A PAN-OS firewall functions as a DHCPv6 client, with or
without prefix delegation.
The firewall can act as a DHCPv6 client to request an
IPv6 address for its interface and an IPv6 prefix and associated
options (such as DNS and Domain Search List) from a DHCPv6 server,
thereby provisioning a Layer 3 Ethernet, VLAN, or Aggregate Ethernet
(AE) interface. The IPv6-enabled interface sends a Router Solicitation
message to the delegating router to get additional information,
such as the gateway. The DHCPv6 client reduces your IPv6 address provisioning
effort and potential errors, and automates the task of getting your
hosts onto the network.
Furthermore, the DHCPv6 client firewall supports prefix delegation.
An ISP assigns prefixes (with a prefix length from /48 to /64) to
a DHCPv6 server, which in turn assigns prefixes to the DHCPv6 client
firewall. The firewall then assigns a subnet from the prefix pool
of delegated prefixes to one or more of its host-facing interfaces. The
delegated interfaces distribute the addresses from the delegated
pool to the local network using Neighbor Discovery Protocol (NDP)
with SLAAC. The delegated interfaces also provide other parameters
using NDP. Configure prefix delegation if there are hosts connected
to the firewall that need dynamic IPv6 addressing. Prefix delegation
simplifies network provisioning on customer-facing LAN networks.
To configure a firewall interface that is facing the hosts on
the network, you configure the interface type to be inherited.
Only inherited interfaces can advertise those selected prefixes
from the prefix pool to the hosts (via an RA). Each host constructs
its own IPv6 address using the delegated prefix and either its MAC
address or EUI-64 (Extended Unique Identifier), at the discretion
of the host. Only the prefix is delegated (inherited), not the full
address.
DHCPv6 functions differently from DHCPv4 in that the firewall does
not receive complete IPv6 addresses to assign to hosts. The firewall
does not know the full IPv6 addresses of the hosts.
The following example topology has a firewall, a DHCPv6 server
north of the firewall, and hosts on two LANs south of the firewall.
The firewall interface that faces the delegating router is a
Stateless Address Autoconfiguration (SLAAC) client. The firewall
interface that faces the host is a SLAAC server; the host is a SLAAC
client. The DHCPv6 client allocates a /64 prefix from the prefix
pool to the inherited interface. The firewall configures an IPv6 address
on an inherited interface using SLAAC and sends RAs with the prefix
to autoconfigure the host interfaces using SLAAC.
RFC 8415 defines an Identity
Association (IA) as a collection of leases assigned to a client.
The DHCPv6 server provides:
IA_NA (Identity Association for Non-temporary Addresses)
and IA_TA (Identity Association for Temporary Addresses)
for the firewall to assign to interfaces that face the delegating
router and ISP.
IA_PD (Identity Association for Delegated Prefixes) for the
firewall to assign to a prefix pool; firewall interfaces that face
the hosts inherit the prefix. The firewall selects a prefix from
the pool and distributes it to hosts via RA. Hosts receive the prefix
and construct their own IPv6 address.
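As an added illustration (not PAN-OS code), the following Python walks the prefix-delegation path described above: it encodes and decodes an RFC 8415 IA_PD option as the server and the DHCPv6 client would see it, rejects truncated options and delegated prefix lengths outside the /48 to /64 range the page states, carves /64s from the delegated pool for inherited interfaces, and forms the modified EUI-64 address a host would build from the advertised prefix. The /48, IAID, timers and MAC are constructed sample values.

```python
import ipaddress
import struct

OPTION_IA_PD = 25     # RFC 8415, section 21.21
OPTION_IAPREFIX = 26  # RFC 8415, section 21.22

def build_ia_pd(iaid, t1, t2, prefix, pref_lt, valid_lt):
    """Server side: encode one IA_PD option carrying a single IA_PD Prefix option."""
    net = ipaddress.IPv6Network(prefix)
    iaprefix = struct.pack("!HHIIB", OPTION_IAPREFIX, 25, pref_lt, valid_lt,
                           net.prefixlen) + net.network_address.packed
    return struct.pack("!HHIII", OPTION_IA_PD, 12 + len(iaprefix), iaid, t1, t2) + iaprefix

def parse_ia_pd(data):
    """Client side: decode an IA_PD; returns (iaid, t1, t2, [(network, pref_lt, valid_lt), ...])."""
    code, length = struct.unpack_from("!HH", data, 0)
    if code != OPTION_IA_PD or length < 12 or len(data) < 4 + length:
        raise ValueError("malformed or truncated IA_PD option")
    iaid, t1, t2 = struct.unpack_from("!III", data, 4)
    prefixes, off, end = [], 16, 4 + length
    while off + 4 <= end:
        sub, sublen = struct.unpack_from("!HH", data, off)
        if off + 4 + sublen > end:          # bounds check before touching the sub-option body
            raise ValueError("IA_PD sub-option overruns its parent option")
        if sub == OPTION_IAPREFIX and sublen >= 25:
            pref_lt, valid_lt, plen = struct.unpack_from("!IIB", data, off + 4)
            if not 48 <= plen <= 64:        # delegated prefixes run from /48 to /64
                raise ValueError(f"delegated prefix length /{plen} outside /48-/64")
            net = ipaddress.IPv6Network((data[off + 13:off + 29], plen), strict=False)
            prefixes.append((net, pref_lt, valid_lt))
        off += 4 + sublen
    return iaid, t1, t2, prefixes

def carve_inherited_prefixes(delegated, count):
    """Firewall: allocate one /64 per inherited (host-facing) interface from the delegated pool."""
    pool = delegated.subnets(new_prefix=64)
    return [next(pool) for _ in range(count)]

def slaac_eui64_address(advertised, mac):
    """Host: the address a host forms from the RA prefix and its MAC using modified EUI-64."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                            # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(int(advertised.network_address) | int.from_bytes(iid, "big"))

# Constructed sample: the ISP delegates the documentation prefix 2001:db8:1::/48.
SAMPLE_IA_PD = build_ia_pd(1, 1800, 2880, "2001:db8:1::/48", 3600, 7200)
```

Parsing SAMPLE_IA_PD yields 2001:db8:1::/48; carving it for the two LANs of the example topology gives 2001:db8:1::/64 and 2001:db8:1:1::/64, and a host with MAC 00:11:22:33:44:55 on the second LAN forms 2001:db8:1:1:211:22ff:fe33:4455.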
When you configure the firewall
interface that is facing the ISP, you configure the interface
type to be DHCPv6 Client. The firewall requests
a Non-Temporary address or a Temporary address (or both) for its interface.
The firewall supports only one DHCPv6 server per interface. You
can have more than one interface, each facing a different ISP so
that if a connection to one ISP goes down, you have access to another
ISP.
You configure prefix delegation on the interface that is facing
the ISP because this is the interface that faces the DHCPv6 server,
which provides the prefix. If you have more than one interface facing
an ISP, use the Preference to control which ISP provides the delegated
prefix to hosts.
If the firewall is the end consumer of IPv6 traffic and
does not have a connected LAN, the firewall can simply be a DHCPv6
client and no prefix delegation is necessary.
If you enabled Advanced Routing, the Layer 3 interface you configure
is assigned to a logical router.