Optimizing IPv6 VLAN Subnetting for Multi-Segment Networks: Practical Implementation with RADIUS Assignment


When implementing IPv6 in complex network architectures, VLAN segmentation presents unique challenges compared to IPv4. The fundamental difference lies in IPv6's design, where a /64 is the smallest subnet that keeps the full feature set working, primarily because:

  • Stateless Address Autoconfiguration (SLAAC, RFC 4862) forms addresses from a 64-bit interface identifier, so it only works on a /64
  • The other address-generation schemes that ride on Neighbor Discovery (EUI-64, temporary/privacy addresses) are specified around that same 64-bit identifier
  • Hosts only autoconfigure from a router-advertised prefix whose length plus the 64-bit identifier equals 128, so an RA prefix of any other length is ignored for SLAAC purposes

Many network engineers try to implement IPv6 VLANs by dividing a single /64 across multiple VLANs, which breaks several IPv6 mechanisms. Consider this problematic configuration, two /68s carved out of 2001:db8:1::/64:


# BAD PRACTICE: Dividing /64 across VLANs
VLAN 10: 2001:db8:1::/68
VLAN 20: 2001:db8:1:0:1000::/68

This approach fails because:

  • SLAAC cannot function with prefixes longer than /64: hosts ignore a /68 in an RA for autoconfiguration, so every address has to be static or come from stateful DHCPv6
  • The /64 is no longer one link, so if any router still advertises it (with the A or L flag) hosts in VLAN 10 believe VLAN 20 hosts are on-link and neighbor discovery for them simply fails
  • Many platforms (hardware forwarding tables, ND-related features) assume one /64 per link, so behaviour with longer prefixes is inconsistent across vendors and router advertisements end up carrying non-standard prefix lengths per VLAN

The correct implementation assigns each VLAN its own /64 prefix while maintaining routing separation:


# Correct VLAN IPv6 addressing
VLAN 10 (Servers): 2001:db8:1::/64
VLAN 20 (VPN): 2001:db8:2::/64
VLAN 30 (DMZ): 2001:db8:3::/64

For dynamic VLAN assignment (802.1X or MAB) while maintaining consistent addressing, have RADIUS return the VLAN with the standard Tunnel-* attributes (RFC 3580); the per-VLAN /64 then follows from the VLAN the switch places the port in:


# Sample FreeRADIUS users-file entry for VLAN assignment
# Only the three Tunnel-* attributes drive an 802.1X switch; Framed-IPv6-Prefix is
# informational here and only acted on by a NAS that routes the session itself
DEFAULT Service-Type == Framed-User
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 10,
    Framed-IPv6-Prefix = "2001:db8:1::/64"

Control inter-VLAN communication using IPv6 ACLs on your L3 switch/router. Note that an IOS IPv6 ACL ends with implicit permits for neighbor solicitation/advertisement before the implicit deny; an explicit `deny ipv6 any any` removes those, so neighbor discovery must be permitted explicitly or the VLAN stops working:


# Cisco IOS example for selective VLAN routing (servers may reach the DMZ only)
ipv6 access-list VLAN-ACL
    permit ipv6 2001:db8:1::/64 2001:db8:3::/64
    ! keep neighbor discovery alive: the explicit deny below overrides the implicit ND permits
    permit icmp any any nd-ns
    permit icmp any any nd-na
    permit icmp any any router-solicitation
    deny ipv6 any any log
interface Vlan10
    ipv6 traffic-filter VLAN-ACL in

For flexible client addressing within VLANs, consider these options:

  • Stateful DHCPv6 (IA_NA) when you need to control and log which address each client gets; Prefix Delegation (IA_PD) is for downstream routers that need their own prefixes, not for host addresses
  • SLAAC with RDNSS (RFC 8106) for stateless configuration without a DHCPv6 server
  • Hybrid approach: SLAAC for the address plus stateless DHCPv6 (the O flag) for options, or different mechanisms per device class

Here's a complete configuration snippet for a Juniper switch implementing our solution (the shared secret and the access-port name are placeholders):


set vlans SERVERS vlan-id 10
set vlans SERVERS l3-interface irb.10
set interfaces irb unit 10 family inet6 address 2001:db8:1::1/64
set protocols router-advertisement interface irb.10 prefix 2001:db8:1::/64
set access radius-server 192.0.2.1 port 1812
set access radius-server 192.0.2.1 accounting-port 1813
set access radius-server 192.0.2.1 secret "<shared-secret>"
set access profile RADIUS_VLAN_CLASSIFIER authentication-order radius
set access profile RADIUS_VLAN_CLASSIFIER radius authentication-server 192.0.2.1
set protocols dot1x authenticator authentication-profile-name RADIUS_VLAN_CLASSIFIER
set protocols dot1x authenticator interface ge-0/0/0 supplicant multiple

Asymmetric routing in distributed environments (traffic leaving through one L3 device and returning through another) breaks stateful firewalls and strict uRPF. To prevent it:

  1. Implement consistent routing policies across all L3 devices
  2. Use route tagging for path identification
  3. Enable uRPF (Unicast Reverse Path Forwarding) as an anti-spoofing check, in strict mode only where paths are known to be symmetric; strict uRPF drops legitimate return traffic on asymmetric paths, so use loose mode on links that may see them

Linux has no IPv6 rp_filter sysctl (net.ipv4.conf.*.rp_filter is IPv4-only); the IPv6 equivalent is the netfilter rpfilter match (or the nftables `fib saddr . iif oif missing` expression):

# Linux uRPF example (IPv6)
sysctl -w net.ipv6.conf.all.forwarding=1
# strict: drop packets whose source would not be routed back out the ingress interface
ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
# loose (for links with asymmetric paths): source only has to be reachable via some interface
# ip6tables -t raw -A PREROUTING -m rpfilter --loose --invert -j DROP

When transitioning existing IPv4 VLANs to IPv6:

  • Maintain parallel numbering schemes where possible (VLAN 10 = 2001:db8:10::/64)
  • Use dual-stack during transition period
  • Gradually shift services to IPv6 while monitoring performance

When working with IPv6 in a multi-VLAN environment, the traditional /64 boundary presents unique challenges. Unlike IPv4 where we routinely subnet into smaller blocks, IPv6's design assumes each broadcast domain (VLAN) should get its own /64 prefix. But what if you need to maintain a single /64 prefix across multiple VLANs?

The /64 prefix length is fundamental in IPv6 for several reasons:

1. SLAAC (Stateless Address Autoconfiguration) requires /64
2. EUI-64 interface identifiers use 64 bits
3. Many IPv6 features break with longer prefixes (smaller subnets)

This creates tension when you want VLAN separation while maintaining address consistency.

Here are three viable approaches I've tested in production environments:

Option 1: Multiple /64 Prefixes (Recommended)

Request a larger prefix (like /56) from your provider and assign /64 per VLAN:

# Example prefix delegation
2001:db8:1234:1000::/56
  - VLAN 10: 2001:db8:1234:1001::/64
  - VLAN 20: 2001:db8:1234:1002::/64
  - VLAN 30: 2001:db8:1234:1003::/64

This maintains proper IPv6 functionality while giving you VLAN separation.

Option 2: Single /64 with VLAN-based Suffixes

If you must use a single /64, you can encode the VLAN ID in the interface identifier and route a more-specific block per VLAN. This only works with stateful DHCPv6 (no SLAAC, since hosts no longer derive their own identifiers), the RA must not mark the /64 as on-link (otherwise hosts in different VLANs believe each other to be directly reachable and neighbor discovery across the VLAN boundary fails), and the gateway needs a route for each VLAN's sub-block, a /80 in this layout. Treat it as a last resort.

# RADIUS attribute for VLAN 10
Tunnel-Private-Group-ID = "10"
Framed-IPv6-Prefix = "2001:db8:1234:5678::/64"
# Client gets an address like (DHCPv6-assigned, VLAN ID in the first 16 bits of the IID):
2001:db8:1234:5678::a:xxxx:xxxx:xxxx

Where 'a' represents VLAN 10 in hex, so VLAN 10 owns 2001:db8:1234:5678:a::/80. This requires custom DHCPv6 configuration (a per-VLAN address pool within the shared /64).
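As an added example (not code from the original page), the following Python helpers implement both addressing schemes above and the /64 sanity check from the start of the page: vlan_prefixes() derives one /64 per VLAN from a larger block using the "VLAN number written as the hex group" mnemonic from the transition advice, check_plan() flags the split-/64 mistake, and the two Option 2 helpers carve the per-VLAN /80 out of a single /64 and recover the VLAN from an address. The parent blocks and VLAN IDs used are assumed values, and all prefixes are documentation addresses.

```python
import ipaddress

# Added example, not code from the original page. Option 1 derives one /64 per
# VLAN from a larger block with the "VLAN number as hex group" mnemonic; Option 2
# carves a per-VLAN /80 out of one shared /64 by placing the VLAN ID in the first
# 16 bits of the interface identifier. check_plan() catches the split-/64 mistake.
# All prefixes are RFC 3849 documentation addresses; VLAN IDs are assumed.


def vlan_prefixes(parent, vlan_ids):
    """Option 1: return {vlan_id: /64} with the VLAN number written literally as hex
    (VLAN 10 -> ...:10::/64, VLAN 200 -> ...:200::/64)."""
    net = ipaddress.IPv6Network(parent)
    if net.prefixlen > 64:
        raise ValueError("parent block must be /64 or shorter")
    capacity = 2 ** (64 - net.prefixlen)          # how many /64s the block holds
    plan = {}
    for vid in vlan_ids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} is not a valid 802.1Q ID")
        index = int(str(vid), 16)                 # "10" read as hex -> 0x10
        if index >= capacity:
            raise ValueError(f"VLAN {vid} needs /64 number 0x{index:x}; {parent} only has {capacity}")
        plan[vid] = ipaddress.IPv6Network((int(net.network_address) + (index << 64), 64))
    return plan


def check_plan(parent, prefixes):
    """Return a list of problems: prefixes longer than /64 (SLAAC, RFC 4862, needs a
    64-bit IID), prefixes outside the parent block, and VLANs whose prefixes overlap."""
    net = ipaddress.IPv6Network(parent)
    problems, seen = [], []
    for name, p in prefixes.items():
        n = ipaddress.IPv6Network(p)
        if n.prefixlen > 64:
            problems.append(f"{name}: /{n.prefixlen} is longer than /64, SLAAC will not work")
        if not n.subnet_of(net):
            problems.append(f"{name}: {n} is outside {net}")
        for other_name, other in seen:
            if n.overlaps(other):
                problems.append(f"{name}: {n} overlaps {other_name} {other}")
        seen.append((name, n))
    return problems


def vlan_block_in_shared_64(prefix64, vid):
    """Option 2: the /80 the gateway must route for this VLAN inside one shared /64."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("Option 2 starts from exactly one /64")
    return ipaddress.IPv6Network((int(net.network_address) | (vid << 48), 80))


def vlan_from_address(address):
    """Recover the VLAN ID encoded in bits 64-79 of an Option 2 address."""
    return (int(ipaddress.IPv6Address(address)) >> 48) & 0xFFFF


if __name__ == "__main__":
    for vid, pfx in vlan_prefixes("2001:db8:1234:1000::/56", [10, 20, 30]).items():
        print(f"VLAN {vid}: {pfx}")
    bad = {"VLAN 10": "2001:db8:1::/68", "VLAN 20": "2001:db8:1:0:1000::/68"}
    print(check_plan("2001:db8:1::/64", bad))
    print(vlan_block_in_shared_64("2001:db8:1234:5678::/64", 10))
```

The capacity check in vlan_prefixes() is what bites in practice: because the VLAN number is read as hex, VLAN 100 needs /64 number 0x100 = 256, which a /56 (256 subnets) cannot hold, so the mnemonic only scales past two-digit VLANs with a /48 or shorter.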

Option 3: NPTv6 (Network Prefix Translation, RFC 6296)

For external-facing VLANs, NPTv6 maps an internal /64 one-to-one onto a different external prefix of the same length. It is stateless and checksum-neutral, so it needs no connection table, but for the same reason it is not a security boundary: packets arriving for the external prefix are translated and forwarded unless a firewall in front of it says otherwise.

# Cisco IOS-XE NAT66 (NPTv6) example; the outside interface name is a placeholder
nat66 prefix inside 2001:db8:1234:1001::/64 outside 2001:db8:5678:1001::/64
interface Vlan10
  nat66 inside
interface GigabitEthernet0/0/0
  nat66 outside

Here's a sample FreeRADIUS configuration for VLAN assignment:

# /etc/freeradius/users
# A bare DEFAULT entry puts every authenticated user in VLAN 10; real deployments
# key the Tunnel-Private-Group-ID on group membership or certificate attributes
DEFAULT
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 10,
    Framed-IPv6-Prefix = "2001:db8:1234:1001::/64",
    Service-Type = Framed-User
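To make concrete what the switch or AP does with the two FreeRADIUS entries on this page (the Service-Type-keyed one earlier and the DEFAULT one just above), here is an added example, not code from the original page or from FreeRADIUS: a minimal encoder and verifier for the Access-Accept carrying the Tunnel-* attributes. The attribute numbers and wire formats are from RFC 2865, RFC 2868, RFC 3162 and RFC 3580; the shared secret, request authenticator and packet ID are constructed test values. The security-relevant part is verify_and_parse(): a NAS must check the Response Authenticator against the shared secret before honouring the VLAN, otherwise anyone who can inject a UDP reply can move a port into whatever VLAN they like.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example (not from the original page or FreeRADIUS): encode and verify the
# RADIUS Access-Accept a NAS receives when the server returns VLAN attributes.
# Wire formats: RFC 2865 (packet), RFC 2868 (tagged Tunnel-* attributes),
# RFC 3162 (Framed-IPv6-Prefix), RFC 3580 (Tunnel-Type VLAN = 13).
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64               # tagged integer
TUNNEL_MEDIUM_TYPE = 65        # tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # tagged string carrying the VLAN ID
FRAMED_IPV6_PREFIX = 97
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type, value):
    # Type (1 byte) + Length (1 byte, includes this 2-byte header) + Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, value, tag=0):
    # RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, value, tag=0):
    # RFC 2868 tagged string: the tag byte is only recognised if it is 0x00..0x1F
    return _avp(attr_type, bytes([tag]) + value.encode())


def framed_ipv6_prefix(prefix):
    # RFC 3162: Reserved (1 byte, 0) + Prefix-Length (1 byte) + prefix bytes
    net = ipaddress.IPv6Network(prefix)
    return _avp(FRAMED_IPV6_PREFIX, bytes([0, net.prefixlen]) + net.network_address.packed)


def build_access_accept(ident, request_auth, secret, attrs):
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_and_parse(packet, request_auth, secret):
    """Reject replies that are malformed or not authenticated with our shared secret,
    then return {attribute_type: decoded_value} for the attributes we care about."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: reply was not produced with our secret")
    parsed, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            parsed[attr_type] = int.from_bytes(value[1:], "big")          # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            parsed[attr_type] = (value[1:] if value[:1] <= b"\x1f" else value).decode()
        elif attr_type == FRAMED_IPV6_PREFIX:
            addr = ipaddress.IPv6Address(value[2:].ljust(16, b"\0"))   # prefix bytes may be truncated
            parsed[attr_type] = f"{addr}/{value[1]}"
    return parsed


def assigned_vlan(parsed):
    # RFC 3580: honour Tunnel-Private-Group-ID only when the tunnel is an IEEE-802 VLAN
    if (parsed.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and parsed.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
        return parsed.get(TUNNEL_PRIVATE_GROUP_ID)
    return None


# Constructed values for a stand-alone run (assumed secret and request authenticator)
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
VLAN_ATTRS = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
              + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
              + tagged_string(TUNNEL_PRIVATE_GROUP_ID, "10")
              + framed_ipv6_prefix("2001:db8:1234:1001::/64"))


def demo():
    reply = build_access_accept(7, REQUEST_AUTH, SECRET, VLAN_ATTRS)
    return assigned_vlan(verify_and_parse(reply, REQUEST_AUTH, SECRET))


if __name__ == "__main__":
    print("NAS would place the port in VLAN", demo())
```

Note that the Response Authenticator only proves the reply was built with the shared secret for the request it answers; for EAP (802.1X) exchanges the NAS should additionally require and check the Message-Authenticator attribute, which this minimal parser does not implement.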

For a multi-homed Linux host with an interface in more than one VLAN, source-based policy routing keeps each VLAN's traffic on its own path, so a stateful firewall between VLANs always sees both directions of a flow:

# Linux policy routing example (interface name vlan10 is a placeholder)
# traffic sourced from the VLAN 10 address is looked up in table 100 ...
ip -6 rule add from 2001:db8:1234:1001::/64 lookup 100
# ... which knows the VLAN 10 link and VLAN 10's gateway, and nothing else
ip -6 route add 2001:db8:1234:1001::/64 dev vlan10 table 100
ip -6 route add default via 2001:db8:1234:1001::1 dev vlan10 table 100

For wireless clients roaming between APs but staying in the same VLAN, let every AP take the VLAN from the RADIUS reply rather than from a static bridge, so the client lands in the same VLAN whichever AP it associates with:

# Hostapd configuration (interface, SSID and bridge names are placeholders)
interface=wlan0
ssid=corp-dot1x
channel=6
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=your_secret
# apply Tunnel-Private-Group-ID: hostapd creates eth0.<vid> and bridges it as br-vlan<vid>
dynamic_vlan=1
vlan_tagged_interface=eth0
vlan_bridge=br-vlan

Key commands for monitoring IPv6 VLAN traffic on a Linux gateway:

# Show IPv6 neighbors per VLAN
ip -6 neigh show dev vlan10
# Interface counters (all traffic on the VLAN interface, not IPv6-specific)
ip -s link show vlan10
# Check multicast groups (solicited-node and all-routers memberships the VLAN has joined)
ip -6 maddr show dev vlan10