Using ULA ( Unique Local Addresses ) and GUA ( Global Unicast Addresses ) on the same network.
We're going to see how to use both ULA and GUA on the same network, the limitations or problems that might occur, as well as the way to solve them.
We'll use ULA subnets based on the fd07:44de:a327::/48 prefix :
and GUA subnets based on the 2001:0DB8:0::/48 prefix :
keeping the subnet ID in line ( fd07:44de:a327:0::/64 and 2001:0DB8:0::0/64 on the same physical subnet, etc ... ).
Thus, [G] represents a /48 prefix throughout this post.
Using ULA and GUA on a single subnet
Using our neat little Dlink DIR 626-L router ( Router 1 ), let's add ULA capability to a GUA network.
We keep GUA networking in the router's main networking page ( Internet connectivity setup ), and as we do static networking, we disable LAN address autoconfiguration on this page.
and use, for the first time, the ' local connectivity setup ' page to add ULA capability :
. We check ' enable ULA '
. We don't use the default ULA, so we can use our own chosen subnet ID
( the default subnet ID seems to be generated uniquely once, and then stays fixed. There is no documentation as to how it is generated. MAC derived ? )
We're going to configure PC1 to use both an ULA and a GUA.
First, as we're doing static networking here, we disable the ability for PC1 to autoconfigure itself ( ie we disable router discovery ) :
netsh int ipv6 set int [Idx] router=dis
We statically configure a GUA address ( in network connections )
We also need to add a ULA address, using the command line :
netsh int ipv6 add address [Idx] [IP address]
ex : netsh int ipv6 add address 12 fd07:44de:a327:2::140
We can now check the interface addresses :
netsh int ipv6 show address [Idx]
We can also check our local connectivity :
and our global connectivity :
ping -6 www.wikipedia.org
Tools for troubleshooting the ULA/GUA combination
As we now have two potential source addresses, it is good to be able to check which address is used as the source. Here are some tips :
tracert [IP address] shows you the nodes used, thus the address type ( ULA or GUA )
tracert -S [source IP] [dest IP] forces the use of the source IP
ping -S [source IP] [dest IP] ( idem )
Please note that a ULA address, used as a source address, gets discarded by Internet routers, so there won't be any answer to a packet with a ULA source.
thus this packet :
tracert -S fd07:44de:a327:3::140 www.wikipedia.org
won't get any answer.
This is one of the big shifts when going IPv6 : ULA addresses are private. Period. No NAT will turn them into public IPs.
On the other hand, GUA addresses are public. So all our network hosts using GUA are public. Period. So take good care of your firewalls ...
There are no tepid waters, like an IPv4 private address getting Internet access through NAT, or an IPv4 public IP being forwarded to the private LAN.
A good deal of the problems when doing both ULA/GUA over a subnet come from source address selection, which is well documented ( RFC 6724 ). So checking and troubleshooting the source address selection is the first essential step.
The second essential step is using ' netsh int ipv6 show prefixpolicies ' to see the prefix policy table. ( More information about these in the next post )
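To make the selection rules concrete, here is an added example ( not part of the original post ) that models the part of RFC 6724 that decides between a ULA and a GUA source : the default policy table, rule 1 ( prefer same address ), rule 6 ( prefer matching label ) and rule 8 ( longest matching prefix ). The candidate sources are PC1's addresses from this post ; the destination addresses are constructed, and the policy table is the RFC default, not necessarily what ' netsh int ipv6 show prefixpolicies ' shows on a given Windows box.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
# fc00::/7 gets its own label (13), which is what steers ULA sources towards
# ULA destinations and GUA sources towards everything else.
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def lookup(addr, policy=DEFAULT_POLICY):
    """Return (precedence, label) of the longest-matching policy entry."""
    addr = ipaddress.IPv6Address(addr)
    best = None
    for prefix, prec, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses (rule 8)."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()


def select_source(dest, candidates, policy=DEFAULT_POLICY):
    """Simplified RFC 6724 source selection: rules 1, 6 and 8 only.
    Scope (rule 2) is skipped because ULA and GUA are both global scope."""
    dest_addr = ipaddress.IPv6Address(dest)
    dest_label = lookup(dest, policy)[1]

    def rank(src):
        return (ipaddress.IPv6Address(src) == dest_addr,   # rule 1
                lookup(src, policy)[1] == dest_label,       # rule 6
                common_prefix_len(src, dest))               # rule 8
    return max(candidates, key=rank)


# PC1's two addresses from this post (GUA subnet ID kept in line with the ULA).
PC1_ADDRESSES = ["fd07:44de:a327:2::140", "2001:db8:0:2::140"]
```

Calling select_source with a constructed ULA destination such as fd07:44de:a327:3::1 picks the ULA source, and with a constructed GUA destination such as 2001:db8:ffff::1 picks the GUA source, which is exactly the behaviour tracert -S lets you confirm on the wire.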
Adding ULA and GUA over several subnets
The ULA functionality works very well over a single subnet. Unfortunately, the DLink 626-L network engine can't handle routing both ULA and GUA through the WAN port.
Using a Windows OS as a Router, we can have ULA and GUA both routed easily. There's no extra step needed compared to simple ULA or GUA routing.
We just need to have two IPv6 static routes pointing to the subnet #2 in Router 2, one for ULA and one for GUA :
The benefits of using both ULA and GUA in a network
The first benefit is network numbering autonomy. In case of an ISP change, or of an ISP-attributed network ID change, we can avoid network renumbering, which is a huge task. We just have to set up the routers' GUA addresses, and can leave most of our server infrastructure and setups unchanged ( DNS, AD, ... ).
The second benefit is network isolation. As ULA can't reach the Internet, and can't be reached from it, we can isolate some key components from the outside world ( AD server, internal data server, ... ), leaving them with ULA-only connectivity.
The benefits of using a GUA-only network :
When using only GUA on our network, we have a somewhat easier to manage and troubleshoot network.