1
24.1 Legacy Series / Re: Dynamic IPv6 Prefix Delegation to Layer 3 Switch
« on: March 06, 2024, 09:57:05 pm »
So is there no technology that can pass the entire /64 prefix a router receives to another router?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.1 Legacy Series / Re: Dynamic IPv6 Prefix Delegation to Layer 3 Switch
« on: March 06, 2024, 02:04:25 pm »
The other network can be IPv4 only for the purposes of this example.
The bit I don’t know how to do is re-delegate my whole /64 PD from OPNSense to a subrouter.
The bit I don’t know how to do is re-delegate my whole /64 PD from OPNSense to a subrouter.
3
24.1 Legacy Series / Re: Dynamic IPv6 Prefix Delegation to Layer 3 Switch
« on: March 06, 2024, 01:21:08 pm »
To be clear. I don’t wish to subnet a /64 prefix. I am not looking to share a /64 between different networks. I want to give a /64 prefix to only one of my two networks (because I only have one) and do not know how to do this when a subrouter is involved
4
24.1 Legacy Series / Re: Dynamic IPv6 Prefix Delegation to Layer 3 Switch
« on: March 06, 2024, 11:31:00 am »
OK,
So I don’t give a ULA to the clients VLAN and only give devices and the SVI on the switch a GUA. Other VLANs can have ULAs or not, doesn’t really matter. Is there a way to “redelegate” the whole prefix to the switch for just ONE VLAN.
I assume no masquerading is needed as I’d set a default IPv6 route on the layer 3 switch and a route for the prefix to the layer switch on OPNSense
But I assume I’d have to have an interface on OPNSense with a GUA in the same prefix though? Can I not route GUA traffic over ULA links?
Let me simplify this for a moment to help me understand the concepts…
I have OPNSense as my firewall. It has LAN and WAN interfaces. WAN receives IPv4 with PPPoE and a single /64 PD via DHCPv6 over IPv4. WAN interface therefore has single IPv4 address and a LL address.
LAN has a static IPv4 address with a DHCP service running for clients. LAN is set to track interface for IPv6 and Router Advertisement is set to Unmanaged.
LAN is connected to layer 3 switch via a routed interface (this is what I meant when I said trunk port). Layer 3 switch has two VLANs with two corresponding SVIs on two subnets with ACLs. I assume with the appropriate routes this will just work but unless I filter RA somehow on the switch, both VLANs are on the same IPv6 subnet which would be an issue when writing ACLs?
So I don’t give a ULA to the clients VLAN and only give devices and the SVI on the switch a GUA. Other VLANs can have ULAs or not, doesn’t really matter. Is there a way to “redelegate” the whole prefix to the switch for just ONE VLAN.
I assume no masquerading is needed as I’d set a default IPv6 route on the layer 3 switch and a route for the prefix to the layer switch on OPNSense
But I assume I’d have to have an interface on OPNSense with a GUA in the same prefix though? Can I not route GUA traffic over ULA links?
Let me simplify this for a moment to help me understand the concepts…
I have OPNSense as my firewall. It has LAN and WAN interfaces. WAN receives IPv4 with PPPoE and a single /64 PD via DHCPv6 over IPv4. WAN interface therefore has single IPv4 address and a LL address.
LAN has a static IPv4 address with a DHCP service running for clients. LAN is set to track interface for IPv6 and Router Advertisement is set to Unmanaged.
LAN is connected to layer 3 switch via a routed interface (this is what I meant when I said trunk port). Layer 3 switch has two VLANs with two corresponding SVIs on two subnets with ACLs. I assume with the appropriate routes this will just work but unless I filter RA somehow on the switch, both VLANs are on the same IPv6 subnet which would be an issue when writing ACLs?
5
24.1 Legacy Series / Dynamic IPv6 Prefix Delegation to Layer 3 Switch
« on: March 06, 2024, 09:57:08 am »
I have an OPNSense firewall connected to an ICX 7250-C12P switch running layer 3 (router) firmware.
I have three VLANS - management, clients and IOT. Nothing on native VLAN. Currently I use ISC DHCP on OPNSense so have to have all three interfaces on the firewall connected via a tagged switch port. I will move to Kea and use a single trunk for firewall to switch with DHCP helper for IPv4 soon.
My ISP currently gives me only a single /64 IPv6 via DHCPv6 PD over IPv4 which is in theory dynamically assigned. It’s a new function for them and I’ve pointed them at the RIPE best practice guidance 😝
I want to give my clients VLAN the only prefix and allow them to use SLAAC. I don’t care if only this one subnet has a GUA prefix. How/which technology do I use to achieve this?
I’ve set the trunk giving each a ULA. I assume I want to do something with RA but I’m a little lost!
What I’m hoping to achieve is this…
1 - OPNSense retrieves PD from ISP over DHCPv6 via IPv4 PPPoE link - done although ISP does not give me a link IP so using LL to gateway
2 - Single ‘trunk’ (I think this is the right term) layer 3 connection to sub-router (layer 3 switch)
3 - Layer 3 switch has three VLANs. I want one of these VLANs to receive GUA IPv6 addresses from the single /64 prefix I have so they can use SLAAC.
I’m thinking the way to do this is to assign each VLAN’s SVI a /64 ULA prefix so every client can have an IPv6 address. But then somehow also let the clients VLAN SVI have a GUA address and prefix. I’m just unclear what I should be doing bearing in mind I don’t want to have to reconfigure my switch if my GUA prefix changes
I have three VLANS - management, clients and IOT. Nothing on native VLAN. Currently I use ISC DHCP on OPNSense so have to have all three interfaces on the firewall connected via a tagged switch port. I will move to Kea and use a single trunk for firewall to switch with DHCP helper for IPv4 soon.
My ISP currently gives me only a single /64 IPv6 via DHCPv6 PD over IPv4 which is in theory dynamically assigned. It’s a new function for them and I’ve pointed them at the RIPE best practice guidance 😝
I want to give my clients VLAN the only prefix and allow them to use SLAAC. I don’t care if only this one subnet has a GUA prefix. How/which technology do I use to achieve this?
I’ve set the trunk giving each a ULA. I assume I want to do something with RA but I’m a little lost!
What I’m hoping to achieve is this…
1 - OPNSense retrieves PD from ISP over DHCPv6 via IPv4 PPPoE link - done although ISP does not give me a link IP so using LL to gateway
2 - Single ‘trunk’ (I think this is the right term) layer 3 connection to sub-router (layer 3 switch)
3 - Layer 3 switch has three VLANs. I want one of these VLANs to receive GUA IPv6 addresses from the single /64 prefix I have so they can use SLAAC.
I’m thinking the way to do this is to assign each VLAN’s SVI a /64 ULA prefix so every client can have an IPv6 address. But then somehow also let the clients VLAN SVI have a GUA address and prefix. I’m just unclear what I should be doing bearing in mind I don’t want to have to reconfigure my switch if my GUA prefix changes
Pages: [1]