Monday, June 15, 2015

Configuring Stateless and Stateful DHCPv6



Topology



Addressing Table
Device
Interface
IPv6 Address
Prefix Length
Default Gateway
R1
G0/1
2001:DB8:ACAD:A::1
64
N/A
S1
VLAN 1
Assigned by SLAAC
64
Assigned by SLAAC
PC-A
NIC
Assigned by SLAAC and DHCPv6
64
Assigned by R1
Objectives
Part 1: Build the Network and Configure Basic Device Settings
Part 2: Configure the Network for SLAAC
Part 3: Configure the Network for Stateless DHCPv6
Part 4: Configure the Network for Stateful DHCPv6
Background / Scenario
The dynamic assignment of IPv6 global unicast addresses can be configured in three ways:
·         Stateless Address Autoconfiguration (SLAAC) only
·         Stateless Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
·         Stateful DHCPv6
With SLAAC (pronounced slack), a DHCPv6 server is not needed for hosts to acquire IPv6 addresses. It can be used to receive additional information that the host needs, such as the domain name and the domain name server (DNS) address. When SLAAC is used to assign the IPv6 host addresses and DHCPv6 is used to assign other network parameters, it is called Stateless DHCPv6.
With Stateful DHCPv6, the DHCP server assigns all information, including the host IPv6 address.
Determination of how hosts obtain their dynamic IPv6 addressing information is dependent on flag settings contained within the router advertisement (RA) messages.
In this lab, you will initially configure the network to use SLAAC. After connectivity has been verified, you will configure DHCPv6 settings and change the network to use Stateless DHCPv6. After verification that Stateless DHCPv6 is functioning correctly, you will change the configuration on R1 to use Stateful DHCPv6. Wireshark will be used on PC-A to verify all three dynamic network configurations.
Note: The routers used with CCNA hands-on labs are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS Release 15.2(4)M3 (universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers.
Note: Make sure that the router and switch have been erased and have no startup configurations. If you are unsure, contact your instructor.

Note: The default bias template (used by the Switch Database Manager (SDM)) does not provide IPv6 address capabilities. Verify that SDM is using either the dual-ipv4-and-ipv6 template or the lanbase-routing template. The new template will be used after reboot even if the config is not saved.
S1# show sdm prefer
Follow these steps to assign the dual-ipv4-and-ipv6 template as the default SDM template:
S1# config t
S1(config)# sdm prefer dual-ipv4-and-ipv6 default
S1(config)# end
S1# reload
Required Resources
·         1 Router (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
·         1 Switch (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
·         1 PC (Windows 7 or Vista with Wireshark and terminal emulation program, such as Tera Term)
·         Console cables to configure the Cisco IOS devices via the console ports
·         Ethernet cables as shown in the topology
Note: DHCPv6 client services are disabled on Windows XP. It is recommended to use a Windows 7 host for this lab.
Part 1:     Build the Network and Configure Basic Device Settings
In Part 1, you will set up the network topology and configure basic settings, such as device names, passwords and interface IP addresses.
Step 1:     Cable the network as shown in the topology.
Step 2:     Initialize and reload the router and switch as necessary.
Step 3:     Configure R1.
a.     Disable DNS lookup.
b.    Configure the device name.
c.     Encrypt plain text passwords.
d.    Create a MOTD banner warning users that unauthorized access is prohibited.
e.     Assign class as the encrypted privileged EXEC mode password.
f.     Assign cisco as the console and vty password and enable login.
g.    Set console logging to synchronous mode.
h.     Save the running configuration to the startup configuration.
Step 4:     Configure S1.
a.     Disable DNS lookup.
b.    Configure the device name.
c.     Encrypt plain text passwords.
d.    Create a MOTD banner warning users that unauthorized access is prohibited.
e.     Assign class as the encrypted privileged EXEC mode password.
f.     Assign cisco as the console and vty password and enable login.
g.    Set console logging to synchronous mode.
h.     Administratively disable all inactive interfaces.
i.      Save running configuration to the startup configuration.
Part 2:     Configure the Network for SLAAC
Step 1:     Prepare PC-A.
a.     Verify that the IPv6 protocol has been enabled on the Local Area Connection Properties window. If the Internet Protocol Version 6 (TCP/IPv6) check box is not checked, click to enable it.



b.    Start a Wireshark capture of traffic on the NIC.
c.     Filter the data capture to see only RA messages. This can be done by filtering on IPv6 packets with a destination address of FF02::1, which is the all-unicast client group address. The filter entry used with Wireshark is ipv6.dst==ff02::1, as shown here.




Step 2:     Configure R1.
a.     Enable IPv6 unicast routing.
b.    Assign the IPv6 unicast address to interface G0/1 according to the Addressing Table.
c.     Assign FE80::1 as the IPv6 link-local address for interface G0/1.
d.    Activate interface G0/1.
Step 3:     Verify that R1 is part of the all-router multicast group.
Use the show ipv6 interface g0/1 command to verify that G0/1 is part of the All-router multicast group (FF02::2). RA messages are not sent out G0/1 without that group assignment.
R1# show ipv6 interface g0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:ACAD:A::1, subnet is 2001:DB8:ACAD:A::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
Step 4:     Configure S1.
Use the ipv6 address autoconfig command on VLAN 1 to obtain an IPv6 address through SLAAC.
S1(config)# interface vlan 1
S1(config-if)# ipv6 address autoconfig
S1(config-if)# end
Step 5:     Verify that SLAAC provided a unicast address to S1.
Use the show ipv6 interface command to verify that SLAAC provided a unicast address to VLAN1 on S1.
S1# show ipv6 interface
Vlan1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::ED9:96FF:FEE8:8A40
  No Virtual link-local address(es):
  Stateless address autoconfig enabled
  Global unicast address(es):
    2001:DB8:ACAD:A:ED9:96FF:FEE8:8A40, subnet is 2001:DB8:ACAD:A::/64 [EUI/CAL/PRE]
      valid lifetime 2591988 preferred lifetime 604788
  Joined group address(es):
    FF02::1
    FF02::1:FFE8:8A40
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Output features: Check hwidb
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND NS retransmit interval is 1000 milliseconds
  Default router is FE80::1 on Vlan1
Step 6:     Verify that SLAAC provided IPv6 address information on PC-A.
a.     From a command prompt on PC-A, issue the ipconfig /all command. Verify that PC-A is showing an IPv6 address with the 2001:db8:acad:a::/64 prefix. The Default Gateway should have the FE80::1 address.



b.    From Wireshark, look at one of the RA messages that were captured. Expand the Internet Control Message Protocol v6 layer to view the Flags and Prefix information. The first two flags control DHCPv6 usage and are not set if DHCPv6 is not configured. The prefix information is also contained within this RA message.
Part 3:     Configure the Network for Stateless DHCPv6
Step 1:     Configure an IPv6 DHCP server on R1.
a.     Create an IPv6 DHCP pool.
R1(config)# ipv6 dhcp pool IPV6POOL-A
b.    Assign a domain name to the pool.
R1(config-dhcpv6)# domain-name ccna-statelessDHCPv6.com
c.     Assign a DNS server address.
R1(config-dhcpv6)# dns-server 2001:db8:acad:a::abcd
R1(config-dhcpv6)# exit
d.    Assign the DHCPv6 pool to the interface.
R1(config)# interface g0/1
R1(config-if)# ipv6 dhcp server IPV6POOL-A
e.     Set the DHCPv6 network discovery (ND) other-config-flag.
R1(config-if)# ipv6 nd other-config-flag
R1(config-if)# end
Step 2:     Verify DHCPv6 settings on interface G0/1 on R1.
Use the show ipv6 interface g0/1 command to verify that the interface is now part of the IPv6 multicast all-DHCPv6-servers group (FF02::1:2). The last line of the output from this show command verifies that the other-config-flag has been set.
R1# show ipv6 interface g0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:ACAD:A::1, subnet is 2001:DB8:ACAD:A::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:1
    FF05::1:3
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
  Hosts use DHCP to obtain other configuration.
Step 3:     View network changes to PC-A.
Use the ipconfig /all command to review the network changes. Notice that additional information, including the domain name and DNS server information, has been retrieved from the DHCPv6 server. However, the IPv6 global unicast and link-local addresses were obtained previously from SLAAC.
Step 4:     View the RA messages in Wireshark.
Scroll down to the last RA message that is displayed in Wireshark and expand it to view the ICMPv6 flag settings. Notice that the other configuration flag is set to 1.
Step 5:     Verify that PC-A did not obtain its IPv6 address from a DHCPv6 server.
Use the show ipv6 dhcp binding and show ipv6 dhcp pool commands to verify that PC-A did not obtain an IPv6 address from the DHCPv6 pool.
R1# show ipv6 dhcp binding
R1# show ipv6 dhcp pool
DHCPv6 pool: IPV6POOL-A
  DNS server: 2001:DB8:ACAD:A::ABCD
  Domain name: ccna-statelessDHCPv6.com
  Active clients: 0
Step 6:     Reset PC-A IPv6 network settings.
a.     Shut down interface F0/6 on S1.
Note: Shutting down the interface F0/6 prevents PC-A from receiving a new IPv6 address before you reconfigure R1 for Stateful DHCPv6 in Part 4.
S1(config)# interface f0/6
S1(config-if)# shutdown
b.    Stop Wireshark capture of traffic on the PC-A NIC.
c.     Reset the IPv6 settings on PC-A to remove the Stateless DHCPv6 settings.
1)     Open the Local Area Connection Properties window, deselect the Internet Protocol Version 6 (TCP/IPv6) check box, and click OK to accept the change.
2)     Open the Local Area Connection Properties window again, click to enable the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK to accept the change.
Part 4:     Configure the Network for Stateful DHCPv6
Step 1:     Prepare PC-A.
a.     Start a Wireshark capture of traffic on the NIC.
b.    Filter the data capture to see only RA messages. This can be done by filtering on IPv6 packets with a destination address of FF02::1, which is the all-unicast client group address.
Step 2:     Change the DHCPv6 pool on R1.
a.     Add the network prefix to the pool.
R1(config)# ipv6 dhcp pool IPV6POOL-A
R1(config-dhcpv6)# address prefix 2001:db8:acad:a::/64
b.    Change the domain name to ccna-statefulDHCPv6.com.
Note: You must remove the old domain name. It is not replaced by the domain-name command.
R1(config-dhcpv6)# no domain-name ccna-statelessDHCPv6.com
R1(config-dhcpv6)# domain-name ccna-StatefulDHCPv6.com
R1(config-dhcpv6)# end
c.     Verify DHCPv6 pool settings.
R1# show ipv6 dhcp pool
DHCPv6 pool: IPV6POOL-A
  Address allocation prefix: 2001:DB8:ACAD:A::/64 valid 172800 preferred 86400 (0 in use, 0 conflicts)
  DNS server: 2001:DB8:ACAD:A::ABCD
  Domain name: ccna-StatefulDHCPv6.com
  Active clients: 0
d.    Enter debug mode to verify the Stateful DHCPv6 address assignment.
R1# debug ipv6 dhcp detail
   IPv6 DHCP debugging is on (detailed)
Step 3:     Set the flag on G0/1 for Stateful DHCPv6.
Note: Shutting down the G0/1 interface before making changes ensures that an RA message is sent when the interface is activated.
R1(config)# interface g0/1
R1(config-if)# shutdown
R1(config-if)# ipv6 nd managed-config-flag
R1(config-if)# no shutdown
R1(config-if)# end
Step 4:     Enable interface F0/6 on S1.
Now that R1 has been configured for Stateful DHCPv6, you can reconnect PC-A to the network by activating interface F0/6 on S1.
S1(config)# interface f0/6
S1(config-if)# no shutdown
S1(config-if)# end
Step 5:     Verify Stateful DHCPv6 settings on R1.
a.     Issue the show ipv6 interface g0/1 command to verify that the interface is in Stateful DHCPv6 mode.
R1# show ipv6 interface g0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:ACAD:A::1, subnet is 2001:DB8:ACAD:A::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:1
    FF05::1:3
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use DHCP to obtain routable addresses.
  Hosts use DHCP to obtain other configuration.
b.    In a command prompt on PC-A, type ipconfig /release6 to release the currently assigned IPv6 address. Then type ipconfig /renew6 to request an IPv6 address from the DHCPv6 server.
c.     Issue the show ipv6 dhcp pool command to verify the number of active clients.
R1# show ipv6 dhcp pool
DHCPv6 pool: IPV6POOL-A
  Address allocation prefix: 2001:DB8:ACAD:A::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts)
  DNS server: 2001:DB8:ACAD:A::ABCD
  Domain name: ccna-StatefulDHCPv6.com
  Active clients: 1
d.    Issue the show ipv6 dhcp binding command to verify that PC-A received its IPv6 unicast address from the DHCP pool. Compare the client address to the link-local IPv6 address on PC-A using the ipconfig /all command. Compare the address provided by the show command to the IPv6 address listed with the ipconfig /all command on PC-A.
R1# show ipv6 dhcp binding
Client: FE80::D428:7DE2:997C:B05A
  DUID: 0001000117F6723D000C298D5444
  Username : unassigned
  IA NA: IA ID 0x0E000C29, T1 43200, T2 69120
    Address: 2001:DB8:ACAD:A:B55C:8519:8915:57CE
            preferred lifetime 86400, valid lifetime 172800
            expires at Mar 07 2013 04:09 PM (171595 seconds)
e.     Issue the undebug all command on R1 to stop debugging DHCPv6.
Note: Typing u all is the shortest form of this command and is useful to know if you are trying to stop debug messages from continually scrolling down your terminal session screen. If multiple debugs are in process, the undebug all command stops all of them.
R1# u all
All possible debugging has been turned off
f.     Review the debug messages that appeared on your R1 terminal screen.
1)     Examine the solicit message from PC-A requesting network information.
*Mar  5 16:42:39.775: IPv6 DHCP: Received SOLICIT from FE80::D428:7DE2:997C:B05A on GigabitEthernet0/1
*Mar  5 16:42:39.775: IPv6 DHCP: detailed packet contents
*Mar  5 16:42:39.775:   src FE80::D428:7DE2:997C:B05A (GigabitEthernet0/1)
*Mar  5 16:42:39.775:   dst FF02::1:2
*Mar  5 16:42:39.775:   type SOLICIT(1), xid 1039238
*Mar  5 16:42:39.775:   option ELAPSED-TIME(8), len 2
*Mar  5 16:42:39.775:     elapsed-time 6300
*Mar  5 16:42:39.775:   option CLIENTID(1), len 14
2)     Examine the reply message sent back to PC-A with the DHCP network information.
*Mar  5 16:42:39.779: IPv6 DHCP: Sending REPLY to FE80::D428:7DE2:997C:B05A on GigabitEthernet0/1
*Mar  5 16:42:39.779: IPv6 DHCP: detailed packet contents
*Mar  5 16:42:39.779:   src FE80::1
*Mar  5 16:42:39.779:   dst FE80::D428:7DE2:997C:B05A (GigabitEthernet0/1)
*Mar  5 16:42:39.779:   type REPLY(7), xid 1039238
*Mar  5 16:42:39.779:   option SERVERID(2), len 10
*Mar  5 16:42:39.779:     00030001FC994775C3E0
*Mar  5 16:42:39.779:   option CLIENTID(1), len 14
*Mar  5 16:42:39.779:     00010001
R1#17F6723D000C298D5444
*Mar  5 16:42:39.779:   option IA-NA(3), len 40
*Mar  5 16:42:39.779:     IAID 0x0E000C29, T1 43200, T2 69120
*Mar  5 16:42:39.779:     option IAADDR(5), len 24
*Mar  5 16:42:39.779:       IPv6 address 2001:DB8:ACAD:A:B55C:8519:8915:57CE
*Mar  5 16:42:39.779:       preferred 86400, valid 172800
*Mar  5 16:42:39.779:   option DNS-SERVERS(23), len 16
*Mar  5 16:42:39.779:     2001:DB8:ACAD:A::ABCD
*Mar  5 16:42:39.779:   option DOMAIN-LIST(24), len 26
*Mar  5 16:42:39.779:     ccna-StatefulDHCPv6.com
Step 6:     Verify Stateful DHCPv6 on PC-A
a.     Stop the Wireshark capture on PC-A.
b.    Expand the most recent RA message listed in Wireshark. Verify that the Managed address configuration flag has been set.
c.     Change the filter in Wireshark to view DHCPv6 packets only by typing dhcpv6, and then Apply the filter. Highlight the last DHCPv6 reply listed and expand the DHCPv6 information. Examine the DHCPv6 network information that is contained in this packet.
Reflection
1.     What IPv6 addressing method uses more memory resources on the router configured as a DHCPv6 server, Stateless DHCPv6 or Stateful DHCPv6? Why?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
2.     Which type of dynamic IPv6 address assignment is recommended by Cisco, Stateless DHCPv6 or Stateful DHCPv6?
_______________________________________________________________________________________
_______________________________________________________________________________________
Router Interface Summary Table
Router Interface Summary
Router Model
Ethernet Interface #1
Ethernet Interface #2
Serial Interface #1
Serial Interface #2
1800
Fast Ethernet 0/0 (F0/0)
Fast Ethernet 0/1 (F0/1)
Serial 0/0/0 (S0/0/0)
Serial 0/0/1 (S0/0/1)
1900
Gigabit Ethernet 0/0 (G0/0)
Gigabit Ethernet 0/1 (G0/1)
Serial 0/0/0 (S0/0/0)
Serial 0/0/1 (S0/0/1)
2801
Fast Ethernet 0/0 (F0/0)
Fast Ethernet 0/1 (F0/1)
Serial 0/1/0 (S0/1/0)
Serial 0/1/1 (S0/1/1)
2811
Fast Ethernet 0/0 (F0/0)
Fast Ethernet 0/1 (F0/1)
Serial 0/0/0 (S0/0/0)
Serial 0/0/1 (S0/0/1)
2900
Gigabit Ethernet 0/0 (G0/0)
Gigabit Ethernet 0/1 (G0/1)
Serial 0/0/0 (S0/0/0)
Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

No comments:

Post a Comment