
Prefix delegation on LAN side of second router

jbrown129
Level 1

Hey people, wondering if you can help a homelabber.

So my ISP gives me a /56 and I want to split this up on my LAN side of my second router (rt1). I currently have two routers:

  • Cisco C1117-4P (cisco.rt2 connects via VDSL WAN to ISP)
  • OPNsense (opnsense.rt1 connects to GigabitEthernet0/1/0 of cisco.rt2)

I was investigating whether I could bridge Ethernet0/2/0 and GigabitEthernet0/1/0. I am still not sure how, or if I can do that on this Cisco model using BDI. In the meantime I have set up a routed option with NAT to get me started.

For IPv6 I thankfully don't have to worry about NAT; however, I'm having trouble splitting up my IPv6 network downstream on the router facing my LAN. Presently outgoing IPv6 is working on the OPNsense machine, but I think I might need to make some changes on the Cisco router to allow the OPNsense router to "split up my /56 into smaller /64s"; the idea is to use a different /64 per VLAN.

The routing table on my Cisco router looks like so:

cisco-rt2#sh ipv6 route
IPv6 Routing Table - default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
a - Application, m - OMP
ND ::/0 [2/0]
via FE80::CA2:FF:FE05:10, Ethernet0/2/0
LC 2001:db8:5d00:200:1::1/128 [0/0]
via Ethernet0/2/0, receive
S 2001:db8:5d02:100::/56 [1/0]
via Null0, directly connected
C 2001:db8:5d02:100::/64 [0/0]
via Ethernet0/2/0, directly connected
L 2001:db8:5d02:100::1/128 [0/0]
via Ethernet0/2/0, receive
C 2001:db8:5d02:101::/64 [0/0]
via Vlan1, directly connected
L 2001:db8:5d02:101::1/128 [0/0]
via Vlan1, receive
L FF00::/8 [0/0]
via Null0, receive

So from my understanding the network, which is 2001:db8:5d02:100::/56, has been broken up and a /64 was created for the GigabitEthernet0/1/0 port and the OPNsense box. IPv6 connectivity is working on the OPNsense machine. The routing table on the OPNsense box:

Internet6:
Destination Gateway Flags Netif Expire
default fe80::xxx:xxx:xxx:xxx%igb3 UG igb3
::1 link#7 UHS lo0
2001:db8:5d02:101::/64 link#4 U igb3
2001:db8:5d02:101:xxxx:xxxx:xxxx:xxxx link#4 UHS lo0
fe80::%igb3/64 link#4 U igb3
fe80::xxxx:xxxx:xxxx:xxxx%igb3 link#4 UHS lo0
fe80::%lo0/64 link#7 U lo0
fe80::1%lo0 link#7 UHS lo0

As you can see, the IP address on the WAN side of my OPNsense box is 2001:db8:5d02:101:xxxx:xxxx:xxxx:xxxx, which connects to the Cisco C1117. Currently this is set to DHCPv6.

On the LAN side of my router I am pretty sure I want a "Track interface" (pfSense has a bit more written about it than OPNsense, though they mention a bit about it here). With those you can specify a "prefix id", which makes a portion of the new network subnet as far as I understand it.

The problem is I'm not sure how to configure the Cisco router to allow me to split up that /56 further down the stream. I think what's happened is I've allocated a /64 to my OPNsense WAN, meaning it can't be split up any smaller?

The WAN interface on my C1117 is:

cisco-rt2#sh run int Ethernet0/2/0
Building configuration...

Current configuration : 381 bytes
!
interface Ethernet0/2/0
 description Internet Interface
 ip dhcp client request classless-static-route
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip access-group WAN4_IN in
 no negotiation auto
 ipv6 address dhcp
 ipv6 address pd-ipv6 ::1/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd pd-ipv6
 ipv6 traffic-filter WAN6_IN in
end

and Vlan1 (which is assigned to the switchport GigabitEthernet0/1/0):

cisco.rt2#sh run int Vlan1
Building configuration...

Current configuration : 181 bytes
!
interface Vlan1
 description Local Area Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ipv6 address pd-ipv6 ::1:0:0:0:1/64
 ipv6 enable
 ip virtual-reassembly
end

The complete config is:

!
! Last configuration change at 18:18:54 UTC Tue Sep 13 2022 by admin
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname cisco.rt2
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.03a.SPA.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
!
aaa session-id common
ip options drop
!
!
!
!
!
!
!
ip name-server {{ censored }}
ip domain name home.arpa
ip dhcp excluded-address 192.168.1.0 192.168.1.4
!
ip dhcp pool dhcp-1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool opnsense
host 192.168.1.2 255.255.255.0
hardware-address {{ censored }}
dns-server {{ censored }}
default-router 192.168.1.1
!
!
!
login on-success log
ipv6 icmp error-interval 50 20
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
license udi pid C1117-4P sn {{ censored }}
memory free low-watermark processor 70173
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 {{ censored }}
!
redundancy
mode none
!
controller VDSL 0/2/0
operating mode vdsl2
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Management port
ip address 192.168.2.1 255.255.255.0
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1/0
no cdp enable
!
interface GigabitEthernet0/1/1
no cdp enable
!
interface GigabitEthernet0/1/2
no cdp enable
!
interface GigabitEthernet0/1/3
no cdp enable
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
!
interface ATM0/2/0.1 point-to-point
!
interface Ethernet0/2/0
description Internet Interface
ip dhcp client request classless-static-route
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
ip access-group WAN4_IN in
no negotiation auto
ipv6 address dhcp
ipv6 address pd-ipv6 ::1/64
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd pd-ipv6
ipv6 traffic-filter WAN6_IN in
!
interface Vlan1
description Local Area Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ipv6 address pd-ipv6 ::1:0:0:0:1/64
ipv6 enable
ip virtual-reassembly
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip nat inside source list NATACL interface Ethernet0/2/0 overload
ip route 192.168.2.0 255.255.255.0 192.168.2.2
ip route 192.168.30.0 255.255.255.0 192.168.2.2 2
ip route 192.168.31.0 255.255.255.0 192.168.2.2 2
ip ssh version 2
ip scp server enable
!
!
ip access-list standard NATACL
10 permit 192.168.1.0 0.0.0.255
ip access-list standard SNMPACL
10 permit 192.168.50.253
20 permit 192.168.50.252
30 deny any
ip access-list standard WAN4_IN
!
ip access-list extended SSH_ACL
10 permit tcp 192.168.30.0 0.0.0.255 any eq 22
20 permit tcp 192.168.31.0 0.0.0.255 any eq 22
30 permit tcp 192.168.2.0 0.0.0.255 any eq 22
40 deny tcp any any eq 22
!
!
snmp-server community public RO SNMPACL
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class SSH_ACL in
privilege level 15
transport input ssh
line vty 5 14
access-class SSH_ACL in
privilege level 15
transport input ssh
!
!
!
!
!
!
end
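To make the address arithmetic in the post concrete, here is an added example (not from the thread, Cisco or OPNsense) in Python using only the standard ipaddress module. It models how IOS combines the general prefix pd-ipv6 with the suffix given in "ipv6 address pd-ipv6 <suffix>/64", reproducing the 2001:db8:5d02:100::1/64 and 2001:db8:5d02:101::1/64 entries seen in the routing table, and shows how the /56 splits into 256 /64s (or coarser blocks). The function names, the VLAN list and the assumption that the suffix simply fills the bits below the /56 are mine; since the delegation cannot be re-delegated to a router behind the IOS box, the plan it produces places each VLAN /64 on an IOS interface rather than on OPNsense.

```python
import ipaddress

# Constructed values mirroring the thread: the ISP hands the C1117 a /56 via
# DHCPv6-PD, and IOS stores it under the general-prefix name "pd-ipv6".
DELEGATED = ipaddress.IPv6Network("2001:db8:5d02:100::/56")


def general_prefix_address(delegated, suffix, plen=64):
    """Model of 'ipv6 address pd-ipv6 <suffix>/<plen>' (assumption, not IOS code):
    the leading delegated.prefixlen bits come from the delegated prefix and
    every bit below that comes from the suffix."""
    host_mask = (1 << (128 - delegated.prefixlen)) - 1
    suffix_int = int(ipaddress.IPv6Address(suffix))
    if suffix_int & ~host_mask:
        # A suffix that sets bits inside the /56 cannot be expressed this way.
        raise ValueError(f"suffix {suffix} overlaps the /{delegated.prefixlen} prefix bits")
    addr = ipaddress.IPv6Address(int(delegated.network_address) | suffix_int)
    return ipaddress.IPv6Interface(f"{addr}/{plen}")


def nth_subnet(delegated, new_prefix, index):
    """Return the index-th /new_prefix block carved out of the delegation
    (for a /56 split into /64s, index runs 0..255)."""
    if new_prefix < delegated.prefixlen or new_prefix > 128:
        raise ValueError("new_prefix must lie between the delegation length and 128")
    count = 1 << (new_prefix - delegated.prefixlen)
    if not 0 <= index < count:
        raise IndexError(f"index {index} outside 0..{count - 1}")
    base = int(delegated.network_address) + (index << (128 - new_prefix))
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(base)}/{new_prefix}")


def ios_suffix_for_subnet(delegated, index, host=1):
    """Suffix to put on an IOS interface so it lands in the index-th /64 of the
    delegation with the given host id, e.g. index 1 -> '::1:0:0:0:1' (Vlan1
    in the thread) and index 0 -> '::1' (the WAN interface)."""
    net = nth_subnet(delegated, 64, index)  # also performs the bounds check
    suffix_int = (int(net.network_address) - int(delegated.network_address)) | host
    return str(ipaddress.IPv6Address(suffix_int))


def vlan_plan(delegated, vlans, first_index=2):
    """Map VLAN names to consecutive /64s, starting after the blocks already in
    use (index 0 on the WAN, index 1 on Vlan1), and emit the matching IOS
    interface line for each. Returns {name: (IPv6Network, config_line)}."""
    plan = {}
    for offset, name in enumerate(vlans):
        index = first_index + offset
        net = nth_subnet(delegated, 64, index)
        line = f"ipv6 address pd-ipv6 {ios_suffix_for_subnet(delegated, index)}/64"
        plan[name] = (net, line)
    return plan


if __name__ == "__main__":
    print("WAN  :", general_prefix_address(DELEGATED, "::1"))
    print("Vlan1:", general_prefix_address(DELEGATED, "::1:0:0:0:1"))
    print("/64s available:", 1 << (64 - DELEGATED.prefixlen))
    # "admin" and "guest" are the VLANs named later in the thread.
    for name, (net, line) in vlan_plan(DELEGATED, ["admin", "guest"]).items():
        print(f"{name:6} {net}  ->  {line}")
```

Running it prints the two addresses from the routing table in the post, then one /64 and one IOS interface line per VLAN; nth_subnet also answers the /60-sized question (for example index 1 at /60 is 2001:db8:5d02:110::/60, a block of sixteen /64s).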


4 Replies

Hello,

can you post a diagram of your topology, showing how everything is connected ?

So it looks like this. The Cisco C1117 sits at the head of the network. Its switched port GigabitEthernet0/1/0 is connected to igb3 on the OPNsense box.

VLAN2 is a separate management VLAN where I used the routed port GigabitEthernet 0/0/0 to ssh into the Cisco C1117. I hope the diagram is okay.

Seems the Cisco forums make it go all blurry, so I uploaded the image to imgur.

[imgur image: xiEPFQB]

The interfaces I want to be able to delegate on are "admin" and "guest" VLANs.

I think the problem with my current configuration might be that the C1117 has created a /64 and given it to the WAN side of the OPNsense box, and it cannot be made any smaller, when what I really want is to be splitting up my whole /56.

I'm not sure if my understanding is wrong, though, or what adjustments I should make to the C1117 to make that work.

@jbrown129 ,

The prefix delegation received from the service provider by the IOS device can't be further delegated to an L3 device behind it. The IOS device needs to be in charge of the routing if it receives the prefix delegation.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Okay well, that answers that then.

The only way to do that proposed setup then would be to bridge Ethernet0/2/0 with GigabitEthernet0/1/0 on the C1117 and do DHCP on igb3, which is connected to that port.

I'm a bit unsure, though, as to what that would look like. I did have a look at the document suggested by @balaji.bandi in the other thread, and is it even possible to bridge those interfaces? I saw this comment that indicated it was not; however, it's not technically the ATM link, it's "Ethernet", a virtual kind of interface of some sort.
