
y2blog, 2020-10-17

Splitting the network into segments in a NURO Hikari IPv6 environment

Configuring the IX2215 router behind the F660A so that IPv6 actually works properly


In the previous article I reported that the ONU/router supplied by NURO (the F660A) is so limited in functionality that I could not build a proper network configuration and was struggling with it. After some trial and error, I have now managed to split the IPv6 network into segments on the IX2215 router side.


F660A settings


The F660A appears to have no prefix delegation capability on its LAN side at all, so if the prefix is split on the downstream IX2215 router instead, the IPv6 network can at least be made to match the VLAN topology. I will set an IPv6 address manually on each VLAN interface configured on the IX2215's LAN side and route IPv6 between the WAN and the LAN.


"IPv6 ND Proxy" is run from the IX2215's WAN port (GigaEthernet0.0) to the other WAN port (GigaEthernet1.0). It would also be fine to ND-proxy directly to the LAN-side VLAN200 port (GigaEthernet2:2.1), but I wanted to assign IPv6 prefixes cleanly to VLAN200, VLAN202 and VLAN206, so the GigaEthernet1.0 port is used as a dummy.


For now, with this method, global IPv6 communication is working with a separate IPv6 prefix assigned to each of VLAN200, VLAN202 and VLAN206.


This is still a provisional configuration that is in the middle of being tested, so I intend to verify it properly on another occasion.


Provisional as it is, here are the current F660A settings and the IX2215 configuration.


Nuro IPv6 Segmentation
Overview diagram of the configuration used this time

A DMZ (VLAN99) segment is created between the F660A's LAN side and the IX2215's WAN side (GigaEthernet0.0). All of the F660A's IPv6 firewall settings, whose actual behaviour is unclear, are turned OFF; the firewall function is handled on the IX2215 side instead.


Using the "ipv6 nd proxy" feature introduced last time, the RA and DHCPv6 messages emitted from the F660A's LAN side are relayed to the LAN-side VLAN200 segment (GigaEthernet2:2.1). The VLAN200 segment is thereby assigned the same IPv6 prefix as the F660A's LAN side, which makes IPv6 communication with the outside possible.


Using the F660A's "Static Prefix" assignment feature, a specific prefix can be assigned to the DMZ (VLAN99) segment, so if you intend to offer IPv6 services in the DMZ segment it is better to assign a specific prefix; this time, however, I am using the F660A's default settings as they are.



F660A Prefix Settings
This time no Static Prefix is configured; the LAN side is set up with the default RA/DHCPv6 settings

F660A Firewall Settings
The F660A's firewall function is turned completely OFF


To avoid double NAPT (IP masquerading) on IPv4, the DMZ (NAT) setting is configured on the F660A side so that traffic is forwarded to the IX2215's WAN port (GigaEthernet0.0) [192.168.99.254/24].


F660A IPv4 DMZ Forwarding
In the F660A's DMZ settings, ingress traffic is forwarded to the IX2215 (192.168.99.254)

F660A IPv4 DHCP Binding
MAC addresses are bound to IP addresses in advance

F660A IPv4 DHCP Settings
IPv4 DHCP settings



ip ufs-cache max-entries 20000
ip ufs-cache enable
ip route default 192.168.99.1
ip dhcp enable
ip dhcp-relay enable
ip access-list reject-all deny ip src any dest any
ip access-list tcp-ack permit tcp established src any sport any dest any dport any
ip access-list dynamic returns-all access allow-all
!
ipv6 ufs-cache max-entries 10000
ipv6 ufs-cache enable
ipv6 dhcp enable
ipv6 access-list allow-all6 permit ip src any dest any
ipv6 access-list allow-outboud permit ip src any dest any
ipv6 access-list dhcpv6-list permit udp src any sport any dest any dport eq 546
ipv6 access-list dhcpv6-list permit udp src any sport any dest any dport eq 547
ipv6 access-list icmp6-all permit icmp src any dest any
ipv6 access-list icmp6-nd permit icmp neighbor-solicitation src any dest any
ipv6 access-list icmp6-nd permit icmp neighbor-advertisement src any dest any
ipv6 access-list icmp6-nd permit icmp redirect src any dest any
ipv6 access-list icmp6-nd permit icmp echo-reply src any dest any
ipv6 access-list icmp6-nd permit icmp echo src any dest any
ipv6 access-list icmp6-nd-pass permit icmp neighbor-solicitation src any dest any
ipv6 access-list icmp6-nd-pass permit icmp neighbor-advertisement src any dest any
ipv6 access-list ip-tunnel-allow permit 4 src any dest any
ipv6 access-list nurov6-acl permit ip src 240d:xxxx:yyyy:zz00::/56 dest any
ipv6 access-list reject-all deny ip src any dest any
ipv6 access-list tcp6-ack permit tcp established src any sport any dest any dport any
ipv6 access-list vl200-acl permit ip src 240d:xxxx:yyyy:zzc8::/64 dest any
ipv6 access-list vl202-acl permit ip src 240d:xxxx:yyyy:zzca::/64 dest any
ipv6 access-list vl206-acl permit ip src 240d:xxxx:yyyy:zzce::/64 dest any
ipv6 access-list dynamic cache 65535
ipv6 access-list dynamic dyn-outbound access allow-outboud
ipv6 access-list dynamic returns-all access allow-all6

 ...

ip dhcp profile vlan200profile
  assignable-range 192.168.200.101 192.168.200.199
  subnet-mask 255.255.255.0
  default-gateway 192.168.200.254
  dns-server 192.168.200.7 192.168.100.20
  domain-name vl200.home.yoko
  lease-time 86400
!
ip dhcp profile vlan202profile
  assignable-range 192.168.202.101 192.168.202.199
  subnet-mask 255.255.255.0
  default-gateway 192.168.202.254
  dns-server 192.168.200.7 192.168.100.20
  domain-name vl202.home.yoko
  lease-time 86400
!
 ...

ipv6 dhcp server-profile dhcpv6pd-sv200
  dns-server 2606:4700:4700::1111     <=== APNIC's public IPv6 DNS server
  dns-server 240d:10:4:5::33        <=== So-net's IPv6 DNS server
!
ipv6 dhcp server-profile dhcpv6pd-sv202
  dns-server 2606:4700:4700::1111
  dns-server 240d:10:4:5::33
!
ipv6 dhcp server-profile dhcpv6pd-sv206
  dns-server 2606:4700:4700::1111
  dns-server 240d:10:4:5::33
!
device GigaEthernet0
!
device GigaEthernet1
!
device GigaEthernet2
  vlan-group 1 port 1 2
  vlan-group 2 port 3 4
  vlan-group 3 port 5 6
  vlan-group 4 port 7 8
!
  ...

interface GigaEthernet0.0
  description Nuro-DMZ
  ip address dhcp
  ip napt enable
  ipv6 enable
  ipv6 interface-identifier 00:00:00:00:00:00:63:fe
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag
  ipv6 nd proxy GigaEthernet1.0
  ipv6 filter dhcpv6-list 1 in
  ipv6 filter icmp6-all 2 in
  ipv6 filter icmp6-nd 4 in
  ipv6 filter ip-tunnel-allow 5 in
  ipv6 filter reject-all 100 in
  ipv6 filter dhcpv6-list 1 out
  ipv6 filter icmp6-all 2 out
  ipv6 filter ip-tunnel-allow 5 out
  ipv6 filter dyn-outbound 100 out
  no shutdown
!
interface GigaEthernet1.0
  description IPv6-NDProxy-Client
  no ip address
  ipv6 enable
  ipv6 interface-identifier 00:00:00:00:00:00:10:fe
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag
  no shutdown
!
interface GigaEthernet2.0
  no ip address
  shutdown
!
 ...

interface GigaEthernet2:2.1
  description VLAN200-Nuro-Dual
  encapsulation dot1q 200 tpid 8100
  auto-connect
  ip address 192.168.200.254/24
  ip dhcp binding vlan200profile
  ipv6 enable
  ipv6 interface-identifier 00:00:00:00:00:00:c8:fe
  ipv6 address 240d:xxxx:yyyy:zzc8::c8fe/64
  ipv6 dhcp server dhcpv6pd-sv200
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag
  no shutdown
!
interface GigaEthernet2:2.2
  description VLAN202-Nuro-IPv4-USGW
  encapsulation dot1q 202 tpid 8100
  auto-connect
  ip address 192.168.202.254/24
  ip dhcp binding vlan202profile
  ipv6 enable
  ipv6 interface-identifier 00:00:00:00:00:00:ca:fe
  ipv6 address 240d:xxxx:yyyy:zzca::cafe/64
  ipv6 dhcp server dhcpv6pd-sv202
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag
  no shutdown
!
interface GigaEthernet2:2.3
  description VLAN204-Nuro-IPv4
  encapsulation dot1q 204 tpid 8100
  auto-connect
  ip address 192.168.204.254/24
  ip dhcp binding vlan204profile
  no shutdown
!
interface GigaEthernet2:2.4
  description VLAN206-Nuro-IPv6
  encapsulation dot1q 206 tpid 8100
  auto-connect
  no ip address
  ipv6 enable
  ipv6 interface-identifier 00:00:00:00:00:00:ce:fe
  ipv6 address 240d:xxxx:yyyy:zzce::cefe/64
  ipv6 dhcp server dhcpv6pd-sv206
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag
  no shutdown
!
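The addressing scheme in the configuration above follows a pattern: each VLAN ID becomes the 8-bit subnet ID of the delegated /56 (VLAN 200 = 0xc8 gives zzc8::/64) and the router's interface identifier is the VLAN ID followed by fe (c8fe, cafe, cefe). The following Python script is an added example, not code from the original post: it derives the per-VLAN /64 and router address from that rule, checks that every /64 lies inside the delegation, and emits the matching `ipv6 address` and per-VLAN source-prefix ACL lines. The /56 used is a constructed documentation prefix, since the page masks the real one as 240d:xxxx:yyyy:zz00::/56.

```python
import ipaddress

# Constructed placeholder for the /56 NURO hands to the F660A; the page masks
# its real prefix as 240d:xxxx:yyyy:zz00::/56, which cannot be parsed.
DELEGATED = ipaddress.IPv6Network("2001:db8:0:ff00::/56")
VLANS = [200, 202, 206]  # the VLAN IDs used on the page


def vlan_subnet(delegated, vid):
    """/64 for a VLAN: the VLAN ID becomes the 8-bit subnet ID of the /56
    (VLAN 200 -> ...:ffc8::/64), mirroring zzc8/zzca/zzce on the page."""
    if delegated.prefixlen != 56:
        raise ValueError("the scheme assumes a /56 delegation")
    if not 0 <= vid <= 255:
        raise ValueError(f"VLAN {vid} does not fit in the 8-bit subnet ID")
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base | (vid << 64), 64))


def router_address(subnet, vid):
    """Router IID used on the page: <vid in hex><fe>, e.g. ::c8fe for VLAN 200."""
    return ipaddress.IPv6Address(int(subnet.network_address) | (vid << 8) | 0xFE)


def ix_lines(delegated, vids):
    """Emit the interface address and a per-VLAN source ACL line for each VLAN,
    after checking that the /64s are distinct and all inside the delegation."""
    seen = {}
    out = []
    for vid in vids:
        net = vlan_subnet(delegated, vid)
        if net in seen:
            raise ValueError(f"VLAN {vid} collides with VLAN {seen[net]}")
        if not net.subnet_of(delegated):
            raise ValueError(f"{net} is outside {delegated}")
        seen[net] = vid
        addr = router_address(net, vid)
        out.append(f"ipv6 address {addr}/64")
        # Source-prefix ACL: only traffic sourced from this VLAN's own /64,
        # so a host on one segment cannot spoof an address from another.
        out.append(f"ipv6 access-list vl{vid}-acl permit ip src {net} dest any")
    return out


if __name__ == "__main__":
    print("\n".join(ix_lines(DELEGATED, VLANS)))
```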




ix2215-02(config)# show ipv6 addr
Interface GigaEthernet0.0 is up, line protocol is up
  Link-local address(es):
    fe80::63fe prefixlen 64
    fe80:: prefixlen 64 anycast
  Multicast address(es):
    ff02::1
    ff02::2
    ff02::1:ff00:0
    ff02::1:ff00:63fe
Interface GigaEthernet1.0 is down, line protocol is down
Interface GigaEthernet2:2.1 is up, line protocol is up
  Global address(es):
    240d:xxxx:yyyy:zzc8::c8fe prefixlen 64
    240d:xxxx:yyyy:zzc8:: prefixlen 64 anycast
  Link-local address(es):
    fe80::c8fe prefixlen 64
    fe80:: prefixlen 64 anycast
  Multicast address(es):
    ff02::1
    ff02::2
    ff02::1:2
    ff02::1:ff00:0
    ff02::1:ff00:c8fe
Interface GigaEthernet2:2.2 is up, line protocol is up
  Global address(es):
    240d:xxxx:yyyy:zzca::cafe prefixlen 64
    240d:xxxx:yyyy:zzca:: prefixlen 64 anycast
  Link-local address(es):
    fe80::cafe prefixlen 64
    fe80:: prefixlen 64 anycast
  Multicast address(es):
    ff02::1
    ff02::2
    ff02::1:2
    ff02::1:ff00:0
    ff02::1:ff00:cafe
Interface GigaEthernet2:2.4 is up, line protocol is up
  Global address(es):
    240d:xxxx:yyyy:zzce::cefe prefixlen 64
    240d:xxxx:yyyy:zzce:: prefixlen 64 anycast
  Link-local address(es):
    fe80::cefe prefixlen 64
    fe80:: prefixlen 64 anycast
  Multicast address(es):
    ff02::1
    ff02::2
    ff02::1:2
    ff02::1:ff00:0
    ff02::1:ff00:cefe
Interface Loopback0.0 is up, line protocol is up
  Orphan address(es):
    ::1 prefixlen 128
Interface Loopback1.0 is up, line protocol is up
Interface Null0.0 is up, line protocol is up
Interface Null1.0 is up, line protocol is up
ix2215-02(config)# 

ix2215-02(config)# show ipv6 route
IPv6 Routing Table - 10 entries, unlimited
Codes: C - Connected, L - Local, S - Static
       R - RIPng, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, B - BGP
       s - Summary
Timers: Uptime/Age
S      ::/0 orphan [100/1]
         via fe80::1, GigaEthernet0.0, 1:49:49/0:00:00
C      240d:xxxx:yyyy:zzc8::/64 global [0/1]
         via ::, GigaEthernet2:2.1, 3:28:39/0:00:00
L      240d:xxxx:yyyy:zzc8::/128 global [0/1]
         via ::, GigaEthernet2:2.1, 3:28:40/0:00:00
L      240d:xxxx:yyyy:zzc8::c8fe/128 global [0/1]
         via ::, GigaEthernet2:2.1, 3:28:39/0:00:00
C      240d:xxxx:yyyy:zzca::/64 global [0/1]
         via ::, GigaEthernet2:2.2, 3:27:32/0:00:00
L      240d:xxxx:yyyy:zzca::/128 global [0/1]
         via ::, GigaEthernet2:2.2, 3:27:33/0:00:00
L      240d:xxxx:yyyy:zzca::cafe/128 global [0/1]
         via ::, GigaEthernet2:2.2, 3:27:32/0:00:00
C      240d:xxxx:yyyy:zzce::/64 global [0/1]
         via ::, GigaEthernet2:2.4, 3:26:51/0:00:00
L      240d:xxxx:yyyy:zzce::/128 global [0/1]
         via ::, GigaEthernet2:2.4, 3:26:52/0:00:00
L      240d:xxxx:yyyy:zzce::cefe/128 global [0/1]
         via ::, GigaEthernet2:2.4, 3:26:51/0:00:00
ix2215-02(config)# 

ix2215-02(config)# show ipv6  neighbors 
Neighbor cache - 11 dynamic, 1013 free, 0 static
Interface GigaEthernet0.0 is up, line protocol is up
  Neighbor 240d:xxxx:yyyy:zz00:6ed2:baff:fe1a:3bd6          <===  the F660A's LAN port
    STALE, linklayer 6c:d2:ba:1a:3b:d6, uptime 0:04:07, age 0:04:07
  Neighbor fe80::1 (router)
    REACHABLE, linklayer 6c:d2:ba:1a:3b:d6, uptime 0:00:17, age 1:51:13
  Neighbor fe80::6b3e:c97e:861b:dba
    REACHABLE, linklayer 00:0c:29:c7:8f:02, uptime 0:00:06, age 1:50:48
Interface GigaEthernet2:2.1 is up, line protocol is up
  Neighbor 240d:xxxx:yyyy:zzc8:5054:ff:fe0e:6399
    STALE, linklayer 52:54:00:0e:63:99, uptime 0:00:31, age 3:29:06
  Neighbor 240d:xxxx:yyyy:zzc8:90eb:5b03:cf0c:fbc4
    REACHABLE, linklayer a8:20:66:50:0b:b9, uptime 0:00:17, age 3:23:41
  Neighbor fe80::49e:cf63:aa9a:a875
    STALE, linklayer 1c:91:48:63:eb:97, uptime 0:01:32, age 0:02:08
  Neighbor fe80::1c89:8d6a:2258:937c
    REACHABLE, linklayer a8:20:66:50:0b:b9, uptime 0:00:12, age 3:23:59
  Neighbor fe80::1cbe:b2c7:97a:8bb3
    STALE, linklayer d4:a3:3d:6a:51:8e, uptime 0:02:05, age 0:02:41
  Neighbor fe80::5054:ff:fe0e:6399
    STALE, linklayer 52:54:00:0e:63:99, uptime 0:00:26, age 3:30:07
  Neighbor fe80::926c:acff:fe55:6455 (router)
    STALE, linklayer 90:6c:ac:55:64:55, uptime 0:00:49, age 3:29:48
Interface GigaEthernet2:2.2 is up, line protocol is up
  Neighbor fe80::926c:acff:fe55:6455 (router)
    REACHABLE, linklayer 90:6c:ac:55:64:55, uptime 0:00:07, age 3:51:52
ix2215-02(config)# 


Check-IPv6-VL200-Access
Accessing an IPv6 test site from VLAN200

Check IPv6 VL202 Access
Accessing an IPv6 test site from VLAN202