Solved: Re: IPv6 LAN deployment: Global Unicast or NAT with Unique Local

romanroma · ‎10-01-2021

What is the current trend of IPv6 with engineers and deployment on the LAN side when it comes to IPv6? Are folks using Global Unicast when they can or still sticking to Unique Local (NAT)?

Doesn't some aspects of IPv6 break with Unique Local or is that just blocks smaller then /64?

Thank you

Harold Ritter · ‎10-05-2021

Hi @romanroma ,

It should be as easy as configuring the global prefix on the interface and then the "ipv6 dhcp relay". As I also mentioned before, you probably want to negate the advertisement of the global prefix in the router advertisement to make sure the workstation connected to this subnet won't use SLAAC. You will need the following command for that purpose:

int gi0/0

ipv6 nd prefix default no-advertise

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Harold Ritter · ‎10-01-2021

Hi @romanroma ,

> What is the current trend of IPv6 with engineers and deployment on the LAN side when it comes to IPv6? Are folks using Global Unicast when they can or still

> sticking to Unique Local (NAT)?

The current recommendation is to use global addresses (GUA). The use of unique local addresses combined with NAT is not recommended.

> Doesn't some aspects of IPv6 break with Unique Local or is that just blocks smaller then /64?

The /64 restriction equally applies to GUA and LUA.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

romanroma · ‎10-04-2021

@Harold Ritter

If Global Unicast is used for LAN segment, and if someone uses SLAAC with EUI-64 and then uses the Private Extensions how does one keep track of the end users IP address? Is DNS dynamically updated from the router that is handing out SLACC/EUI-64 with Private Extensions? I know this is covered in RFC 4941; however, this is over my head and how this works in real world scenarios.

Harold Ritter · ‎10-04-2021

Hi @romanroma

The best approach is to only allow workstations to get IPv6 address information from DHCPv6 and not allowing SLAAC to take place. This can be done by configuring the router not to send the local prefix in the router advertisement message. It makes it a lot easier to track the assigned IPv6 address exclusively via DHCPv6.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

romanroma · ‎10-04-2021

@Harold Ritter

How do I implement Private Extension in the DHCPv6 pool? Is this system the server/dhcp admin will have to configure?

Harold Ritter · ‎10-04-2021

Hi @romanroma ,

Privacy Extension only applies to SLAAC, not to DHCPv6.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

romanroma · ‎10-04-2021

@Harold Ritter

ok thank you. I guess the dynamic assignment from DHCP will be good enough for security if the Global Unicast is pushed/used down at the LAN level for workstations?

Harold Ritter · ‎10-04-2021

Hi @romanroma ,

Yes, it is fine, as the DHCPv6 addresses are assigned randomly.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

romanroma · ‎10-05-2021

Is 'IPv6 dhcp relay' is all that is required in this case, or do I need to pay special attention to any Link-Local or multicast traffic for dhcp requests?

Harold Ritter · ‎10-05-2021

Hi @romanroma ,

It should be as easy as configuring the global prefix on the interface and then the "ipv6 dhcp relay". As I also mentioned before, you probably want to negate the advertisement of the global prefix in the router advertisement to make sure the workstation connected to this subnet won't use SLAAC. You will need the following command for that purpose:

int gi0/0

ipv6 nd prefix default no-advertise

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

romanroma · ‎10-06-2021

@Harold Ritter

Would it be best practice or a good idea to on routers to also:

no ipv6 nd autoconfig prefix

Just to make sure that the route does not receive any RA from other devices?

Harold Ritter · ‎10-06-2021

HI @romanroma

The command that you are referring to, would be used when a router acts as a SLAAC client. "ipv6 nd prefix default no-advertise" is what you need to exclude the prefixes from the RA on the router side.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

romanroma · ‎10-13-2021

@Harold Ritter

One last question - with IPv6 DHCP, how often would you change the IP address? If the address does not age out fast enough - then it would also enable the machine to be tracked to some extent. What ways or methods around this?