Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: Tunnelling1234 on August 27, 2011, 09:01:59 PM

Title: vlan tag and HE tunnel
Post by: Tunnelling1234 on August 27, 2011, 09:01:59 PM
An untagged interface exposed to the net works great for an HE tunnel!  No complaints there!

(insert employer/ISP upgrade here)

Now, my HE tunnel just doesn't work at all on a tagged interface. Yet IPv4 is OK; the interface has an accessible public address. I can't spot any filtering of services that I bring up on that interface. I poke around at the problem a while, then in addition to the work requirements I set up an untagged interface with a public address going through the same network upgrade (as a regular customer would) and HE tunnel and IPv6 is back and working!

Employer/ISP says great, you got it working, and we understand your quest towards IPv6 cert, but keep all your traffic tagged on these particular VLANs as soon as possible...

Ideally, I have an IPv6 tunnel and a happy employer, perhaps one willing to embrace IPv6 in the near future.

Before I crank up tcpdump, anybody else run into a similar problem with an HE tunnel and tags?

Am I Doing It Wrong™ ?

Title: Re: vlan tag and HE tunnel
Post by: snarked on August 28, 2011, 12:45:44 AM
Why should it work?  VLAN tagging is a level 2 network service.  IP routing is a level 3 service.  These things occur at different levels in the standard OSI 7 level network model.

Title: Re: vlan tag and HE tunnel
Post by: Tunnelling1234 on August 28, 2011, 06:01:49 AM
Ah, it appears I have mistaken the seven layer model for bean dip...  :)

Title: Re: vlan tag and HE tunnel
Post by: Tunnelling1234 on August 28, 2011, 12:53:37 PM
Bear with me, I'm learning you see.

With the tag, tcpdump shows IPv6 leaving the henet interface bound for HE, but nothing is received.

When untagged frames leave my equipment, the next piece of equipment tags them immediately anyway! The addition and subsequent stripping of the tag by various managed switches between here and there - doesn't break the HE tunnel at all.  

So just to be clear - the henet interface should work regardless of what layer 2 does? (assuming layer 2 is set up correctly)

Maybe it's protocol 41 being dropped somewhere along the way on that particular route?

Title: Re: vlan tag and HE tunnel
Post by: Tunnelling1234 on September 01, 2011, 06:41:06 PM
Good old RFC 4554 says:

2.1.  IPv6 Routing over VLANs

   In a typical scenario where connectivity is to be offered to a number
   of existing IPv6 internal subnets, one IPv6 router could be deployed,
   with both an external interface and one or more internal interfaces.
   The external interface connects to the wider IPv6 internet, and may
   be dual-stack if some tunnel mechanism is used for external
   connectivity, or IPv6-only if a native external connection is

   The internal interface(s) can be connected directly to a VLAN-capable
   switch.  It is then possible to write VLAN tags on the packets sent
   from the internal router interface based on the target IPv6 link
   prefix.  The VLAN-tagged traffic is then transported across the
   internal VLAN-capable site infrastructure to the target IPv6 links
   (which may be dispersed widely across the site network).

   Where the IPv6 router is unable to VLAN-tag the packets, a protocol-
   based VLAN can be created on the VLAN-capable device connected to the
   IPv6 router, causing IPv6 traffic to be tagged and then redistributed
   on (congruent) IPv4 subnet links that lie in the same VLAN.

...thus answering my (uneducated) question. Now, the fun part - figuring out what's being filtered where. I have plenty to learn.
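
An added example, not part of the thread: one way to check the "protocol 41 being dropped" theory is to count 6in4 packets per direction in a capture from the physical interface, looking past any 802.1Q tag to the IPv4 header. The addresses, VLAN ID, sample frames and helper names below are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

PROTO_6IN4 = 41               # IPv4 protocol number for encapsulated IPv6
TAG_TYPES = (0x8100, 0x88A8)  # 802.1Q and 802.1ad tag EtherTypes

def parse_frame(frame):
    """Return (vlan_ids, ip_proto, src, dst) for an IPv4 frame, else None."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlans = 14, []
    while ethertype in TAG_TYPES:  # each tag: 2-byte TCI, then the next EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    if ethertype != 0x0800:
        return None
    src = IPv4Address(frame[offset + 12:offset + 16])
    dst = IPv4Address(frame[offset + 16:offset + 20])
    return vlans, frame[offset + 9], src, dst

def tunnel_summary(frames, local, remote):
    """Count protocol-41 packets in each direction between the tunnel endpoints."""
    local, remote = IPv4Address(local), IPv4Address(remote)
    counts = {"out": 0, "in": 0, "vlans": set()}
    for parsed in filter(None, map(parse_frame, frames)):
        vlans, proto, src, dst = parsed
        if proto != PROTO_6IN4 or {src, dst} != {local, remote}:
            continue
        counts["out" if src == local else "in"] += 1
        counts["vlans"].update(vlans)
    return counts

def build(src, dst, proto, vlan=None):
    """Construct a minimal Ethernet + IPv4 header (sample data, no payload)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip

# Constructed capture: documentation addresses and VLAN 100 are assumptions.
LOCAL, REMOTE = "192.0.2.10", "198.51.100.1"
TAGGED = [build(LOCAL, REMOTE, 41, vlan=100)] * 3 + [build(REMOTE, LOCAL, 1, vlan=100)]
UNTAGGED = [build(LOCAL, REMOTE, 41), build(REMOTE, LOCAL, 41)]

if __name__ == "__main__":
    print("tagged:  ", tunnel_summary(TAGGED, LOCAL, REMOTE))
    print("untagged:", tunnel_summary(UNTAGGED, LOCAL, REMOTE))
```

A summary with outbound protocol-41 packets and no inbound ones on the tagged path, while other IPv4 traffic still returns, points at filtering of protocol 41 on that route rather than at the tag itself.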