Posted: 5/16/2023 11:44:34 AM EDT
We are being forced to go IPv6; we have a mix of Juniper and Cisco. I know our IPv6 address and have picked what I think is a good subnet breakdown. Most of the documentation we find on the internet contradicts itself, or the commands don't match what is available.

Anyone have experience setting up IPv6?

We currently have two switches set up in a lab; we use the link layer and interface for static routes. Switch 1 (2xxxx:xxxx:xxxx::1) can ping switch 2 (2xxxx:xxxx:xxxx::2), and the computer (2xxxx:xxxx:xxxx::3) can ping and SSH into them.

We know we will have to add new firewall rules and configure the IDS to inspect IPv6, plus configure the VPN to use IPv6 too. Our server team will need to configure all their servers for IPv6 and set the DHCP server to assign addresses, plus set up McAfee to allow and not block IPv6.

Any suggestions from others who have switched to IPv6?

I have a 2xxx:xxx:xxx:/48 assigned for use.

With IPv4 we have our subnets broken down and use different VLANs, so my planned subnet breakdown for IPv6 would use the listed Subnet ID to be associated with our VLANs under IPv6.

Subnet ID   Subnet Address            Host Address Range                                Notation
1           2xxxx:xxxx:xxxx::         2xxxx:xxxx:xxxx:: - 2xxxx:xxxx:xxxx:ff::          2xxxx:xxxx:xxxx::/56
2           2xxxx:xxxx:xxxx:0100::    2xxxx:xxxx:xxxx:100:: - 2xxxx:xxxx:xxxx:1ff::     2xxxx:xxxx:xxxx:100::/56
3           2xxxx:xxxx:xxxx:0200::    2xxxx:xxxx:xxxx:200:: - 2xxxx:xxxx:xxxx:2ff::     2xxxx:xxxx:xxxx:200::/56
4           2xxxx:xxxx:xxxx:0300::    2xxxx:xxxx:xxxx:300:: - 2xxxx:xxxx:xxxx:3ff::     2xxxx:xxxx:xxxx:300::/56
5           2xxxx:xxxx:xxxx:0400::    2xxxx:xxxx:xxxx:400:: - 2xxxx:xxxx:xxxx:4ff::     2xxxx:xxxx:xxxx:400::/56
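A quick way to sanity-check a breakdown like the table above is to let Python's ipaddress module carve the /48 for you and compare its output with the rows. The script below is an added example, not something from the thread or the poster's network; it uses the documentation prefix 2001:db8:1::/48 as a stand-in for the masked 2xxxx:xxxx:xxxx::/48, and the subnet-ID numbering (1-based, one /56 per ID) follows the table.

```python
"""Carve an IPv6 /48 into /56 blocks, one per subnet ID, and report what
each block covers.  Added example, not from the thread; 2001:db8:1::/48
is the documentation prefix standing in for the masked 2xxxx:xxxx:xxxx::/48."""
import ipaddress

ASSIGNED = "2001:db8:1::/48"  # constructed placeholder for the real allocation


def block_for_subnet_id(assigned, subnet_id: int) -> ipaddress.IPv6Network:
    """Subnet ID n (1-based) -> the n-th /56 of the /48.  The /56 index is the
    high byte of the fourth hextet, which is why ID 2 comes out as ...:0100::/56."""
    base = ipaddress.ip_network(assigned)
    if base.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 1 <= subnet_id <= 256:
        raise ValueError("a /48 holds only 256 /56 blocks")
    offset = (subnet_id - 1) << (128 - 56)
    return ipaddress.IPv6Network((int(base.network_address) + offset, 56))


def describe(net: ipaddress.IPv6Network) -> dict:
    """First and last /64 inside the block plus the full host-address range.
    (ipaddress calls the last address 'broadcast_address' even for IPv6.)"""
    last_64 = ipaddress.IPv6Network((int(net.broadcast_address) >> 64 << 64, 64))
    return {
        "subnet": str(net),
        "first_64": str(ipaddress.IPv6Network((int(net.network_address), 64))),
        "last_64": str(last_64),
        "first_host": str(net.network_address),
        "last_host": str(net.broadcast_address),
        "num_64s": 2 ** (64 - net.prefixlen),
    }


def plan(assigned, count: int) -> list:
    """Rows for subnet IDs 1..count, in the shape of the table in the post."""
    return [dict(subnet_id=i, **describe(block_for_subnet_id(assigned, i)))
            for i in range(1, count + 1)]


def subnet_id_of(assigned, address) -> int:
    """Reverse lookup: which subnet ID does an interface address belong to?"""
    base = ipaddress.ip_network(assigned)
    ip = ipaddress.ip_interface(address).ip
    if ip not in base:
        raise ValueError(f"{ip} is outside {base}")
    return ((int(ip) - int(base.network_address)) >> (128 - 56)) + 1


if __name__ == "__main__":
    for row in plan(ASSIGNED, 5):
        print(f"{row['subnet_id']:<3} {row['subnet']:<24} "
              f"{row['first_64']} - {row['last_64']}")
```

The "Host Address Range" column in the table lists the first and last /64 prefix of each block rather than the last host address; `describe` returns both so either view can be compared. `subnet_id_of` is the reverse check you want when someone hands you an address and you need to know which VLAN's block it should live in.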
Link Posted: 5/16/2023 12:12:06 PM EDT
[#1]
I turned my house into an IPv6 lab back in 2012. I also studied some of the RFCs that were available at the time and learned some things. IPv6 is not an update of IPv4 with a larger address space. Some philosophies are fundamentally different.

I'll put what I learned below. Firmware support for v6 has no doubt come a long way since then, so people who have done this recently can feel free to (and should) publicly disagree with me.

1. Hosts Should Be on /64 Subnets

You can absolutely assign something smaller than a /64 to a host, but the protocol seems to have been built with /64 as the preferred size. This lets you use SLAAC (stateless auto-configuration).

I have come to prefer using SLAAC+DHCPv6. That is, anything that supports IPv6 can self-configure using SLAAC, and most hosts will be able to pull down more useful information via DHCPv6. This way, hosts can still have basic functionality if all they support is SLAAC, which was the case for earlier versions of Android.

2. Assign a ULA Subnet

Assign your network a ULA. These subnets start with FD__:.... and are /48 in length. Each IPv6 host on your network should then self-configure both a global prefix (2600:: or some such) in addition to the ULA. (EDIT: Servers can and probably should have statically-assigned ULA addresses.)

In this way, if you change ISPs, your ULA remains intact and host-to-host communication over IPv6 doesn't have to be impacted.

Randomly generate the ULA out to /48. Do not do something like fd00::/48. In this way, you can virtually guarantee that you can VPN your ULA with someone else's and the address spaces won't clash.

Unique Local IPv6 Generator

I'll be watching this thread for activity.
Link Posted: 5/16/2023 4:30:03 PM EDT
[#2]
When I was leaving Charter, we were just starting to put V6 on everything.
I was able to do the Loopback, 10GE01-04, and then Scopes and Sub interfaces for Res Cable Modems, STBs, Voice/MTAs, Path Track Monitoring Nodes and a few other containers...

I know IPv4 very well, but one drawback from a service provider was we often had to add scopes to the DHCP server and interfaces to our CMTS to keep adding new CMs and CPEs to handle new turn-ups and growth.

Turning up v6 would eventually mean no more filling scopes...
I mean, you could assign a block (large enough) to each interface that was a hundred times bigger than it could use without crashing, so you'd never have to add IPs to that device again....
Link Posted: 5/22/2023 5:56:55 PM EDT
[#3]
So our lab now works. We fought for a few days with everything working between switches but were unable to get traffic to pass the firewall. It turned out we fat-fingered the IPv6 address on the firewall, so it was not in the same subnet for management.

We are not going to be able to do SLAAC or ULAs; everything has to be assigned within our IP space, due to external scanning requirements and compliance. So we will have to rely on access lists and firewall rules. I assume VLAN separation still works the same with IPv6, but we need to test it; right now in our lab we are just using one VLAN and subnet for everything. As we move this out to the production network we will need to verify that VLAN traffic and firewall zones remain separated as they do now with IPv4.
Link Posted: 5/26/2023 9:38:17 AM EDT
[#4]
Attached is a simple layout of what we have.

SW1, SW2, SW3 and the L3SW can all ping each other by the 2001:xxx:xxx::/56 addresses

L3SW can ping the FW via 2001:xxx:xxx:3300::2/126 address.

PR can ping the FW via 2001:xxx:xxx:3100::2/126 address.

FW can ping the PR via 2001:xxx:xxx:3200::2/126 address, but cannot ping the L3SW via 2001:xxx:xxx:3300::1/126 address.

[Attachment: network layout image, not included]
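Two of the problems in posts #3 and #4 are the kind a small inventory audit catches before anyone starts pinging: an interface address that was typed wrong and therefore is not in the same subnet as its peer, and (given the compliance requirement that everything live inside the assigned space) an address that is outside the allocated /48. The script below is an added example, not from the thread; the inventory, the link list, the deliberately mistyped 3330 address and the documentation prefix 2001:db8:1::/48 are all constructed for illustration and are not the poster's actual configuration.

```python
"""Audit IPv6 interface addresses for two things the thread ran into:
every address must fall inside the allocated /48 (no ULA or other
out-of-scope space), and both ends of a point-to-point /126 must sit in
the same /126.  Added example; inventory below is constructed, using the
documentation prefix 2001:db8:1::/48 in place of the poster's masked one."""
import ipaddress

ASSIGNED = "2001:db8:1::/48"  # constructed placeholder for the real allocation

# Constructed inventory: (device, interface) -> address/prefixlen
INTERFACES = {
    ("L3SW", "to-FW"): "2001:db8:1:3300::1/126",
    ("FW", "to-L3SW"): "2001:db8:1:3330::2/126",   # constructed typo: 3330 vs 3300
    ("FW", "to-PR"): "2001:db8:1:3200::2/126",
    ("PR", "to-FW"): "2001:db8:1:3200::1/126",
    ("ESX1", "vsan"): "fd9f:1813:fe9d:223::10/64",  # ULA, outside the /48
}

# Constructed list of which interfaces are meant to be link peers
LINKS = [
    (("L3SW", "to-FW"), ("FW", "to-L3SW")),
    (("PR", "to-FW"), ("FW", "to-PR")),
]


def in_assigned_space(addr: str, assigned=ASSIGNED) -> bool:
    """True if the interface address lies inside the allocated block."""
    return ipaddress.ip_interface(addr).ip in ipaddress.ip_network(assigned)


def same_link(addr_a: str, addr_b: str) -> bool:
    """True if two interface addresses share one subnet and neither uses the
    subnet-router anycast address (all-zero interface ID), which a router
    will not answer as its own unicast address."""
    a = ipaddress.ip_interface(addr_a)
    b = ipaddress.ip_interface(addr_b)
    return (a.network == b.network
            and a.ip != a.network.network_address
            and b.ip != b.network.network_address)


def audit(interfaces=INTERFACES, links=LINKS, assigned=ASSIGNED) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for (dev, ifname), addr in interfaces.items():
        if not in_assigned_space(addr, assigned):
            findings.append(f"{dev} {ifname}: {addr} is outside {assigned}")
    for (dev_a, if_a), (dev_b, if_b) in links:
        addr_a, addr_b = interfaces[(dev_a, if_a)], interfaces[(dev_b, if_b)]
        if not same_link(addr_a, addr_b):
            findings.append(f"{dev_a} {if_a} {addr_a} and {dev_b} {if_b} {addr_b} "
                            "are not in the same subnet")
    return findings


if __name__ == "__main__":
    for line in audit() or ["no findings"]:
        print(line)
```

Run against the constructed inventory it reports two findings: the vSAN ULA address sitting outside the /48, and the L3SW/FW pair whose addresses land in different /126s. Feeding it the real inventory (exported from the switch and firewall configs) is a cheap first step before chasing a routing or firewall-rule problem.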
Link Posted: 6/20/2023 10:49:55 AM EDT
[#5]
Still working some things out; routing and firewall rules have been the biggest issues. I will work on a full write-up when we get it all sorted so others can benefit.

Current thing we are trying out is on our virtual environment. It currently uses a mix of private addresses in both the 172 and 192 ranges for its connection to the switch. We want to continue to use private addresses, so looking at https://simpledns.plus/private-ipv6, would it be best to use two different IPv6 private addresses or just use one? It seems like you can't subnet the /64 down, at least using any of the online calculators I tried. We had Dell set this up for us when we got it and they did an honorable job; we had to fix many things when they left, as the install guy said all he does is run a script on the provided hardware and could not troubleshoot it.
Link Posted: 6/25/2023 9:49:05 AM EDT
[#6]
Quoted:
Still working some things out; routing and firewall rules have been the biggest issues. I will work on a full write-up when we get it all sorted so others can benefit.

Current thing we are trying out is on our virtual environment. It currently uses a mix of private addresses in both the 172 and 192 ranges for its connection to the switch. We want to continue to use private addresses, so looking at https://simpledns.plus/private-ipv6, would it be best to use two different IPv6 private addresses or just use one? It seems like you can't subnet the /64 down, at least using any of the online calculators I tried. We had Dell set this up for us when we got it and they did an honorable job; we had to fix many things when they left, as the install guy said all he does is run a script on the provided hardware and could not troubleshoot it.

Does the 172 and 192 traffic ever need to go public?
Link Posted: 6/25/2023 10:15:39 PM EDT
[#7]
Quoted:
Does the 172 and 192 traffic ever need to go public?


No, they are only internal for the VMware storage.

EDIT
I was able to log into the switch this morning.

Port channels use a 192 subnet, as does Provision and vMotion. And one address for out of band management.

172 is used for vSAN Cluster and vrrp.
Link Posted: 6/26/2023 2:26:17 PM EDT
[#8]
After doing more research it looks like I can have multiple /64 private subnets like this.

fd9f:1813:fe9d::/64
fd9f:1813:fe9d:1::/64
fd9f:1813:fe9d:2::/64
fd9f:1813:fe9d:3::/64

I will probably separate them to match the VLAN IDs for easy reference; for example, if I have VLAN IDs of 223 and 556 I would use fd9f:1813:fe9d:0223::/64 and fd9f:1813:fe9d:0556::/64.
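Post #1's advice (generate the ULA /48 randomly, never fd00::/48) and post #8's plan (one /64 per VLAN, with the subnet field spelling the VLAN number) fit together in a few lines of Python. The script below is an added example, not from the thread; `random_ula_48` follows the RFC 4193 construction (fd00::/8 plus a random 40-bit Global ID), and the fixed prefix fd9f:1813:fe9d::/48 is reused only because the poster wrote it, as a worked case for the VLAN mapping. Note that the mapping reads the decimal VLAN number as hex digits, so VLAN 223 becomes subnet field 0x0223; that is exactly what the post proposes, and it works for every VLAN ID from 1 to 4094 because 0x4094 still fits in 16 bits.

```python
"""Generate a random ULA /48 the way RFC 4193 intends (fd00::/8 followed by
a random 40-bit Global ID) and carve /64s out of it whose subnet field spells
the VLAN number in hex digits.  Added example, not from the thread; the fixed
prefix fd9f:1813:fe9d::/48 is the poster's and serves only as a worked case."""
import ipaddress
import secrets


def random_ula_48() -> ipaddress.IPv6Network:
    """fd + 40 random bits -> a /48 that is unlikely to collide with another
    site's ULA when the two networks are later joined over a VPN."""
    global_id = secrets.randbits(40)
    prefix_int = (0xfd << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def is_well_formed_ula(net) -> bool:
    """A /48 inside fd00::/8 whose Global ID is not all zeros (i.e. not the
    fd00::/48 that post #1 warns against)."""
    net = ipaddress.ip_network(net)
    in_fd = net.subnet_of(ipaddress.IPv6Network("fd00::/8"))
    global_id = (int(net.network_address) >> 80) & ((1 << 40) - 1)
    return net.prefixlen == 48 and in_fd and global_id != 0


def vlan_to_64(ula, vlan_id: int) -> ipaddress.IPv6Network:
    """Subnet field = the VLAN number read as hex digits, so VLAN 223 becomes
    fdXX:XXXX:XXXX:223::/64.  VLAN IDs run 1..4094, and int("4094", 16) is
    still below 0x10000, so the result always fits the 16-bit field."""
    ula = ipaddress.ip_network(ula)
    if ula.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    subnet_field = int(str(vlan_id), 16)
    return ipaddress.IPv6Network((int(ula.network_address) | (subnet_field << 64), 64))


def vlan_from_64(net) -> int:
    """Reverse mapping: read the subnet field back as decimal digits."""
    net = ipaddress.ip_network(net)
    subnet_field = (int(net.network_address) >> 64) & 0xffff
    return int(format(subnet_field, "x"))


if __name__ == "__main__":
    ula = random_ula_48()
    print("generated ULA:", ula, "well-formed:", is_well_formed_ula(ula))
    for vlan in (223, 556):
        net = vlan_to_64("fd9f:1813:fe9d::/48", vlan)
        print(f"VLAN {vlan} -> {net} -> VLAN {vlan_from_64(net)}")
```

The reverse function matters in practice: when a /64 turns up in a log or a firewall rule, `vlan_from_64` tells you which VLAN it was meant for without a lookup table, which is the "easy reference" the post is after.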
Link Posted: 6/26/2023 5:40:43 PM EDT
[#9]
Yes, a ULA is a /48. You are free to subdivide it.
Link Posted: 6/27/2023 12:31:40 PM EDT
[#10]