IPv6 Configuration - COMCAST Multiple VLANs

krisarmstrong1
Level 1

Hi,

I am trying to get IPv6 to work across my VLANs. I have IPv4 working no problem, but to be perfectly honest I'm a newbie to IPv6 and am very confused here as to what needs to take place.

 

Topology

Comcast Modem > Ubiquiti EdgeMax Lite > Cisco 3560-X

VLAN 192 on the Cisco 3560 is the Internet uplink to the Ubiquiti Edge Lite.

 

Cisco VLAN 192 Configuration

c3560x(config-if)#do sh run int vlan 192

Building configuration...
Current configuration : 155 bytes
!
interface Vlan192
description Internet VLAN
ip address 192.168.1.2 255.255.255.0
ipv6 address autoconfig default
ipv6 nd router-preference High
end
c3560x(config-if)#

The Ubiquiti EdgeMax configuration looks as follows:

ubnt@gw01:~$ show configuration 
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGONS {
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/4
            network 240.0.0.0/4
        }
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "drop invlaid state"
        rule 1 {
            action drop
            log disable
            state {
                invalid enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description WAN-To-LAN
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description WAN-to-Router-Interface
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "allow icmp"
            log disable
            protocol icmp
        }
        rule 40 {
            action drop
            description "drop bogon source"
            disable
            log enable
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 50 {
            action accept
            description "Allow external connections to OpenVPN"
            destination {
                port 1194
            }
            log disable
            protocol udp
        }
    }
    name WAN_OUT {
        default-action accept
        description "BLOCK OutBound Traffic"
        rule 1 {
            action drop
            description "NTP BLOCK PORT 123"
            destination {
                port 123
            }
            log enable
            protocol tcp_udp
            source {
                address 10.0.1.155
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                prefix-length 60
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        disable
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
  
ubnt@gw01:~$  

Any help would be greatly appreciated. 

 


Harold Ritter
Cisco Employee

Hi,

 

I see 2 possibilities to solve the issue.

 

1. Leave the C3560 as an L3 device and get prefix delegation from the Ubiquiti EdgeMax Lite if it is supported.

2. Use the C3560 as an L2 device with the L3 termination on the Ubiquiti EdgeMax Lite.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

So my preference is option 1 because I don't see any reason for traffic to traverse the Ubiquiti Internet link that is not destined for the internet. This allows me to keep local traffic off the Internet uplink.

I'm sure the Ubiquiti supports this because I have seen all kinds of examples of the Ubiquiti being used in scenario 2 that you mentioned, where it has virtual interfaces for each VLAN.

I'm getting confused on what is needed on the Cisco VLANs to pick up the IPv6 addresses on the 192 VLAN.

As odd as it sounds, I wish the Ubiquiti was a Cisco device; this would probably be easier for me to figure out :-) So on the assumption that VLAN 192 is getting IPv6 addresses, how do I tell the other VLANs to get IPv6 addresses from the 192 VLAN?

So looks like I am getting IPv6 on the VLAN192 interface as it has a global address but VLAN 150 only has a link-local address.

[code]
c3560x#sh ipv6 interface
Vlan150 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::206:F6FF:FEC5:1047
No Virtual link-local address(es):
Description: Data
Stateless address autoconfig enabled
No global unicast address is configured
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFC5:1047
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Output features: Check hwidb
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
Vlan192 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::206:F6FF:FEC5:1048
No Virtual link-local address(es):
Description: Internet VLAN
Stateless address autoconfig enabled
Global unicast address(es):
2601:281:C700:6E21:206:F6FF:FEC5:1048, subnet is 2601:281:C700:6E21::/64 [EUI/CAL/PRE]
valid lifetime 85881 preferred lifetime 13881
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFC5:1048
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Output features: Check hwidb
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is High
Hosts use stateless autoconfig for addresses.
[/code]

Hi, this is what I ended up doing. It's still not working quite yet, but I believe I am closer. Any guidance?

 

c3560x#sh ipv6 dhcp pool ComcastPool
DHCPv6 pool: ComcastPool
  Prefix pool: comcast-ipv6
               preferred lifetime 604800, valid lifetime 2592000
  Domain name: minion.lab
  Active clients: 0
c3560x#sh run ipv6 dhcp pool ComcastPool
!
ipv6 dhcp pool ComcastPool
 prefix-delegation pool comcast-ipv6
 domain-name minion.lab
!
c3560x#sh run int vlan 192              
Building configuration...

Current configuration : 189 bytes
!
interface Vlan192
 description Internet VLAN
 ip address 192.168.1.2 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd comcast-ipv6
end

c3560x#sh run int vlan 150
Building configuration...

Current configuration : 209 bytes
!
interface Vlan150
 description Data
 ip address 10.0.150.1 255.255.255.0
 ipv6 address comcast-ipv6 ::1/64
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server ComcastPool
end

c3560x#

VLAN 150 is still not getting an IPv6 address, nor are the clients on VLAN 150. Any ideas?

You do not need the 3560 to be a DHCPv6 PD server, but rather just a client. This should work, as long as the Ubiquiti Edge Lite supports the DHCPv6 PD server capability and that it is configured for it.

 

Regards,

Harold Ritter

I thought that IPv6 RA would not traverse VLANs? So, once the Ubiquiti supports DHCPv6 PD server capabilities, how would each VLAN get IPs?

Maybe this would be easier to answer: let's say instead of the Ubiquiti I did a Cisco 2821, which I believe can handle a 1 Gbps internet circuit? What would that config look like in this scenario?

In short, the Ubiquiti would act as a DHCP PD client on the WAN side (towards Comcast) and as a DHCP server on the LAN side (towards the C3560). The C3560 will act as a DHCP PD client, will receive the PD and will use it to configure the IPv6 prefix on its LAN side and use RA to advertise the IPv6 prefix to the hosts.

 

Regards,

 

Harold


In that Ubiquiti config, the Comcast delegated prefixes get assigned to the internal interfaces, and each interface speaks SLAAC, allowing an address on the managed prefix.

 

As long as VLAN 192 is mapped to a switch port that connects to the Ubiquiti, this is just like any other SLAAC based address assignment; nothing special.

 

The trick is making sure the Ubiquiti is handing out SLAAC addresses at all.

Phillip Remaker
Cisco Employee

Is the Ubiquiti device getting the prefixes from Comcast? The Business Class lines use a /56 prefix delegation and if you set /60 it won't work. 

 

Start by making sure the Ubiquiti has successfully received the prefixes by verifying that eth1 and eth2 each have IPv6 addresses on the specified prefix id.

 

If the prefixes have been successfully assigned to the Ubiquiti, the switch should just pick up an IPv6 address.
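
The verification step described above, worked through with the addresses posted in this thread (an added example, not part of any post): it derives the /64 each `prefix-id` should produce and checks whether an interface's SLAAC address sits on it. The function names are hypothetical, the delegated prefix is an assumption inferred from Vlan192's /64 together with the posted `prefix-length 60`, and `prefix-id` is assumed to be read as hexadecimal.

```python
import ipaddress

LOW64 = (1 << 64) - 1

def pd_subnet(delegated, prefix_id):
    """The /64 carved out of a delegated prefix for a prefix-id such as ':1'."""
    net = ipaddress.IPv6Network(delegated)
    sub_bits = 64 - net.prefixlen
    pid = int(prefix_id.lstrip(":"), 16)        # assumption: prefix-id is hexadecimal
    if sub_bits < 0 or pid >= (1 << sub_bits):
        raise ValueError(f"prefix-id {prefix_id} does not fit in a /{net.prefixlen}")
    return ipaddress.IPv6Network((int(net.network_address) | (pid << 64), 64))

def check_interface(delegated, prefix_id, host_address, link_local, global_addr):
    """Compare what an interface shows against what the delegation should produce."""
    subnet = pd_subnet(delegated, prefix_id)
    router = ipaddress.IPv6Address(
        int(subnet.network_address) | int(ipaddress.IPv6Address(host_address)))
    result = {"subnet": str(subnet), "router": str(router),
              "on_prefix": False, "eui64_match": False}
    if global_addr is None:                     # "No global unicast address is configured"
        return result
    addr = ipaddress.IPv6Address(global_addr)
    result["on_prefix"] = addr in subnet
    # SLAAC with EUI-64 reuses the link-local interface identifier (low 64 bits).
    result["eui64_match"] = (
        int(addr) & LOW64) == (int(ipaddress.IPv6Address(link_local)) & LOW64)
    return result

# Assumption: inferred from Vlan192's 2601:281:C700:6E21::/64 and prefix-length 60.
DELEGATED = "2601:281:c700:6e20::/60"

if __name__ == "__main__":
    # Vlan192 addresses copied from the "sh ipv6 interface" output in the thread.
    print(check_interface(DELEGATED, ":1", "::1",
                          "FE80::206:F6FF:FEC5:1048",
                          "2601:281:C700:6E21:206:F6FF:FEC5:1048"))
    # The /64 that eth2 (prefix-id :2) would receive from the same delegation.
    print(pd_subnet(DELEGATED, ":2"))
```

Under that assumption, Vlan192's global address lands on the eth1 prefix with its EUI-64 identifier intact, which matches the SLAAC behaviour described in the replies. A /60 leaves room for only sixteen prefix IDs, so a larger `prefix-id` raises an error rather than spilling outside the delegation.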