IPv6 and private vlans

Apachez-
Trusted Contributor

I have successfully set up an isolate-user-vlan (HP terminology for private VLAN, as it seems) to work with an IPv4 network.

That is, vlan100 is the primary one (with an IPv4 address set, which the clients use as default gateway), followed by vlan101-148 as secondary VLANs (where each secondary VLAN is then mapped to its own physical interface on the access switch).

Now I want to reuse this setup for IPv6 with the added feature of one /64 per client (that is, per secondary VLAN).

The client will get this through SLAAC, which means I won't have to perform any additional administration for IPv6 users (compared to IPv4 users, who use static assignment). Because each client will have its own /64, I can also set up good ACLs on the physical interfaces (so I know which prefix is used by which client in case of abuse).

So I thought I could just set up an IPv6 address on each secondary VLAN, but it seems that I was a bit too optimistic.

That is, the flow for v4 traffic would be:

client1 -> vlan101 (L2) -> vlan100 (L3) -> ISP

while for v6 it would become:

client1 -> vlan101 (L3) -> ISP

Am I missing something here, or is it true that a secondary VLAN will refuse to route traffic on its own?

And if so, any suggestions to fix this? Could I for example combine this private VLAN setup with a protocol-vlan configuration so v4 traffic goes in one VLAN and v6 traffic in another (so that only the v4 VLANs will have this isolate-user-vlan configuration)?

That is, without involving DHCPv6. Another drawback of just using a single /64 per switch is that it would be harder to set up ACLs to fulfill BCP38.

Here is the current configuration:

 

R1 = HP A5820-24XG-SFP+ Switch (JC102A)

SW1/2/3 = HP A5120-48G EI Switch with 2 Slots 10G (JE069A)

1) The physical setup is ISP <-> R1 <-> SW1/2/3

2) All routing is performed in the R1:

It has all the VLANs defined and the pvlan configured, example:

interface Vlan-interface100
 description SW1
 ipv6 address 2001:DB8:1111:100::1/64
 ip address 192.168.0.254 255.255.255.0
 local-proxy-arp enable
#
interface Vlan-interface101
 description SW1_01_LGHXX
 undo ipv6 nd ra halt
 ipv6 address 2001:DB8:1111:101::1/64
#

...

interface Vlan-interface148
 description SW1_48_LGHXX
 undo ipv6 nd ra halt
 ipv6 address 2001:DB8:1111:148::1/64
#

isolate-user-vlan 100 secondary 101 to 148

Then I use static routing towards the ISP, but also an additional /56 towards each customer in case the customer manually configures its IPv6 address to end with ::2:

ip route-static 0.0.0.0 0.0.0.0 Vlan-interfaceX 10.0.0.1
#
ipv6 route-static :: 0 Vlan-interfaceX 2001:DB8:1111:1::1
ipv6 route-static 2001:DB8:2222:01:: 56 Vlan-interface101 2001:DB8:1111:101::2
...
ipv6 route-static 2001:DB8:2222:48:: 56 Vlan-interface148 2001:DB8:1111:148::2

The VLANs are then trunked (802.1Q tagged) to each SW, example:

interface Ten-GigabitEthernet1/0/1
 port link-mode bridge
 description 1_SW1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 148
#

3) SW receives the traffic and puts each VLAN on its own physical interface, example:

interface Vlan-interface100
 description R1
 ipv6 address 2001:DB8:1111:100::2/64
 ip address 192.168.0.253 255.255.255.0
#
interface GigabitEthernet1/0/1
 description 01_LGHXX
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 101 untagged
 port hybrid pvid vlan 101
#

...

interface GigabitEthernet1/0/48
 description 48_LGHXX
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 148 untagged
 port hybrid pvid vlan 148
#

Then the SW has a default route set up (but this one is only used so the switch itself can reach NTP, syslog etc.):

ip route-static 0.0.0.0 0.0.0.0 Vlan-interface100 192.168.0.254
#
ipv6 route-static :: 0 Vlan-interface100 2001:DB8:1111:100::1
#

Example of a client1 sitting in vlan101, if they want to connect their own firewall or such:

WAN: 2001:DB8:1111:101::2/64
DEFGW: 2001:DB8:1111:101::1

LAN: 2001:DB8:2222:01::1/56
PREFIX: 2001:DB8:2222:01::/56

1 REPLY
Apachez-
Trusted Contributor

Re: IPv6 and private vlans

I finally managed to solve this, thanks to "protocol-vlan" :-)

Example:

ISP (L3) <-> R1 (L3) <-> SW1 (L2)


R1:

Create VLANs:

vlan 100
 description SW1
#
vlan 101
 description SW1_01_LGHXX
#

...

vlan 148
 description SW1_48_LGHXX
#

Set up SVIs:

interface Vlan-interface100
 description SW1
 ip address 192.168.0.254 255.255.255.0
 local-proxy-arp enable
#
interface Vlan-interface101
 description SW1_01_LGHXX
 undo ipv6 nd ra halt
 ipv6 address 2001:DB8:1111:101::1/64
#

...

interface Vlan-interface148
 description SW1_48_LGHXX
 undo ipv6 nd ra halt
 ipv6 address 2001:DB8:1111:148::1/64
#

Set up routing (each IPv6 customer now has its own /64, and an additional /56 is routed their way as well if they manually configure their IP to end with ::2):

ip route-static 0.0.0.0 0.0.0.0 Vlan-interfaceX 10.0.0.1
#
ipv6 route-static :: 0 Vlan-interfaceX 2001:DB8:1111:1::1
ipv6 route-static 2001:DB8:2222:01:: 56 Vlan-interface101 2001:DB8:1111:101::2
...
ipv6 route-static 2001:DB8:2222:48:: 56 Vlan-interface148 2001:DB8:1111:148::2

The VLANs are then trunked (802.1Q tagged) to SW:

interface Ten-GigabitEthernet1/0/1
 port link-mode bridge
 description 1_SW1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 148
#


SW1:

The switch receives the tagged frames and puts them on the correct physical interface.

Create VLANs:

vlan 100
 description R1
 protocol-vlan 0 mode ethernetii etype 0806
 protocol-vlan 4 ipv4
#
vlan 101
 description 01_LGHXX
 protocol-vlan 6 ipv6
#

...

vlan 148
 description 48_LGHXX
 protocol-vlan 6 ipv6
#

Configure interfaces:

interface GigabitEthernet1/0/1
 description 01_LGHXX
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 101 untagged
 port hybrid protocol-vlan vlan 100 0
 port hybrid protocol-vlan vlan 100 4
 port hybrid protocol-vlan vlan 101 6
 port-isolate enable
#

...

interface GigabitEthernet1/0/48
 description 48_LGHXX
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 148 untagged
 port hybrid protocol-vlan vlan 100 0
 port hybrid protocol-vlan vlan 100 4
 port hybrid protocol-vlan vlan 148 6
 port-isolate enable
#


This way, if the client does IPv4 and ARP, the traffic will be put into VLAN 100, and "port-isolate enable" will make sure the client can only speak to the uplink (that's why local-proxy-arp is needed on int vlan 100 at R1, so clients can communicate with each other at L3 level).

While if the client does IPv6, the traffic will be put into the VLAN 1xx that belongs to the physical interface the client is connected to, which also means that each client has its own /64 and is separated from the others at L2 level.

Best of both worlds :-)
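As an added worked example (my own code, not the poster's and not anything Comware ships), a small Python generator that derives R1's SVI, the per-customer /56 static route and SW1's protocol-VLAN port stanzas from the access port number, so that 48 near-identical stanzas cannot drift apart when hand-edited. It assumes the thread's 2001:DB8:1111:1NN::/64 link plan, and for the routed customer block it places customer NN at 2001:db8:2222:NN00::/56 (my assumption): a /56 boundary falls on the high byte of the fourth group, so a prefix written as 2001:DB8:2222:01::/56 carries host bits, which prefix_on_boundary() flags; bcp38_sources() lists the source prefixes a per-port ingress filter should permit.

```python
import ipaddress

def vlan_for_port(port: int) -> int:
    """Access port N (1..48) of SW1 sends its IPv6 into secondary VLAN 100+N."""
    if not 1 <= port <= 48:
        raise ValueError("port must be 1..48")
    return 100 + port

def customer_plan(port: int) -> dict:
    """Addresses for one port: link /64 (thread's plan) and routed /56 (assumed NN00::/56)."""
    vid = vlan_for_port(port)
    link = ipaddress.IPv6Network(f"2001:db8:1111:{vid}::/64")
    lan = ipaddress.IPv6Network(f"2001:db8:2222:{port:02d}00::/56")  # sits on a /56 boundary
    return {"vlan": vid, "link": link, "gateway": link[1], "client": link[2], "lan": lan}

def prefix_on_boundary(text: str) -> bool:
    """False when host bits are set, i.e. the route would not mean exactly one customer."""
    try:
        ipaddress.IPv6Network(text, strict=True)
        return True
    except ValueError:
        return False

def r1_stanzas(port: int) -> str:
    """R1 SVI plus the /56 static route towards the client's ::2 address."""
    p = customer_plan(port)
    return "\n".join([
        f"interface Vlan-interface{p['vlan']}", f" description SW1_{port:02d}_LGHXX",
        " undo ipv6 nd ra halt", f" ipv6 address {p['gateway']}/64", "#",
        f"ipv6 route-static {p['lan'].network_address} {p['lan'].prefixlen} "
        f"Vlan-interface{p['vlan']} {p['client']}"])

def sw1_stanzas(port: int) -> str:
    """SW1 VLAN and hybrid port: ARP/IPv4 go to VLAN 100, IPv6 to the port's own VLAN."""
    vid = vlan_for_port(port)
    return "\n".join([
        f"vlan {vid}", f" description {port:02d}_LGHXX", " protocol-vlan 6 ipv6", "#",
        f"interface GigabitEthernet1/0/{port}", f" description {port:02d}_LGHXX",
        " port link-type hybrid", " undo port hybrid vlan 1",
        f" port hybrid vlan 100 {vid} untagged",
        " port hybrid protocol-vlan vlan 100 0",     # ARP (etype 0806) -> shared VLAN 100
        " port hybrid protocol-vlan vlan 100 4",     # IPv4 -> shared VLAN 100
        f" port hybrid protocol-vlan vlan {vid} 6",  # IPv6 -> this customer's /64 VLAN
        " port-isolate enable", "#"])

def bcp38_sources(port: int) -> list:
    """Source prefixes an ingress filter on this port should permit, and nothing else."""
    p = customer_plan(port)
    return [str(p["link"]), str(p["lan"])]
```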