02-10-2014 11:52 AM
IPv6 and private vlans
I have successfully set up an isolate-user-vlan (HP terminology for private VLAN, as it seems) to work with an IPv4 network.
That is, vlan100 is the primary one (with an IPv4 address set, which the clients use as default gateway) followed by vlan101-148 as secondary VLANs (where each secondary VLAN is then mapped to its own physical interface on the access switch).
Now I want to reuse this setup for IPv6 with the added feature of one /64 per client (that is, per secondary VLAN).
The client will get this through SLAAC, which means I won't have to perform any additional administration for IPv6 users (compared to IPv4 users, who use static assignment). Because each client will have its own /64 I can also set up good ACLs on the physical interfaces (so I know which prefix is used by which client in case of abuse).
So I thought I could just set up an IPv6 address on each secondary VLAN, but it seems that I was a bit too optimistic.
That is, the flow for v4 traffic would be:
client1 -> vlan101 (L2) -> vlan100 (L3) -> ISP
while for v6 it would become:
client1 -> vlan101 (L3) -> ISP
Am I missing something here, or is it true that a secondary VLAN will refuse to route traffic on its own?
And if so, any suggestions to fix this? Could I for example combine this private VLAN setup with a protocol-vlan configuration so v4 traffic goes in one VLAN and v6 traffic in another (so that only the v4 VLANs will have this isolate-user-vlan configuration)?
That is without involving DHCP6, and another drawback of just using a single /64 per switch is that it would be harder to set up ACLs to fulfill BCP38.
Here is the current configuration:
R1 = HP A5820-24XG-SFP+ Switch (JC102A)
SW1/2/3 = HP A5120-48G EI Switch with 2 Slots 10G (JE069A)
1) The physical setup is ISP <-> R1 <-> SW1/2/3
2) All routing is performed in the R1:
It has all the vlan defined and the pvlan configured, example:
interface Vlan-interface100
description SW1
ipv6 address 2001:DB8:1111:100::1/64
ip address 192.168.0.254 255.255.255.0
local-proxy-arp enable
#
interface Vlan-interface101
description SW1_01_LGHXX
undo ipv6 nd ra halt
ipv6 address 2001:DB8:1111:101::1/64
#
...
interface Vlan-interface148
description SW1_48_LGHXX
undo ipv6 nd ra halt
ipv6 address 2001:DB8:1111:148::1/64
#
isolate-user-vlan 100 secondary 101 to 148
Then I use static routing towards the ISP, but also an additional /56 towards each customer in case the customer manually configures its IPv6 address to end with ::2:
ip route-static 0.0.0.0 0.0.0.0 Vlan-interfaceX 10.0.0.1
#
ipv6 route-static :: 0 Vlan-interfaceX 2001:DB8:1111:1::1
ipv6 route-static 2001:DB8:2222:01:: 56 Vlan-interface101 2001:DB8:1111:101::2
...
ipv6 route-static 2001:DB8:2222:48:: 56 Vlan-interface148 2001:DB8:1111:148::2
The VLANs are then trunked (802.1Q tagged) to each SW, example:
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
description 1_SW1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 148
#
3) SW receives the traffic and puts each VLAN on its own physical interface, example:
interface Vlan-interface100
description R1
ipv6 address 2001:DB8:1111:100::2/64
ip address 192.168.0.253 255.255.255.0
#
interface GigabitEthernet1/0/1
description 01_LGHXX
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 101 untagged
port hybrid pvid vlan 101
#
...
interface GigabitEthernet1/0/48
description 48_LGHXX
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 148 untagged
port hybrid pvid vlan 148
#
Then the SW has a default route set up (but this one is only used so the switch itself can reach NTP, SYSLOG etc.):
ip route-static 0.0.0.0 0.0.0.0 Vlan-interface100 192.168.0.254
#
ipv6 route-static :: 0 Vlan-interface100 2001:DB8:1111:100::1
#
Example for client1 sitting in vlan101, if it wants to connect its own firewall or such:
WAN: 2001:DB8:1111:101::2/64
DEFGW: 2001:DB8:1111:101::1
LAN: 2001:DB8:2222:01::1/56
PREFIX: 2001:DB8:2222:01::/56
Tags: IPv6
02-12-2014 10:04 PM
Re: IPv6 and private vlans
I finally managed to solve this, thanks to "protocol-vlan" :-)
Example:
ISP (L3) <-> R1 (L3) <-> SW1 (L2)
R1:
Create VLANs:
vlan 100
description SW1
#
vlan 101
description SW1_01_LGHXX
#
...
vlan 148
description SW1_48_LGHXX
#
Setup SVIs:
interface Vlan-interface100
description SW1
ip address 192.168.0.254 255.255.255.0
local-proxy-arp enable
#
interface Vlan-interface101
description SW1_01_LGHXX
undo ipv6 nd ra halt
ipv6 address 2001:DB8:1111:101::1/64
#
...
interface Vlan-interface148
description SW1_48_LGHXX
undo ipv6 nd ra halt
ipv6 address 2001:DB8:1111:148::1/64
#
Set up routing (each IPv6 customer now has its own /64, and an additional /56 is routed their way as well if they manually configure their IP to ::2):
ip route-static 0.0.0.0 0.0.0.0 Vlan-interfaceX 10.0.0.1
#
ipv6 route-static :: 0 Vlan-interfaceX 2001:DB8:1111:1::1
ipv6 route-static 2001:DB8:2222:01:: 56 Vlan-interface101 2001:DB8:1111:101::2
...
ipv6 route-static 2001:DB8:2222:48:: 56 Vlan-interface148 2001:DB8:1111:148::2
The VLANs are then trunked (802.1Q tagged) to SW:
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
description 1_SW1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 148
#
SW1:
The switch receives the tagged frames and puts them onto the correct physical interface.
Create VLANs:
vlan 100
description R1
protocol-vlan 0 mode ethernetii etype 0806
protocol-vlan 4 ipv4
#
vlan 101
description 01_LGHXX
protocol-vlan 6 ipv6
#
...
vlan 148
description 48_LGHXX
protocol-vlan 6 ipv6
#
Configure interfaces:
interface GigabitEthernet1/0/1
description 01_LGHXX
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 101 untagged
port hybrid protocol-vlan vlan 100 0
port hybrid protocol-vlan vlan 100 4
port hybrid protocol-vlan vlan 101 6
port-isolate enable
#
...
interface GigabitEthernet1/0/48
description 48_LGHXX
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 148 untagged
port hybrid protocol-vlan vlan 100 0
port hybrid protocol-vlan vlan 100 4
port hybrid protocol-vlan vlan 148 6
port-isolate enable
#
This way, if the client does IPv4 and ARP, the traffic will be put into VLAN 100 and the "port-isolate enable" will make sure the client can only speak to the uplink (that's why local-proxy-arp is needed on int vlan 100 at R1, so clients can communicate with each other at L3 level).
While if the client does IPv6, the traffic will be put into the VLAN 1xx that belongs to the physical interface the client is connected to, which also means that each client has its own /64 and is separated from the others at L2 level.
Best of both worlds :-)
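As an added example (my own code, not configuration from either post), a small Python model of the SW1 plan used in both the question and the answer: it classifies untagged frames by ethertype the way the protocol-vlan lines on SW1 do, checks the L2 isolation property, derives the per-port source prefixes a BCP38 ingress filter would allow, and verifies that the routed /56 prefixes are actually distinct. The drop of frames matching no protocol template and the collision check are my assumptions and additions, not observed Comware behaviour.

```python
import ipaddress

# Added example, not from the thread. It models the SW1 plan both posts use:
# access port N carries VLAN 100+N, the client gets 2001:DB8:1111:<vlan>::/64
# via SLAAC, and 2001:DB8:2222:<NN>:: /56 is static-routed to ::2 on that VLAN.
# Assumptions are marked; the ethertype-to-VLAN rules mirror the protocol-vlan
# lines in the second post.
ARP, IPV4, IPV6 = 0x0806, 0x0800, 0x86DD
PORTS = range(1, 49)
UPLINK = "uplink"

def ingress_vlan(port, ethertype):
    """VLAN an untagged frame from access port `port` is classified into."""
    if ethertype in (ARP, IPV4):
        return 100                 # shared IPv4/ARP VLAN, port-isolated
    if ethertype == IPV6:
        return 100 + port          # one VLAN, hence one /64, per client
    return None                    # assumption: no protocol match -> dropped

def l2_reachable(src_port, dst, ethertype):
    """Can a frame from `src_port` reach `dst` (another port or UPLINK) at L2?"""
    vlan = ingress_vlan(src_port, ethertype)
    if vlan is None:
        return False
    if dst == UPLINK:
        return True                # uplink is outside the isolation group
    if vlan == 100:
        return False               # port-isolate: access ports never talk
    return ingress_vlan(dst, ethertype) == vlan  # IPv6 VLANs differ per port

def slaac_prefix(port):
    """The /64 advertised on VLAN 100+port, i.e. what SLAAC hands the client."""
    return ipaddress.IPv6Network(f"2001:db8:1111:{100 + port}::/64")

def routed_prefix(port):
    """The /56 as typed in the posts; strict=False masks host bits away."""
    return ipaddress.IPv6Network(f"2001:db8:2222:{port:02d}::/56", strict=False)

def bcp38_ok(port, src):
    """Would a per-port ingress source filter (BCP38) accept this source?"""
    addr = ipaddress.IPv6Address(src)
    return addr in slaac_prefix(port) or addr in routed_prefix(port)

def routed_prefix_collisions():
    """Ports whose written /56 masks to the same network as another port's."""
    by_net = {}
    for p in PORTS:
        by_net.setdefault(str(routed_prefix(p)), []).append(p)
    return {net: ports for net, ports in by_net.items() if len(ports) > 1}
```

routed_prefix_collisions() reports that 2001:DB8:2222:01:: through 2001:DB8:2222:48:: all mask to the one network 2001:DB8:2222::/56, because a /56 boundary falls eight bits into the fourth hextet; the per-customer /56 routes as written therefore overlap, and the customer number would have to sit in the high byte of that hextet for them to be distinct.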