
Thursday, 6 July 2023

Understanding and Configuration of VRF-Lite in Cisco IOS

Introduction

Virtual Routing and Forwarding instances (VRFs) segregate traffic at Layer 3, much as VLANs segregate traffic at Layer 2. Each VRF is a virtual router inside the device with its own routing table (RIB) and forwarding table (FIB), independent of the global routing table. Traffic is segmented in both the data plane and the control plane according to the physical or logical interface assigned to the VRF; in that sense a VRF is to a router what a virtual machine is to a physical host. A VRF is locally significant: it exists only on the device where it is configured, and a VRF of the same name on a neighbouring device is a separate configuration item that has to be stitched to it link by link. VRFs let network paths be segmented without buying multiple physical routers. VRF-Lite is the use of VRFs without any MPLS configuration.

When VRFs span several routers, each VRF needs its own path between them. If a single physical link has to carry traffic for several VRFs, or for one VRF plus the global table, it is configured as an 802.1Q trunk on a Layer 2 switch or split into 802.1Q sub-interfaces on a router, with one VLAN tag per VRF, and each sub-interface is assigned to the VRF whose traffic it carries. The VLAN tag is the only thing keeping the VRFs apart on the shared wire, so the tag-to-VRF mapping must agree at both ends of the link.

By default a router has a single VRF instance, the global VRF: every interface, the global routing table and the forwarding table belong to it. One or more additional VRF instances can be configured and are identified by their configured names; interfaces or sub-interfaces are then assigned to them. IP addresses configured on interfaces in different VRFs may overlap, and none of them appears in the global routing table. If a routing protocol is configured per VRF, each VRF runs its own SPF (OSPF) or DUAL (EIGRP) computation over its own topology.

VRFs segment traffic at Layer 3, but traffic can be deliberately leaked between VRFs when such connectivity is required. The options are:

  • Importing and exporting routes between the routing tables (BGP route targets).
  • Static routes that point from one VRF into another VRF or into the global table.
  • A physical cable (or a VLAN) connecting an interface in one VRF to an interface in another.

Every leak is a hole in the segmentation: document each one, limit it to the specific prefixes required, and pair it with an ACL if the leaked traffic has to be filtered.
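The first two leak methods as an added configuration example (not from the original post): a static leak between the FINANCE VRF and the global table, followed by a route-target leak between FINANCE and RESEARCH on the same router. The VRF names, RDs, FastEthernet4/0 and the 172.16.1.0/24 and 172.31.1.0/24 LANs follow the post; GigabitEthernet0/1, the 198.51.100.0/30 uplink, the ACL, prefix-list and route-map names are assumptions. The route-target leak needs no MPLS and no BGP neighbour, only a local BGP process with both VRF address families.

```cisco
! ---- 1. Static leak between the FINANCE VRF and the global table ----
! GigabitEthernet0/1 is an assumed global (non-VRF) uplink.
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
!
! The trailing "global" keyword makes IOS resolve the next hop in the
! global table instead of in FINANCE.
ip route vrf FINANCE 0.0.0.0 0.0.0.0 GigabitEthernet0/1 198.51.100.1 global
!
! Return path: a global static route whose exit interface lives in FINANCE.
! For a connected VRF prefix the interface alone is enough; for a prefix
! behind a FINANCE next hop, append the next-hop address after the interface.
ip route 172.16.1.0 255.255.255.0 FastEthernet4/0
!
! The global table can now reach the FINANCE LAN, so restrict what may
! enter through the leak. Applied inbound on the global uplink, the ACL
! only touches traffic aimed at the leaked prefix.
ip access-list extended GLOBAL-TO-FINANCE
 permit tcp any 172.16.1.0 0.0.0.255 eq 443
 deny   ip any 172.16.1.0 0.0.0.255 log
 permit ip any any
interface GigabitEthernet0/1
 ip access-group GLOBAL-TO-FINANCE in
!
! ---- 2. Route-target leak between two VRFs on the same router ----
! Only the LAN prefixes are exported; the /30 transit links stay private.
ip prefix-list LEAK-LANS seq 10 permit 172.16.1.0/24
ip prefix-list LEAK-LANS seq 20 permit 172.31.1.0/24
route-map LEAK-LANS-ONLY permit 10
 match ip address prefix-list LEAK-LANS
!
! Each VRF exports its own route target and imports the other's.
ip vrf FINANCE
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:200
ip vrf RESEARCH
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:100
!
! A local BGP process does the copying between the tables.
router bgp 65000
 address-family ipv4 vrf FINANCE
  redistribute connected route-map LEAK-LANS-ONLY
 exit-address-family
 address-family ipv4 vrf RESEARCH
  redistribute connected route-map LEAK-LANS-ONLY
 exit-address-family
!
! Verify: RESEARCH should now hold 172.16.1.0/24 as a BGP route and
! FINANCE should hold 172.31.1.0/24; nothing else should have crossed.
!   show ip route vrf RESEARCH bgp
!   show ip route vrf FINANCE bgp
!   show bgp vpnv4 unicast all
```

The route-map on the redistribute statements is the part that is usually forgotten: without it every connected prefix in the VRF, transit links included, is offered to the other table, and the leak grows silently each time an interface is added to the VRF.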

The minimum VRF configuration, VRFs with no MPLS at all, is called VRF-Lite. Its purpose is to give each segment its own control plane (and with it its own forwarding table) without the overhead of an MPLS VPN.

The number of VRFs on a single device should be limited to a small number as each VRF instance consumes local resources.

Business Use Cases of VRF

  • ISPs use VRFs to keep IP routing tables of customers logically separate to create separate VPNs for each customer when layer 3 end-to-end connectivity is provided; thus the technology is also referred to as VPN routing and forwarding.
  • Network segmentation for different applications, departments
  • Security concerns
  • Corporate mergers
  • Data Centre access

VRF-Aware Routing

To support dynamic routing in VRFs, the routing protocols in use should be VRF aware. Static routes support VRF. VRF-aware dynamic routing protocols include: RIP, EIGRP, OSPF, IS-IS, MP-BGP. Policy routing is also VRF-aware.

Configuration

Step 1: Specify Locally Significant VRF Name

VRFs can be configured in one of two ways:

  • ip vrf <vrf-name>: This global configuration command supports only IPv4 VRFs.

    R2(config)#ip vrf RESEARCH
    R2(config)#ip vrf FINANCE
    R2(config-vrf)#description Finance VRF

  • vrf definition <vrf-name>: This global configuration command supports both IPv4 and IPv6 VRFs and is the recommended form. A VRF defined this way carries no traffic until an address family is enabled under it with the VRF mode command address-family ipv4 (and/or address-family ipv6), so add that explicitly after defining the name.

    R3(config)#vrf definition RESEARCH
    R3(config-vrf)#description Research and Development Department VRF
    R3(config-vrf)#address-family ipv4
    R3(config-vrf-af)#exit
    R3(config-vrf)#exit
    R3(config)#vrf definition FINANCE
    R3(config-vrf)#description Finance Department VRF
    R3(config-vrf)#address-family ipv4

Cisco IOS can convert VRFs created with ip vrf <vrf-name> to the multi-address-family format so that they support IPv6 as well. In global configuration mode issue vrf upgrade-cli multi-af-mode common-policies [vrf <vrf-name>]. Without the optional vrf keyword every VRF on the device is converted; with it, only the named VRF is. The keyword common-policies copies the parameters already configured for IPv4, such as the route distinguisher and route targets, to the IPv6 address family. The conversion removes any IPv6 addresses configured on interfaces assigned to the affected VRFs, so plan to re-add them. Afterwards the running configuration shows the VRF in the vrf definition <vrf-name> format.

The VRF description can be added to provide helpful information on the purpose of the VRF. It can be added using the VRF mode command description <description>.

CAUTION:

  • If deleting a VRF using the command no ip vrf <vrf-name> the IPv4 addresses configured on the interfaces assigned to that VRF will be removed.
  • VRF names are case sensitive. It is recommended to use all upper case letters for VRF names.

In VRF-Lite there is no need to configure a route target (RT) or a route distinguisher (RD). The exception is a VRF in which BGP is used: on many IOS releases BGP refuses to enable the VRF address family until an RD exists (see Step 3).

Step 2: Apply VRF to the Interface

Interfaces, physical or logical, can belong to only one VRF at a time. Interfaces assigned to the VRF belong to that VRF's routing table instance. Interfaces not in a VRF are in the global or default VRF. Interfaces are assigned to VRFs depending on the way the VRF was created using one of the following interface mode commands:

  • ip vrf forwarding <vrf-name>: This command is used when the VRF was created using the global configuration command ip vrf <name>.

    R1(config)#interface gigabitethernet1/0
    R1(config-if)#ip vrf forwarding FINANCE

  • vrf forwarding <vrf-name>: This command is used when the VRF was created using the global configuration command vrf definition <vrf-name>.

    R3(config)#interface gigabitethernet3/0
    R3(config-if)#vrf forwarding FINANCE

Caution: assigning an interface to a VRF removes any IP address already configured on it. Check the interface configuration before assigning it, and in a scripted or pasted configuration always place the vrf forwarding line before the ip address line.

Step 3: Routing with the VRF

VRF-aware Static Route

To configure a static route for a VRF, run the global configuration command: ip route vrf <vrf-name> <network> <mask> <next-hop>

R1(config)#ip route vrf FINANCE 172.17.1.0 255.255.255.0 10.20.13.2

VRF-Aware Dynamic Routing

The following routing protocols are VRF-aware: EIGRP, IS-IS, OSPF, BGP, RIP.

EIGRP

EIGRP is VRF-aware in both classic and named mode. The configuration of VRF routing for classic and named mode is similar.

EIGRP Named Mode

router eigrp EIGRP_NAMED
address-family ipv4 vrf <vrf-name> autonomous-system <id>

R2(config)#router eigrp EIGRP_NAMED
R2(config-router)#address-family ipv4 unicast vrf FINANCE autonomous-system 1

EIGRP Classic Mode

R2(config)#router eigrp 1
R2(config-router)#address-family ipv4 vrf FINANCE autonomous-system 1
R2(config-router-af)#network 10.20.12.0 0.0.0.3

OSPF

router ospf <process-id> vrf <vrf-name>

R2(config)#router ospf 1 vrf RESEARCH
R2(config-router)#capability vrf-lite

When OSPF runs inside a VRF, IOS assumes the router is an MPLS VPN provider edge (PE) router: the VRF OSPF process treats MP-BGP as an OSPF superbackbone, behaves as an ABR, and applies the PE checks (DN bit and domain tag) that stop routes redistributed from BGP from looping back into OSPF. A VRF-Lite router is not a PE and has no superbackbone, and those checks can make it ignore legitimate inter-area and external routes from other VRF-Lite routers. The command capability vrf-lite disables the PE-specific checks and should be configured on every VRF OSPF process in a VRF-Lite deployment.

BGP

Service providers use BGP with VRFs extensively to keep customer routes apart. To use a VRF inside BGP, the VRF needs a route distinguisher (RD), configured with the VRF configuration mode command rd <ASN:nn> or rd <ip-address:nn>. The RD is an 8-byte value prepended to each IPv4 prefix to form a VPNv4 prefix; this is how BGP keeps a route from one VRF distinct from a route in another even when the IPv4 prefix and prefix length are identical. The RD only makes prefixes unique; it does not decide which VRF imports a route (that is the job of the route target). On many IOS versions the RD must exist before the VRF address family can be enabled in BGP; otherwise the following error is displayed:

R2(config)#router bgp 65000
R2(config-router)#bgp router-id 2.2.2.2
R2(config-router)#address-family ipv4 unicast vrf FINANCE
% VRF FINANCE does not have an RD configured.

Some newer releases accept the address family without an RD; if the error appears, configure one and repeat the command.

If VRFs X and Y both contain the overlapping prefix 10.0.0.0/24, and X has RD 1:1 while Y has RD 2:2, BGP carries them as the distinct VPNv4 prefixes 1:1:10.0.0.0/24 and 2:2:10.0.0.0/24. To MP-BGP these are two separate routes.

R2(config)#ip vrf FINANCE
R2(config-vrf)#rd 65000:100
R2(config-vrf)#exit
R2(config)#router bgp 65000
R2(config-router)#bgp router-id 2.2.2.2
R2(config-router)#address-family ipv4 unicast vrf FINANCE
R2(config-router-af)#neighbor 10.20.13.2 remote-as 65001
R2(config-router-af)#neighbor 10.20.13.2 ebgp-multihop 2
R2(config-router-af)#neighbor 10.20.13.2 activate
R2(config-router-af)#exit-address-family

The neighbour is two hops away inside the VRF (10.20.13.0/30 is learned through EIGRP via 10.20.12.1), hence ebgp-multihop 2. No vpnv4 address family and no MPLS are needed for VRF-Lite; the show bgp vpnv4 commands used later still display the VRF tables.

On the remote router (R3):

R3(config)#vrf definition FINANCE
R3(config-vrf)#rd 65001:200
R3(config-vrf)#address-family ipv4
R3(config-vrf-af)#exit-address-family
R3(config-vrf)#exit
R3(config)#router bgp 65001
R3(config-router)#bgp router-id 3.3.3.3
R3(config-router)#address-family ipv4 unicast vrf FINANCE
R3(config-router-af)#neighbor 10.20.12.2 remote-as 65000
R3(config-router-af)#neighbor 10.20.12.2 ebgp-multihop 2
R3(config-router-af)#neighbor 10.20.12.2 activate
R3(config-router-af)#network 10.3.10.0 mask 255.255.255.0
R3(config-router-af)#exit-address-family

Because the session runs in the IPv4 address family of the VRF rather than in VPNv4, the RDs (65000:100 and 65001:200) do not have to match at the two ends.
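Steps 1 to 3 brought together in one configuration, added here as an example and not taken from the post: R2 and its neighbour R1 share a single physical link that carries RESEARCH in VLAN 10, FINANCE in VLAN 20 and the global table untagged. RESEARCH runs OSPF with capability vrf-lite and FINANCE runs named-mode EIGRP, matching the protocols the post's show output attributes to each VRF; R2 uses the vrf definition form and R1 the older ip vrf form so that both appear. The VRF names, the 10.10.12.0/30 and 10.20.12.0/30 transit links, the 172.16.1.0/24 and 172.31.1.0/24 LANs, the OSPF router ID and the EIGRP process name follow the post; the 10.0.12.0/30 untagged global link and R1's interface names are assumptions.

```cisco
!==== R2 ==================================================================
vrf definition RESEARCH
 description Research and Development Department VRF
 address-family ipv4
 exit-address-family
!
vrf definition FINANCE
 description Finance Department VRF
 address-family ipv4
 exit-address-family
!
! Physical link to R1. Untagged frames stay in the global table.
interface GigabitEthernet0/0
 ip address 10.0.12.2 255.255.255.252
 no shutdown
!
! One 802.1Q sub-interface per VRF. "vrf forwarding" must come before the
! address, otherwise the address is wiped when the VRF is applied.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding RESEARCH
 ip address 10.10.12.2 255.255.255.252
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 vrf forwarding FINANCE
 ip address 10.20.12.2 255.255.255.252
!
interface GigabitEthernet1/0
 vrf forwarding RESEARCH
 ip address 172.31.1.1 255.255.255.0
!
interface FastEthernet4/0
 vrf forwarding FINANCE
 ip address 172.16.1.10 255.255.255.0
!
router ospf 1 vrf RESEARCH
 capability vrf-lite
 router-id 172.31.1.1
 network 10.10.12.0 0.0.0.3 area 0
 network 172.31.1.0 0.0.0.255 area 0
!
router eigrp EIGRP_NAMED
 address-family ipv4 unicast vrf FINANCE autonomous-system 1
  network 10.20.12.0 0.0.0.3
  network 172.16.1.0 0.0.0.255
 exit-address-family
!
!==== R1 (other end of the shared link; R1 interface names assumed) =======
ip vrf RESEARCH
ip vrf FINANCE
!
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.252
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding RESEARCH
 ip address 10.10.12.1 255.255.255.252
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding FINANCE
 ip address 10.20.12.1 255.255.255.252
!
router ospf 1 vrf RESEARCH
 capability vrf-lite
 network 10.10.12.0 0.0.0.3 area 0
router eigrp EIGRP_NAMED
 address-family ipv4 unicast vrf FINANCE autonomous-system 1
  network 10.20.12.0 0.0.0.3
 exit-address-family
!
!==== Checks from R2 ======================================================
! Positive: inside each VRF the neighbour answers.
!   ping vrf RESEARCH 10.10.12.1
!   ping vrf FINANCE 10.20.12.1
! Negative: the same addresses must be unreachable from the global table
! and from the other VRF (expect "....." and no matching route).
!   ping 10.10.12.1
!   ping vrf FINANCE 10.10.12.1
!   show ip route vrf FINANCE 10.10.12.0
```

The negative checks at the end matter as much as the positive ones: a VRF-Lite design is only as good as the absence of paths between tables, so after every change confirm that addresses in one VRF cannot be reached from the global table or from the other VRF.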

Verification

Verification and testing commands operate on the global routing table unless the VRF is named explicitly, so a ping or show command that appears to fail is often just being run in the wrong table. Include the VRF name in every command (OSPF is the exception, see below).

show ip route vrf <vrf-name>

To view the IP routing table of a specific VRF.

R2#show ip route vrf RESEARCH

Routing Table: RESEARCH
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
C        10.2.14.0/24 is directly connected, Loopback14
L        10.2.14.1/32 is directly connected, Loopback14
C        10.2.15.0/24 is directly connected, Loopback15
L        10.2.15.1/32 is directly connected, Loopback15
B        10.3.14.0/24 [20/0] via 10.10.13.2, 00:43:49
B        10.3.15.0/24 [20/0] via 10.10.13.2, 00:44:17
B        10.3.16.0/24 [20/0] via 10.10.13.2, 00:44:09
C        10.10.12.0/30 is directly connected, GigabitEthernet0/0.10
L        10.10.12.2/32 is directly connected, GigabitEthernet0/0.10
O        10.10.13.0/30 [110/2] via 10.10.12.1, 01:17:12, GigabitEthernet0/0.10
      172.30.0.0/24 is subnetted, 1 subnets
O        172.30.0.0 [110/3] via 10.10.12.1, 01:17:12, GigabitEthernet0/0.10
      172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.31.1.0/24 is directly connected, GigabitEthernet1/0
L        172.31.1.1/32 is directly connected, GigabitEthernet1/0
R2#

ping vrf <vrf-name>

Check reachability of remote networks.

R2#ping vrf RESEARCH 10.2.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.14.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
R2#

show run vrf <vrf-name>

To view every configuration line associated with a specific VRF: the VRF definition, its member interfaces and the routing-protocol address families bound to it.

R2#show run vrf FINANCE
Building configuration...

Current configuration : 715 bytes
ip vrf FINANCE
 description Finance VRF
 rd 65000:100
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding FINANCE
 ip address 10.20.12.2 255.255.255.252
!
interface FastEthernet4/0
 ip vrf forwarding FINANCE
 ip address 172.16.1.10 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
!
address-family ipv4 vrf FINANCE autonomous-system 1
  network 10.20.12.0 0.0.0.3
 exit-address-family
!
router bgp 65000
 !
 address-family ipv4 vrf FINANCE
  neighbor 10.20.13.2 remote-as 65001
  neighbor 10.20.13.2 ebgp-multihop 2
  neighbor 10.20.13.2 activate
 exit-address-family
!
end

show ip vrf

To view configured VRFs.

R2#show ip vrf
  Name                             Default RD          Interfaces
  FINANCE                          65000:100           Gi0/0.20
                                                       Fa4/0
  RESEARCH                         65000:200           Gi0/0.10
                                                     Gi1/0
                                                     Lo14
                                                     Lo15

show ip route vrf *

To view the IP routing table for all VRFs at once.

R2#show ip route vrf *
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set


Routing Table: FINANCE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
B        10.3.10.0/24 [20/0] via 10.20.13.2, 04:25:16
B        10.3.11.0/24 [20/0] via 10.20.13.2, 02:22:08
B        10.3.12.0/24 [20/0] via 10.20.13.2, 02:21:21
B        10.3.13.0/24 [20/0] via 10.20.13.2, 01:45:26
C        10.20.12.0/30 is directly connected, GigabitEthernet0/0.20
L        10.20.12.2/32 is directly connected, GigabitEthernet0/0.20
D        10.20.13.0/30
           [90/3072] via 10.20.12.1, 05:28:49, GigabitEthernet0/0.20
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.1.0/24 is directly connected, FastEthernet4/0
L        172.16.1.10/32 is directly connected, FastEthernet4/0
D        172.16.2.0/24
           [90/28672] via 10.20.12.1, 05:28:49, GigabitEthernet0/0.20

Routing Table: RESEARCH
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
C        10.2.14.0/24 is directly connected, Loopback14
L        10.2.14.1/32 is directly connected, Loopback14
C        10.2.15.0/24 is directly connected, Loopback15
L        10.2.15.1/32 is directly connected, Loopback15
B        10.3.14.0/24 [20/0] via 10.10.13.2, 01:24:15
B        10.3.15.0/24 [20/0] via 10.10.13.2, 01:24:43
B        10.3.16.0/24 [20/0] via 10.10.13.2, 01:24:35
C        10.10.12.0/30 is directly connected, GigabitEthernet0/0.10
L        10.10.12.2/32 is directly connected, GigabitEthernet0/0.10
O        10.10.13.0/30 [110/2] via 10.10.12.1, 01:57:38, GigabitEthernet0/0.10
      172.30.0.0/24 is subnetted, 1 subnets
O        172.30.0.0 [110/3] via 10.10.12.1, 01:57:38, GigabitEthernet0/0.10
      172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.31.1.0/24 is directly connected, GigabitEthernet1/0
L        172.31.1.1/32 is directly connected, GigabitEthernet1/0
R2#

show ip vrf interfaces <vrf-name>

Lists the interfaces assigned to the specified VRF, with their addresses and state.

show ip protocols vrf <vrf-name>

View dynamic protocols running in a VRF.

R2#show ip protocols vrf FINANCE
*** IP Routing is NSF aware ***

Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP-IPv4 Protocol for AS(1) VRF(FINANCE)
    Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
    NSF-aware route hold timer is 240
    Router-ID: 172.16.1.10
    Topology : 0 (base)
      Active Timer: 3 min
      Distance: internal 90 external 170
      Maximum path: 4
      Maximum hopcount 100
      Maximum metric variance 1
      Total Prefix Count: 3
      Total Redist Count: 0

  Automatic Summarization: disabled        
  Maximum path: 4                          
  Routing for Networks:                    
    10.20.12.0/30                          
  Routing Information Sources:            
    Gateway         Distance      Last Update
    10.20.12.1            90      04:45:54
  Distance: internal 90 external 170      
                                          
Routing Protocol is "bgp 65000"            
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  IGP synchronization is disabled          
  Automatic route summarization is disabled
  Neighbor(s):                            
    Address          FiltIn FiltOut DistIn DistOut Weight RouteMap
    10.20.13.2                            
  Maximum path: 1                          
  Routing Information Sources:            
    Gateway         Distance      Last Update
    10.20.13.2            20      01:02:31
  Distance: external 20 internal 200 local 200

R2#

EIGRP

show ip eigrp vrf <vrf-name> topology

R2#show ip eigrp vrf FINANCE topology
EIGRP-IPv4 Topology Table for AS(1)/ID(172.16.1.10) VRF(FINANCE)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
              
P 10.20.12.0/30, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0.20
P 172.16.2.0/24, 1 successors, FD is 28672
        via 10.20.12.1 (28672/28416), GigabitEthernet0/0.20
P 10.20.13.0/30, 1 successors, FD is 3072
        via 10.20.12.1 (3072/2816), GigabitEthernet0/0.20

show ip eigrp vrf <vrf-name> neighbors

R2#show ip eigrp vrf FINANCE neighbors detail
EIGRP-IPv4 Neighbors for AS(1) VRF(FINANCE)                                      
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.20.12.1              Gi0/0.20                 12 04:34:57   17   102  0  7
   Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 2                          
   Topology-ids from peer - 0                                                    

show ip eigrp vrf <vrf-name> interfaces

Alternative command show eigrp address-family ipv4 vrf <vrf-name> interfaces

R2#show ip eigrp vrf FINANCE interface detail
EIGRP-IPv4 Interfaces for AS(1) VRF(FINANCE)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/0.20                 1        0/0       0/0          17       0/0           64           0  
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial
  Packetized sent/expedited: 1/0
  Hello's sent/expedited: 3579/2                  
  Un/reliable mcasts: 0/1  Un/reliable ucasts: 1/1
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 1
  Topology-ids on interface - 0
  Authentication mode is not set
R2#

BGP

show bgp vpnv4 unicast all

To view the BGP prefixes of every VRF, grouped by route distinguisher. This works in VRF-Lite even though no VPNv4 address family or MPLS is configured, because VRF routes are stored in the VPNv4 table with their RD prepended.

R2(config-if)#do show bgp vpnv4 unicast all
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path  
Route Distinguisher: 65000:100 (default for vrf FINANCE)              
 *>  10.3.10.0/24     10.20.13.2               0             0 65001 i
 *>  10.3.11.0/24     10.20.13.2               0             0 65001 i
 *>  10.3.12.0/24     10.20.13.2               0             0 65001 i
 *>  10.3.13.0/24     10.20.13.2               0             0 65001 i
Route Distinguisher: 65000:200 (default for vrf RESEARCH)            
 *>  10.2.14.0/24     0.0.0.0                  0         32768 i      
 *>  10.2.15.0/24     0.0.0.0                  0         32768 i      
 *>  10.3.14.0/24     10.10.13.2               0             0 65001 i
 *>  10.3.15.0/24     10.10.13.2               0             0 65001 i
 *>  10.3.16.0/24     10.10.13.2               0             0 65001 i
R2(config-if)#

show bgp vpnv4 unicast vrf <vrf-name>

To view the BGP table of a specific VRF. Add summary at the end to see neighbour states and prefix counts instead of the routes.

R2(config-if)#do show bgp vpnv4 unicast vrf RESEARCH
BGP table version is 10, local router ID is 2.2.2.2                    
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,    
Origin codes: i - IGP, e - EGP, ? - incomplete                          
RPKI validation codes: V valid, I invalid, N Not found                  
                                                                        
     Network          Next Hop            Metric LocPrf Weight Path    
Route Distinguisher: 65000:200 (default for vrf RESEARCH)              
 *>  10.2.14.0/24     0.0.0.0                  0         32768 i        
 *>  10.2.15.0/24     0.0.0.0                  0         32768 i        
 *>  10.3.14.0/24     10.10.13.2               0             0 65001 i  
 *>  10.3.15.0/24     10.10.13.2               0             0 65001 i  
 *>  10.3.16.0/24     10.10.13.2               0             0 65001 i  

show bgp vpnv4 unicast vrf <vrf-name> neighbor

To view BGP neighbors formed in a specific VRF

R2#show bgp vpnv4 unicast vrf RESEARCH neighbor
BGP neighbor is 10.10.13.2, vrf RESEARCH, remote AS 65001, external link
  BGP version 4, remote router ID 3.3.3.3                          
  BGP state = Established, up for 00:36:27                        
  Last read 00:00:42, last write 00:00:27, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:                                              
    1 active, is not multisession capable (disabled)              
  Neighbor capabilities:                                          
    Route refresh: advertised and received(new)                    
    Four-octets ASN Capability: advertised and received            
    Address family IPv4 Unicast: advertised and received          
    Enhanced Refresh Capability: advertised and received          
    Multisession Capability:                                      
    Stateful switchover support enabled: NO for session 1          
  Message statistics:                                              
    InQ depth is 0                                                
    OutQ depth is 0                                                
                                                                  
                         Sent       Rcvd                          
    Opens:                  1          1                          
    Notifications:          0          0                          
    Updates:                3          4                          
    Keepalives:            40         41                          
    Route Refresh:          0          0                          
    Total:                 44         46                          
  Default minimum time between advertisement runs is 0 seconds    
                                                                  
For address family: VPNv4 Unicast                                
  Translates address family IPv4 Unicast for VRF RESEARCH          
  Session: 10.10.13.2                                              
  BGP table version 10, neighbor version 10/0                      
  Output queue size : 0                                            
  Index 2, Advertise bit 0                                        
  2 update-group member                                            
  Slow-peer detection is disabled                                  
  Slow-peer split-update-group dynamic is disabled                
                                 Sent       Rcvd                  
  Prefix activity:               ----       ----                  
    Prefixes Current:               2          3 (Consumes 192 bytes)
    Prefixes Total:                 2          3                  
    Implicit Withdraw:              0          0                  
    Explicit Withdraw:              0          0                  
    Used as bestpath:             n/a          3                  
    Used as multipath:            n/a          0                  
                                                                  
                                   Outbound    Inbound            
  Local Policy Denied Prefixes:    --------    -------            
    Bestpath from this peer:              3        n/a            
    Total:                                3          0            
  Number of NLRIs in the update sent: max 1, min 0                
  Last detected as dynamic slow peer: never                        
  Dynamic slow peer recovered: never                              
  Refresh Epoch: 1                                                
  Last Sent Refresh Start-of-rib: never                            
  Last Sent Refresh End-of-rib: never                              
  Last Received Refresh Start-of-rib: never                        
  Last Received Refresh End-of-rib: never                          
                                       Sent       Rcvd            
        Refresh activity:              ----       ----            
          Refresh Start-of-RIB          0          0              
          Refresh End-of-RIB            0          0              
                                                                  
  Address tracking is enabled, the RIB does have a route to 10.10.13.2
  Connections established 1; dropped 0                            
  Last reset never                                                
  External BGP neighbor may be up to 2 hops away.                  
  Transport(tcp) path-mtu-discovery is enabled                    
  Graceful-Restart is disabled                                    
Connection state is ESTAB, I/O status: 1, unread input bytes: 0    
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 2
Local host: 10.10.12.2, Local port: 179
Foreign host: 10.10.13.2, Foreign port: 17911
Connection tableid (VRF): 2
Maximum output segment queue size: 50

Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x124CFC4):      
Timer          Starts    Wakeups            Next
Retrans            43          0             0x0
TimeWait            0          0             0x0
AckHold            45         41             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 3387542972  snduna: 3387543921  sndnxt: 3387543921
irs: 2815833713  rcvnxt: 2815834735                
                                                  
sndwnd:  15436  scale:      0  maxrcvwnd:  16384  
rcvwnd:  15363  scale:      0  delrcvwnd:   1021  
                                                  
SRTT: 997 ms, RTTO: 1025 ms, RTV: 28 ms, KRTT: 0 ms
minRTT: 16 ms, maxRTT: 1000 ms, ACK hold: 200 ms  
Status Flags: passive open, gen tcbs              
Option Flags: VRF id set, nagle, path mtu capable  
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 90 (out of order: 0), with data: 46, total data bytes: 1021
Sent: 88 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 44, total data bytes: 948

 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0
TCP Semaphore      0x6AAD22B4  FREE

R2#

OSPF

OSPF show commands take the process ID rather than a VRF name, because each VRF uses its own OSPF process. show ip ospf with no arguments lists every process on the router, and the output names the VRF each process serves.

show ip ospf

Displays the operational state of the OSPF process, including the VRF it belongs to. The "Connected to MPLS VPN Superbackbone" and "area border router" lines are the PE behaviour described under capability vrf-lite above.

R2#show ip ospf
 Routing Process "ospf 1" with ID 172.31.1.1
   Domain ID type 0x0005, value 0.0.0.1
 Start time: 00:00:55.892, Time elapsed: 06:21:24.020
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Supports NSSA (compatible with RFC 3101)
 Connected to MPLS VPN Superbackbone, VRF RESEARCH
 Event-log disabled
 It is an area border router
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 0. Checksum Sum 0x000000
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
 IETF NSF helper support enabled
 Cisco NSF helper support enabled
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has no authentication
        SPF algorithm last executed 01:59:51.104 ago
        SPF algorithm executed 12 times
        Area ranges are
        Number of LSA 5. Checksum Sum 0x01F6CD
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Saturday, 13 May 2023

IPv6 Prefix Assignment

Introduction and Overview

The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) lets DHCPv6 servers pass configuration parameters such as IPv6 addresses to IPv6 nodes. It provides automatic allocation of reusable network addresses and additional configuration flexibility. DHCPv6 was defined by RFC 3315 (Dynamic Host Configuration Protocol for IPv6), since superseded by RFC 8415.

DHCPv6 Operating Modes

IOS devices can be configured to operate as:

  • Server: device that provides stateless or stateful DHCPv6 services.
  • Client: device that acquires IPv6 configuration from a DHCPv6 server.
  • Relay Agent: router provides DHCPv6 forwarding services when the client and the server are located on different networks.

Clients listen for DHCPv6 messages on UDP port 546. Servers and relay agents listen for DHCPv6 messages on UDP port 547.

Unique Identifiers

Each DHCPv6 client and server has exactly one DHCPv6 Unique Identifier (DUID) that uniquely identifies the device. The server DUID shown later in this post, 00030001CA0105CA0006, is a DUID-LL (type 3) built from an Ethernet (hardware type 1) MAC address, which is the form IOS uses by default; the DUID is stable across reboots, but it also reveals a MAC address to every server and relay the device talks to.

An Identity Association (IA) is a collection of addresses assigned to a client. Each client has at least one IA for each interface using DHCPv6. For each IA, the client chooses an Identity Association Identifier (IAID) that is unique among that client's IAs, so the IAID effectively names a specific interface on the client. The server tracks its bindings by the (DUID, IAID) pair rather than by MAC address, which is why a DHCPv6 binding table looks different from a DHCPv4 one.
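As an added example (not part of the original post), the following Python decodes a DUID blob into its fields so the identity a client presents can be inspected. The type numbers and layouts are those of RFC 8415 section 11; the hardware-type table only maps Ethernet, and the sample DUIDs are the server DUID from the show output later in this post plus a constructed DUID-LLT.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4      # RFC 8415 section 11
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time counts seconds from here
HARDWARE_TYPES = {1: "Ethernet"}                         # IANA ARP hardware type numbers (partial)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_duid(duid):
    """Decode a DUID into its fields; raises ValueError on truncated or unknown input."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    duid_type = struct.unpack("!H", duid[:2])[0]
    body = duid[2:]
    if duid_type == DUID_LLT:
        if len(body) < 6:
            raise ValueError("DUID-LLT truncated")
        hw_type, seconds = struct.unpack("!HI", body[:6])
        # The timestamp leaks when the client first generated its identity.
        return {"type": "DUID-LLT", "hw_type": HARDWARE_TYPES.get(hw_type, hw_type),
                "generated": DUID_EPOCH + timedelta(seconds=seconds),
                "link_layer": _mac(body[6:])}
    if duid_type == DUID_EN:
        if len(body) < 4:
            raise ValueError("DUID-EN truncated")
        return {"type": "DUID-EN", "enterprise": struct.unpack("!I", body[:4])[0],
                "identifier": body[4:].hex()}
    if duid_type == DUID_LL:
        if len(body) < 2:
            raise ValueError("DUID-LL truncated")
        hw_type = struct.unpack("!H", body[:2])[0]
        # This is the IOS default form: the MAC address is carried in the clear.
        return {"type": "DUID-LL", "hw_type": HARDWARE_TYPES.get(hw_type, hw_type),
                "link_layer": _mac(body[2:])}
    if duid_type == DUID_UUID:
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"type": "DUID-UUID", "uuid": body.hex()}
    raise ValueError(f"unknown DUID type {duid_type}")


if __name__ == "__main__":
    # Server DUID from the show ipv6 dhcp interface output in this post.
    print(parse_duid(bytes.fromhex("00030001CA0105CA0006")))
    # Constructed DUID-LLT: Ethernet, 86400 s after the epoch, same MAC.
    print(parse_duid(bytes.fromhex("00010001" "00015180" "CA0105CA0006")))
```

Nothing in DHCPv6 authenticates the DUID: a client can present any value, so a server that ties leases or access policy to DUIDs is relying on an identifier that costs an attacker nothing to forge.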

IPv6 Global Unicast Address Assignment

IPv6 global unicast addresses (GUA) are assigned to host devices using one of three methods:

  1. Stateless Address Autoconfiguration(SLAAC)
  2. SLAAC with DHCPv6 (Stateless DHCPv6)
  3. Stateful DHCPv6

The method used to receive IPv6 network configuration parameters is dictated by the router advertisement(RA) messages sent by the local router. The RA messages contain flags that guide the host devices on how their IPv6 prefix, prefix-length, DNS servers, domain-name can be obtained.

Message Flags

How a client obtains an IPv6 GUA depends on flag settings carried in the RA. The M and O flags sit in the RA header; the A flag sits in each Prefix Information option (PIO) that the RA carries, so it is set per advertised prefix. The three flags are:

  1. A-flag (Autonomous address configuration): tells the host that it may use SLAAC to build a GUA from this prefix. The host takes the prefix and prefix length from the RA. IOS routers set A=1 by default on every prefix they advertise.
  2. O-flag (Other configuration): tells the host that configuration other than addresses (DNS server addresses, domain name) is available from a stateless DHCPv6 server. Combined with A=1, the host builds its address from the RA and fetches the remaining parameters from DHCPv6; this is stateless DHCPv6, i.e., SLAAC plus DHCPv6.
  3. M-flag (Managed address configuration): tells the host to obtain its GUA and all other network configuration parameters from a stateful DHCPv6 server. This implements stateful DHCPv6.

Using different combinations of the A, O, and M flags, RA messages inform the host about the dynamic options available. The following table summarizes the RA advertisement flag options for the different methods of dynamic IPv6 address assignment:

  RA Address Allocation Method   A (Address Autoconfiguration)   O (Other)                 M (Managed)
  SLAAC (default)                1                               0                         0
  SLAAC with Stateless DHCPv6    1                               1                         0
  Stateful DHCPv6                0                               0 (ignored if set to 1)   1

Stateful DHCPv6

With stateful DHCPv6, a DHCPv6 server manages the assignment of IPv6 network configuration parameters. The M-flag in the router's RA message informs hosts to contact a DHCPv6 server or DHCPv6-enabled router for all configuration information except the default gateway address, which they learn from the RA itself (the link-local source address of the RA). Although host operating systems normally follow the suggestion of the RA, the actual decision is ultimately up to the host. Because the DHCPv6 server is stateful, it maintains a list of IPv6 address bindings.

Most environments that implement stateful DHCPv6 have an addressing need or policy where devices obtain their address only from the stateful DHCPv6 server. This makes it easier to manage and track IPv6 addresses on the network.

ICMPv6 RA messages are sent periodically by an IPv6 router (every 200 seconds by default on IOS) or when the router receives a router solicitation message from a host device. When a host receives an RA message with the M-flag set, it sends a DHCPv6 SOLICIT message seeking its address and additional information from a stateful DHCPv6 server.

Stateful DHCPv6 does not require SLAAC while stateless DHCPv6 does. When an RA M-flag is set(to the value 1) indicating the use of stateful DHCPv6:

  • The host sends an RS message.
  • The router responds with an RA message.
  • The host sends a DHCPv6 SOLICIT message.
  • The DHCPv6 server responds with an ADVERTISE message.
  • The host responds to the DHCPv6 server with a REQUEST message.
  • The DHCPv6 server sends a REPLY message.
Note: Server to client DHCPv6 messages use UDP destination port 546 while client to server DHCPv6 messages use destination port UDP 547.

The RA message contains the following information:

  • IPv6 GUA network prefix and prefix length
  • A flag set to 0 informing the host to contact a DHCPv6 server.
  • O flag set to 0 informing the host to contact a DHCPv6 server.
  • M flag set to 1.

Stateful DHCPv6 RA Message

The RA message sent by a router running a stateful DHCPv6 server includes:

  • Destination IPv6 address: FF02::1(All IPv6 devices multicast)
  • Source IPv6 address: link-local address on interface
  • Prefix: prefix e.g., 2001:db8:cafe:2::
  • Prefix-length: /64
  • Managed-config-flag: 1
  • Autonomous address flag: 0

DHCPv6 GUA Assignment Sequence

The DHCPv6 address assignment process is similar to that of DHCP for IPv4, which uses DORA (Discover, Offer, Request, Acknowledge) to assign IPv4 network configuration parameters. With DHCPv6, the sequence consists of four stages: SOLICIT, ADVERTISE, REQUEST, REPLY (SARR). Before this starts, the client learns from the RA (sent to the all-nodes multicast address FF02::1, periodically or in reply to the client's RS) that it must use DHCPv6:

  1. SOLICIT: the client sends a SOLICIT message to the link-scoped multicast address FF02::1:2 (all DHCPv6 relay agents and servers) requesting network configuration parameters.
  2. ADVERTISE: the server responds to the SOLICIT message with an ADVERTISE message containing the IPv6 configuration information it can offer.
  3. REQUEST or INFORMATION-REQUEST: a REQUEST message is sent by clients using stateful DHCPv6 to accept the offer from a specific server. An INFORMATION-REQUEST message is sent by clients using stateless DHCPv6, which need only the other configuration parameters and no address, so stateless clients skip SOLICIT and ADVERTISE altogether.
  4. REPLY: the DHCPv6 server confirms the IPv6 network configuration parameters issued to the client.

The client can request a renewal of IPv6 network configuration parameters by sending a RENEW DHCPv6 message to the server. The DHCPv6 server sends a REPLY message confirming the renewal of the IPv6 address and other network configuration parameters.

Rapid Commit

The rapid-commit option uses two DHCPv6 messages instead of four. The client still sends the initial SOLICIT, but with the Rapid Commit option set, which tells the server that it wants to shorten the exchange from four messages to two: the server answers the SOLICIT directly with a REPLY (also carrying the Rapid Commit option) that commits the assignment. The server only honours the option when rapid commit is enabled on the interface connecting to the clients, using the interface configuration command ipv6 dhcp server <dhcpv6-pool> rapid-commit; otherwise it answers with a normal ADVERTISE and the full four-message exchange follows.
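As an added example (not part of the original post), the following Python encodes real DHCPv6 message bytes (message type, 3-byte transaction ID, TLV options) and runs both exchanges against a toy stateful server: the four-message SARR sequence above, the two-message rapid-commit variant, and the fallback to four messages when the client asks for rapid commit but the server has it disabled. The server's binding table is keyed by (DUID, IAID) as described earlier. The server pool and the DUIDs are constructed values; the server DUID is the one from the show output later in this post.

```python
import ipaddress
import struct

# Message types and option codes (RFC 8415, same numbering as RFC 3315).
SOLICIT, ADVERTISE, REQUEST, RENEW, REPLY, INFO_REQUEST = 1, 2, 3, 5, 7, 11
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_RAPID_COMMIT = 1, 2, 3, 5, 14
NAMES = {SOLICIT: "SOLICIT", ADVERTISE: "ADVERTISE", REQUEST: "REQUEST", REPLY: "REPLY"}
PREFERRED, VALID = 604800, 2592000                 # 7 and 30 days, matching the RA defaults


def encode(msg_type, xid, options):
    """msg-type (1 byte) + transaction-id (3 bytes) + TLV options (2-byte code, 2-byte length)."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body


def decode(pkt):
    if len(pkt) < 4:
        raise ValueError("truncated DHCPv6 header")
    options, off = [], 4
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        data = pkt[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("option length runs past end of message")
        options.append((code, data))
        off += 4 + length
    return pkt[0], int.from_bytes(pkt[1:4], "big"), options


def ia_na(iaid, addr=None):
    """IA_NA option body (IAID, T1, T2), optionally with a nested IAADDR sub-option."""
    data = struct.pack("!III", iaid, 0, 0)
    if addr is not None:
        data += struct.pack("!HH", OPT_IAADDR, 24) + ipaddress.IPv6Address(addr).packed
        data += struct.pack("!II", PREFERRED, VALID)
    return data


def ia_na_address(data):
    """Extract the address from an IA_NA option, or None if it carries no IAADDR."""
    off = 12
    while off + 4 <= len(data):
        code, length = struct.unpack("!HH", data[off:off + 4])
        if code == OPT_IAADDR:
            return str(ipaddress.IPv6Address(data[off + 4:off + 20]))
        off += 4 + length
    return None


class StatefulServer:
    """Allocates sequential addresses from one /64 and keeps one binding per (DUID, IAID)."""

    def __init__(self, duid, pool, rapid_commit=False):
        self.duid, self.rapid_commit = duid, rapid_commit
        self.next_host = int(ipaddress.IPv6Network(pool).network_address) + 1
        self.bindings = {}

    def _address_for(self, client, iaid, commit):
        key = (client, iaid)
        if key in self.bindings:
            return self.bindings[key]                       # RENEW or repeat REQUEST: same lease
        addr = str(ipaddress.IPv6Address(self.next_host))
        if commit:                                          # state is recorded only on commit
            self.bindings[key], self.next_host = addr, self.next_host + 1
        return addr

    def handle(self, pkt):
        msg_type, xid, opts = decode(pkt)
        if msg_type not in (SOLICIT, REQUEST, RENEW, INFO_REQUEST):
            raise ValueError(f"unexpected message type {msg_type}")
        o = dict(opts)
        client = o[OPT_CLIENTID]
        reply = [(OPT_SERVERID, self.duid), (OPT_CLIENTID, client)]
        if msg_type == INFO_REQUEST:
            return encode(REPLY, xid, reply)                # stateless: no binding created
        iaid = struct.unpack("!I", o[OPT_IA_NA][:4])[0]
        if msg_type == SOLICIT and not (self.rapid_commit and OPT_RAPID_COMMIT in o):
            addr = self._address_for(client, iaid, commit=False)
            return encode(ADVERTISE, xid, reply + [(OPT_IA_NA, ia_na(iaid, addr))])
        if msg_type in (REQUEST, RENEW) and o.get(OPT_SERVERID) != self.duid:
            return None                                     # the client chose another server
        addr = self._address_for(client, iaid, commit=True)
        if msg_type == SOLICIT:
            reply.append((OPT_RAPID_COMMIT, b""))           # two-message exchange
        return encode(REPLY, xid, reply + [(OPT_IA_NA, ia_na(iaid, addr))])


def run_client(server, client_duid, iaid, rapid_commit=False, xid=0xABCDE):
    """Client side of the exchange; returns (assigned address, message names in order)."""
    opts = [(OPT_CLIENTID, client_duid), (OPT_IA_NA, ia_na(iaid))]
    if rapid_commit:
        opts.append((OPT_RAPID_COMMIT, b""))
    trace = ["SOLICIT"]
    msg_type, _, answer = decode(server.handle(encode(SOLICIT, xid, opts)))
    trace.append(NAMES[msg_type])
    o = dict(answer)
    if msg_type == ADVERTISE:                               # four-message path: pick the server
        request = [(OPT_CLIENTID, client_duid), (OPT_SERVERID, o[OPT_SERVERID]),
                   (OPT_IA_NA, o[OPT_IA_NA])]
        trace.append("REQUEST")
        msg_type, _, answer = decode(server.handle(encode(REQUEST, xid, request)))
        trace.append(NAMES[msg_type])
        o = dict(answer)
    return ia_na_address(o[OPT_IA_NA]), trace
```

The REQUEST echoes the chosen server's Server Identifier option, which is how a server on a link with several DHCPv6 servers knows whether the client picked it; a server that sees another server's DUID in a REQUEST stays silent (handle() returns None).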

Configuration of Stateful DHCPv6

Server

The stateful DHCPv6 server option requires that the IPv6 enabled router tells the host to contact a DHCPv6 server to obtain all necessary IPv6 network addressing information. There are five steps to configure and verify a router as a stateful DHCPv6 server:

  1. Enable IPv6 routing: using the ipv6 unicast-routing command.
  2. Define a DHCPv6 pool: using ipv6 dhcp pool <pool-name> command.
  3. Configure the DHCPv6 pool with options: common options include:
    • address prefix 2001:db8:acad:1::/64. This command is what causes this DHCPv6 GUA assignment to be stateful in nature.
    • domain-name EXAMPLE.COM
    • DNS server IP address
  4. Bind the interface to the pool: using ipv6 dhcp server <pool-name> interface config command.
    1. Manually change the M flag from 0 to 1 using the ipv6 nd managed-config-flag.
    2. Manually change the A flag from 1 to 0 using the ipv6 nd prefix default no-autoconfig interface command to inform the client to not use SLAAC to create GUA. The router will now respond to stateful DHCPv6 requests with the information contained in the pool.

    On the interface;
    ipv6 address fe80::1 link-local
    ipv6 address 2001:db8:acad:1::1/64
    ipv6 nd managed-config-flag
    ipv6 nd prefix default no-autoconfig
    ! or, for a single prefix: ipv6 nd prefix <prefix/length> no-autoconfig
    ipv6 dhcp server IPV6-STATEFUL

    With the M-flag set, the O-flag is ignored.

  5. Verify that the hosts have received IPv6 addressing information: using ipconfig /all command.

Client

Most hosts have IPv6 autoconfiguration enabled. If the client is an IOS device, it needs ipv6 unicast-routing enabled and an IPv6 link-local address to send and receive IPv6 messages. There are four steps to configure and verify a router as a stateful DHCPv6 client:

  1. Enable IPv6 routing: using ipv6 unicast-routing.
  2. Configure the client router to create an LLA: An IPv6 link-local address is created on a router interface when a global unicast address is configured, or without a GUA using the ipv6 enable interface configuration command. Cisco IOS uses EUI-64 to create an interface ID.
  3. Configure the client router to use DHCPv6: using the ipv6 address dhcp interface config command.
  4. Verification:
    • Verify that the client is assigned a GUA: using the show ipv6 interface brief command.
    • Verify that the client router received other necessary DHCPv6 information: using the show ipv6 dhcp interface g0/0/1 command.

Stateless Assignment

Stateless address assignments involve assignment of prefixes and network configuration information using stateless address autoconfiguration (SLAAC) and stateless DHCPv6. Under stateless network configuration, no device is tracking the assignment of IPv6 prefixes.

Stateless Address Autoconfiguration (SLAAC)

When assigning prefixes using SLAAC, a router sends RA messages providing all IPv6 network configuration information, i.e., network prefix, prefix length and default gateway. The domain name and DNS server list may be included if the router and host support RFC 6106 (IPv6 RA Options for DNS Configuration, since updated by RFC 8106). Hosts use the RA information exclusively for all their addressing, including creating their own GUA.

This ICMPv6 RA message has the following parameters:

  • Type: value is 134 indicating a Router Advertisement message.
  • Cur Hop Limit: value the router recommends for hosts on the link to use as their Hop Limit. A value of zero(0) indicates that hosts should determine the hop limit. The default value is 64.
  • Destination IPv6 address: FF02::1(all IPv6 devices multicast address)
  • Source IPv6 address: router's local interface's link-local address
  • Flags: A = 1, O = 0, M = 0, default router preference: default value is medium(0 0). Other values for default router preference are: high(0 1), low(1 1), and Reserved(1 0).
  • Next header: 0x3a(an ICMPv6 header, 58 in decimal).
  • Router lifetime: duration, in seconds, for which the router should be used as the default gateway. A value of zero indicates that the router is not a default router.
  • MTU: informs the hosts of the MTU to use on the link.
  • Prefix length: provides necessary information for on-link determination (when combined with the L-flag in the prefix information option).
  • Valid and Preferred lifetimes: the valid lifetime is the length of time a public address remains in the valid state (30 days, 2,592,000 seconds, by default). The preferred lifetime is the length of time a valid address is preferred (7 days, 604,800 seconds, by default).
  • Other parameters: DNS server address etc.

If the M flag is set and the O flag is set, the O flag is ignored. For stateful DHCP, the A flag should be turned off. For SLAAC, the A flag is set and the O flag and M flags are disabled.

Interface ID

The 64-bit interface ID is generated using EUI-64(Extended Unique Identifier-64) or randomly generated known as a privacy extension. If EUI-64 is used, the host uses its interface MAC address to generate the address.

EUI-64

The MAC address is a 48-bit address that consists of two sections the OUI(24-bits) and Device Identifier(24-bits). The OUI (Organization Unique Identifier) is a code unique to the manufacturer of an interface card. EUI-64 generates an interface ID through two states:

  1. Inserting FF:FE between the OUI and Device Identifier sections of the MAC address creating a new address. This increases the size of the MAC address from 48-bit to 64-bit.
  2. Flipping the 7th-bit i.e., 0 → 1 or 1 → 0. This results in the second hexadecimal digit changing.
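As an added example (not part of the original post), the following Python carries out the two EUI-64 steps above, combines the result with an RA prefix, and then does the reverse, recovering the MAC address from an EUI-64 address, which is exactly the tracking problem the privacy-extension discussion below is about. The sample MAC is the one implied by the client address 2001:DB8:CAFE:1:C807:6FF:FE8D:8 in the show ipv6 interface output later in this post; random_interface_id() is the RFC 4941 style alternative with the universal/local bit cleared.

```python
import ipaddress
import re
import secrets


def _mac_bytes(mac):
    """Accept 'ca:07:06:8d:00:08', 'ca-07-06-8d-00-08' or IOS-style 'ca07.068d.0008'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface ID (RFC 4291 appendix A)."""
    m = bytearray(_mac_bytes(mac))
    iid = m[:3] + b"\xff\xfe" + m[3:]   # step 1: insert FF:FE between OUI and device identifier
    iid[0] ^= 0x02                       # step 2: flip the universal/local bit (7th bit of byte 0)
    return bytes(iid)


def slaac_address(prefix, mac):
    """Combine the /64 prefix learned from an RA with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 address, or None if the interface ID is not EUI-64 shaped.
    This is the tracking problem: the address itself exposes the hardware identity."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                       # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def random_interface_id():
    """Privacy-extension style interface ID (RFC 4941/8981): random bits, u/l bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD                       # clear bit 0x02 so the ID is not mistaken for a global EUI-64
    return bytes(iid)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:cafe:1::/64", "ca07.068d.0008")
    print(addr, "->", mac_from_eui64(addr))
    print(ipaddress.IPv6Address(b"\x20\x01\x0d\xb8\xca\xfe\x00\x01" + random_interface_id()))
```

mac_from_eui64() returns a vendor OUI plus serial for any EUI-64 host seen in logs or traffic, and the same value on every network the host visits; that is what makes randomized or stable-per-prefix (RFC 7217) interface IDs the safer default for client devices.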

Randomly Generated Number

The method used to create a randomly generated number to be used as the Interface ID depends on the operating system. Windows uses a randomly generated number by default.

Privacy Extensions

The use of EUI-64 for generation of Interface ID values is considered by some to be a security risk because the MAC address does not change. The Interface ID is therefore predictable and identical across the different IPv6 networks that the device may connect to, which makes tracking the device across networks easy.

RFC 4941 (since replaced by RFC 8981) proposes the use of privacy extensions for SLAAC:

  • Generation of randomized Interface IDs: creating an interface ID that is not traceable to a physical device.
  • Generation of temporary addresses: these are addresses that have relatively short lifetimes. This address is used as a source address when originating connections.

The public address uses a randomized Interface ID instead of EUI-64. Temporary addresses are generated and use only a randomized Interface ID.

Configuration

Servers

To configure SLAAC:

  1. Enable IPv6 routing:

    R1(config)#ipv6 unicast-routing

  2. Configure a GUA on the interface with ipv6 address <prefix>/<prefix-length>: once the interface has a GUA, the router advertises that /64 in its RAs with the A-flag set to 1 by default. If autoconfiguration was previously disabled with ipv6 nd prefix ... no-autoconfig, remove that command to re-enable it:

    R1(config)#interface gigabitethernet0/0
    R1(config-if)#ipv6 address 2001:db8:cafe:1::1:1/64

Clients

  • IOS Devices

    If an IOS device is to be a SLAAC client (building its GUA from the RA instead of asking a DHCPv6 server), the following configuration is required on the interface:

    R7(config-if)#ipv6 address autoconfig

  • Windows Hosts:
    • The temporary addresses are created using the following command:

      netsh interface ipv6 set privacy state=enabled store=active
      netsh interface ipv6 set privacy state=enabled store=persistent

    • Creation of temporary addresses can be disabled by using the disabled keyword.

      On Windows hosts, to enable the use of the randomized identifier:

      netsh interface ipv6 set global randomizeidentifiers=enabled store=active
      netsh interface ipv6 set global randomizeidentifiers=enabled store=persistent

    • To disable the use of the random interface ID i.e., enable EUI-64:

      netsh interface ipv6 set global randomizeidentifiers=disabled store=active
      netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

  • Linux and MacOS: The use of privacy extensions with Linux and MacOS varies with OS version. Generally, the most common commands are:
    • Linux: sysctl -w net.ipv6.conf.<interface>.use_tempaddr=2 (2 = generate temporary addresses and prefer them as source addresses; 1 = generate but do not prefer; 0 = disabled; use all or default in place of the interface name to apply the setting globally)
    • MacOS: sysctl -w net.inet6.ip6.use_tempaddr=1

  • SLAAC Address Lifecycle

    SLAAC addresses transition through various states: tentative, preferred, deprecated and invalid.

    • Tentative Address:
      • The uniqueness of the address is in the process of being verified.
      • Address is not considered to be assigned to an interface
      • An interface discards received packets addressed to a tentative address but accepts Neighbor Discovery packets related to Duplicate Address Detection for the tentative address.
    • Valid address:
      • The address is a preferred or deprecated address
      • Can be the source or destination address of a packet
      • The amount of time that the address remains in the valid and preferred states is carried in the RA message.
      • The RA message valid lifetime, by default, is 2,592,000(30 days).
      • The valid address remains usable for the duration of the valid lifetime.
      • The valid lifetime must be greater than or equal to the preferred lifetime.
      • When the valid lifetime expires, the address becomes invalid.
    • Preferred address:
      • The interface address has been verified as unique.
      • Address can be considered as a state of the valid address.
      • The device can send and receive traffic using this address
      • New connections can be initiated using a preferred address as the source address.
      • The period of time that an address can remain in the preferred state is included in the RA message. By default, this is 604,800 seconds or 7 days.
      • The preferred lifetime is the length of time a valid address is preferred until it becomes deprecated.
      • When the preferred lifetime expires, the address becomes deprecated.
    • Deprecated address:
      • The address assigned to an interface is still valid, but its use for new connections is discouraged (this typically applies to temporary addresses rather than public addresses).
      • New connections should not be sourced from it because a newer preferred address has been assigned to the interface; existing connections may continue to use it. This partially explains why multiple temporary addresses may be present on an interface at the same time.

    Verification

    show ipv6 interface <interface-id>

    R7#show ipv6 interface g0/0

    GigabitEthernet0/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::C807:6FF:FE8D:8
      No Virtual link-local address(es):
      Stateless address autoconfig enabled
      Global unicast address(es):
        2001:DB8:CAFE:1:C807:6FF:FE8D:8, subnet is 2001:DB8:CAFE:1::/64 [EUI/CAL/PRE]
          valid lifetime 2591941 preferred lifetime 604741
      Joined group address(es):
        FF02::1
        FF02::1:FF8D:8
      MTU is 1500 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ICMP unreachables are sent
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds (using 30000)
      ND NS retransmit interval is 1000 milliseconds
      Default router is FE80::C801:5FF:FECA:8 on GigabitEthernet0/0

    On the router itself (the output above is from the client R7), the command show ipv6 interface g0/0 also shows the ND parameters being advertised:

    • RA advertisements are sent every 200 seconds
    • Joined multicast groups: ff02::1, ff02::2 etc
    • RA advertisements live for 1800 seconds.
      • The router RA lifetime is 1800 seconds(default).
      • Informs the host that the router should be used as the default gateway for this duration.
      • This is usually renewed/refreshed when the host receives the next RA.
      • The link local address of the router is used as the default gateway by the host.
      • If this value is zero(0), it indicates that the router is not a default gateway.
      • This duration only applies to the router's function as a default gateway and not to other network configuration information in the RA message such as prefix.
    • Advertised router preference:
      • multiple routers may be present on a link. The default router preference(DRP) is used to set the preference of the default router from the list of available routers.
      • The default value is medium. Valid values are high, medium and low.
      • Hosts can dynamically fill their default router list using the IPv6 addresses from the RA messages of the various routers on the link.
      • Client devices maintain a list of default routers. When a client receives an RA, it adds the link-local source address of the packet as one of the routers it can use as a default gateway. Each entry has a timer, the Router Lifetime, extracted from the RA, and the entry is deleted when the Router Lifetime expires. The Router Lifetime value is refreshed every 200 seconds when the periodic RA is received.

    • Hosts use stateless autoconfig for addresses:
      • indicates that the RA message sent on this interface is suggesting that hosts obtain their dynamic IPv6 using SLAAC as a result of the A flag being set to 1 and O and M flags being set to 0.

    RA messages can be viewed in realtime using the command debug ipv6 nd. In this output, included is the:

    • Link MTU: IPv6 routers do not fragment packets in transit, so the host uses the advertised MTU (together with Path MTU Discovery) to size its packets, or to fragment them itself at the source, before transmission.
    • Valid lifetime and preferred lifetime values are given. These values are in seconds.
    • LA (L-flag(On-link) and A-flag(address autoconfiguration flag)): both are set to 1.
      • When the L-flag is set to 1, the prefix sent in the RA is on this link or subnet.
      • A-flag indicates to devices that the prefix can be used to create an address with SLAAC.
      • Packets that are sent to addresses that are not on-link are sent to the default gateway.
      • The L-flag and A-flag are used by the client to determine if a destination network is on the link(on-link) or remote. On-link implies that a packet can be sent directly to the destination without being forwarded through a router.

        On Windows computers, this can be verified using the command netsh interface ipv6 show siteprefixes.

        The client adds this prefix to the prefix list which is a list of on-link prefixes. Any of the client's addresses that use this prefix will be considered on-link to this prefix on this subnet regardless of how the prefix was generated i.e., whether SLAAC, DHCPv6 generated or manually configured.

        A device is considered to be on-link if:

        • A neighbor discovery(ND) message is received from this device.
        • An RA includes a prefix with the L-flag set to 1
        • A local router sends a redirect message to the source of a packet. This redirect message triggered when a router forwards a packet out the same interface that the packet was received through. It notifies the source that the destination is on-link.

    SLAAC with DHCPv6 (Stateless DHCPv6)

    RA messages provide IPv6 configuration information to hosts such as prefix, prefix length but inform them to contact a stateless DHCPv6 server for additional configuration information. Hosts use their RA information to create their own unique GUA and get additional information from a DHCPv6 server. Note: The DHCPv6 server only provides configuration parameters for clients and does not maintain a list of IPv6 address bindings.

    Part of the network configuration parameters are received from the RA and the rest from the DHCPv6 server.

    SLAAC enables hosts to create their own unique IPv6 GUA without the services of a DHCPv6 server. SLAAC is a stateless service which means that there is no server that maintains network address information to know which IPv6 addresses are being used and which ones are available. SLAAC sends periodic ICMPv6 ND RA messages every 200 seconds providing addressing and other configuration information for hosts to autoconfigure their IPv6 address based on the information in the RA. The RA advertisements live for 1800 seconds.

    RA messages have the following flags set:

    • A=1: informs the client to use the IPv6 GUA prefix in the RA and dynamically create its own interface ID.
    • O=1 and M=0: informs the client that it should take its address and on-link information from the RA but obtain additional configuration such as DNS server addresses and the domain name from a stateless DHCPv6 server. The interface MTU and the default gateway still come from the RA itself;
    the default gateway address is the link-local address of the router interface.

    A router sends RA messages every 200 seconds by default or when it receives an RS message from a host. IPv6 enabled hosts wishing to obtain IPv6 addressing information send an RS message to the IPv6 all-routers multicast address FF02::2.

    Stateless DHCPv6 RA Message

    The RA message sent by a router acting as a stateless DHCPv6 server contains the following information:

    • Destination IPv6 address: FF02::1 (All IPv6 devices multicast address)
    • Source IPv6 address: link-local address
    • Prefix: prefix
    • Prefix-length: /64
    • Address autoconfig flag: 1
    • Other config flag: 1

    Because the address autoconfig flag(A-flag) is set to 1, the device creates its own Interface ID using EUI-64 or randomly generated.

    Host Process to Generate Interface ID

    Using SLAAC, a host takes the 64-bit subnet prefix from the router RA and must generate the remaining 64-bit interface identifier using one of two methods:

    • Randomly generated: the 64-bit interface identifier is generated by the client operating system (the default in Windows 10).
    • EUI-64: the host creates the interface ID from its 48-bit MAC address by inserting the hex value FFFE in the middle of the address and flipping the universal/local bit. Some operating systems default to randomly generated interface IDs instead of EUI-64 because of the privacy concern that the Ethernet MAC address of the host is embedded in the address.

    Windows, Linux, and Mac OS allow the user to choose between a randomly generated interface ID and EUI-64.

    Duplicate Address Detection(DAD)

    A SLAAC host may use the following DAD process to ensure that the IPv6 GUA is unique.

    • The host sends an ICMPv6 neighbor solicitation(NS) message with a specially constructed solicited-node multicast address containing the last 24-bits of IPv6 address of the host.
    • If no other devices respond with a Neighbor Advertisement(NA) message, then the address is virtually guaranteed to be unique and can be used by the host.
    • If an NA is received by the host, then the address is not unique, and the the host must generate a new interface ID to use.
    Note: With a randomly generated 64-bit interface ID a collision is extremely unlikely, but not impossible, and with EUI-64 it is realistic: cloned virtual machines or devices with duplicate MAC addresses derive the same interface ID. RFC 4862 therefore requires DAD on every unicast address before it is assigned, and most host operating systems perform DAD on all IPv6 unicast addresses regardless of how the address was configured (SLAAC, DHCPv6 or manual).
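As an added example (not part of the original post), the following Python builds the DAD Neighbor Solicitation described above, including the solicited-node multicast destination, the corresponding 33:33 Ethernet multicast MAC and a real ICMPv6 checksum over the IPv6 pseudo-header, and then simulates DAD on a link whose nodes and addresses are constructed sample data. The target address is the client address from the show output in this post; a node only sees the probe if it is subscribed to the matching solicited-node group, and only the owner of the target answers.

```python
import ipaddress
import struct

ND_NEIGHBOR_SOLICIT = 135
IPPROTO_ICMPV6 = 58
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(addr):
    """FF02::1:FFxx:xxxx, built from the low 24 bits of the unicast address (RFC 4291 2.7.1)."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    return "33:33:" + ":".join(f"{b:02x}" for b in ipaddress.IPv6Address(group).packed[-4:])


def icmpv6_checksum(src, dst, payload):
    """Internet checksum over the IPv6 pseudo-header and the ICMPv6 message (RFC 8200 8.1)."""
    pseudo = (src.packed + dst.packed + struct.pack("!I", len(payload))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                              # fold carries (ones' complement addition)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_dad_ns(target):
    """DAD probe: source is the unspecified address, destination the solicited-node group,
    and no Source Link-Layer Address option is included (RFC 4862 5.4.2)."""
    tgt = ipaddress.IPv6Address(target)
    dst = solicited_node(tgt)
    body = struct.pack("!BBHI", ND_NEIGHBOR_SOLICIT, 0, 0, 0) + tgt.packed   # checksum 0 for now
    cksum = icmpv6_checksum(UNSPECIFIED, dst, body)
    return UNSPECIFIED, dst, body[:2] + struct.pack("!H", cksum) + body[4:]


def dad_probe(tentative, neighbours):
    """Simulate DAD on one link. `neighbours` maps node name -> set of configured addresses
    (constructed sample data). Returns (unique, name of the node that answered with an NA)."""
    _, dst, ns = build_dad_ns(tentative)
    target = ipaddress.IPv6Address(ns[8:24])
    for name, addrs in neighbours.items():
        owned = {ipaddress.IPv6Address(a) for a in addrs}
        if not any(solicited_node(a) == dst for a in owned):
            continue                 # not in this solicited-node group: the NS is never delivered
        if target in owned:
            return False, name       # duplicate: the owner answers with a Neighbor Advertisement
    return True, None


if __name__ == "__main__":
    link = {"R1": {"2001:db8:cafe:1::1", "fe80::c801:5ff:feca:8"},
            "PC": {"2001:db8:cafe:1:c807:6ff:fe8d:8"}}
    src, dst, ns = build_dad_ns("2001:db8:cafe:1:c807:6ff:fe8d:8")
    print(src, "->", dst, multicast_mac(dst), ns.hex())
    print(dad_probe("2001:db8:cafe:1:c807:6ff:fe8d:8", link))
```

Because the probe is sourced from :: and any node may answer it, DAD is also an attack surface: a host that answers every NS on the link can keep its neighbours from ever configuring an address, which is the reason switches with ND inspection rate-limit or validate NAs on access ports.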

    Interface should join the all IPv6 multicast group: FF02::1. Verify with show ipv6 interface g0/1 | section Joined.

    The RA received by hosts contains the following message:

    • The IPv6 GUA network prefix and prefix length
    • A flag set to 1 informing the host to use SLAAC
    • O flag set to 1 informing the host to seek that additional configuration information from a DHCPv6 server.
    • M flag set to the default value of 0.
    PC sends a DHCPv6 SOLICIT message seeking additional information from a stateless DHCPv6 server.

    Configuration

    Server

    Stateless DHCPv6 server option requires that the router advertise the IPv6 network addressing information in RA messages. Stateless DHCPv6 is enabled using the ipv6 nd other-config-flag interface configuration command setting the O flag to 1.

    This configuration can be verified using the command show ipv6 interface xxx. The output confirms the RA will tell hosts to use stateless autoconfigure (A flag = 1) and contact DHCPv6 server to obtain another configuration information (O flag = 1). To disable the O flag, use the command no ipv6 nd other-config-flag.

    There are four steps to configure a router as a stateless DHCPv6 server, followed by verification:

    1. Enable IPv6 routing: using ipv6 unicast-routing.
    2. Define a DHCPv6 pool name: using the ipv6 dhcp pool <pool-name> global config command.

      R1(config)#ipv6 dhcp pool POOL_2001:DB8:CAFE:2

    3. Configure the DHCPv6 pool with options: common options include DNS servers, domain name:

      R1(config-dhcpv6)#dns-server 2001:db8:cafe:a:1::1
      R1(config-dhcpv6)#domain-name emmanueltoko.blogspot.com

    4. Bind the interface to the pool: using the ipv6 dhcp server <pool-name> interface config command.

      R1(config)#interface g2/0
      R1(config-if)#ipv6 address 2001:db8:cafe:2::1/64
      R1(config-if)#ipv6 dhcp server POOL_2001:DB8:CAFE:2

      Manually change the O flag from 0 to 1 using the ipv6 nd other-config-flag interface command. RA messages sent out of this interface then carry O=1:

      R1(config-if)#ipv6 nd other-config-flag

    Client

    A router can also be a DHCPv6 client and receive IPv6 network configuration parameters from a DHCPv6 server:

    1. Enable IPv6 routing: using ipv6 unicast-routing.
    2. Configure the client router to create a link-local address: an IPv6 link-local address is created on a router interface when a global unicast address is configured, or without a GUA using the IPv6 enable interface configuration command. Cisco IOS uses EUI-64 to create the interface ID.
    3. Configure the client router to use SLAAC: using ipv6 address autoconfig command.

      R5(config)#interface g0/0
      R5(config-if)#ipv6 address autoconfig

    4. Verify that the client is assigned a GUA: using show ipv6 interface <interface-id> command.

      R5#show ipv6 interface g0/0
      GigabitEthernet0/0 is up, line protocol is up
        IPv6 is enabled, link-local address is FE80::C805:6FF:FE6F:8
        No Virtual link-local address(es):
        Stateless address autoconfig enabled
        Global unicast address(es):
          2001:DB8:CAFE:2:C805:6FF:FE6F:8, subnet is 2001:DB8:CAFE:2::/64 [EUI/CAL/PRE]
            valid lifetime 2591984 preferred lifetime 604784
        Joined group address(es):
          FF02::1
          FF02::1:FF6F:8
        MTU is 1500 bytes
        ICMP error messages limited to one every 100 milliseconds
        ICMP redirects are enabled
        ICMP unreachables are sent
        ND DAD is enabled, number of DAD attempts: 1
        ND reachable time is 30000 milliseconds (using 30000)
        ND NS retransmit interval is 1000 milliseconds
        Default router is FE80::C801:5FF:FECA:38 on GigabitEthernet0/0

    5. Verify that the client router received other necessary DHCPv6 information: The show ipv6 dhcp interface g0/0 confirms DHCP option information, such as DNS server and domain name have been received by the client.

      R5#show ipv6 dhcp interface g0/0
      GigabitEthernet0/0 is in client mode
        Prefix State is IDLE (1)
        Information refresh timer expires in 23:44:04
        Address State is IDLE
        List of known servers:
          Reachable via address: FE80::C801:5FF:FECA:38
          DUID: 00030001CA0105CA0006
          Preference: 0
          Configuration parameters:
            DNS server: 2001:DB8:CAFE:A:1::1
            Domain name: emmanueltoko.blogspot.com
            Information refresh time: 0
        Prefix Rapid-Commit: disabled
        Address Rapid-Commit: disabled

    Address Allocation

    There are two modes of address allocation:

    • Two-message exchange (rapid commit): the client's SOLICIT carries the Rapid Commit option and the server answers directly with a REPLY that commits the address and the other network configuration parameters. Because the first server to answer wins, this mode is only appropriate where a single DHCPv6 server serves the link.
    • Four-message exchange: when several DHCPv6 servers can serve the link, each of them may answer a SOLICIT, and committing on the first answer would let every server reserve an address for the same client, wasting address space. The four-message exchange avoids this:
      1. The client multicasts a SOLICIT to FF02::1:2 (all DHCPv6 relay agents and servers) requesting an address and other network configuration parameters.
      2. Each server answers with an ADVERTISE listing the IPv6 address and parameters it could allocate; nothing is committed yet.
      3. If the client receives ADVERTISE messages from several servers, it selects the one with the highest Preference option value and multicasts a REQUEST that names that server in its Server Identifier option, so the other servers know they were not chosen.
      4. The selected server responds with a REPLY containing the allocated IPv6 address and network configuration parameters and records the binding.

    DHCPv6 Relay Agent

    If the DHCPv6 server is located on a different network from the client, then the IPv6 router can be configured as a DHCPv6 relay agent. The realy agent creates a unicast RELAY-FORWARD message containing the original DHCPv6 message from the client and forwards the message to a server. The configuration of a DHCPv6 relay agent is similar to the configuration of an IPv4 router as a DHCPv4 relay. This command is configured on the interface facing the DHCPv6 clients and specifies the DHCPv6 server address and egress interface to reach the server. The egress interface is only required when the next-hop address is an LLA. ipv6 dhcp relay destination 2001:01010 <egress-interface>.

    The relay destination address can be unicast or multicast. With a multicast address, multiple DHCPv6 servers can be reached. If a link-local unicast address is configured, the egress interface must be specified.
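    The four-message exchange and the relay encapsulation described above, as an added example that is not part of the original post and not Cisco IOS code. It builds the messages in the RFC 8415 wire layout (message type, transaction ID, TLV options; relay messages add hop-count, link-address and peer-address and carry the client's message in a Relay Message option). The server DUIDs, preference values, address pools and the client DUID are constructed sample values, and the IA_NA option is simplified to carry only the offered address.

```python
"""Model of the DHCPv6 four-message exchange and relay-agent encapsulation,
using the RFC 8415 wire layouts. Added example, not Cisco IOS code: server
DUIDs, preferences and addresses are constructed sample values, and the
IA_NA option is simplified to carry only the offered address."""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY, RELAY_FORW, RELAY_REPL = 1, 2, 3, 7, 12, 13
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_PREFERENCE, OPT_RELAY_MSG = 1, 2, 3, 7, 9
CLIENT_DUID = b"\x00\x03\x00\x01" + bytes.fromhex("0011223344aa")  # constructed DUID-LL


def encode_options(opts):
    """Serialize (code, data) pairs as DHCPv6 TLV options: 2-byte code, 2-byte length."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in opts)

def decode_options(buf):
    opts = []
    while buf:
        code, length = struct.unpack("!HH", buf[:4])
        opts.append((code, buf[4:4 + length]))
        buf = buf[4 + length:]
    return opts

def find_opt(opts, code):
    return next((data for c, data in opts if c == code), None)

def build_msg(msg_type, xid, opts):
    """Client/server message: msg-type (1 byte), transaction-id (3 bytes), options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + encode_options(opts)

def parse_msg(buf):
    return buf[0], int.from_bytes(buf[1:4], "big"), decode_options(buf[4:])


class Server:
    """A DHCPv6 server with a preference value and a pool of addresses."""
    def __init__(self, duid, preference, pool_start):
        self.duid, self.preference = duid, preference
        self.next_addr = ipaddress.IPv6Address(pool_start)
        self.bindings = {}  # client DUID -> leased address (text)

    def handle(self, buf):
        mtype, xid, opts = parse_msg(buf)
        client = find_opt(opts, OPT_CLIENTID)
        common = [(OPT_CLIENTID, client), (OPT_SERVERID, self.duid)]
        if mtype == SOLICIT:
            # Step 2: advertise what we could allocate, tagged with our preference.
            return build_msg(ADVERTISE, xid, common + [(OPT_PREFERENCE, bytes([self.preference])),
                                                       (OPT_IA_NA, self.next_addr.packed)])
        if mtype == REQUEST and find_opt(opts, OPT_SERVERID) == self.duid:
            # Step 4: only the server named in the REQUEST commits a lease.
            addr, self.next_addr = self.next_addr, self.next_addr + 1
            self.bindings[client] = str(addr)
            return build_msg(REPLY, xid, common + [(OPT_IA_NA, addr.packed)])
        return None  # other servers stay silent, so their addresses are not consumed


def four_message_exchange(servers, xid=0x0A1B2C):
    """Run SOLICIT/ADVERTISE/REQUEST/REPLY; returns (chosen server DUID, leased address)."""
    solicit = build_msg(SOLICIT, xid, [(OPT_CLIENTID, CLIENT_DUID)])  # step 1 (multicast)
    adverts = [parse_msg(s.handle(solicit)) for s in servers]
    # Step 3: pick the highest preference (a missing option counts as 0) and name it in a multicast REQUEST.
    best = max(adverts, key=lambda m: (find_opt(m[2], OPT_PREFERENCE) or b"\x00")[0])
    chosen = find_opt(best[2], OPT_SERVERID)
    request = build_msg(REQUEST, xid, [(OPT_CLIENTID, CLIENT_DUID), (OPT_SERVERID, chosen)])
    replies = [r for r in (s.handle(request) for s in servers) if r is not None]
    _, _, ropts = parse_msg(replies[0])
    return chosen, str(ipaddress.IPv6Address(find_opt(ropts, OPT_IA_NA)))


def relay_forward(client_msg, link_addr, peer_addr, hop_count=0):
    """Relay agent wraps the client's message in RELAY-FORW: msg-type, hop-count,
    link-address (the relay's address on the client link, lets the server pick a pool),
    peer-address (the client's source address), then a Relay Message option (9)."""
    header = bytes([RELAY_FORW, hop_count]) + ipaddress.IPv6Address(link_addr).packed \
        + ipaddress.IPv6Address(peer_addr).packed
    return header + encode_options([(OPT_RELAY_MSG, client_msg)])

def relay_unwrap(relay_msg):
    """Split a RELAY-FORW/RELAY-REPL into (hop-count, link-address, peer-address, inner message)."""
    if relay_msg[0] not in (RELAY_FORW, RELAY_REPL):
        raise ValueError("not a relay message")
    link, peer = ipaddress.IPv6Address(relay_msg[2:18]), ipaddress.IPv6Address(relay_msg[18:34])
    return relay_msg[1], link, peer, find_opt(decode_options(relay_msg[34:]), OPT_RELAY_MSG)

def relay_deliver(server, relay_forw):
    """Server answers the inner message inside a RELAY-REPL that copies the link/peer
    addresses; the relay unwraps it and forwards the reply to peer-address.
    Returns (peer address as text, inner reply bytes)."""
    hop, link, peer, inner = relay_unwrap(relay_forw)
    relay_repl = bytes([RELAY_REPL, hop]) + link.packed + peer.packed \
        + encode_options([(OPT_RELAY_MSG, server.handle(inner))])
    _, _, peer_out, reply = relay_unwrap(relay_repl)
    return str(peer_out), reply
```

    Running four_message_exchange with two servers of different preference shows why the extra round trip matters: both advertise, but only the server named in the REQUEST commits a lease, so the other server's pool is untouched. The relay functions show what the router does after ipv6 dhcp relay destination is configured, and why the server sees the relay's link-address rather than the client's link-local source.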

    Verification

    Verify that the DHCPv6 relay agent is operational with the show ipv6 dhcp interface and show ipv6 dhcp binding commands.

    Prefix Delegation

    The IPv6 Prefix Delegation (PD) mechanism allows a downstream device to request an address prefix from an upstream device, and allows the upstream device to allocate an appropriate prefix to the downstream device. The downstream device automatically divides the obtained prefix into subnets with 64-bit prefixes and sends RA messages carrying those subnet prefixes on the links to which IPv6 hosts directly connect. This allows the IPv6 hosts to configure their IPv6 addresses automatically, implementing hierarchical address deployment.
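    The delegation step as seen by the downstream device, as an added example that is not part of the original post and not Cisco IOS code. It encodes and decodes the IA_PD option (code 25) with its nested IA Prefix option (code 26) in the RFC 8415 layout, then carves the delegated prefix into /64 subnets for a list of downstream interfaces, the way the router would before advertising them in RAs. The prefix, lifetimes, IAID and interface names are constructed sample values.

```python
"""Decode a delegated prefix from an IA_PD option and split it into /64 subnets.
Added example, not Cisco IOS code; all values below are constructed samples."""
import ipaddress
import struct

OPT_IA_PD, OPT_IAPREFIX = 25, 26


def build_ia_pd(iaid, t1, t2, prefixes):
    """Encode OPTION_IA_PD: IAID, T1, T2, then one OPTION_IAPREFIX per
    (prefix, preferred-lifetime, valid-lifetime) tuple."""
    body = b""
    for prefix, preferred, valid in prefixes:
        net = ipaddress.IPv6Network(prefix)
        ia_prefix = struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed
        body += struct.pack("!HH", OPT_IAPREFIX, len(ia_prefix)) + ia_prefix
    payload = struct.pack("!III", iaid, t1, t2) + body
    return struct.pack("!HH", OPT_IA_PD, len(payload)) + payload


def parse_ia_pd(buf):
    """Return (iaid, t1, t2, [(prefix, preferred, valid), ...]) from an encoded IA_PD."""
    code, length = struct.unpack("!HH", buf[:4])
    if code != OPT_IA_PD:
        raise ValueError(f"expected IA_PD (25), got option {code}")
    payload = buf[4:4 + length]
    iaid, t1, t2 = struct.unpack("!III", payload[:12])
    rest, prefixes = payload[12:], []
    while rest:
        ocode, olen = struct.unpack("!HH", rest[:4])
        odata, rest = rest[4:4 + olen], rest[4 + olen:]
        if ocode == OPT_IAPREFIX:
            preferred, valid, plen = struct.unpack("!IIB", odata[:9])
            prefixes.append((f"{ipaddress.IPv6Address(odata[9:25])}/{plen}", preferred, valid))
    return iaid, t1, t2, prefixes


def is_delegable(prefix):
    """A delegated prefix can only be carved into /64s if it is /64 or shorter."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen <= 64


def carve_subnets(delegated, interfaces):
    """Assign one /64 from the delegated prefix to each interface, in order, and
    derive the router's own address (::1) that the RA on that link will use."""
    if not is_delegable(delegated):
        raise ValueError("delegated prefix must be /64 or shorter")
    subnets = ipaddress.IPv6Network(delegated, strict=False).subnets(new_prefix=64)
    plan = {}
    for name in interfaces:
        try:
            sub = next(subnets)
        except StopIteration:
            raise ValueError(f"not enough /64s in {delegated} for {len(interfaces)} interfaces")
        plan[name] = {"prefix": str(sub), "router": f"{sub.network_address + 1}/64"}
    return plan
```

    The is_delegable check is the edge case worth keeping in mind: an upstream that hands out a prefix longer than /64 leaves the downstream router nothing it can put into a Prefix Information option for SLAAC.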

    Security

    DHCPv6 snooping: an intermediate device such as a switch maintains a DHCPv6 snooping binding table that records the information exchanged between a DHCPv6 client and server. It intercepts DHCPv6 messages between the server and the client. The table contains user information such as the MAC address, IPv6 address, lease, VLAN ID and interface. Based on this table, the device analyses and processes messages and filters out attack messages, providing security services for DHCPv6.
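    The binding-table logic described above, as an added example that is not part of the original post and not Cisco IOS code. Messages are represented as dicts standing in for frames the switch has already parsed; server-originated messages are only accepted on trusted ports, REPLY messages on trusted ports populate the binding table (MAC, address, VLAN, port, lease expiry), and client RELEASE/DECLINE/RENEW/REBIND messages are dropped unless they match an existing binding for that port and MAC. The port names, MAC addresses and IPv6 addresses are constructed sample values.

```python
"""DHCPv6 snooping binding table and the filtering a switch applies around it.
Added example, not Cisco IOS code: packets are dicts standing in for frames
already parsed by the switch; ports, MACs and addresses are constructed."""

SERVER_MSGS = {"ADVERTISE", "REPLY", "RELAY-REPL"}
CLIENT_MSGS = {"SOLICIT", "REQUEST", "RENEW", "REBIND", "RELEASE", "DECLINE"}


class DHCPv6Snooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports toward the DHCPv6 server or relay
        self.pending = {}   # (vlan, client mac) -> port the client transacts on
        self.bindings = {}  # (vlan, client mac) -> {"addr", "port", "expires"}
        self.dropped = []   # (packet, reason) audit trail for monitoring

    def _drop(self, pkt, reason):
        self.dropped.append((pkt, reason))
        return "drop"

    def process(self, pkt, now=0):
        """Return 'forward' or 'drop' for one DHCPv6 message seen by the switch."""
        port, vlan, mac, mtype = pkt["port"], pkt["vlan"], pkt["mac"], pkt["type"]
        if mtype in SERVER_MSGS:
            if port not in self.trusted:
                # Rogue-server protection: only trusted ports may source server messages.
                return self._drop(pkt, "server message on untrusted port")
            if mtype == "REPLY" and "addr" in pkt:
                client = (vlan, pkt["client_mac"])
                self.bindings[client] = {"addr": pkt["addr"],
                                         "port": self.pending.pop(client, None),
                                         "expires": now + pkt["lease"]}
            return "forward"
        if mtype in CLIENT_MSGS and port in self.trusted:
            return "forward"  # relayed client traffic arriving from the server side
        if mtype in ("SOLICIT", "REQUEST"):
            self.pending[(vlan, mac)] = port  # remember which port this client is on
            return "forward"
        if mtype in ("RELEASE", "DECLINE", "RENEW", "REBIND"):
            b = self.bindings.get((vlan, mac))
            if b is None or b["addr"] != pkt["addr"] or b["port"] != port:
                # A release/renew for an address this port and MAC do not hold.
                return self._drop(pkt, f"{mtype} does not match binding table")
            if mtype in ("RELEASE", "DECLINE"):
                del self.bindings[(vlan, mac)]
            return "forward"
        return self._drop(pkt, "unknown message type")

    def expire(self, now):
        """Remove bindings whose lease has ended; returns how many were removed."""
        stale = [k for k, b in self.bindings.items() if b["expires"] <= now]
        for k in stale:
            del self.bindings[k]
        return len(stale)

    def lookup(self, vlan, mac):
        b = self.bindings.get((vlan, mac))
        return None if b is None else b["addr"]
```

    The dropped list is the part a defender cares about operationally: a steady stream of "server message on untrusted port" entries from one port is the signature of a rogue DHCPv6 server, and mismatched RELEASE entries point at a host trying to tear down another client's lease.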

    Verification

    show ipv6 dhcp

    View the device's DHCPv6 unique identifier (DUID).

    show ipv6 dhcp pool

    Verifies the name of the DHCPv6 pool and its parameters. The command also identifies the number of active clients.

    show ipv6 dhcp binding

    Displays the IPv6 link-local address of the client and the global unicast address assigned by the server. This information is maintained by a stateful DHCPv6 server; a stateless DHCPv6 server does not maintain it.

    show ipv6 dhcp interface <interface-ID>

    View the interface's DHCPv6 settings, such as the state of rapid-commit.
