1

We are currently having perfectly working IPv4 network with a typical layout - internal network with all servers splitted to VLANs in 10.0.0.0/8 (each vlan is /24) and external network with public ip addresses. IPv4 addresses are NATed to the internal network via 2 redundant linux boxes.

We got /48 IPv6 range and gateway (nothing more) from our ISP. I am able to configure static IPv6 on my firewall to test IPv6 connectivity, which works. However, I would like to split that /48 IPv6 range to smaller groups and advertise them further. I can imagine that I end up with configuration where each VLAN will have:

  • 1x /24 IPv4 internal IP range within 10.0.0.0/8
  • 1x /64 IPv6 external IP range within our public IP range

With IPv6, I would like to stop using IPv4, stop using internal IPv4 network and keep IPv4 addresses only on services that need to keep the compatibility. I want to avoid of NAT in the future.

The question is, what is the best practice to do this on linux?

Updated question

Is there any way, I can tell my provider next hop to pass the /64 ranges through? Does IPv6 support this? Or I need to ask him to set up a static route to my gateways?

Yarik Dot
  • 1,583
  • 12
  • 26
  • 3
    Your idea seems fine. What is the problem you are having? – Michael Hampton Oct 19 '14 at 16:00
  • yeah, i think using a /64 on every /24 is a pretty common way to go, as it essentially doesn't change the subnet layout, just makes them bigger. I've not deployed ipv6 yet but i think you'll also want a /64 on every ipv4 subnet that's >24 && < 30. For point to point links people seem to suggest a /126 (or /127 on recent gear) – Sirex Oct 19 '14 at 19:42
  • @Sirex You would use a /64 on every _subnet_ no matter how much or little IPv4 space was given to it. (Or the special case for point to point links.) – Michael Hampton Oct 19 '14 at 20:17
  • I don't think your ISP has any control over your _internal_ network, nor should they. You get to decide for yourself what gets which subnets. – Michael Hampton Oct 19 '14 at 20:18
  • @MichaelHampton ah ok. i thought i heard somewhere it was a security consideration, rather than an address usage one. /64 across the board does make things simpler. – Sirex Oct 19 '14 at 21:29
  • @Sirex The point to point case is the one with security considerations. See [How does IPv6 subnetting work and how does it differ from IPv4 subnetting?](http://serverfault.com/q/426183/126632) – Michael Hampton Oct 19 '14 at 21:30

1 Answers1

2

For original question: Yes, 1x /24 IPv4 and 1x /64 IPv6 for each VLAN is just fine. You'll be creating typical dual-stack setup. If you set IPv6 as preferred in /etc/gai.conf, then your computers will use IPv6 where available (throughout your intranet, and on Internet where available), and fall back to IPv4 NAT for hosts/services which are not yet IPv6 enabled (most of the Internet at the moment, unfortunately, although if your users are spending most of the time on youtube and facebook they might not notice :).

Once you no longer need to connect to any IPv4 sites/services, you can turn off IPv4 and NAT (it won't be for some time yet though - if you plan on allowing general Internet access).

For updated question: There is no need to bother your provider with your /64s. They have given you /48, and will happily route all your networks included in that range (up to 65536 of them if sized /64!) you may have without any need to ask them anything. All you need is default route to them, and specific /64 routes for each of your VLANs on your router.

Matija Nalis
  • 2,478
  • 24
  • 37