The ACLs/Security policy can actually be fairly generic or automated, so I don’t see that as an issue.

The DHCP forwarder configuration is usually global, so the helper address statement demonstrates your lack of IPv6 understanding.

The /64 is pretty much nothing, but yeah, so what?

Owen

> On Sep 9, 2015, at 10:16 , Josh Moore <[email protected]> wrote:
>
> It's not just the tag though... You have the /64 that has to be provisioned,
> the helper addresses for DHCP, ACLs/security policy, etc.
>
> Thanks,
>
> Joshua Moore
> Network Engineer
> ATC Broadband
> 912.632.3161
>
>> On Sep 9, 2015, at 1:14 PM, Owen DeLong <[email protected]> wrote:
>>
>> VLAN tags aren’t global and 4096 is only a limitation on Ethernet.
>>
>> VPI/VCI is many more.
>>
>> Yes, if you need more than 4096 customers on a single switch, you’ve got an
>> issue, but there are many potential issues in that scenario beyond VLAN
>> tagging (like customers choosing not to use routers and filling up your MAC
>> tables).
>>
>> Owen
>>
>>> On Sep 8, 2015, at 12:40 , Josh Moore <[email protected]> wrote:
>>>
>>> The question becomes manageability. Unique VLAN per customer is not always
>>> scalable. For example, only ~4000 VLAN tags. What happens when you have
>>> more than that many customers? Also, provisioning. Who is going to
>>> provision thousands of unique prefixes and VLANs, trunk them through
>>> relevant equipment and ensure they are secured as well?
>>>
>>> We are talking very, very small customers here. SOHO to say the most. /64
>>> should be more than sufficient for their CPE router.
>>>
>>> Joshua Moore
>>> Network Engineer
>>> ATC Broadband
>>> 912.632.3161 - O | 912.218.3720 - M
>>>
>>> -----Original Message-----
>>> From: Owen DeLong [mailto:[email protected]]
>>> Sent: Tuesday, September 08, 2015 3:31 PM
>>> To: Josh Moore
>>> Cc: [email protected]; [email protected]
>>> Subject: Re: IPv6 Subscriber Access Deployments
>>>
>>> Short answer to that is “DHCPv6-PD”
>>>
>>> Longer answer:
>>>
>>> Customer’s router should get an address on the external interface through
>>> one of SLAAC, DHCP-PD, Static Assignment, depending on how the ISP prefers
>>> to do this.
>>>
>>> If the ISP’s equipment supports IPv6 on shared VLANs with DHCP snooping and
>>> other security, you can implement it with a single /64 giving each router a
>>> unique address within that segment, but it’s not really ideal. This was
>>> mainly done in IPv4 to conserve addresses. Separate point to point VLANs
>>> are a cleaner solution and since there are enough addresses in IPv6 to do
>>> this, that is how most providers implement. I prefer using /64s (or at
>>> least assigning /64s) to these VLANs, but there are those who argue for
>>> /127, some equipment is broken and requires a /126, and yet others argue
>>> for other nonsensical prefixes.
>>>
>>> Once the router has an external address communicating point to point with
>>> the ISP router, it should then send a DHCPv6-PD request asking for a
>>> prefix that it can manage. The ISP’s DHCP server should then send back a /48
>>> (or if you want to be silly, a /56 or a /60, and if you want to be insane,
>>> a /64).
>>>
>>> The reality is that if you send a smaller prefix back, you risk having
>>> difficulty with your future ARIN applications as your Provider Allocation
>>> Unit is based on the smallest prefix you delegate to end-users. So if you,
>>> for example, assign /48 to business customers and /60 to residential
>>> customers, you’re going to have to justify why each of your business
>>> customers needed 4096 /60s when you claim that you need more IPv6 space.
>>>
>>> OTOH, if you simply issue /48s to everyone, you can just go back and say
>>> “Each end site got a /48 and there are N end-sites” and you’re good, no
>>> questions asked about the size of any of those end-sites.
>>>
>>> Owen
>>>
>>>> On Sep 8, 2015, at 12:12 , Josh Moore <[email protected]> wrote:
>>>>
>>>> We are talking a purely bridged environment. However, I have been
>>>> wondering how in the world end-to-end IPv6 connectivity is supposed to
>>>> work if a customer hooks up their own router. That is one of the points of
>>>> IPv6...
>>>>
>>>> Joshua Moore
>>>> Network Engineer
>>>> ATC Broadband
>>>> 912.632.3161 - O | 912.218.3720 - M
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]]
>>>> Sent: Tuesday, September 08, 2015 3:08 PM
>>>> To: Josh Moore
>>>> Cc: [email protected]
>>>> Subject: Re: IPv6 Subscriber Access Deployments
>>>>
>>>> On Tue, 08 Sep 2015 19:04:06 -0000, Josh Moore said:
>>>>> I'm reading that the recommended method for assigning IPv6 addresses to
>>>>> end-users is to do this via a dedicated VLAN and /64.
>>>>
>>>> Important question - are you talking about the IPv6 address supplied to
>>>> the CPE router itself, or a /48 or /56 delegated to the CPE router to
>>>> allocate to subnets and devices behind it?
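
Added example, not part of the original thread: a Python sketch of the automation discussed above, deriving each subscriber's VLAN, point-to-point /64, delegated /48 and a generic anti-spoofing filter from a single index. The 2001:db8::/32 block, the link pool, the VLAN range and the rule syntax are assumptions made for illustration, not any vendor's configuration language.

```python
import ipaddress

# Assumptions for illustration (not from the thread): the documentation prefix
# 2001:db8::/32 as the ISP block, its first /48 reserved for point-to-point
# link /64s, and usable 802.1Q VLAN IDs 2-4094 on every access switch.
ISP_BLOCK = ipaddress.IPv6Network("2001:db8::/32")
LINK_POOL = ipaddress.IPv6Network("2001:db8::/48")
VLAN_FIRST, VLAN_LAST = 2, 4094
VLANS_PER_SWITCH = VLAN_LAST - VLAN_FIRST + 1


def subscriber_plan(index):
    """Derive switch, VLAN, link /64 and delegated /48 for subscriber `index`."""
    if index < 0:
        raise ValueError("index must be non-negative")
    # The VLAN tag is only unique per switch, so it wraps; the prefixes do not.
    switch, slot = divmod(index, VLANS_PER_SWITCH)
    link = ipaddress.IPv6Network(
        (int(LINK_POOL.network_address) + (index << 64), 64))
    # Delegations start one /48 after the block's first /48 (the link pool).
    pd = ipaddress.IPv6Network(
        (int(ISP_BLOCK.network_address) + ((index + 1) << 80), 48))
    if not link.subnet_of(LINK_POOL) or not pd.subnet_of(ISP_BLOCK):
        raise ValueError("address pool exhausted")
    return {"switch": switch, "vlan": VLAN_FIRST + slot,
            "link": str(link), "delegated": str(pd)}


def ingress_filter(plan):
    """Generic per-VLAN source filter, in a made-up vendor-neutral syntax."""
    vlan = plan["vlan"]
    return [
        f"vlan {vlan} permit src fe80::/10",  # link-local for ND and DHCPv6
        f"vlan {vlan} permit src {plan['link']}",
        f"vlan {vlan} permit src {plan['delegated']}",
        f"vlan {vlan} deny src ::/0",  # anything else is spoofed
    ]


if __name__ == "__main__":
    for i in (0, 4093):  # first subscriber, and the first one on a second switch
        plan = subscriber_plan(i)
        print(plan)
        print("\n".join(ingress_filter(plan)))
```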

