Cisco Support Community
Bronze

IPv6 internet routing question. To NAT or to Route

Hello!

I've gotten 2 /56 block of IPv6 addresses from our ISP. We're in the process of rolling out a new website and along with that I'm pushing that we create our IPv6 presence at the same time. 

My question is in regard to routing vs. NAT-ing. In my "Internet" environment, the space between my ISP routers and my firewalls, I have configured one of my 256 /64 networks, 2001:XXXX:YY:100::1/64. That would mean my firewall could be 2001:XXXX:YY:100::B/64. My web servers sit in a DMZ off my firewall.

Should I:

A. Provision a random IPv6 subnet in the DMZ and use the firewall to NAT to an IP in the 2001:XXXX:YY:100::/64 range. I thought one of the points of IPv6 was to do away with NAT.

B. Provision the 2001:XXXX:YY:101::/64 network in the DMZ and ROUTE to the DMZ server. I am thinking this is the solution, but what protocol to use? I'm guessing I advertise my /56 via BGP to the ISP, and use what? OSPFv3 between internet routers and firewalls? Use static routes? Is there anything that's considered 'best practice' for this type of situation?

To Route or to NAT?

Accepted Solutions
New Member

Hi,

If I understand correctly, you have a /64 on the external interface of your firewall facing your ISP.

You should not use stateless autoconfiguration (SLAAC) on your DMZ. Set up your servers statically.

Also, there is no NAT in IPv6; just ensure your stateful firewall handles IPv6 OK, taking special care with ICMPv6.

That means you should use a /64 from your /56 for your DMZ. No NAT.

Whether you set up a static route towards your firewall to reach your DMZ from outside the firewall depends on your network design.

Whether you use BGP with your ISP depends on what you agreed with your ISP. Has your ISP set up a static route of your /56 on their router to you, or are they expecting you to use BGP?

Hope this helps.

mark
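
The ICMPv6 point in the answer above comes down to which message types the firewall forwards to and from the DMZ. As an added example (not code from the thread or from any Cisco product), here is a stateless Python sketch of that decision based on the RFC 4890 transit recommendations. It assumes 2001:db8:0:101::/64 as a stand-in for the masked DMZ prefix, and the names `decide`, `SAMPLES` and `run_samples` are hypothetical; a real stateful firewall would additionally match error messages to existing flows.

```python
import ipaddress

# Constructed stand-in for the DMZ /64 the thread masks as 2001:XXXX:YY:101::/64.
DMZ = ipaddress.ip_network("2001:db8:0:101::/64")

# RFC 4890 sections 4.3.1-4.3.2: error messages a firewall should forward.
# ICMPv6 type -> permitted codes (None means every code).
TRANSIT_ERRORS = {
    1: None,       # Destination Unreachable
    2: None,       # Packet Too Big (path MTU discovery fails without it)
    3: {0, 1},     # Time Exceeded
    4: {0, 1, 2},  # Parameter Problem
}
ECHO = {128, 129}  # Echo Request / Echo Reply
# Link-scoped messages (MLD, neighbor discovery, redirect): needed on the
# firewall's own links, never legitimately forwarded between networks.
LINK_SCOPED = {130, 131, 132, 133, 134, 135, 136, 137, 143}


def decide(icmp_type, code, src, dst):
    """Return 'permit' or 'deny' for an ICMPv6 packet the firewall would forward."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (src in DMZ) == (dst in DMZ):
        return "deny"  # does not cross the DMZ boundary
    if src.is_link_local or dst.is_link_local or icmp_type in LINK_SCOPED:
        return "deny"
    if icmp_type in TRANSIT_ERRORS:
        codes = TRANSIT_ERRORS[icmp_type]
        return "permit" if codes is None or code in codes else "deny"
    return "permit" if icmp_type in ECHO else "deny"


# Constructed sample packets: (type, code, source, destination).
SAMPLES = [
    (2, 0, "2001:db8:ffff::1", "2001:db8:0:101::10"),    # Packet Too Big to server
    (128, 0, "2001:db8:ffff::1", "2001:db8:0:101::10"),  # ping to server
    (134, 0, "2001:db8:ffff::1", "2001:db8:0:101::10"),  # forwarded router advert
    (135, 0, "fe80::1", "2001:db8:0:101::10"),           # link-local neighbor solicit
    (139, 0, "2001:db8:ffff::1", "2001:db8:0:101::10"),  # node information query
]

def run_samples():
    return [decide(*pkt) for pkt in SAMPLES]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(pkt, "->", verdict)
```
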


Bronze

Thanks for the insight Mark.

Right now my ISP is static routing to my internet router. I think for now I'll just use static routes in this environment and go from there.
