Actions
Commonly used IPv6 networks¶
By ungleich¶
Assuming that you have a /48 per location/site, there are some specific /64 sub networks that we usually use at ungleich.
As an example let's take 2001:db8:a::/48, then the we often use these networks:
Typical IPv6 plan from ungleich¶
- Assuming 2001:db8:a::/48 as a base network
| Network | Description |
| 2001:db8:a::/64 | The network 0 is usually internal |
| For netboot, untrusted equipment, IPMI and co. Usually firewall for no incoming traffic at all | |
| 2001:db8:a:1::/64 | Servers, sensible equipment: stuff we trust ssh is safe |
| For accessing servers, usually only port 22 (ssh) or an alternative SSH port (222,2202,2222) open | |
| 2001:db8:a:8::/64 | Transfer network |
| For routing, might contain /124 or smaller sub networks for "point to point" | |
| 2001:db8:a:88::/64 | Transfer tunnel network: Used for transferring via tunnels |
| 2001:db8:a:a::/64 | DNS network: houses DNS servers in the network. |
| Regular DNS servers are usually 2001:db8:a:a::a and 2001:db8:a:a::b | |
| DNS64 enabled servers are usually 2001:db8:a:a::64 and 2001:db8:a:a::65 | |
| 2001:db8:a:b::/64 | MX network: houses mx servers in the network. |
| 2001:db8:a:bee::/64 | LAN network: usually wifi/coworking |
| "bee" is something people can easily pronounce; ssh open from outside | |
| 2001:db8:a:cafe::/64 | LAN network: usually wired/regular clients |
| 2001:db8:a:d::/64 | Downstream network: routing to physically present downstreams |
| 2001:db8:a:d::/80 | Static IP addresses OUR side |
| 2001:db8:a:d:1::/80 | Static IP addresses DOWNSTREAM |
| 2001:db8:a:7ea::/64 | LAN network: Usually 2nd wifi network |
| 2001:db8:a:b00::/96 | Incoming NAT64 prefix: mapping IPv4 islands: 2001:db8:a:b00::192.168.1.1 is IPv6 reachable |
| 2001:db8:a:b0d::/64 | Kubernetes "pod (b0d)" network |
| 2001:db8:a:6fc::/108 | Kubernetes "svc (6fc)" network |
| 2001:db8:a:c00::/96 | 2nd Incoming NAT64 prefix: use this if one of them is stateful, the other one is stateless |
| 2001:db8:a:c001::/96 | Outgoing NAT64 prefix: mapping the IPv4 Internet, allowing IPv6 only hosts to reach the IPv4 Internet |
| 2001:db8:a:x::10::/79 | Kubernetes cluster 1 |
| 2001:db8:a:x::10::/108 | Kubernetes pod sub network 1 |
| 2001:db8:a:x::11::/108 | Kubernetes service sub network 1 |
| 2001:db8:a:x::12::/79 | Kubernetes cluster 2 |
| 2001:db8:a:x::12::/108 | Kubernetes pod sub network 2 |
| 2001:db8:a:x::13::/108 | Kubernetes service sub network 2 |
| 2001:db8:a:x::14::/79 | Kubernetes cluster 3 |
| 2001:db8:a:x::14::/108 | Kubernetes pod sub network 3 |
| 2001:db8:a:x::15::/108 | Kubernetes service sub network 3 |
IPv6 address guidelines¶
- /124s are nice to read as they cut off the last byte
- When using a /96 to access from or to the IPv4 Internet, reserve the whole /64
- When sub dividing a /64 on a VM/server, use /80's (nibble boundaries)
- /64: When in doubt, take a /64
- /48's work great per location or customer
- No need to use a bigger network, even if you have space
- VPN concentrators / routers usually need /40 or /32 to redistribute /48's
In other places¶
Updated by Nico Schottelius about 2 months ago · 19 revisions