/64 or smaller per VLAN

etamminga
Spotlight

Hi,

A while back the general advice was to assign a /64 for each and every VLAN. I still believe this to be true and correct advice for all VLANs that connect end-users (because of auto address features and temporary addresses).

But is this still true, best practice, for networks that do not serve end-users, like transit networks between routers, server networks or even networks for ip-phones?

What protocols cannot handle networks with masks larger (more bits in mask) /64?

Any other reasons that should stop me from assigning, let's say /120's ?

(The reason for this question is that we see providers assigning /56 PA address blocks, and these only leave room for 256 VLANs when only using /64s.)

Regards,

Erik

Sent from Cisco Technical Support iPad App

9 Replies

Leo Laohoo
Hall of Fame
A while back the general advice was to assign a /64 for each and every VLAN

/64????  /256???? 

What year is it today?  Where am I?   Did I wake up in the twilight zone?

Please have a look at the text on your personal avatar!

If you are saying you sent me a PM then I don't see it.

Anyway, there is no such thing as a /56, /64, /120.  You are probably meaning a /26 subnet mask.  But there is no subnet mask for "/56" or "/120".

Well, this is IPv6 we're talking about. It supports 128 bits. Welcome to the wonderful world of IPv6!

There is no reason why you can't use /120 or /112 or /126 or /127 (p2p router-to-router link).

As far as I know, all Cisco and Juniper routers support any of the above masks including /127 (I prefer to use this on p2p WAN links when I know there are only two devices/routers connected to each other).

Regards,

Chintan

One important recommendation to use smaller networks than /64 comes from the security side:

The table exhaustion attack is a way to overflow an IPv6 router's neighbor table by sending packets from every possible address in the subnet in rapid succession. With a /120 subnet (the IPv6 version of a /24) this is not possible because the router can easily store 254 entries. At least for public networks it makes sense to not use /64 for this reason.

The workaround for not being able to use SLAAC will eventually be the more widespread use of DHCP in IPv6 networks; this can be used with every mask you can think of.

regards,

Leo
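Leo's point above (a /64 holds far more addresses than any neighbor cache can store, while a /120 does not) can be checked with the following added example; it is not code from this thread. It assumes a hypothetical cache limit of 4096 entries and parses a constructed sample in the format of Linux `ip -6 neigh show`, counting unresolved entries per interface, which is the symptom a defender would alert on.

```python
import ipaddress
import re
from collections import Counter

# Neighbor-cache capacity used for illustration only (hypothetical figure,
# not a value from the thread or from any specific router model).
NEIGHBOR_CACHE_LIMIT = 4096


def prefix_exposure(prefix: str, cache_limit: int = NEIGHBOR_CACHE_LIMIT) -> dict:
    """Compare a prefix's address space with a neighbor-cache limit.

    Sweeping every address in the prefix can only fill the cache if the
    prefix holds more addresses than the cache can store.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    total = net.num_addresses
    return {"prefix": str(net), "addresses": total, "exhaustible": total > cache_limit}


# Constructed sample in the shape of `ip -6 neigh show` output (not real data).
SAMPLE_NEIGH = """\
2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::2 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::a1 dev eth0  INCOMPLETE
2001:db8:1::a2 dev eth0  INCOMPLETE
2001:db8:1::a3 dev eth0  FAILED
2001:db8:2::1 dev eth1 lladdr 00:11:22:33:44:77 REACHABLE
"""

# address, interface, optional link-layer address, NUD state
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr \S+)?\s+(\w+)$")


def unresolved_per_interface(neigh_output: str) -> Counter:
    """Count INCOMPLETE/FAILED neighbor entries per interface.

    A sudden growth of unresolved entries on one interface is the signal
    to alert on when a large prefix is being swept.
    """
    counts: Counter = Counter()
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3) in {"INCOMPLETE", "FAILED"}:
            counts[m.group(2)] += 1
    return counts


if __name__ == "__main__":
    for p in ("2001:db8:1::/64", "2001:db8:1::/120", "2001:db8:1::/127"):
        print(prefix_exposure(p))
    print(dict(unresolved_per_interface(SAMPLE_NEIGH)))
```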

Hi Leo,

Thanks for the answer. Security wasn't one of the aspects I thought about as being a pro for smaller subnets. The other way around is more often thought of (hard to guess addresses, temporary addresses).

What about PIM? I understood it had some limitations when not using /64s. Is this still true?

Regards,

Erik

Sent from Cisco Technical Support iPad App

Well, this is IPv6 we're talking about. It supports 128 bits. Welcome to the wonderful world of IPv6!

COOL!

fb_webuser
Level 6

RFC 3177 caused a lot of noise in the community. Check out RFC 6177, which addresses this to a certain degree. Also, check out RFC 6164, which examines and advocates the use of /127 prefixes on P2P links.

The VLAN-to-IPv6 logic makes sense as long as you have a 1:1 VLAN/subnet relationship; that could change. And that scheme wouldn't work for WAN P2P links, as they don't usually have a VLAN ID. If you are dual stacking, you could embed the IPv4 address inside the IPv6 address space to make it a bit easier to read.

My advice would be to subnet and use DHCPv6 if you need more subnets, but don't try to make a "system" that correlates with other technologies; it won't scale and it probably won't last. So, my choice would be better management and network automation, so I wouldn't have to remember any kind of mappings between switch numbers, IP addresses or VLAN numbers. Remember that the mobility trend (LISP, etc.) will render all those kinds of systems useless.

In the end, what makes sense to me is to have a decent IPAM solution and a proper naming scheme instead of obsessing with address formatting. After all, your network consists of several thousand MAC addresses without any corporate-based naming scheme, and still we are able to manage these.

HTH

---

Posted by WebUser Atle Ørn Hardarson
