24.1 Production Series / Dynamic IPv6 Prefix Delegation to Layer 3 Switch
« on: March 06, 2024, 09:57:08 am »
I have an OPNsense firewall connected to an ICX 7250-C12P switch running layer 3 (router) firmware.
I have three VLANs - management, clients and IoT. Nothing on native VLAN. Currently I use ISC DHCP on OPNsense, so I have to have all three interfaces on the firewall connected via a tagged switch port. I will move to Kea and use a single trunk for firewall to switch with DHCP helper for IPv4 soon.
My ISP currently gives me only a single /64 IPv6 via DHCPv6 PD over IPv4 which is in theory dynamically assigned. It’s a new function for them and I’ve pointed them at the RIPE best practice guidance 😝
I want to give my clients VLAN the only prefix and allow them to use SLAAC. I don’t care if only this one subnet has a GUA prefix. How/which technology do I use to achieve this?
I’ve set the trunk giving each a ULA. I assume I want to do something with RA but I’m a little lost!
What I’m hoping to achieve is this…
1 - OPNsense retrieves PD from ISP over DHCPv6 via IPv4 PPPoE link - done, although ISP does not give me a link IP so using LL to gateway
2 - Single ‘trunk’ (I think this is the right term) layer 3 connection to sub-router (layer 3 switch)
3 - Layer 3 switch has three VLANs. I want one of these VLANs to receive GUA IPv6 addresses from the single /64 prefix I have so they can use SLAAC.
I’m thinking the way to do this is to assign each VLAN’s SVI a /64 ULA prefix so every client can have an IPv6 address. But then somehow also let the clients VLAN SVI have a GUA address and prefix. I’m just unclear what I should be doing, bearing in mind I don’t want to have to reconfigure my switch if my GUA prefix changes.