Firewall as a DHCPv6 Client
Focus
Focus

Firewall as a DHCPv6 Client

Table of Contents
End-of-Life (EoL)

Firewall as a DHCPv6 Client

PAN-OS firewall functions as a DHCPv6 client, with or without prefix delegation.
The firewall can act as a DHCPv6 client to request an IPv6 address for its interface and an IPv6 prefix and associated options (such as DNS and Domain Search List) from a DHCPv6 server, thereby provisioning a Layer 3 Ethernet, VLAN, or Aggregate Ethernet (AE) interface. The IPv6-enabled interface sends a Router Solicitation message to the delegating router to get additional information, such as the gateway. DHCPv6 client reduces your IPv6 address provisioning effort and potential errors, and automates the task of getting your hosts onto the network.
Furthermore, the DHCPv6 client firewall supports prefix delegation. An ISP assigns prefixes (with a prefix length from /48 to /64) to a DHCPv6 server, which in turn assigns prefixes to the DHCPv6 client firewall. The firewall then assigns a subnet from the prefix pool of delegated prefixes to one or more of its host-facing interfaces. The delegated interfaces distribute the addresses from the delegated pool to the local network using Neighbor Discovery Protocol (NDP) with SLAAC. The delegated interfaces also provide other parameters using NDP. Configure prefix delegation if there are hosts connected to the firewall that need dynamic IPv6 addressing. Prefix delegation simplifies network provisioning on customer-facing LAN networks.
To configure a firewall interface that is facing the hosts on the network, you configure the interface type to be inherited. Only inherited interfaces can advertise those selected prefixes from the prefix pool to the hosts (via an RA). Each host constructs its own IPv6 address using the delegated prefix and either its MAC address or EUI-64 (Extended Unique Identifier), at the discretion of the host. Only the prefix is delegated (inherited), not the full address.
DHCPv6 functions differently from DHCPv4 in that the firewall does not receive complete IPv6 addresses to assign to hosts. The firewall does not know the full IPv6 addresses of the hosts.
The following example topology has a firewall, a DHCPv6 server north of the firewall, and hosts on two LANs south of the firewall.
The firewall interface that faces the delegating router is a Stateless Address Autoconfiguration (SLAAC) client. The firewall interface that faces the host is a SLAAC server; the host is a SLAAC client. The DHCPv6 client allocates a /64 prefix from the prefix pool to the inherited interface. The firewall configures an IPv6 address on an inherited interface using SLAAC and sends RAs with the prefix to autoconfigure the host interfaces using SLAAC.
RFC 8415 defines an Identity Association (IA) as a collection of leases assigned to a client. The DHCPv6 server provides:
  • IA_NA (Identity Association for Non-temporary Addresses) and IA_TA (Identity Association for Temporary Addresses) for the firewall to assign to interfaces that face the delegating router and ISP.
  • IA_PD (Identity Association for delegated prefixes) for the firewall to assign to a prefix pool; firewall interfaces that face the hosts inherit the prefix. The firewall selects a prefix from the pool and distributes it hosts via RA. Hosts receive the prefix and construct their own IPv6 address.
When you configure the firewall interface that is facing the ISP, you configure the interface type to be DHCPv6 Client. The firewall requests a Non-Temporary address or a Temporary address (or both) for its interface. The firewall supports only one DHCPv6 server per interface. You can have more than one interface, each facing a different ISP so that if a connection to one ISP goes down, you have access to another ISP.
You configure prefix delegation on the interface that is facing the ISP because this is the interface that faces the DHCPv6 server, which provides the prefix. If you have more than one interface facing an ISP, use the Preference to control which ISP provides the delegated prefix to hosts.
If the firewall is the end consumer of IPv6 traffic and does not have a connected LAN, the firewall can simply be a DHCPv6 client and no prefix delegation is necessary.
If you enabled Advanced Routing, the Layer 3 interface you configure is assigned to a logical router.