Palo Alto Networks Knowledgebase: PAN-OS 8.0 IPV6 Router Advertisement for DNS Configuration

PAN-OS 8.0 IPV6 Router Advertisement for DNS Configuration

Created On 09/25/18 18:59 PM - Last Updated 07/18/19 20:12 PM
8.0 PAN-OS
Resolution

This article highlights a new capability or feature introduced in PAN-OS 8.0. If you’d like to learn more about this topic or PAN-OS 8.0 in general, you’ll also want to check out our world-class Technical Documentation.

 

RDNSS (Recursive DNS Server) and DNSSL (DNS Search List) options are now included in the ND Router Advertisement messages, as per RFC 6106 and RFC 5006. This provides a full “basic networking” configuration and eliminates the need for a separate DHCPv6 server.

 

Devices can now 'plug and play' directly, with all the basic networking configuration provided by the firewalls. Per-interface NDP Monitoring capabilities have also been added as part of SLAAC reporting, to identify IPv6 endpoints on the link local network.

 

Configuration

 

Click the checkbox for 'Include DNS Information in Router Advertisement' to configure the RDNSS(s) and DNSSL(s). Unchecking the box greys out the configuration.

  • DNS Server addresses:
    ‒ 128-bit IPv6 addresses.
    ‒ 1-8 IPv6 addresses are supported.
  • DNS Server lifetime:
    ‒ Max time in secs that addresses can be used for name resolution.
    ‒ Setting the lifetime to 0: address can no longer be used.
    ‒ Lifetime value: MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval.
    ‒ Default: 1200 secs.
  • DNS Suffix:
    ‒ 1-8 Domain Names supported.
    ‒ Domain name restricted to 255 octets or less.
    ‒ Double bytes domain name supported.
  • DNS Suffix Lifetime:
    ‒ Max time in secs that the address can be used for name resolution.
    ‒ Setting the lifetime to 0: the suffix can no longer be used.
    ‒ Lifetime value: MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval.
    ‒ Default: 1200 secs.

[Screenshot: Include DNS Information in Router Advertisement]
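The RDNSS and DNSSL options configured above, checked from the receiving side. This is an added example, not Palo Alto Networks code: it decodes option types 25 and 31 (RFC 6106) from the options portion of a captured Router Advertisement and tests them against the limits listed on this page. The function names, the sample bytes, the 600-second MaxRtrAdvInterval used in testing and the suffix `corp.example.net` are assumptions made for illustration.

```python
import ipaddress
import struct

RDNSS, DNSSL = 25, 31  # ND option types from RFC 6106

def decode_names(body):
    """Decode DNSSL names: DNS label sequences, zero-padded to 8 octets."""
    names, labels, i = [], [], 0
    while i < len(body):
        n, i = body[i], i + 1
        if n > 63 or i + n > len(body):
            raise ValueError("malformed DNSSL label")
        if n:
            labels.append(body[i:i + n].decode("ascii", "replace"))
        elif labels:  # a zero octet ends a name; further zeros are padding
            names.append(".".join(labels))
            labels = []
        i += n
    return names

def parse_dns_options(options):
    """Walk the ND options that follow the 16-byte Router Advertisement header."""
    found, i = [], 0
    while i + 8 <= len(options):
        kind, size = options[i], options[i + 1] * 8  # length counts 8-octet units
        if size == 0 or i + size > len(options):
            raise ValueError("malformed ND option length")
        lifetime, body = struct.unpack("!I", options[i + 4:i + 8])[0], options[i + 8:i + size]
        if kind == RDNSS:  # a short trailing address makes IPv6Address raise ValueError
            found.append(("rdnss", lifetime, [str(ipaddress.IPv6Address(body[j:j + 16]))
                                              for j in range(0, len(body), 16)]))
        elif kind == DNSSL:
            found.append(("dnssl", lifetime, decode_names(body)))
        i += size
    return found

def audit(entries, max_rtr_adv_interval, expected):
    """Check each option against the limits on this page and an allow-list."""
    findings = []
    for kind, lifetime, values in entries:
        if not 1 <= len(values) <= 8:
            findings.append(f"{kind}: {len(values)} values, expected 1-8")
        if lifetime and not max_rtr_adv_interval <= lifetime <= 2 * max_rtr_adv_interval:
            findings.append(f"{kind}: lifetime {lifetime} outside bounds")
        findings += [f"{kind}: unexpected {v}" for v in values if v not in expected]
    return findings

SAMPLE = (struct.pack("!BBHI", RDNSS, 3, 0, 1200)  # constructed sample: RDNSS then DNSSL
          + ipaddress.IPv6Address("2001:600d:f00d::1005").packed
          + struct.pack("!BBHI", DNSSL, 4, 0, 86400) + b"\x04corp\x07example\x03net" + bytes(7))
```

Run against Router Advertisements captured on a segment, an empty result means the advertised DNS settings match the intended configuration; any finding points to a misconfiguration or to another device advertising DNS settings.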

 

Enabling NDP monitoring:

  • Disabled by default.
  • Before PAN-OS 8.0, the NDP table did not include User-ID information.
  • This feature uses the existing neighbor table and queries the user_id_agent for the ip_user_mapping.

[Screenshot: NDP monitoring]

 

 

CLI commands

 

show interface <ifname>

> show interface ethernet1/3

--------------------------------------------------------------------------------
...continued...

NDP Monitoring: enabled
Router Advertisement: enabled
  Advertised IPv6 prefix:
    2001:600d:f00d::1001/64
DNS Support: enabled
  DNS Server(s):
    2001:600d:f00d::1005
    2001:600d:f00d::1006
    2001:600d:f00d::1007
  DNS Suffix(es):
    v6.server1.example.com
    v6.server2.example.com
    v6.server3.example.com

 

show neighbor interface <ifname>

> show neighbor interface ethernet1/3

maximum of entries supported :      3000
default base reachable time:        30 seconds
total neighbor entries in table :   54
total neighbor entries shown :      54
interface         ip address                                   hw address          port    status
--------------------------------------------------------------------------------------------
ethernet1/3       2001:600d:f00d:0:124:5f93:a1e3:87d8          00:50:56:8c:ed:0e           STATIC
ethernet1/3       2001:600d:f00d:0:162:3877:e3a4:b9a5          00:50:56:8c:92:39           STATIC
ethernet1/3       2001:600d:f00d:0:18fa:5b3a:24e4:d0b0         00:50:56:8c:d4:2c           STATIC
ethernet1/3       2001:600d:f00d:0:19ec:8145:13d:c6d8          00:50:56:8c:ed:0e           STATIC
ethernet1/3       2001:600d:f00d:0:2da4:1066:3af:f84a          00:50:56:8c:f3:d8           STATIC
ethernet1/3       2001:600d:f00d:0:d6f4:beff:fe46:1912         d4:f4:be:46:19:12          REACHABLE
ethernet1/3       2001:600d:f00d:0:d800:c56c:5a09:6e81         00:50:56:8c:d4:2c           STATIC
ethernet1/3       2001:600d:f00d:0:e4a0:b0b7:fdf0:8e07         00:50:56:8c:5c:56           STALE
ethernet1/3       2001:600d:f00d:0:ec43:c004:f687:fae8         00:50:56:8c:25:00           STATIC
ethernet1/3       2001:600d:f00d:0:f51f:3dcc:a4:2bec           00:50:56:8c:07:f0           STATIC
ethernet1/3       2001:600d:f00d:0:fcd9:7b85:b22d:617e         00:50:56:8c:92:39           STATIC
ethernet1/3       fe80::21b:17ff:feaa:5d12                     00:1b:17:aa:5d:12           STALE
ethernet1/3       fe80::21b:17ff:feaa:5d15                     00:1b:17:aa:5d:15           STALE
ethernet1/3       fe80::250:56ff:fe8c:78a4                     00:50:56:8c:78:a4           STALE
ethernet1/3       fe80::c11:4490:bc8e:72fd                     00:50:56:8c:0b:c1           STALE
ethernet1/3       fe80::18fa:5b3a:24e4:d0b0                    00:50:56:8c:d4:2c           STALE

 

show neighbor ndp-monitor <ifname>

> show neighbor ndp-monitor ethernet1/3

maximum of entries supported :      3000
total ndp entries in table :        54
total ndp entries shown :           54
ndp entries startat:                1

interface      ipv6 address                            mac                user id  status    last reported
----------------------------------------------------------------------------------------------------------------
ethernet1/3    2001:600d:f00d:0:124:5f93:a1e3:87d8     00:50:56:8c:ed:0e  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:162:3877:e3a4:b9a5     00:50:56:8c:92:39  unknown  STATIC    2016/09/08 02:38:47
ethernet1/3    2001:600d:f00d:0:1d4:9bae:120:bbff      00:50:56:8c:db:1d  unknown  STATIC    2016/09/07 17:59:06
ethernet1/3    2001:600d:f00d:0:20c:29ff:fea9:e0d7     00:0c:29:a9:e0:d7  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:21b:17ff:feaa:5d12     00:1b:17:aa:5d:12  unknown  STALE     2016/09/18 04:34:11
ethernet1/3    2001:600d:f00d:0:9d4:6ebb:fce1:429d     00:50:56:8c:92:39  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:18fa:5b3a:24e4:d0b0    00:50:56:8c:d4:2c  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:19ec:8145:13d:c6d8     00:50:56:8c:ed:0e  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:2da4:1066:3af:f84a     00:50:56:8c:f3:d8  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:308e:cbf0:a02d:610     68:a3:c4:f4:61:a5  unknown  STATIC    2016/09/07 02:43:11
ethernet1/3    2001:600d:f00d:0:31a1:e92c:2c6e:9621    00:0c:29:a9:e0:d7  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:3430:ba8b:3fb0:d49a    00:50:56:8c:f3:d8  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:3463:17d1:4d8c:486f    00:50:56:8c:5e:49  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:3484:9ae7:5718:52cc    00:50:56:8c:16:cc  unknown  STALE     2016/09/06 19:45:46
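
An added example (not part of the original article) that turns the ndp-monitor table above into a per-MAC inventory: which addresses each endpoint holds, which of them are SLAAC addresses derived from the MAC (modified EUI-64), and whether any User-ID mapping exists. It assumes the seven-column row layout shown on this page and a user id without spaces; the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the ndp-monitor output shown on this page.
SAMPLE = """\
ethernet1/3    2001:600d:f00d:0:124:5f93:a1e3:87d8     00:50:56:8c:ed:0e  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:20c:29ff:fea9:e0d7     00:0c:29:a9:e0:d7  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:21b:17ff:feaa:5d12     00:1b:17:aa:5d:12  unknown  STALE     2016/09/18 04:34:11
ethernet1/3    2001:600d:f00d:0:19ec:8145:13d:c6d8     00:50:56:8c:ed:0e  unknown  STATIC    2016/09/06 18:05:52
ethernet1/3    2001:600d:f00d:0:31a1:e92c:2c6e:9621    00:0c:29:a9:e0:d7  unknown  STATIC    2016/09/06 18:05:52
"""

def is_eui64(ip, mac):
    """True if the address's interface ID is the modified EUI-64 of the MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int(ipaddress.IPv6Address(ip)) & (2**64 - 1) == int.from_bytes(iid, "big")

def parse_ndp_monitor(text):
    """Return one dict per data row; header and counter lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and ":" in f[1] and f[2].count(":") == 5:
            rows.append(dict(ip=f[1], mac=f[2], user=f[3], status=f[4], seen=f"{f[5]} {f[6]}"))
    return rows

def inventory(rows):
    """Group addresses by MAC and note which hosts have a User-ID mapping."""
    hosts = defaultdict(lambda: {"addresses": [], "eui64": [], "mapped": False})
    for r in rows:
        h = hosts[r["mac"]]
        h["addresses"].append(r["ip"])
        if is_eui64(r["ip"], r["mac"]):
            h["eui64"].append(r["ip"])
        h["mapped"] = h["mapped"] or r["user"] != "unknown"
    return dict(hosts)
```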

 

NDP monitoring summary is also available from the GUI.

[Screenshot: NDP information in the GUI]

 

Administrators have the option to clear all or selected NDP entries.

[Screenshot: Clear NDP entries]


