I need a small /124 network for routing topology so I can use my IPv6 assigned by my service provider. Since these are Global Unicast addresses, I want to assign them to my servers; however, I need a transient network that is connected to my edge router and the devices down stream, since my IPv6 network is not all Global Public addresses.
Due to the latter, does Fortigate distinguish differences (i know some vendors do) for routing between Link Local and unique Local?
Solved! Go to Solution.
yes you good to go, unique local or site local is what you should use for this. Nobody uses site-local in lew of ULA. If you want to prevent leakages of these, ensure you filter at the internet edge& if required.
Make sure to unique use global id for the ULA if you planning to encompass multiple sites. This will prevent later headaches with duplication of address or if you do the top-half assign the global-id part manually ( is what I do ) or use a generator to make the work easiler.
e.g
https://www.ultratools.com/tools/rangeGenerator
or
YMMV but ULA is what you want.
And in your drawging I would generate a ULA for site and waste a /64 on each link
link1
fd03:f9b7:256f:0::/64link2
fd03:f9b7:256f:1::/64
link3
fd03:f9b7:256f:2::/64
and so on, it's a waste of addresses to use /64, but who cares it ipv6 and ULAs ;)
Ken Felix
PCNSE
NSE
StrongSwan
I believe you can use unique-local fwiw.That is what it's was designed for.
I've never personally use them since we have plenty of ipv6 blocks or assignments. Keep in mind traceroute6 might show weird stuff and you can't leak this to the public ipv6 backbone.
So unless it states locally to your org, I say go aheadand use unique-local.
Ken Felix
PCNSE
NSE
StrongSwan
@emnoc
Hi....Thank you for your conversation on this matter.
From what I understand unique Local addresses can be routed within your network; however, Link Local cannot. Due tot he latter, would that not be the best, since I just need a point to point link - which would be a /30 in IPv4 speak?
emnoc wrote:That is OK because and not really worried about it since you see some ISP routing their traffic through RFC1918 blocks, which is doable if you do not NAT. To be honest, not sure if there is a mechanical in IPv6 that automatically stops routing Unique Local addresses externally. But Link Local would never be routed external or even through another hop for that matter. Due to the latter, this is why I was thinking about using it.
Keep in mind traceroute6 might show weird stuff and
yes you good to go, unique local or site local is what you should use for this. Nobody uses site-local in lew of ULA. If you want to prevent leakages of these, ensure you filter at the internet edge& if required.
Make sure to unique use global id for the ULA if you planning to encompass multiple sites. This will prevent later headaches with duplication of address or if you do the top-half assign the global-id part manually ( is what I do ) or use a generator to make the work easiler.
e.g
https://www.ultratools.com/tools/rangeGenerator
or
YMMV but ULA is what you want.
And in your drawging I would generate a ULA for site and waste a /64 on each link
link1
fd03:f9b7:256f:0::/64link2
fd03:f9b7:256f:1::/64
link3
fd03:f9b7:256f:2::/64
and so on, it's a waste of addresses to use /64, but who cares it ipv6 and ULAs ;)
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.