IPv6 Address
It is a 128-bit number, typically written in hexadecimal as eight 16-bit groups (hextets), each delimited by a colon (:).
- 0000:0000:0000:0000:0000:0000:0000:0000
- ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Two shortenings are allowed: leading zeros inside a group may be dropped, and one run of consecutive all-zero groups may be replaced by a double colon (::). The double colon may appear only once in an address, otherwise a parser could not tell how many zero groups each one stands for. So the address 1111:2222:0000:0000:0000:6666:7777:0888 is the same as 1111:2222::6666:7777:888. RFC 5952 fixes the canonical text form (lowercase, the longest zero run compressed, the leftmost run on a tie, a single zero group never compressed), and it is worth normalizing to it before addresses are compared as strings, for example in log searches or allow-lists.
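As an added example (my own Python, not code from the original post), the two rules above implemented as a small parser: expanding an address to its eight full hextets and producing the RFC 5952 canonical form. The standard library's ipaddress module is used only to cross-check the hand-written result, and the addresses fed in under __main__ are constructed test input.

```python
import ipaddress
import re


def expand_ipv6(text):
    """Parse IPv6 text (dropped leading zeros, optional single '::') into 8 ints."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    hextets = []
    for group in groups:
        if not re.fullmatch(r"[0-9a-fA-F]{1,4}", group):
            raise ValueError("bad group %r" % group)
        hextets.append(int(group, 16))
    return hextets


def full_form(text):
    """Uncompressed form: eight 4-digit lowercase groups."""
    return ":".join("%04x" % h for h in expand_ipv6(text))


def compress_ipv6(text):
    """RFC 5952 canonical form: lowercase, no leading zeros, the longest run of
    zero groups replaced by '::' (leftmost run on a tie), and a lone zero
    group left alone because '::' must stand for at least two groups."""
    hextets = expand_ipv6(text)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if hextets[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == 0:
            j += 1
        if j - i > best_len:          # strictly longer, so ties keep the leftmost run
            best_start, best_len = i, j - i
        i = j
    parts = ["%x" % h for h in hextets]
    if best_len < 2:
        return ":".join(parts)
    left = ":".join(parts[:best_start])
    right = ":".join(parts[best_start + best_len:])
    return left + "::" + right


def matches_stdlib(text):
    """Cross-check: str(IPv6Address) is the RFC 5952 form as well."""
    return compress_ipv6(text) == str(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    # constructed samples, including the one from the text
    for sample in ("1111:2222:0000:0000:0000:6666:7777:888", "fe80:0:0:0:0:0:0:1",
                   "2001:db8:0:0:1:0:0:1", "::"):
        print(full_form(sample), "->", compress_ipv6(sample), matches_stdlib(sample))
```

In Python the ipaddress module already does this normalization for you; the point of writing it out is to see the rules a grep pattern or a hand-written allow-list silently gets wrong, such as the leftmost-run rule and the lone zero group.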
IPv6 Subnets
The smallest subnet normally used on a link in IPv6 is a /64 (the first 64 bits are the network prefix, the last 64 the interface identifier), so here are examples of IPv6 subnets:
- fd11:1111:1111:1111:0000:0000:0000:0000/64
- fd12:3456:789a:0000::/64
- fd12:3456:789a:1111::/64
Can I have such a huge number of devices in one VLAN (broadcast domain)?
No, you cannot practically have 2⁶⁴ devices in one VLAN, even though a /64 technically offers that many addresses, and here's why:
- Ethernet and switching limits (MAC address tables in switches hold thousands of entries, not billions)
- Neighbor cache (NDP) table limits (operating systems and routers cannot store neighbor entries for millions of hosts; this is also why a router in front of a sparsely used /64 can be driven into neighbor cache exhaustion by a scan of unused addresses, see RFC 6583, so cap the cache and rate-limit NDP on such routers)
- Broadcast and multicast load (every host on the segment has to process link-wide broadcast and multicast traffic such as NDP solicitations, and that does not scale indefinitely)
So What Is the Practical Limit?
Most networks keep a few hundred to a few thousand devices per VLAN, depending on:
- Switch/router hardware
- Security policy
- Performance needs
Even 10,000 devices per VLAN is considered very large and rare. Historically the best practice was to limit a single broadcast domain (VLAN) to about 250 or 300 devices, but the final decision is up to the infrastructure architect, who should take all limits and constraints into account.
What If I Use a Smaller Subnet (e.g. /126 or /112)?
It's possible, but only in specific use cases, like:
- Point-to-point links (e.g. /127, /126)
- Routing-only environments
IPv6 prefix size                  Use case
/64                               Standard LAN subnet (use this unless you know better)
/126 or /127                      Point-to-point links, e.g. router to router (RFC 6164 recommends /127)
/128                              Single host address (loopbacks, host routes)
Shorter than /64, e.g. /56, /48   Aggregated prefix blocks to be split into /64s, not individual subnets
It is best practice to keep /64 as the smallest subnet on any link with end hosts: SLAAC on Ethernet uses a 64-bit interface identifier (RFC 2464, RFC 7421), so a longer prefix breaks autoconfiguration and a lot of tooling that assumes /64.
Link-local Addresses
A link-local address is reachable only on the same link (L2 segment); routers never forward packets to or from it. Every IPv6-enabled interface generates one automatically when it comes up, so a host always has a link-local address even when no router or DHCPv6 server is present.
Link-local addresses are required for the Neighbor Discovery Protocol (NDP), which runs over ICMPv6 and takes over the jobs ARP did in IPv4: address resolution (Neighbor Solicitation/Advertisement), router discovery (Router Solicitation/Advertisement), redirects and Duplicate Address Detection. NDP messages are sent from link-local addresses because those exist before any other address has been configured.
Range: fe80::/10, i.e. fe80:: up to the last address febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff. In practice only fe80::/64 is used, because the 54 bits between the 10-bit prefix and the interface identifier are defined to be zero (RFC 4291).
A link-local address is composed of the prefix and an interface identifier.
The prefix is always fe80:: (the first 10 bits are 1111 1110 10 in binary).
The interface identifier is the second part of the address; it is the portion that identifies the specific network interface on the device. There are two common ways to generate it:
- EUI-64 (Extended Unique Identifier): a 64-bit value derived from the 48-bit MAC address of the interface. The MAC is split in half, ff:fe is inserted in the middle and the universal/local bit (0x02 of the first octet) is flipped; for the MAC 00:11:22:33:44:55 the identifier is 0211:22ff:fe33:4455, giving fe80::211:22ff:fe33:4455. The MAC, and with it the hardware vendor, stays visible in the address and follows the device from network to network, which makes the host easy to track.
- Randomized interface identifier (privacy extensions, RFC 4941, or stable semantically opaque identifiers, RFC 7217): 64 bits with no relation to the MAC, for example fcb0:2b5a:bbf0:1001. Most current operating systems default to randomized identifiers rather than EUI-64 for global addresses.
SLAAC
SLAAC (Stateless Address Autoconfiguration) is an automatic method that allows devices to configure their own IPv6 addresses based on network prefixes advertised by routers. Link-local addresses play a crucial role here.
Steps in SLAAC (Involving Link-Local Addresses):
- Router Advertisements (RAs)
- Routers send Router Advertisement messages (ICMPv6 type 134) to tell hosts about the network's IPv6 prefix, the default router and configuration options. RAs are not authenticated, so any host on the link can send a rogue RA and become the default gateway or inject a prefix (RFC 6104); access switches should enforce RA Guard (RFC 6105) to drop RAs arriving on host-facing ports.
- SLAAC Address Generation
- The host combines the advertised /64 prefix with its own interface identifier (EUI-64 or randomized) to form a tentative address.
- Neighbor Solicitation for Duplicate Address Detection (DAD)
- The device sends a Neighbor Solicitation (NS) for the tentative address, sourced from the unspecified address (::), to check whether it is already in use on the local link; if a Neighbor Advertisement comes back, the address is abandoned.
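As an added example covering both the interface identifier options listed under link-local addresses and the SLAAC address generation step above (my own Python, not code from the original post), the three identifier constructions: modified EUI-64 from a MAC, an RFC 4941 style random identifier, and an RFC 7217 style stable identifier keyed by the prefix and a per-host secret. The RFC 7217 hash input here is a simplified stand-in for the RFC's function, the interface name eth0, the secret and the prefix 2001:db8:1:2::/64 are made-up inputs, and DAD itself is not performed because it needs the wire.

```python
import hashlib
import ipaddress
import os


def mac_to_eui64_iid(mac):
    """Modified EUI-64 (RFC 4291 appendix A): split the 48-bit MAC in two,
    insert ff:fe in the middle, flip the universal/local bit (0x02 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def random_iid():
    """RFC 4941 style temporary identifier: 64 random bits with the
    universal/local bit cleared (bit 57 of the 64-bit identifier)."""
    return int.from_bytes(os.urandom(8), "big") & ~(1 << 57)


def stable_opaque_iid(prefix, ifname, secret, dad_counter=0):
    """RFC 7217 style identifier (simplified; not the RFC's exact F() input):
    hash of prefix, interface, DAD counter and a per-host secret, so the
    identifier is stable on one network but unrelated across networks."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    data = (net.network_address.packed[:8] + ifname.encode()
            + bytes([dad_counter]) + secret)
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:8], "big") & ~(1 << 57)


def address_from_iid(prefix, iid):
    """Prefix (must be a /64) + 64-bit identifier = the full 128-bit address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC on Ethernet needs a /64: the identifier is 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_from_mac(mac):
    """What a host configures at boot, before any RA has arrived."""
    return address_from_iid("fe80::/64", mac_to_eui64_iid(mac))


def slaac_addresses(ra_prefix, mac, secret, ifname="eth0"):
    """The candidate addresses a host can derive from one advertised prefix.
    Each one is tentative until DAD (an NS sent from ::) finds no owner."""
    return {
        "eui64": address_from_iid(ra_prefix, mac_to_eui64_iid(mac)),
        "stable_opaque": address_from_iid(
            ra_prefix, stable_opaque_iid(ra_prefix, ifname, secret)),
        "temporary": address_from_iid(ra_prefix, random_iid()),
    }


def in_prefix(address, prefix):
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix, strict=False)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                       # constructed sample MAC
    print("link-local:", link_local_from_mac(mac))
    for kind, addr in slaac_addresses("2001:db8:1:2::/64", mac, b"host-secret").items():
        print("%-14s %s" % (kind, addr))
```

Run it twice with the same MAC and secret: the EUI-64 and stable addresses come out identical, the temporary one changes, and changing only the prefix changes the stable address, which is exactly the tracking property that makes EUI-64 the wrong default for laptops that roam between networks.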
SLAAC can provide DNS:
- RDNSS Option in Router Advertisements:
- Modern IPv6 routers can include the RDNSS option (RFC 8106) inside their RA messages. This option tells the client which DNS servers to use, so the client doesn't need DHCPv6 just to get DNS info; the same RFC defines the DNSSL option for the DNS search list.
- Support depends on Router and Client OS:
- Both the router and the client must support RDNSS in RA for this to work. Most modern OSes (like recent Linux, Windows, and macOS versions) support it.
DHCPv6
First of all, why is there DHCPv6 when IPv6 addresses can be assigned by SLAAC?
While SLAAC automatically assigns IPv6 addresses, it does not always provide:
- DNS server addresses: an RA can carry them via the RDNSS option, but routers and clients without RDNSS support still exist, and then DHCPv6 is the only way to get DNS addresses dynamically.
- Other configuration settings: devices may need additional configuration (DHCP options) for things like domain names, NTP servers, etc. SLAAC also cannot hand a whole prefix to a downstream router; that is a DHCPv6-only function (IA_PD, below).
That's why DHCPv6 still makes sense in many IPv6 deployments. The two are combined rather than exclusive: the RA's M (managed address) and O (other configuration) flags tell hosts whether to run DHCPv6 for addresses, for options only, or not at all, and the default router always comes from the RA, never from DHCPv6.
What are IA_NA and IA_PD in DHCPv6?
These are Identity Associations (IAs) used in DHCPv6 (Dynamic Host Configuration Protocol for IPv6, RFC 8415). They tell the DHCPv6 server what kind of lease the client is asking for. Every stateful request (Solicit, Request, Renew, Rebind) must include at least one IA:
- IA_NA for requesting a normal (non-temporary) address (there is also IA_TA for temporary addresses, which is rarely used).
- IA_PD for requesting a prefix.
Without IAs the DHCPv6 server does not know what kind of lease the client wants; the one exception is the stateless Information-request, which carries no IA and only fetches options such as DNS servers. IAs also carry lifetime information (T1/T2 renewal timers for the IA, valid/preferred lifetimes for each address or prefix inside it).
IA_NA = Identity Association for Non-temporary Addresses
- Purpose: request one or more stable (non-temporary) IPv6 addresses for the client.
- Typical use: Used by client devices to get a normal IPv6 address for an interface (like your laptop, server, or router WAN).
- Lifetime: Long-term, valid for as long as the lease allows.
- Analogy: Like getting a fixed IPv4 DHCP address.
IA_PD = Identity Association for Prefix Delegation
- Purpose: Ask for a whole IPv6 prefix (subnet) to use for downstream devices.
- Typical use: Used by routers or firewalls to get a /56, /60, or /64 prefix that can be split and assigned to LAN interfaces.
- Example: If your ISP delegates a /56, your router can assign /64 subnets to different internal networks.
- Lifetime: Long-term, like IA_NA.
The minimal dhcp6c.conf (the WIDE-DHCPv6 client, dhcp6c) just to get an IA_NA is this. The exchange runs over UDP from the client's link-local address (port 546) to the All_DHCP_Relay_Agents_and_Servers multicast address ff02::1:2 (port 547), so a firewall on the WAN interface must let that traffic through.
interface vmx0 {
    send ia-na 0;              # Request a non-temporary address (IA_NA with IAID 0)
};
id-assoc na 0 {
    # Configuration block for IAID 0; empty means accept the server's lifetimes
};
The dhcp6c.conf to get both an IA_NA and an IA_PD is this:
interface vmx0 {
    send ia-na 0;               # Request a non-temporary address (IA_NA, IAID 0)
    send ia-pd 1;               # Request a delegated prefix (IA_PD, IAID 1)
    send rapid-commit;          # Optional: two-message Solicit/Reply exchange instead of four
    send domain-name-servers;   # Ask for DNS servers in the Option Request Option, if the ISP provides them
};
id-assoc na 0 {
    # No additional settings needed unless you want to override lifetimes
};
id-assoc pd 1 {
    prefix-interface vmx2 {     # LAN interface that gets one /64 out of the delegated prefix
        sla-id 0;               # Subnet ID within the delegated prefix (e.g. which /64 of a /56)
    };
};
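To show what the configuration above actually puts on the wire, here is an added example (my own Python; not dhcp6c code, the post's code or the WIDE project's) that builds the Solicit that ia-na 0, ia-pd 1, rapid-commit and domain-name-servers translate to, parses a constructed server Reply carrying a /56, and works out which /64 sla-id 0 (and other IDs) selects from it, which is the same arithmetic behind the prefix-size table earlier in the post. Option codes and layouts are taken from RFC 8415; the DUID, the transaction ID, the address 2001:db8:1::10 and the delegated prefix 2001:db8:abcd::/56 are made-up sample data, and nothing is sent over the network.

```python
import ipaddress
import struct

SOLICIT, REPLY = 1, 7
OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_ORO = 1, 3, 5, 6
OPT_ELAPSED_TIME, OPT_RAPID_COMMIT = 8, 14
OPT_DNS_SERVERS, OPT_DOMAIN_LIST, OPT_IA_PD, OPT_IAPREFIX = 23, 24, 25, 26


def opt(code, data=b""):
    """One DHCPv6 option: 16-bit code, 16-bit length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def ia(code, iaid, t1=0, t2=0, sub=b""):
    """IA_NA and IA_PD share one layout: IAID, T1, T2, then nested options."""
    return opt(code, struct.pack("!III", iaid, t1, t2) + sub)


def build_solicit(xid, duid):
    """Client Solicit equivalent to the dhcp6c.conf above (sent to ff02::1:2, UDP 547)."""
    return (bytes([SOLICIT]) + xid.to_bytes(3, "big")
            + opt(OPT_CLIENTID, duid)
            + opt(OPT_ELAPSED_TIME, b"\x00\x00")
            + ia(OPT_IA_NA, 0)                        # send ia-na 0
            + ia(OPT_IA_PD, 1)                        # send ia-pd 1
            + opt(OPT_RAPID_COMMIT)                   # send rapid-commit
            + opt(OPT_ORO, struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST)))  # send domain-name-servers


def build_reply(xid, duid, address, delegated):
    """Constructed server Reply: one IAADDR in IA_NA 0, one IAPREFIX in IA_PD 1."""
    pref, valid = 3600, 7200
    iaaddr = opt(OPT_IAADDR, ipaddress.IPv6Address(address).packed + struct.pack("!II", pref, valid))
    net = ipaddress.IPv6Network(delegated)
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", pref, valid, net.prefixlen) + net.network_address.packed)
    return (bytes([REPLY]) + xid.to_bytes(3, "big") + opt(OPT_CLIENTID, duid)
            + ia(OPT_IA_NA, 0, 1800, 2880, iaaddr) + ia(OPT_IA_PD, 1, 1800, 2880, iaprefix))


def parse_options(data):
    """Flat TLV walk returning [(code, payload), ...]; rejects truncated options
    instead of reading past the end, which is where option parsers usually break."""
    out, i = [], 0
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError("truncated option header at offset %d" % i)
        code, length = struct.unpack_from("!HH", data, i)
        i += 4
        if i + length > len(data):
            raise ValueError("option %d claims %d bytes past end of message" % (code, length))
        out.append((code, data[i:i + length]))
        i += length
    return out


def parse_message(msg):
    if len(msg) < 4:
        raise ValueError("DHCPv6 message shorter than its 4-byte header")
    return msg[0], int.from_bytes(msg[1:4], "big"), parse_options(msg[4:])


def delegated_prefixes(msg, xid, duid):
    """Every IAPREFIX inside every IA_PD of a Reply addressed to this client.
    Transaction ID and Client ID must match, otherwise the Reply is not ours."""
    mtype, got_xid, options = parse_message(msg)
    if mtype != REPLY or got_xid != xid or (OPT_CLIENTID, duid) not in options:
        raise ValueError("not a Reply for our Solicit")
    found = []
    for code, payload in options:
        if code != OPT_IA_PD:
            continue
        for sub_code, sub in parse_options(payload[12:]):      # skip IAID, T1, T2
            if sub_code == OPT_IAPREFIX:
                pref, valid, plen = struct.unpack_from("!IIB", sub, 0)
                prefix = ipaddress.IPv6Address(sub[9:25])
                found.append((ipaddress.IPv6Network("%s/%d" % (prefix, plen)), pref, valid))
    return found


def sla_subnet(delegated, sla_id):
    """The /64 that 'prefix-interface vmx2 { sla-id N; }' carves out of the
    delegated prefix: N fills the bits between the delegated length and /64."""
    sla_bits = 64 - delegated.prefixlen
    if sla_bits < 0 or sla_id >= (1 << sla_bits):
        raise ValueError("sla-id %d does not fit in %d bits" % (sla_id, sla_bits))
    return ipaddress.IPv6Network((int(delegated.network_address) | (sla_id << 64), 64))


if __name__ == "__main__":
    duid = b"\x00\x03\x00\x01" + bytes.fromhex("001122334455")   # DUID-LL with a sample MAC
    xid = 0xABCDEF
    print("solicit bytes:", build_solicit(xid, duid).hex())
    reply = build_reply(xid, duid, "2001:db8:1::10", "2001:db8:abcd::/56")
    for net, pref, valid in delegated_prefixes(reply, xid, duid):
        print("delegated", net, "preferred", pref, "valid", valid)
        for sla_id in (0, 1, 255):
            print("  sla-id %3d -> %s" % (sla_id, sla_subnet(net, sla_id)))
```

A /56 leaves 8 bits for the subnet ID, so sla-id can be 0 to 255; with a /60 only 16 /64s are available and with a /64 there is nothing left to split, which is why the sla_subnet check refuses IDs that do not fit rather than silently wrapping into a neighbour's prefix.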
Unique Local Addresses
A ULA (Unique Local Address) prefix in IPv6 is a private address block used within a site or organization, similar to IPv4's 10.0.0.0/8, 192.168.0.0/16 and so on; it is freely routable inside the site but must not be routed on the public Internet.
The range fc00::/7 is reserved for Unique Local Addresses (RFC 4193).
Range fc00::/7 is split into two /8 blocks:
- fc00::/8 (L bit = 0): reserved for future use, currently undefined
- fd00::/8 (L bit = 1): locally assigned; the 40 bits after fd are a pseudo-random Global ID, giving each site a /48 to carve into /64 subnets
So for private use, generate a prefix inside fd00::/8 with a random Global ID as RFC 4193 describes (fdxx:xxxx:xxxx::/48), rather than hand-picking something short like fd00::/48: the randomness is what keeps two independently numbered sites from colliding when they are later joined by a VPN or a merger.
These addresses:
- Are not routed on the public Internet
- Are safe to use in your LAN or data center
- Work well with SLAAC, DHCPv6, and static assignments
Documentation and Examples Addresses
There is another IPv6 prefix, 2001:db8::/32, which is not globally routed.
It is reserved (RFC 3849) for documentation and example purposes: tutorials, manuals, blog posts like this one. It must not appear in real networks, and it is worth filtering at the border along with ULA, because a packet carrying it is either a misconfiguration or a spoofed source. RFC 9637 added a second, larger documentation block, 3fff::/20.
For local, non-routable subnets, a ULA prefix (fd00::/8) should be used.
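As an added example (my own Python, not from the post), the RFC 4193 procedure for generating a locally assigned ULA prefix, plus a small classifier that tells ULA, link-local, documentation and global addresses apart, which is the check a border filter or a log parser needs before trusting a source address. The zero timestamp and all-zero EUI-64 used in the tests are constructed inputs; in real use take the current time and the host's EUI-64 (or random bytes), as new_site_prefix does.

```python
import hashlib
import ipaddress
import os
import time

NTP_EPOCH_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01


def ula_prefix(ntp_time, eui64):
    """RFC 4193 section 3.2.2: Global ID = least significant 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64); the prefix is fd + Global ID, a /48."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = digest[-5:]
    return ipaddress.IPv6Network((bytes([0xFD]) + global_id + bytes(10), 48))


def ntp_now():
    """Current time in 64-bit NTP format (32-bit seconds, 32-bit fraction)."""
    now = time.time()
    whole = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    return (whole << 32) | frac


def new_site_prefix(eui64=None):
    """Run once per site and record the result; random bytes stand in for
    the EUI-64 when no stable hardware identifier is at hand."""
    return ula_prefix(ntp_now(), eui64 or os.urandom(8))


# Most specific first: the order matters where blocks nest (2001:db8::/32 and
# 3fff::/20 both lie inside the 2000::/3 global unicast space).
SPECIAL_BLOCKS = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("IPv4-mapped", ipaddress.IPv6Network("::ffff:0:0/96")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("ULA locally assigned (fd00::/8)", ipaddress.IPv6Network("fd00::/8")),
    ("ULA reserved (fc00::/8)", ipaddress.IPv6Network("fc00::/8")),
    ("documentation (2001:db8::/32)", ipaddress.IPv6Network("2001:db8::/32")),
    ("documentation (3fff::/20)", ipaddress.IPv6Network("3fff::/20")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]


def classify(text):
    """Name the block an address falls in; anything outside the list is unassigned."""
    addr = ipaddress.IPv6Address(text)
    for name, net in SPECIAL_BLOCKS:
        if addr in net:
            return name
    return "unassigned"


def allowed_across_border(text):
    """Border filter rule: only global unicast may enter or leave the site.
    ULA, documentation and link-local sources here mean misconfiguration or spoofing."""
    return classify(text) == "global unicast"


if __name__ == "__main__":
    print("new site prefix:", new_site_prefix())
    # constructed samples: the post's ULA example, a link-local, a documentation
    # address and a public resolver
    for sample in ("fd12:3456:789a:1111::1", "fe80::1", "2001:db8::1", "2001:4860:4860::8888"):
        print("%-24s %-32s border: %s" % (sample, classify(sample), allowed_across_border(sample)))
```

The generator is deliberately not reversible into anything meaningful: the timestamp and EUI-64 only feed the hash so that two sites generating prefixes independently are very unlikely to pick the same 40 bits, which is the whole reason RFC 4193 tells you not to choose the Global ID by hand.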
IPv6 Public DNS Servers
If you need publicly available IPv6 DNS servers read blog post Public DNS Servers (Resolvers).