How to create a static DHCPv6 entry in the SonicWall Appliance

03/26/2020 6 People found this article helpful 31,573 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

How to create a static DHCPv6 entry in the SonicWall Appliance

Resolution

Feature/Application:

The SonicWall DHCPv6 server can be configured similar to IPv4, using Dynamic or Static IPv6 addresses. This KB article describes how to create a static DHCPv6 scope to lease static IPv6 addresses to designated hosts.

Procedure:

Step 1 Preparing the X0 IPv6 Interface

• Login to the SonicWall Management GUI
• Navigate to the Network > Interfaces page.
• Select the radio button IPv6 under View IP Version.
• Click on the Configure icon for the interface you want to configure the DHCPv6 Server address for and the Edit Interface window will be displayed.

General Tab

• In the IP Assignment pulldown menu, select Static.
• IPv6 Address: A unique IPv6 unicast address. Example: 2002:c0a8:a8a8:1::1
• Prefix Length: The network bit. Example: a prefix of 64 for the above IPv6 address would mean a network with addresses from 2002:c0a8:a8a8:0001:0000:0000:0000:0000  to 2002:c0a8:a8a8:0001:ffff:ffff:ffff:ffff
• Enable Router Advertisement: Enable this option to make this an advertising interface that distributes network. Routers Advertisements are sent in ICMPv6 Type 134 packet to the multicast group ff02::1.
• Advertise Subnet Prefix of IPv6 Primary Static Address: Leave this option unchecked. This will later enable clients to get IPv6 addresses from the DHCPv6 server rather than assigning themselves a stateless IPv6 address with the advertised prefix.

Advanced Tab

• Enable Listening to Router Advertisement: Leave this option unchecked.
• Enable Stateless Address Auto configuration: Leave this option unchecked.

Router Advertisement Tab

• Enable Router Advertisement: This would be automatically checked if Enable Router Advertisement in the General tab is checked.
• Optionally, you can modify the following Router Advertisement settings
  • Router Adv Interval Range - The time interval allowed between sending unsolicited multicast Router Advertisements from the interface, in seconds.
  • Link MTU - The recommended MTU for the interface link. A value of 0 means firewall will not advertise link MTU for the link.
  • Reachable Time - The time that a node assumes a neighbor is reachable after having received a reachability confirmation. A value of 0 means this parameter is unspecified by this firewall.
  • Retrans Timer - The time between retransmitted Neighbor Solicitation messages. A value of 0 means this parameter is unspecified by this firewall.
  • Current Hop Limit - The default value that should be placed in the Hop Count field of the IP header for outgoing IP packets. A value of 0 means this parameter is unspecified by this firewall.
  • Router Lifetime - The lifetime when firewall is accepted as a default router. A value of 0 means that the router is not a default router.
• Managed checkbox:  Enable this option to make the SonicWall send Managed Address Configuration Flag, also known as the M flag, set to 1 in their Router Advertisements. When an IPv6 host receives a Router Advertisement with this flag set, and if SonicWall DHCPv6 server is enabled with an IPv6 address range, IPv6 hosts can obtain IPv6 addresses from within the range. If this option is checked and the SonicWall DHCPv6 server is not enabled, IPv6 hosts configure their own IPv6 addresses based on the subnet prefix in Router Advertisements.
• Other Configuration checkbox: Enabling this option will make the SonicWall send the Other Stateful Configuration Flag, also known as the O flag, set to 1 in its Router Advertisements. When an IPv6 host receives a Router Advertisement with this flag set, and if a DHCPv6 server is available, IPv6 hosts can obtain configuration settings other than their IPv6 address, such as the DNS server address.
• Prefix List Settings: Leave this option unchecked.
• Click on OK to save the changes.

Step 2 - Obtaining the DUID and IAID of clients

To create a static DHCPv6 entry, the DUID and IAID of the client must be entered. This section explains how to obtain this information in a client.

The DHCP Unique Identifier (DUID)

Each DHCP client and server has a DUID.  DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in the association of IAs (Identity Association) with clients. DHCP clients use DUIDs to identify a server in messages where a server needs to be identified. For more information, see RFC3315.

Identity Association ID (IAID)

An "identity-association" (IA) is a construct through which a server and a client can identify, group, and manage a set of related IPv6 addresses.  Each IA consists of an IAID and associated configuration information.

A client must associate at least one distinct IA with each of its network interfaces for which it is to request the assignment of IPv6 addresses from a DHCP server.  The client uses the IAs assigned to an interface to obtain configuration information from a server for that interface.  Each IA must be associated with exactly one interface. For more information, see RFC3315.

In Windows (7 & 8), the DUID and IAID can be obtained by entering ipconfig/all at the command prompt.

Note: This will be visible only after preparing the interface (the server) in the manner described in Step 1.

In the Registry, the DUID is under HKLMSYSTEMCurrentControlSetservicesTCPIP6Parameters. A client has an IAID for each of its interfaces. Therefore, identify the interface and look for Dhcpv6Iaid under HKLMSYSTEMCurrentControlSetservicesTCPIP6ParametersInterfaces.

In Linux OS, I was unable to find where these are stored. Therefore, after following Step 1 above, restart the network service while doing a packet capture. In the capture look for the DUID & IAID in the DHCPv6 messages from the client.

Step 3 - Creating a static DHCPv6 entry in the SonicWall

• Navigate to the Network > DHCP Server page
• Select the radio button under IPv6 on the far right side of the page under View IP Version, to change to the DHCPv6 interface.
• Enable check box Enable DHCPv6 Server.
• Click on the Accept button to save the changes.
• Click on the Add Static button to bring up the Add DHCPv6 Static Scope window.
• Enter the following information:
  • Enter a name for this static scope
  • Enter the subnet prefix under Prefix: 2002:c0a8:a8a8:1::
  • Under Static IPv6 Address, enter the IP address to be assigned to the client. In this case 2002:c0a8:a8a8:1::2
  • Under IAID, enter the IAID of the client. IAID must be decimal value.
  • Under DUID, enter the DUID of the client. DUID value must be alphanumeric with no spaces or hyphens.
  • Under Valid Lifetime (minutes), enter the valid lifetime of the IPv6 address leased by this scope. The minimum value is 0 and maximum is 71582789. The default is 2160. Valid Lifetime is the length of time an address remains in the valid state (i.e., the time until invalidation). The valid lifetime must be greater then or equal to the preferred lifetime.  When the valid lifetime expires, the address becomes invalid. When an address becomes invalid it is not assigned to any interface. The valid lifetime must be greater then or equal to the preferred lifetime. Source: RFC 2462
  • Under Preferred Lifetime (minutes), enter the preferred lifetime of the IPv6 address leased by this scope. The minimum value is 0 and maximum is 71582789. The default is 2160.  Preferred lifetime is the length of time that a valid address is preferred (i.e., the time until deprecation). When the preferred lifetime expires, the address becomes deprecated. An address assigned to an interface whose use is discouraged, but not forbidden.  A deprecated address should no longer be used as a source address in new communications, but packets sent from or to deprecated addresses are delivered as expected.
• Click on OK to save. Source: RFC 2462

IPv6 hosts will automatically be assigned the static addresses. If not, release and renew the interface to obtain the address.

Related Articles

• How to enable and configure NTP?
• Cannot edit App Control Signatures, "Error: property 'value' can't be empty value"
• SSL-VPN 2FA: How to unbind TOTP for a single user or multiple users

Categories

• Firewalls > TZ Series
• Firewalls > SonicWall SuperMassive E10000 Series
• Firewalls > SonicWall SuperMassive 9000 Series
• Firewalls > SonicWall NSA Series