The firewall can act as a DHCPv6 client to request an IPv6 address for its interface and an IPv6 prefix and associated options (such as DNS and Domain Search List) from a DHCPv6 server, thereby provisioning a Layer 3 Ethernet, VLAN, or Aggregate Ethernet (AE) interface. The IPv6-enabled interface sends a Router Solicitation message to the delegating router to get additional information, such as the gateway. DHCPv6 client reduces your IPv6 address provisioning effort and potential errors, and automates the task of getting your hosts onto the network.

Furthermore, the DHCPv6 client firewall supports prefix delegation. An ISP assigns prefixes (with a prefix length from /48 to /64) to a DHCPv6 server, which in turn assigns prefixes to the DHCPv6 client firewall. The firewall then assigns a subnet from the prefix pool of delegated prefixes to one or more of its host-facing interfaces. The delegated interfaces distribute the addresses from the delegated pool to the local network using Neighbor Discovery Protocol (NDP) with SLAAC. The delegated interfaces also provide other parameters using NDP. Configure prefix delegation if there are hosts connected to the firewall that need dynamic IPv6 addressing. Prefix delegation simplifies network provisioning on customer-facing LAN networks.

To configure a firewall interface that is facing the hosts on the network, you configure the interface type to be inherited. Only inherited interfaces can advertise those selected prefixes from the prefix pool to the hosts (via an RA). Each host constructs its own IPv6 address using the delegated prefix and either its MAC address or EUI-64 (Extended Unique Identifier), at the discretion of the host. Only the prefix is delegated (inherited), not the full address.

The following example topology has a firewall, a DHCPv6 server north of the firewall, and hosts on two LANs south of the firewall.

The firewall interface that faces the delegating router is a Stateless Address Autoconfiguration (SLAAC) client. The firewall interface that faces the host is a SLAAC server; the host is a SLAAC client. The DHCPv6 client allocates a /64 prefix from the prefix pool to the inherited interface. The firewall configures an IPv6 address on an inherited interface using SLAAC and sends RAs with the prefix to autoconfigure the host interfaces using SLAAC.

RFC 8415 defines an Identity Association (IA) as a collection of leases assigned to a client. The DHCPv6 server provides:

When you configure the firewall interface that is facing the ISP, you configure the interface type to be DHCPv6 Client. The firewall requests a Non-Temporary address or a Temporary address (or both) for its interface. The firewall supports only one DHCPv6 server per interface. You can have more than one interface, each facing a different ISP so that if a connection to one ISP goes down, you have access to another ISP.

You configure prefix delegation on the interface that is facing the ISP because this is the interface that faces the DHCPv6 server, which provides the prefix. If you have more than one interface facing an ISP, use the Preference to control which ISP provides the delegated prefix to hosts.

If you enabled Advanced Routing, the Layer 3 interface you configure is assigned to a logical router.