• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

vlan tag and HE tunnel

Started by Tunnelling1234, August 27, 2011, 09:01:59 PM


Tunnelling1234

An untagged interface exposed to the net works great for an HE tunnel!  No complaints there!

(insert employer/ISP upgrade here)

Now, my HE tunnel just doesn't work at all on a tagged interface. Yet IPv4 is OK, the interface has an accessible public address. I can't spot any filtering of services that I bring up on that interface. I poke around at the problem a while, then in addition to the work requirements I set up an untagged interface with a public address going through the same network upgrade (as a regular customer would) and HE tunnel and IPv6 is back and working!

Employer/ISP says great, you got it working, and we understand your quest towards IPv6 cert, but keep all your traffic tagged on these particular VLANs as soon as possible...

Ideally, I have an IPv6 tunnel and a happy employer, perhaps one willing to embrace IPv6 in the near future.

Before I crank up tcpdump, anybody else run into a similar problem with an HE tunnel and tags?

Am I Doing It Wrong™ ?



snarked

Why should it work?  VLAN tagging is a level 2 network service.  IP routing is a level 3 service.  These things occur at different levels in the standard OSI 7 level network model.

Tunnelling1234

Ah, it appears I have mistaken the seven layer model for bean dip...  :)

Tunnelling1234

#3
Bear with me, I'm learning you see.

With the tag, tcpdump shows IPv6 leaving the henet interface bound for HE, but nothing is received.

When untagged frames leave my equipment, the next piece of equipment tags them immediately anyway! The addition and subsequent stripping of the tag by various managed switches between here and there - doesn't break the HE tunnel at all.  

So just to be clear - the henet interface should work regardless of what layer 2 does? (assuming layer 2 is set up correctly)

Maybe it's protocol 41 being dropped somewhere along the way on that particular route?

Tunnelling1234

#4
Good old RFC4554 says:

Quote:

2.1.  IPv6 Routing over VLANs

  In a typical scenario where connectivity is to be offered to a number
  of existing IPv6 internal subnets, one IPv6 router could be deployed,
  with both an external interface and one or more internal interfaces.
  The external interface connects to the wider IPv6 internet, and may
  be dual-stack if some tunnel mechanism is used for external
  connectivity, or IPv6-only if a native external connection is
  available.

  The internal interface(s) can be connected directly to a VLAN-capable
  switch.  It is then possible to write VLAN tags on the packets sent
  from the internal router interface based on the target IPv6 link
  prefix.  The VLAN-tagged traffic is then transported across the
  internal VLAN-capable site infrastructure to the target IPv6 links
  (which may be dispersed widely across the site network).

  Where the IPv6 router is unable to VLAN-tag the packets, a protocol-
  based VLAN can be created on the VLAN-capable device connected to the
  IPv6 router, causing IPv6 traffic to be tagged and then redistributed
  on (congruent) IPv4 subnet links that lie in the same VLAN.

...thus answering my (uneducated) question. Now, the fun part - figuring out what's being filtered where. I have plenty to learn.
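
To test the protocol 41 theory raised in this thread, frames from a capture can be classified by whether 6in4 packets both leave and return, with or without an 802.1Q tag in front of the IPv4 header. This is an added example, not part of any post above; the function names, the documentation addresses and the sample frames are constructed for illustration.

```python
import socket
import struct

ETH_P_8021Q, ETH_P_IPV4, PROTO_6IN4 = 0x8100, 0x0800, 41

def classify_frame(frame):
    """Return (vlan_id or None, src, dst) if the frame carries 6in4, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:      # 4-byte tag sits before the real EtherType
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IPV4 or len(frame) < offset + 20:
        return None
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != PROTO_6IN4 or len(ip) <= ihl:
        return None
    if ip[ihl] >> 4 != 6:             # the encapsulated packet must be IPv6
        return None
    return vlan, socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])

def direction_counts(frames, local_ip):
    """Count 6in4 packets sent from local_ip and received at local_ip."""
    sent = received = 0
    for frame in frames:
        info = classify_frame(frame)
        if info is not None:
            sent += info[1] == local_ip
            received += info[2] == local_ip
    return sent, received

def build_frame(src, dst, vlan=None):
    """Constructed sample: Ethernet, optional 802.1Q tag, IPv4 proto 41, bare IPv6 header."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, PROTO_6IN4, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + bytes(32)
    return bytes(12) + tag + struct.pack("!H", ETH_P_IPV4) + ipv4 + ipv6

LOCAL, BROKER = "192.0.2.10", "198.51.100.1"   # constructed documentation addresses
UNTAGGED = [build_frame(LOCAL, BROKER), build_frame(BROKER, LOCAL)]
TAGGED = [build_frame(LOCAL, BROKER, vlan=100), build_frame(LOCAL, BROKER, vlan=100)]

if __name__ == "__main__":
    print(direction_counts(UNTAGGED, LOCAL), direction_counts(TAGGED, LOCAL))
```

A capture that yields sent packets but zero received, as in the constructed tagged sample, matches the symptom described in post #3: the tag itself parses cleanly and the encapsulated packet is unchanged, so the place to look is where protocol 41 stops coming back on that path.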