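This document describes how to configure the Cisco Adaptive Security Appliance (ASA) as a DHCPv6 relay agent and covers some basic troubleshooting. In ASA code Version 9.0 and later, the ASA supports
Cisco recommends that you have knowledge of these topics:
The information in this document is based on ASA 5500 Version 9.1.2.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
An understanding of the different address assignment methods in IPv6 helps you understand how the DHCPv6 relay feature works on the ASA. For an introduction to Stateless Address Autoconfiguration (SLAAC) and DHCPv6, refer to Dynamic Address Assignment in IPv6 Using SLAAC and DHCP.
This example configuration shows how to configure the ASA as a DHCPv6 relay agent. In this configuration, CLIENT is the interface to which the IPv6 clients connect. SERVER is the interface through which the DHCPv6 server 2001:db8:200::2/64 is reached.
Here is the basic configuration for stateless DHCPv6 relay on the ASA: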
interface GigabitEthernet0/1
nameif CLIENT
security-level 100
ipv6 address 2001:db8:100::1/64
ipv6 enable
ipv6 nd other-config-flag
!
interface GigabitEthernet0/0
nameif SERVER
security-level 0
ipv6 address 2001:db8:200::1/64
ipv6 enable
!
ipv6 dhcprelay server 2001:db8:200::2 SERVER
ipv6 dhcprelay enable CLIENT
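With stateless DHCPv6, this is the packet flow from the client:
The ASA intercepts these packets and encapsulates them in the DHCP relay format:
If debug ipv6 dhcprelay and debug ipv6 dhcp are enabled, the relevant output is printed to the screen. This output is from a working scenario: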
IPv6 DHCP: Received INFORMATION-REQUEST from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::c671:feff:fe93:b51a (CLIENT)
dst ff02::1:2
type INFORMATION-REQUEST(11), xid 1588088
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option ORO(6), len 6
DNS-SERVERS,DOMAIN-LIST,UNKNOWN
IPv6 DHCP_RELAY: Relaying INFORMATION-REQUEST from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP_RELAY: Creating relay binding for fe80::c671:feff:fe93:b51a at interface CLIENT
IPv6 DHCP_RELAY: to 2001:db8:200::2 via 2001:db8:200::2 using SERVER
IPv6 DHCP: Sending RELAY-FORWARD to 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::1
dst 2001:db8:200::2 (SERVER)
type RELAY-FORWARD(12), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 34
type INFORMATION-REQUEST(11), xid 1588088
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option ORO(6), len 6
DNS-SERVERS,DOMAIN-LIST,UNKNOWN
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP: Received RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::2 (SERVER)
dst 2001:db8:200::1
type RELAY-REPLY(13), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 67
type REPLY(7), xid 1588088
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option DNS-SERVERS(23), len 16
2001:db8:1000::1
option DOMAIN-LIST(24), len 11
cisco.com
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP_RELAY: Relaying RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP_RELAY: relayed msg: REPLY
IPv6 DHCP_RELAY: to fe80::c671:feff:fe93:b51a
IPv6 DHCP: Sending REPLY to fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::219:7ff:fe24:2e44
dst fe80::c671:feff:fe93:b51a (CLIENT)
type REPLY(7), xid 1588088
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option DNS-SERVERS(23), len 16
2001:db8:1000::1
option DOMAIN-LIST(24), len 11
cisco.com
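In the INFORMATION-REQUEST packet, the client requests only DNS-Server and Domain, which is expected because the client is configured for stateless DHCPv6.
DHCP client request
DHCP request relayed by the ASA
DHCP reply from the server
Reply forwarded to the client
Here is the basic configuration for stateful DHCPv6 relay on the ASA: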
interface GigabitEthernet0/1
nameif CLIENT
security-level 100
ipv6 address 2001:db8:100::1/64
ipv6 enable
!
interface GigabitEthernet0/0
nameif SERVER
security-level 0
ipv6 address 2001:db8:200::1/64
ipv6 enable
!
ipv6 dhcprelay server 2001:db8:200::2 SERVER
ipv6 dhcprelay enable CLIENT
With stateful DHCPv6, this is the packet flow from the client:
The ASA intercepts these packets and encapsulates them in the DHCP relay format:
IPv6 DHCP: Received SOLICIT from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::c671:feff:fe93:b51a (CLIENT)
dst ff02::1:2
type SOLICIT(1), xid 2490681
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option ORO(6), len 4
DNS-SERVERS,DOMAIN-LIST
option IA-NA(3), len 12
IAID 0x00040001, T1 0, T2 0
IPv6 DHCP_RELAY: Relaying SOLICIT from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP_RELAY: Creating relay binding for fe80::c671:feff:fe93:b51a at interface CLIENT
IPv6 DHCP_RELAY: to 2001:db8:200::2 via 2001:db8:200::2 using SERVER
IPv6 DHCP: Sending RELAY-FORWARD to 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::1
dst 2001:db8:200::2 (SERVER)
type RELAY-FORWARD(12), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 48
type SOLICIT(1), xid 2490681
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option ORO(6), len 4
DNS-SERVERS,DOMAIN-LIST
option IA-NA(3), len 12
IAID 0x00040001, T1 0, T2 0
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP: Received RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::2 (SERVER)
dst 2001:db8:200::1
type RELAY-REPLY(13), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 111
type ADVERTISE(2), xid 2490681
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option IA-NA(3), len 40
IAID 0x00040001, T1 43200, T2 69120
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
option DNS-SERVERS(23), len 16
2001:db8:1000::1
option DOMAIN-LIST(24), len 11
cisco.com
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP_RELAY: Relaying RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP_RELAY: relayed msg: ADVERTISE
IPv6 DHCP_RELAY: to fe80::c671:feff:fe93:b51a
IPv6 DHCP: Sending ADVERTISE to fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::219:7ff:fe24:2e44
dst fe80::c671:feff:fe93:b51a (CLIENT)
type ADVERTISE(2), xid 2490681
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option IA-NA(3), len 40
IAID 0x00040001, T1 43200, T2 69120
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
option DNS-SERVERS(23), len 16
2001:db8:1000::1
option DOMAIN-LIST(24), len 11
cisco.com
IPv6 DHCP: Received REQUEST from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::c671:feff:fe93:b51a (CLIENT)
dst ff02::1:2
type REQUEST(3), xid 2492842
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option ORO(6), len 4
DNS-SERVERS,DOMAIN-LIST
option SERVERID(2), len 10
00030001002414a33c94
option IA-NA(3), len 40
IAID 0x00040001, T1 0, T2 0
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
IPv6 DHCP_RELAY: Relaying REQUEST from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP_RELAY: to 2001:db8:200::2 via 2001:db8:200::2 using SERVER
IPv6 DHCP: Sending RELAY-FORWARD to 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::1
dst 2001:db8:200::2 (SERVER)
type RELAY-FORWARD(12), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 90
type REQUEST(3), xid 2492842
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option ORO(6), len 4
DNS-SERVERS,DOMAIN-LIST
option SERVERID(2), len 10
00030001002414a33c94
option IA-NA(3), len 40
IAID 0x00040001, T1 0, T2 0
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP: Received RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::2 (SERVER)
dst 2001:db8:200::1
type RELAY-REPLY(13), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 111
type REPLY(7), xid 2492842
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option IA-NA(3), len 40
IAID 0x00040001, T1 43200, T2 69120
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
option DNS-SERVERS(23), len 16
2001:db8:1000::1
option DOMAIN-LIST(24), len 11
cisco.com
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP_RELAY: Relaying RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP_RELAY: relayed msg: REPLY
IPv6 DHCP_RELAY: to fe80::c671:feff:fe93:b51a
IPv6 DHCP: Sending REPLY to fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::219:7ff:fe24:2e44
dst fe80::c671:feff:fe93:b51a (CLIENT)
type REPLY(7), xid 2492842
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option IA-NA(3), len 40
IAID 0x00040001, T1 43200, T2 69120
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
option DNS-SERVERS(23), len 16
2001:db8:1000::1
option DOMAIN-LIST(24), len 11
cisco.com
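The relay encapsulation shown in the debug above, rebuilt byte by byte as an added example (not Cisco's code and not ASA output): it reconstructs the client SOLICIT from the values printed in the debug, wraps it in a RELAY-FORWARD, and parses the result back with bounds checks. The function names are hypothetical; the option codes, xid, DUID, IAID, addresses and interface ID are the ones in the debug.

```python
import ipaddress
import struct

# DHCPv6 message and option codes, as printed in the debug output
SOLICIT, RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED = 1, 3, 6, 8
OPT_RELAY_MSG, OPT_INTERFACE_ID = 9, 18


def option(code, data):
    """Encode one option: 2-byte code, 2-byte length, then the data."""
    return struct.pack("!HH", code, len(data)) + data


def client_solicit():
    """Rebuild the SOLICIT from the debug: xid 2490681 and its four options."""
    header = bytes([SOLICIT]) + (2490681).to_bytes(3, "big")
    return header + b"".join([
        option(OPT_ELAPSED, struct.pack("!H", 0)),
        option(OPT_CLIENTID, bytes.fromhex("00030001c471fe93b516")),
        option(OPT_ORO, struct.pack("!HH", 23, 24)),  # DNS-SERVERS, DOMAIN-LIST
        option(OPT_IA_NA, struct.pack("!III", 0x00040001, 0, 0)),
    ])


def relay_forward(inner, link, peer, interface_id, hop=0):
    """Wrap a client message the way a relay agent does before forwarding."""
    addrs = ipaddress.IPv6Address(link).packed + ipaddress.IPv6Address(peer).packed
    return (bytes([RELAY_FORW, hop]) + addrs
            + option(OPT_RELAY_MSG, inner) + option(OPT_INTERFACE_ID, interface_id))


def parse_relay(packet):
    """Decode a relay message; reject options that overrun the packet."""
    if len(packet) < 34:
        raise ValueError("shorter than the fixed 34-byte relay header")
    out = {"type": packet[0], "hop": packet[1],
           "link": str(ipaddress.IPv6Address(packet[2:18])),
           "peer": str(ipaddress.IPv6Address(packet[18:34])), "options": {}}
    pos = 34
    while pos < len(packet):
        if pos + 4 > len(packet):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", packet, pos)
        if pos + 4 + length > len(packet):
            raise ValueError(f"option {code} overruns the packet")
        out["options"][code] = packet[pos + 4:pos + 4 + length]
        pos += 4 + length
    return out
```

The rebuilt SOLICIT is 48 bytes, which matches the "option RELAY-MSG(9), len 48" line in the debug.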
SOLICIT(1)
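A DHCPv6 client sends a Solicit message to locate DHCPv6 servers.
The ASA relays the request message.
ADVERTISE(2)
In response to a Solicit message received from a client, the server sends an Advertise message to indicate that it is available for DHCP service.
REQUEST(3)
The client sends a Request message to request configuration parameters, which include IP addresses or delegated prefixes, from a specific server.
REPLY(7)
The server sends a Reply message that contains assigned addresses and configuration parameters in response to a Solicit, Request, Renew, or Rebind message received from a client. The server sends a Reply message that contains configuration parameters in response to an Information-request message. The server sends a Reply message in response to a Confirm message, which confirms or denies that the addresses assigned to the client are appropriate to the link to which the client is connected. The server sends a Reply message to acknowledge receipt of a Release or Decline message.
Verify connectivity to the DHCPv6 server.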
ciscoasa# show ipv6 neighbor
IPv6 Address Age Link-layer Addr State Interface
2001:db8:200::2 0 0024.14a3.3c98 REACH SERVER
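Verify that packets are received from the client when it requests an IPv6 address. The packets the client sends depend on the address assignment setting (that is, stateful or stateless).
When the client begins the DHCPv6 process, it sends a Router Solicitation message to discover the IPv6 routers present on the link. It sends a multicast Router Solicitation message to prompt the IPv6 routers to respond. In the Ethernet header of the Router Solicitation message, these fields appear:
In the IPv6 header of the Router Solicitation message, these fields appear.
In response, the IPv6 router sends an unsolicited Router Advertisement message. The Router Advertisement message contains the information that hosts require to determine the link prefixes, the link maximum transmission unit (MTU), and specific routes.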
ciscoasa(config)# show capture capin detail
fe80::c671:feff:fe93:b51a.546 > ff02::1:2.547: [udp sum ok] udp 42
[hlim 255] (len 100)---->Request from client
fe80::219:7ff:fe24:2e44.547 > fe80::c671:feff:fe93:b51a.546: [udp sum ok]
udp 75 [class 0xe0] (len 133, hlim 255)
ciscoasa(config)# show capture capout detail
2 packets captured
1: 12:06:52.700799 2001:db8:200:1.547 > 2001:db8:200:2.547: udp 88
[class 0xe0]---->ASA forwards request to DHCPv6 router
2: 12:06:53.289047 2001:db8:200:2.547 > 2001:db8:200:1.547: udp 121
[class 0xe0]----> Reply from DHCPV6 server.
ciscoasa# show ipv6 dhcprelay binding
1 in use, 1 most used
Client: fe80::c671:feff:fe93:b51a (CLIENT)
DUID: 00030001c471fe93b516, Timeout in 56 seconds
Note: The ASA deletes the binding after a short time. This is shown in debug ipv6 dhcprelay.
IPv6 DHCP_RELAY: Deleting binding for fe80::c671:feff:fe93:b51a at interface CLIENT
ciscoasa# show ipv6 dhcprelay statistics
Relay Messages:
SOLICIT 2
ADVERTISE 2
REQUEST 2
CONFIRM 0
RENEW 0
REBIND 0
REPLY 9
RELEASE 1
DECLINE 0
RECONFIGURE 0
INFORMATION-REQUEST 6
RELAY-FORWARD 11
RELAY-REPLY 11
Relay Errors:
Malformed message: 0
Block allocation/duplication failure: 0
Hop count limit exceeded: 0
Forward binding creation failure: 0
Reply binding lookup failure: 0
No output route: 0
Conflict relay server route: 0
Failed to add server input rule: 0
Unit or context is not active: 0
Total Relay Bindings Created: 8
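A client can release its DHCPv6-assigned address once it has finished using the network. The next section shows the debug output related to address release in stateful DHCPv6.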
IPv6 DHCP: Received RELEASE from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::c671:feff:fe93:b51a (CLIENT)
dst ff02::1:2
type RELEASE(8), xid 3180815
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option SERVERID(2), len 10
00030001002414a33c94
option IA-NA(3), len 40
IAID 0x00040001, T1 0, T2 0
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
IPv6 DHCP_RELAY: Relaying RELEASE from fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP_RELAY: Creating relay binding for fe80::c671:feff:fe93:b51a at interface CLIENT
IPv6 DHCP_RELAY: to 2001:db8:200::2 via 2001:db8:200::2 using SERVER
IPv6 DHCP: Sending RELAY-FORWARD to 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::1
dst 2001:db8:200::2 (SERVER)
type RELAY-FORWARD(12), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 82
type RELEASE(8), xid 3180815
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001c471fe93b516
option SERVERID(2), len 10
00030001002414a33c94
option IA-NA(3), len 40
IAID 0x00040001, T1 0, T2 0
option IAADDR(5), len 24
IPv6 address 2001:db8:300:0:48ae:5f5d:8290:e926
preferred INFINITY, valid INFINITY
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP: Received RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP: detailed packet contents
src 2001:db8:200::2 (SERVER)
dst 2001:db8:200::1
type RELAY-REPLY(13), hop 0
link 2001:db8:100::1
peer fe80::c671:feff:fe93:b51a
option RELAY-MSG(9), len 45
type REPLY(7), xid 3180815
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option STATUS-CODE(13), len 9
status code SUCCESS(0)
status message: SUCCESS
option INTERFACE-ID(18), len 4
0x00000015
IPv6 DHCP_RELAY: Relaying RELAY-REPLY from 2001:db8:200::2 on SERVER
IPv6 DHCP_RELAY: relayed msg: REPLY
IPv6 DHCP_RELAY: to fe80::c671:feff:fe93:b51a
IPv6 DHCP: Sending REPLY to fe80::c671:feff:fe93:b51a on CLIENT
IPv6 DHCP: detailed packet contents
src fe80::219:7ff:fe24:2e44
dst fe80::c671:feff:fe93:b51a (CLIENT)
type REPLY(7), xid 3180815
option SERVERID(2), len 10
00030001002414a33c94
option CLIENTID(1), len 10
00030001c471fe93b516
option STATUS-CODE(13), len 9
status code SUCCESS(0)
status message: SUCCESS
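When a relayed exchange fails, the same debug output shows where it stopped. This added example (not Cisco's tooling) follows each xid through the four stages visible in the debug ipv6 dhcp output on this page and names the first stage that is missing. The function names and stage labels are hypothetical, and the sample is a constructed, trimmed excerpt in the page's debug format.

```python
import re

HEADER = re.compile(r"IPv6 DHCP: (Received|Sending) (\S+) (?:from|to) \S+ on (\S+)")
XID = re.compile(r"type [A-Z-]+\(\d+\), xid (\d+)")
STAGES = ["client-in", "to-server", "from-server", "client-out"]


def stage_of(direction, msg):
    """Map one debug header line to its position in the relay path."""
    if msg in ("RELAY-FORWARD", "RELAY-REPLY"):
        return "to-server" if msg == "RELAY-FORWARD" else "from-server"
    return "client-in" if direction == "Received" else "client-out"


def trace(debug_text):
    """Return {xid: set of stages seen} for every transaction in the debug."""
    seen, current = {}, None
    for line in debug_text.splitlines():
        header = HEADER.search(line)
        if header:
            current = stage_of(header.group(1), header.group(2))
            continue
        xid = XID.search(line)
        if xid and current:
            seen.setdefault(int(xid.group(1)), set()).add(current)
    return seen


def first_gap(stages):
    """Name the first stage a transaction never reached, or None if complete."""
    return next((s for s in STAGES if s not in stages), None)


# Constructed sample: xid 1588088 completes, xid 2490681 is forwarded
# to the server but no RELAY-REPLY comes back.
SAMPLE = """\
IPv6 DHCP: Received INFORMATION-REQUEST from fe80::c671:feff:fe93:b51a on CLIENT
type INFORMATION-REQUEST(11), xid 1588088
IPv6 DHCP: Sending RELAY-FORWARD to 2001:db8:200::2 on SERVER
type INFORMATION-REQUEST(11), xid 1588088
IPv6 DHCP: Received RELAY-REPLY from 2001:db8:200::2 on SERVER
type REPLY(7), xid 1588088
IPv6 DHCP: Sending REPLY to fe80::c671:feff:fe93:b51a on CLIENT
type REPLY(7), xid 1588088
IPv6 DHCP: Received SOLICIT from fe80::c671:feff:fe93:b51a on CLIENT
type SOLICIT(1), xid 2490681
IPv6 DHCP: Sending RELAY-FORWARD to 2001:db8:200::2 on SERVER
type SOLICIT(1), xid 2490681
"""
```

A gap at "from-server" points at the path to the DHCPv6 server, which is what show ipv6 neighbor and the SERVER-side capture check; a gap at "client-in" means the request never reached the CLIENT interface.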