Network topology:
Wired terminal --- L2 switch --- FW --- Internet
The wired terminal's gateway is on the FW.
Not applicable.
The FW is the DHCPv6 server, running in stateless mode.
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.2.1 255.255.255.0
 ip last-hop hold
 manage https inbound
 manage https outbound
 manage ping inbound
 manage ping outbound
 manage ssh inbound
 manage ssh outbound
 manage telnet inbound
 manage telnet outbound
 ipv6 address 2100::1/64
 ipv6 address auto
 ipv6 address auto link-local
 undo ipv6 nd ra halt
 ipv6 nd ra dns server 240E:14:6000::1 300 sequence 1
Note: the two "manage telnet" lines allow cleartext management sessions on the client-facing interface. Unless telnet is actually required, keep only HTTPS and SSH there (plus ping for troubleshooting).
Problem analysis:
While the PC could not ping the Internet, it could still ping its gateway. When the ping to an external address failed (the DNS server 240E:14:6000::1 was used as the test target), "debug acl ipv6 3900" on the FW produced no output at all, as if the packets were never passing through the FW.
Checking the PC's IPv6 routing table showed two default routes on site: one with the FW's IPv6 link-local address as next hop,
and another whose next hop belonged to an unknown device.
In IPv6 the default route is learned from Router Advertisements, not from DHCPv6 (DHCPv6 carries no default-route option), so the second route means another router on the segment was advertising itself as a default router; the PC used that route for external traffic, which is why the FW never saw the packets.
Confirming with the site showed that another device in the network also had DHCPv6 enabled (its router advertisements evidently go with the same feature, since the extra default route disappeared with it), which conflicted with the FW's DHCPv6.
Disabling DHCPv6 on the other device resolved the problem.
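The two-default-route symptom can be confirmed on the wire by decoding the Router Advertisements seen on the segment. The following Python script is an added example and not part of the original case: it parses raw IPv6/ICMPv6 RA frames, extracts the M/O flags (which is what distinguishes the stateless and stateful DHCPv6 modes from the client's point of view), the advertised prefix and the RDNSS option, and reports every router that offers a default route other than the expected FW link-local address. The frames and addresses used here (fe80::1 for the FW, fe80::5c:1 for the unexpected device, the fd00:beef::/64 prefix) are constructed for illustration; on a real network you would feed it frames captured with tcpdump or an equivalent filter for ICMPv6 type 134.

```python
"""Decode IPv6 Router Advertisements and flag unexpected default routers.

Added example, not part of the original case. The RA frames below are
constructed inline (no Ethernet header, ICMPv6 checksum left as 0)."""
import ipaddress
import struct

ICMPV6_RA = 134        # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3    # RA option: Prefix Information
OPT_RDNSS = 25         # RA option: Recursive DNS Server


def build_ra(src_ll, prefix, m_flag, o_flag, dns=()):
    """Build an IPv6 + ICMPv6 RA frame from a router with link-local src_ll."""
    src = ipaddress.IPv6Address(src_ll).packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if m_flag else 0) | (0x40 if o_flag else 0)
    # type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer (16 bytes)
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    # Prefix Information option: type 3, length 4 (= 32 bytes), L+A flags set
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        259200, 86400, 0) + net.network_address.packed
    if dns:
        # RDNSS option: type 25, length in 8-byte units = 1 + 2 * n addresses
        icmp += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 300)
        for server in dns:
            icmp += ipaddress.IPv6Address(server).packed
    # IPv6 header: version 6, payload length, next header 58 (ICMPv6), hop limit 255
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src + dst
    return ip6 + icmp


def parse_ra(frame):
    """Return a dict describing one RA, or None if the frame is not an RA."""
    if len(frame) < 56 or frame[0] >> 4 != 6 or frame[6] != 58:
        return None
    src = ipaddress.IPv6Address(frame[8:24])
    icmp = frame[40:40 + struct.unpack("!H", frame[4:6])[0]]
    if icmp[0] != ICMPV6_RA:
        return None
    flags, lifetime = icmp[5], struct.unpack("!H", icmp[6:8])[0]
    ra = {"router": src, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "dns": []}
    pos = 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0:          # malformed zero-length option: stop, do not spin
            break
        body = icmp[pos + 2:pos + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            # body: prefixlen(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS and olen >= 24:
            # body: reserved(2) lifetime(4) then 16-byte addresses
            for i in range(6, len(body), 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += olen
    return ra


def find_rogue_routers(frames, expected_gateway):
    """Routers with a non-zero router lifetime (i.e. offering a default route)
    whose link-local address is not the expected gateway."""
    expected = ipaddress.IPv6Address(expected_gateway)
    rogues = {}
    for ra in filter(None, map(parse_ra, frames)):
        if ra["router_lifetime"] > 0 and ra["router"] != expected:
            rogues[str(ra["router"])] = ra
    return rogues


# Constructed capture: the FW's stateless RA plus an RA from an unexpected
# device that also offers itself as default router (here with the M flag set).
FW_LL = "fe80::1"
CAPTURE = [
    build_ra(FW_LL, "2100::/64", m_flag=False, o_flag=False,
             dns=["240e:14:6000::1"]),
    build_ra("fe80::5c:1", "fd00:beef::/64", m_flag=True, o_flag=False),
]

if __name__ == "__main__":
    for ra in filter(None, map(parse_ra, CAPTURE)):
        print(ra["router"], "M=%d O=%d" % (ra["M"], ra["O"]),
              ra["prefixes"], ra["dns"])
    print("unexpected default routers:", sorted(find_rogue_routers(CAPTURE, FW_LL)))
```

Any address the script lists besides the FW's link-local is a candidate for the "unknown next hop" in the PC's routing table, and the M/O flags tell you whether that device is pushing clients toward stateful DHCPv6 as well.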
Solution:
Keep the FW as the only DHCPv6 server in the network and disable DHCPv6 on every other device.
Additional notes: the stateless and stateful DHCPv6 configurations on the FW are as follows.
Stateless
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ipv6 address 2100::1/64
 ipv6 address auto
 ipv6 address auto link-local
 undo ipv6 nd ra halt
 ipv6 nd ra dns server 240E:14:6000::1 300 sequence 1
#
ipv6 dhcp pool test
 network 2100::/64 preferred-lifetime 86400 valid-lifetime 259200
 dns-server 240E:14:6000::1
 dns-server 240E:14:E000::1
 domain-name aaa
Here clients form their own addresses by SLAAC from the advertised 2100::/64 prefix and take DNS from the RA DNS option. The pool is only consulted if the RA also sets the O flag (ipv6 nd autoconfig other-flag) and the client-facing interface is enabled as a DHCPv6 server (ipv6 dhcp select server, as in the stateful example).
Stateful
interface GigabitEthernet1/0/8
 port link-mode route
 combo enable copper
 ipv6 address 3::1/64
 ipv6 nd autoconfig managed-address-flag
 undo ipv6 nd ra halt
Configure the interface IPv6 address, set the M (managed address) flag to 1 in RAs, and un-suppress RA messages.
Also:
security-zone name Trust
 import interface GigabitEthernet1/0/3
The interface must be added to a security zone, otherwise clients cannot obtain addresses. (The original notes use GigabitEthernet1/0/8 and GigabitEthernet1/0/3 for the same client-facing interface.)
#
ipv6 dhcp server forbidden-address 3::2 3::3
Addresses excluded from allocation.
ipv6 dhcp pool ipv6pool1
 network 3::/64 preferred-lifetime 86400 valid-lifetime 259200
 dns-server 3::2
 domain-name ***.***
interface GigabitEthernet1/0/3
 ipv6 dhcp select server
Enable the DHCPv6 server role on the interface so that it serves the pool whose prefix matches the interface.
Emphasis: there must be only one DHCPv6 server (and only one router advertising the default route) on the segment. If the FW is used as the DHCPv6 server, disable any other DHCPv6 server in the network.