The ACLs/Security policy can actually be fairly generic or automated, so I don’t see that as an issue. The DHCP forwarder configuration is usually global, so the helper address statement demonstrates your lack of IPv6 understanding. The /64 is pretty much nothing, but yeah, so what? Owen
On Sep 9, 2015, at 10:16 , Josh Moore <jmoore@atcnetworks.net> wrote:
It's not just the tag though... You have the /64 that has to be provisioned, the helper addresses for DHCP, ACLs/security policy, etc.
Thanks,
Joshua Moore Network Engineer ATC Broadband 912.632.3161
On Sep 9, 2015, at 1:14 PM, Owen DeLong <owen@delong.com> wrote:
VLAN tags aren’t global and 4096 is only a limitation on ethernet.
VPI/VCI is many more.
Yes, if you need more than 4096 customers on a single switch, you’ve got an issue, but there are many potential issues in that scenario beyond VLAN tagging (like customers choosing not to use routers and filling up your MAC tables).
Owen
On Sep 8, 2015, at 12:40 , Josh Moore <jmoore@atcnetworks.net> wrote:
The question becomes manageability. Unique VLAN per customer is not always scalable. For example, only ~4000 VLAN tags. What happens when you have more than that many customers? Also, provisioning. Who is going to provision thousands of unique prefixes and VLANs, trunk them through relevant equipment and ensure they are secured as well?
We are talking very, very, small customers here. SOHO to say the most. /64 should be more than sufficient for their CPE router.
Joshua Moore Network Engineer ATC Broadband 912.632.3161 - O | 912.218.3720 - M
-----Original Message----- From: Owen DeLong [mailto:owen@delong.com] Sent: Tuesday, September 08, 2015 3:31 PM To: Josh Moore Cc: Valdis.Kletnieks@vt.edu; nanog@nanog.org Subject: Re: IPv6 Subscriber Access Deployments
Short answer to that is “DHCPv6-PD”
Longer answer:
Customer’s router should get an address on the external interface through one of SLAAC, DHCP-PD, Static Assignment, depending on how the ISP prefers to do this.
If the ISPs equipment supports IPv6 on shared VLANs with DHCP snooping and other security, you can implement it with a single /64 giving each router a unique address within that segment, but it’s not really ideal. This was mainly done in IPv4 to conserve addresses. Separate point to point VLANs are a cleaner solution and since there are enough addresses in IPv6 to do this, that is how most providers implement. I prefer using /64s (or at least assigning /64s) to these VLANs, but there are those who argue for /127, some equipment is broken and requires a /126, and yet others argue for other nonsensical prefixes.
Once the router has an external address communicating point to point with the ISP router, it should then send an DHCPv6-PD request asking for a prefix that it can manage. The ISPs DHCP server should then send back a /48 (or if you want to be silly, a /56 or a /60, and if you want to be insane, a /64).
The reality is that if you send a smaller prefix back, you risk having difficulty with your future ARIN applications as your Provider Allocation Unit is based on the smallest prefix you delegate to end-users. So if you, for example, assign /48 to business customers and /60 to residential customers, you’re going to have to justify why each of your business customers needed 4096 /60s when you claim that you need more IPv6 space.
OTOH, if you simply issue /48s to everyone, you can just go back and say “Each end site got a /48 and there are N end-sites” and you’re good, no questions asked about the size of any of those end-sites.
Owen
On Sep 8, 2015, at 12:12 , Josh Moore <jmoore@atcnetworks.net> wrote:
We are talking a purely bridged environment. However, I have been wondering how in the world end-to-end IPv6 connectivity is supposed to work if a customer hooks up their own router. That is one of the points of IPv6...
Joshua Moore Network Engineer ATC Broadband 912.632.3161 - O | 912.218.3720 - M
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, September 08, 2015 3:08 PM To: Josh Moore Cc: nanog@nanog.org Subject: Re: IPv6 Subscriber Access Deployments
On Tue, 08 Sep 2015 19:04:06 -0000, Josh Moore said:
I'm reading that the recommended method for assigning IPv6 addresses to end-users is to do this via a dedicated VLAN and /64.
Important question - are you talking about the IPv6 address supplied to the CPE router itself, or a /48 or /56 delegated to the CPE router to allocate to subnets and devices behind it?