[j-nsp] SRX IPv6 VRRP

Tobias Heister lists at tobias-heister.de
Wed Aug 13 03:25:46 EDT 2014


Hi,

Am 12.08.2014 um 23:36 schrieb ashish verma:
> /64 is not bad if it solves your problem and I guess most of the people use /64 as minimum.

It might be really bad using /64 everywhere, for example have a look at
http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

When talking about a security platform where everything is firewalled in the first place hopefully it will not come to any NDP actions at all (because the firewall killed all the inbound traffic before that), /64s might be a viable solution.

But at least IPv6 VRRP (which also uses RAs, at least on Juniper) can work with prefixes < /64 and will happily send RAs with smaller prefixes, so in theory you should be able to spread your default GW via RAs even with smaller prefixes. You will use the SLAAC capabilities, but depending on the deployment scenario it might be OK.

That being said, i have no idea whether one can configure RAs on Juniper gear (besides from VRRPv6) which uses/announces smaller prefixes than /64.

-- 
Kind Regards
Tobias Heister


More information about the juniper-nsp mailing list