10-16-2014 12:40 PM - last edited on 03-25-2019 02:30 PM by ciscomoderator
I'm trying to draft an IPv6-based version of our location's current routing configuration in anticipation of when our ISP will finally roll it out, and address management has been giving me the biggest headache - ironic, considering IPv6 was supposed to simplify address allocation.
My first config draft was made assuming that I would be getting a static /56 or /60 prefix from the ISP, and I was just going to insert the prefix into my DHCP pools and there would be no issues. That was before reading around and discovering that some ISPs are considering prefix delegation (PD) for both residential and business accounts instead of static blocks. Now I have questions about how to stick as close to the current IPv4 configuration as possible.
For the PD scenario, what I am looking at now are two address ranges for each network - a ULA /120 space that I want to control using stateful DHCPv6, and the global space which can be /64 and auto-configured. That way there will be a "private" address space for internal routing in the event of a prefix change or an extended outage. But I'm not sure how the config should look for such a scenario. What I have drafted so far is this:
! Stateful DHCPv6 pools: each hands out ULA addresses from a /120 plus DNS and domain options.
! The global /64 on each VLAN is not in a pool; it is left to SLAAC.
ipv6 dhcp pool DHCP6_INTERNAL
 address prefix FDAB::1:0/120
 domain-name whatever.net
 dns-server FDAB::1:1
!
ipv6 dhcp pool DHCP6_DMZ-WIFI
 address prefix FDAB::2:0/120
 domain-name guest.whatever.net
 dns-server FDAB::2:1
!
! WAN: DHCPv6 client for the link address, PD client for the delegated block.
! The delegated prefix is stored under the general-prefix name ISP-PREFIX and
! referenced by the LAN interfaces below; the hint asks the ISP for a /56.
interface GigabitEthernet0
 description WAN-LINK
 ipv6 enable
 ipv6 address dhcp
 no ipv6 unreachables
 no ipv6 redirects
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 ipv6 nd autoconfig default-route
 ipv6 dhcp client pd hint ::/56
 ipv6 dhcp client pd ISP-PREFIX
 zone-member security OUTSIDE
 speed auto
 duplex auto
 no cdp enable
!
! LAN: static ULA address plus a global address built from the general prefix.
! In ISP-PREFIX ::1:0:0:0:1/64 the fourth hextet (::1:) selects subnet ID 1 of
! the delegated /56 or /60 and ::1 at the end is the router's interface ID.
! ip tcp adjust-mss applies to IPv4 TCP; IPv6 uses the separate ipv6 tcp adjust-mss command.
! M flag: hosts use stateful DHCPv6 for addresses; O flag: hosts fetch DNS/domain options.
interface FastEthernet8.1
 description VLAN_1-INTERNAL
 encapsulation dot1Q 1 native
 ipv6 enable
 ipv6 address FDAB::1:1/120
 ipv6 address ISP-PREFIX ::1:0:0:0:1/64
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 zone-member security INSIDE
 ip tcp adjust-mss 1300
 ipv6 dhcp server DHCP6_INTERNAL
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
!
interface FastEthernet8.2
 description VLAN_2-DMZ-WIFI
 encapsulation dot1Q 2
 ipv6 enable
 ipv6 address FDAB::2:1/120
 ipv6 address ISP-PREFIX ::2:0:0:0:1/64
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 zone-member security DMZ
 ip tcp adjust-mss 1300
 ipv6 dhcp server DHCP6_DMZ-WIFI
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
!
Will this config work? By which I mean: will the DHCPv6 servers provide ULA addresses, and will SLAAC work for global address allocation? If not, what needs to be changed?
Also, another question. I found a few references to a prefix name (the "ISP-PREFIX") which can be used as part of a static IPv6 address on an interface, which is a good idea in case the prefix changes. But that brings up another concern - if the prefix changes, that will invalidate ACLs referencing the global addresses using the previous prefix. Is there anything similar to the prefix name string that can be used in ACLs to keep this from occurring?
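The arithmetic behind the general-prefix lines in the post (ISP-PREFIX ::1:0:0:0:1/64 being OR-ed with whatever /56 or /60 the ISP delegates) and a way to regenerate ACL entries from the same suffixes after a prefix change, as an added example that is not part of the original post or of any Cisco code. It assumes the delegated prefix is /64 or shorter, that every LAN subnet is a /64, and uses documentation prefixes (2001:db8:...) as constructed sample input; the function names compose, subnet_count, is_ula and render_acl are this example's own.

```python
"""Compose IPv6 addresses from a delegated prefix plus a general-prefix suffix
and regenerate ACL entries from suffix templates.  Added illustration, not
IOS code; assumes a /64-or-shorter delegation and /64 LAN subnets."""
import ipaddress
from typing import Iterable, List, Tuple

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local range


def compose(delegated: str, suffix: str) -> ipaddress.IPv6Interface:
    """OR the delegated prefix bits with a suffix, as the IOS general-prefix
    feature does.  Rejects a suffix that sets bits inside the delegated
    prefix (the ISP owns those bits, so the result would fall outside the
    delegation) and any subnet that is not a /64 (SLAAC needs 64-bit IIDs)."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    sfx = ipaddress.IPv6Interface(suffix)
    if net.prefixlen > 64:
        raise ValueError(f"delegated /{net.prefixlen} leaves no room for /64 subnets")
    if sfx.network.prefixlen != 64:
        raise ValueError("LAN subnets must be /64 for SLAAC to work")
    if int(sfx.ip) & int(net.netmask):
        raise ValueError(
            f"suffix {suffix} sets bits inside the delegated /{net.prefixlen}; "
            f"only {subnet_count(delegated)} subnet IDs are available")
    addr = ipaddress.IPv6Address(int(net.network_address) | int(sfx.ip))
    return ipaddress.IPv6Interface(f"{addr}/{sfx.network.prefixlen}")


def subnet_count(delegated: str) -> int:
    """Number of /64s a delegation can be split into (256 for a /56, 16 for a /60)."""
    return 2 ** (64 - ipaddress.IPv6Network(delegated).prefixlen)


def is_ula(prefix: str) -> bool:
    """True if the prefix lies in fc00::/7 (fd00::/8 in practice for locally assigned ULAs)."""
    return ipaddress.IPv6Network(prefix, strict=False).subnet_of(ULA)


def render_acl(delegated: str, rules: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Expand (action, source-suffix, destination) templates into IOS-style ACL
    entries for the current delegation.  Re-run after every prefix change
    instead of hand-editing ACL lines that embed the old prefix."""
    lines = []
    for action, src_suffix, dst in rules:
        src = compose(delegated, src_suffix).network   # ::1:0:0:0:0/64 -> subnet 1
        lines.append(f"{action} ipv6 {src} {dst}")
    return lines


if __name__ == "__main__":
    # constructed sample: a /56 delegation, then the same site renumbered to a /60
    for pd in ("2001:db8:abcd:1200::/56", "2001:db8:abcd:1230::/60"):
        print(pd, "->", compose(pd, "::1:0:0:0:1/64"), "| /64s available:", subnet_count(pd))
        for line in render_acl(pd, [("permit", "::1:0:0:0:0/64", "any"),
                                    ("deny", "::2:0:0:0:0/64", "FDAB::1:0/120")]):
            print("  ", line)
    print("FDAB::1:0/120 is ULA:", is_ula("FDAB::1:0/120"))
```

The same suffix yields subnet 1 under both a /56 and a /60, which is why the general-prefix form survives a change of delegation size as long as the subnet ID fits; a suffix such as ::10:0:0:0:1/64 is accepted under a /56 but rejected under a /60 because bit 59 belongs to the ISP. The ACL renderer is the template-driven equivalent of the prefix name for ACLs: the templates hold only suffixes, and the concrete entries are regenerated when the delegation changes.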