that the RA advertises indicating the relative priority and the host uses the prefix from the higher prioritized router.

Select

Managed Configuration

to indicate to the client that addresses are available via DHCPv6.

Select

Other Configuration

to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.

Select

Consistency Check

to have the firewall verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies.

For Inherited interface, configure DNS Support.

Select

DNS Support

Enable

DNS Recursive Name Server

and select

DHCPv6

Manual

DHCPv6

—To have the DHCPv6 Server send the DNS Recursive Name Server information. Select a

Prefix Pool

. When the DNS Recursive Namer Server is from the DHCPv6 server, an inherited interface can derive information indirectly from the prefix pool. (If on the

Address Assignment

tab you configured the Address Type as

ULA

, the Prefix Pool will be

None

Manual

—To manually configure the DNS Recursive Name Server.

Add

an IPv6 address of the

Server

, for example, 2001:4860:4860:0:0:0:8888. Enter a

Lifetime

for the server; the range is any value equal to or between the

Max Interval

(that you configured on the

Router Advertisement

tab) and two times that Max Interval. Default is 1200 seconds.

Enable

Domain Search List

and select:

DHCPv6

—to have the DHCPv6 Server send the Domain Search List information. Select a

Prefix Pool

. When the Domain Search List is from the DHCPv6 server, an inherited interface can derive information indirectly from the prefix pool. (If on the

Address Assignment

tab you configured the Address Type as

ULA

, the Prefix Pool will be

None

Manual

—To manually configure the Domain Search List.

Add

Domain

suffix to add to a partial name in DNS to form a fully qualified domain name. For example, enter company.org. Enter a

Lifetime

for the domain; the range is any value equal to or between the

Max Interval

(that you configured on the

Router Advertisement

tab) and two times that Max Interval. Default is 1200.

Document:PAN-OS® Networking Administrator’s Guide

Configure an Interface as a DHCPv6 Client with Prefix Delegation

Table of Contents

Configure an Interface as a DHCPv6 Client with Prefix Delegation