Thanks so much for replying. I'll post my configs below...I'm a total amateur, so expect some nonsense. I haven't touched a router / switch from Cisco since 2003.

My router config:

Current configuration : 3212 bytes
!
! Last configuration change at 20:10:30 UTC Mon Sep 30 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Cerberus
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxx
!
no aaa new-model
!
!
!
!
!
!
!
!
!

no ip domain lookup

no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.1
!
!
!
ipv6 unicast-routing
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FDO19321C50
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback1
ip address 192.59.31.1 255.255.255.0
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:472:1F0C:BF::2/64
ipv6 enable
tunnel source 216.115.150.175
tunnel mode ipv6ip
tunnel destination 208.51.163.34
!
interface GigabitEthernet0/0/0
ip address 216.115.150.175 255.255.255.192
ip nat outside
negotiation auto
ipv6 enable
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 2
ip address 216.115.150.34 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
negotiation auto
ipv6 address 2602:fec2::1/35
ipv6 enable
ipv6 traffic-filter fromswitch in
ipv6 traffic-filter fromswitch out
!
interface GigabitEthernet0/0/1.2
encapsulation dot1Q 2
ipv6 address 2602:fec2:2000::1/35
ipv6 enable
!
interface GigabitEthernet0/0/2
ip address 142.176.184.242 255.255.255.252
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
router bgp 397759
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 2001:472:1F0C:BF::1 remote-as 6939
neighbor 2001:472:1F0C:BF::1 update-source Tunnel0
!
address-family ipv4
exit-address-family
!
address-family ipv6
network 2602:fec2::/32
neighbor 2001:472:1F0C:BF::1 activate
exit-address-family
!
ip default-gateway 216.115.150.129
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source static 10.0.0.24 216.115.150.34
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 216.115.150.129
!
!
ip access-list extended BaseACL
permit icmp any any
ip access-list extended Manage-SSH
ip access-list extended NOSPOOF
permit icmp any any
permit ip any any
ip access-list extended test
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 1 permit any
ipv6 route 2602:fec2::/32 Tunnel0
ipv6 route ::/0 Tunnel0
!
snmp-server community public RO
!
!
ipv6 access-list fromswitch
permit ipv6 any any
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 1 in
password virtew438fsa8AQ
login
line vty 5 15
access-class 1 in
login
!
!
end

My switch config:

Current configuration : 4700 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cerberus
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx/
enable password xxxxxxxxxxxx
!
!
!
no aaa new-model
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool LanPool
network 10.0.0.0 255.255.252.0
default-router 10.0.0.1
domain-name Cerberus.Local
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool PROXYSERVER
host 10.0.0.24 255.255.255.0
hardware-address e03f.49b1.a71e
!
!
no ip domain-lookup
ipv6 unicast-routing
!
!
!
!

spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-8
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-8
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface TenGigabitEthernet0/1
!
interface TenGigabitEthernet0/2
!
interface Vlan1
ip address 10.0.0.11 255.255.255.248
ipv6 address 2602:fec2::2/35
ipv6 enable
!
interface Vlan2
no ip address
ipv6 address 2602:fec2:2000::2/35
ipv6 enable
no ipv6 nd nud igp
!
interface Vlan3
no ip address
ipv6 address 2602:fec2:4000::2/35
ipv6 enable
!
interface Vlan4
no ip address
ipv6 address 2602:fec2:6000::2/35
ipv6 enable
!
interface Vlan5
no ip address
ipv6 address 2602:fec2:8000::2/35
ipv6 enable
!
interface Vlan6
no ip address
ipv6 address 2602:fec2:A000::2/35
ipv6 enable
!
interface Vlan7
no ip address
ipv6 address 2602:fec2:C000::2/35
ipv6 enable
!
interface Vlan8
no ip address
ipv6 address 2602:fec2:E000::2/35
ipv6 enable
!
ip default-gateway 10.0.0.1
ip classless
ip default-network 10.0.0.0
ip route 10.0.0.0 255.0.0.0 10.0.0.1
!
ip http server
ip http secure-server
!
!
!
!
vstack
!
line con 0
exec-timeout 0 0
line vty 0 4
password virtew438fsa8AQ
login
line vty 5 15
password virtew438fsa8AQ
login
!
end

I've changed some of the public ip addresses to protect my poorly configured equipment a bit. So, the /35 configured on the main interface on the router has connectivity from my host out to the net. None of my vlan subnets can hit the net though.

Thanks again for the help. 

Hi Jason,

I would highly recommend you change the /35 on the user subnets by /64.

Do you statically configure the IPv6 address and the gateway on the host?

Why did you configure a static route for the /32 pointing to the tunnel interface?

Can you please post a "show ipv6 route" from the router?

Regards,

I can remove that route to the tunnel. It's not needed.

editing to answer a question I missed. Yes, I statically configure the gateway and address on the host. 

On my first interface (vlan1) I use the following, and it works:

iface enp5s0 inet6 static
address 2602:fec2::3
netmask 64
gateway 2602:fec2::1

on vlan 2 I use this:

iface enp5s0.2 inet6 static
address 2602:fec2:2000::3
netmask 64
gateway 2602:fec2:2000::1
vlan-raw-device enp5s0

and it never gets past the router.

I did a sh ipv6 route local to exclude the tunnel interface. With bgp going on there are thousands of entries. If you have a different command that would exclude them and give you more detail I'll run it.

IPv6 Routing Table - default - 74145 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, a - Application
L 2001:472:1F0C:BF::2/128 [0/0]
via Tunnel0, receive
L 2602:fec2::1/128 [0/0]
via GigabitEthernet0/0/1, receive
L 2602:fec2:2000::1/128 [0/0]
via GigabitEthernet0/0/1.2, receive
L FF00::/8 [0/0]
via Null0, receive

The output of show ipv6 route connected as well:

#sh ipv6 route connected
IPv6 Routing Table - default - 74134 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, a - Application
C 2001:472:1F0C:BF::/64 [0/0]
via Tunnel0, directly connected
C 2602:fec2::/35 [0/0]
via GigabitEthernet0/0/1, directly connected
C 2602:fec2:2000::/35 [0/0]
via GigabitEthernet0/0/1.2, directly connected

That's the output of sh ipv6 route local and connected. I'm new to ipv6. My intention was to have the /35 of addresses on the switch so that any host connected to that vlan can use any address in that 35 block. From the switch I'd like the traffic for each vlan (/35) to flow out through the routers subinterfaces and off to the Tunnel. Is that possible if I switch them over to /64?

I responded with the following previously and it was reported as spam by someone? If I'm doing something wrong by posting the following could you let me know?

I can remove that route to the tunnel. It's not needed.

editing to answer a question I missed. Yes, I statically configure the gateway and address on the host. 

On my first interface (vlan1) I use the following, and it works:

iface enp5s0 inet6 static
address 2602:fec2::3
netmask 64
gateway 2602:fec2::1

on vlan 2 I use this:

iface enp5s0.2 inet6 static
address 2602:fec2:2000::3
netmask 64
gateway 2602:fec2:2000::1
vlan-raw-device enp5s0

and it never gets past the router.

I did a sh ipv6 route local to exclude the tunnel interface. With bgp going on there are thousands of entries. If you have a different command that would exclude them and give you more detail I'll run it.

IPv6 Routing Table - default - 74145 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, a - Application
L 2001:472:1F0C:BF::2/128 [0/0]
via Tunnel0, receive
L 2602:fec2::1/128 [0/0]
via GigabitEthernet0/0/1, receive
L 2602:fec2:2000::1/128 [0/0]
via GigabitEthernet0/0/1.2, receive
L FF00::/8 [0/0]
via Null0, receive

The output of show ipv6 route connected as well:

#sh ipv6 route connected
IPv6 Routing Table - default - 74134 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, a - Application
C 2001:472:1F0C:BF::/64 [0/0]
via Tunnel0, directly connected
C 2602:fec2::/35 [0/0]
via GigabitEthernet0/0/1, directly connected
C 2602:fec2:2000::/35 [0/0]
via GigabitEthernet0/0/1.2, directly connected

That's the output of sh ipv6 route local and connected. I'm new to ipv6. My intention was to have the /35 of addresses on the switch so that any host connected to that vlan can use any address in that 35 block. From the switch I'd like the traffic for each vlan (/35) to flow out through the routers subinterfaces and off to the Tunnel. Is that possible if I switch them over to /64?

Hi Jason,

I am not sure what happen, but I also saw your message had dissapeared.

I would strongly recommend to keep the prefix length the same on the server and on the router side. Otherwise, this could lead to various issues.

Can you please post the output from a "netstat -rn" from the server and the output from a "show vlan" from the switch.

Regards,

Show Vlan Output from the switch:

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/2, Gi0/3, Gi0/4, Gi0/5
Gi0/7, Gi0/8, Gi0/9, Gi0/10
Gi0/11, Gi0/12, Gi0/13, Gi0/14
Gi0/15, Gi0/16, Gi0/17, Gi0/18
Gi0/19, Gi0/20, Gi0/21, Gi0/22
Gi0/23, Gi0/24, Te0/1, Te0/2
2 VLAN0002 active
3 VLAN0003 active
1001 VLAN1001 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1001 enet 101001 1500 - - - - - 0 0

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/2, Gi0/3, Gi0/4, Gi0/5
Gi0/7, Gi0/8, Gi0/9, Gi0/10
Gi0/11, Gi0/12, Gi0/13, Gi0/14
Gi0/15, Gi0/16, Gi0/17, Gi0/18
Gi0/19, Gi0/20, Gi0/21, Gi0/22
Gi0/23, Gi0/24, Te0/1, Te0/2
2 VLAN0002 active
3 VLAN0003 active
1001 VLAN1001 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1001 enet 101001 1500 - - - - - 0 0

Netstat -rn output:

netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 enp5s0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp5s0

I'm going to put the output of netstat -6 -rn as well:

Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2602:fec2::/64 :: UA 256 0 1 enp5s0
2602:fec2::/35 :: UAe 256 0 0 enp5s0
2602:fec2:2000::/64 :: U 256 0 1 enp5s0.2
2602:fec2:4000::/64 :: U 256 0 1 enp5s0.3
fe80::/64 :: U 256 0 0 enp5s0
fe80::/64 :: U 256 0 0 enp5s0.2
fe80::/64 :: U 256 0 0 enp5s0.3
::/0 fe80::eebd:1dff:feb6:fce1 UGDAe 1024 2 4 enp5s0
::/0 fe80::224:98ff:feed:78c0 UGDAe 1024 0 0 enp5s0
::/0 :: !n -1 1 8 lo
::1/128 :: Un 0 5 26 lo
2602:fec2::3/128 :: Un 0 2 4 lo
2602:fec2::e23f:49ff:feb1:a81e/128 :: Un 0 1 0 lo
2602:fec2:2000::3/128 :: Un 0 1 0 lo
2602:fec2:4000::3/128 :: Un 0 1 0 lo
fe80::e23f:49ff:feb1:a81e/128 :: Un 0 1 0 lo
fe80::e23f:49ff:feb1:a81e/128 :: Un 0 1 0 lo
fe80::e23f:49ff:feb1:a81e/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 1 2 enp5s0
ff00::/8 :: U 256 2 2 enp5s0.2
ff00::/8 :: U 256 1 1 enp5s0.3
::/0 :: !n -1 1 8 lo

That's everything. Thanks again for the help.

You should disable the "ipv6 unicast-routing" on the switch. The switch is currently configured as a router and is therefore sending router advertisement to the host and that is causing traffic to be blackholed. Can you do a "no ipv6 unicast-routing" on the switch and then try pinging a destination on the Internet again.

Regards,

I've disabled ipv6 unicast on the switch. I can ping destinations on the internet from my primary interface, but vlan 2 is still a no go. Just shows as network unreachable. I'm not an expert but is it possible I need separate routing tables for each vlan on the host?

Seems the major issue is the default-gateway on the host is 2602:fec2::1 and no traffic from 2602:fec2:2000::3 will ever flow through there...or I'm mistaken. I know that in ipv4 multiple gateways could be specified but ipv6 doesn't seem to have that ability on my host.

I have another server that was setup in a similar fashion by an outside company. I haven't got access to their configs but everything seems to flow out over one gateway on that system. Just grasping at straws here.

Hi Jason,

> I've disabled ipv6 unicast on the switch. I can ping destinations on the internet from my primary interface,

I am glad this part works.

> Seems the major issue is the default-gateway on the host is 2602:fec2::1 and no traffic from 2602:fec2:2000::3 will ever flow through there...or I'm mistaken. I know that in ipv4 multiple gateways could be specified but ipv6 doesn't seem to have that ability on my host.

Could you please explain what it is exactly that you are trying to achieve with the various interfaces and the various subnets on the same server?

And could you please post the new output of a "netstat -rn" from the server.

Regards,

Sure,

I have a /32 ipv6 block. I want a it broken into 8 /35 subnets. I want each /35 subnet assigned to a vlan. Vlans 1-8.

On this single server, I'd like to be able to access all 8 Vlans and have each vlan able to route out to the internet, via the tunnel on the router. So far, only Vlan 1, the native vlan, behaves the way I want. 

I have other servers that will eventually be accessing them as well but for testing purposes I'd like them all accessible on the one server. 

netstat -6 -rn:

Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2602:fec2::/64 :: U 256 0 1 enp5s0
2602:fec2:2000::/64 :: U 256 0 1 enp5s0.2
2602:fec2:4000::/64 :: U 256 0 1 enp5s0.3
fe80::/64 :: U 256 0 0 enp5s0
fe80::/64 :: U 256 0 0 enp5s0.2
fe80::/64 :: U 256 0 0 enp5s0.3
::/0 2602:fec2::1 UG 1024 2 4 enp5s0
::/0 :: !n -1 1 8 lo
::1/128 :: Un 0 5 22 lo
2602:fec2::3/128 :: Un 0 2 2 lo
2602:fec2:2000::3/128 :: Un 0 1 0 lo
2602:fec2:4000::3/128 :: Un 0 1 0 lo
fe80::e23f:49ff:feb1:a81e/128 :: Un 0 2 5 lo
fe80::e23f:49ff:feb1:a81e/128 :: Un 0 1 0 lo
fe80::e23f:49ff:feb1:a81e/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 enp5s0
ff00::/8 :: U 256 1 1 enp5s0.2
ff00::/8 :: U 256 0 0 enp5s0.3
::/0 :: !n -1 1 8 lo

Netstat -rn 

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 enp5s0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp5s0

Thanks again for all the help. I know it's a weird one but I had a similar setup on a previous server. I'm trying to get back to a similar setup on this network and the requirements I've outlined match up to what was on the previous network. Strange as it was.

It looks indeed like only one default gateway gets installed. Not sure if more than one could be installed on the server. 

Could you please try adding the additional route manually using the following command:

/sbin/ip -family inet6 route add default via 2602:fec2:2000::1 dev enp5s0.2

> I'm not an expert but is it possible I need separate routing tables for each vlan on the host?

Otherwise, it is certainly possible to implement one routing table per subinterface on the server. This might be the only option if it is not possible to install more than one gateway.

Regards,

I gave it a go. Running the command produced "No route to host"  So I tried adding the route as a non-default and then adding it again as the default and got "file exists". So it looks like separate routing tables per vlan. Not sure how to go about that either. Do you have any idea what the routing table for interface vlan2 would look like? for in and out?