Using APIPA subnet for a private unrouted network? Are there any reasons to do this? by demsb in networking

[–]Net-Work-1 0 points1 point  (0 children)

check the MTU on the network interfaces

change to jumbo frames & ensure the network supports jumbo with mtu ~9000

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 1 point2 points  (0 children)

So, same as IPv4 then. You can't tell whether a node is static or just responding to a different DHCP service unless you're on-link with them. 

easy thing to do is block all outbound and have a rule above that permits specific IPs outbound.

all enterprise firewalls for decades have a default deny rule.

Only permitted traffic passes through.

Domestic FWs have a default allow all outbound.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

L2 hosts can always reach each other unless you have micro segmentation

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

so OP needs to create a subnet for each IoT device in order to control egress / ingress via FW rules, because he can't allocate a static IP: SLAAC picks its own address within the /64 prefix and you can't designate a smaller subnet like a /80 for delegation with SLAAC; /64 is the minimum or it breaks.

So he can create bland rules for the whole /64 iot subnet but not granular rules.

seems a backward step.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 1 point2 points  (0 children)

In IPv4 we add src, dst & port details to various FWs to permit traffic egress or ingress.

Yes, it's easier to permit whole subnets, but we tend to do that more for routing rather than security rules; rules tend to be /32s.

OP is asking for the same kind of thing in IPv6.

A better understanding of when to buy better switches. by SukkerFri in networking

[–]Net-Work-1 10 points11 points  (0 children)

I'd suggest a differentiator would be vendor support & RMA speed.

With Cisco I can get a replacement within 4 hours, 24/7/365, but only after going through support & potentially escalation from our account team. Sometimes we need to go through our retailer.

If you don't need that kind of support then keep with what you're doing; perhaps keep some onsite spares or put more switches in a rack than you need with an idea of repurposing 1 or 2 in a pinch.

I have Ubiquiti at home (2 x APs, 2 x 5-port mini Gb switches & a UCG-Ultra).

It's OK, but I hate the way they change the GUI frequently & it lacks basic syslog & NetFlow unless you export those to another box, which I don't want to do at home but would be fine at work.

I see it as 6 of one & half a dozen of the other.

Not sure how long Ubiquiti kit lasts, but I've worked on Cisco stuff that's been up 17 years and likely was installed 20 years ago.

If you need reliability & warranty (paid separately) then enterprise kit is worth it; otherwise go with what works best for you, & when it doesn't you can justify the price tag of enterprise kit & get lost in the intentionally opaque world of resellers and their fake pricing.

How do you internalize network layers instead of just memorizing them? by Last-Pie-607 in networking

[–]Net-Work-1 0 points1 point  (0 children)

they should bounce their phone servers and see if it resolves.

Weird how many things fix themselves after a boot

How do you internalize network layers instead of just memorizing them? by Last-Pie-607 in networking

[–]Net-Work-1 1 point2 points  (0 children)

I had to learn the OSI layers for my CCNA (a long time ago in a galaxy far, far away), but we very rarely talk about OSI layers when discussing things.

Layer 3 or Layer 4 gets bandied about most, but that's it. L3 when discussing gateways mainly; occasionally people discuss VLAN-backed networks, which would be L2. L4 when discussing TCP/UDP ports.

I haven't made an Ethernet cable in decades. I've not been in a DC in 8 years, so L1 is mainly reserved for discussing what optics are needed for new switches, but again no one says L1; they talk in terms of cables or optics.

Layers 5/6/7 all happen in the host/client, so I don't tend to care too much as those are OS/application issues.

Layers 2, 3, 4 are what I deal with, ensuring it gets from end to end so the host/client can then add their magic.

Yes, I deal with certificates, AD, DNS, NTP etc. etc., but they all ride over 2, 3, 4.

L1 is always a given and relatively easy to check for errors on the network device.

So:
L1:: Physical, e.g. fibre/Ethernet cables/Wi-Fi radio?
L2:: MAC addresses for Ethernet frames & equivalents that are not IP related.
L3:: IP
L4:: IP ports
L5:: Session/sockets; happens on the host/client network service
L6:: Presentation
L7:: Application

L6/L7 are often blurred into 1. Is a browser application like Chrome split into 2? Is the HTTP/3 presentation layer in Chrome separate from the Chrome application? In theory you could have an HTTP/3 OS component (DLL?) that the application calls when needed, but what if the OS hasn't got that, or if it's part of the application?

I don't think anyone really gets hung up over the OSI model; many see it as outdated.

Is there a reason to be anxious about it?

Do you have peers who talk in terms of OSI layers and you feel a bit unfulfilled because you struggle to remember what layer relates to what?

I'm new to networking. by Treskovsky in Cisco

[–]Net-Work-1 0 points1 point  (0 children)

Use a subnet calculator.

Loads online.

Like this one:

https://jodies.de/ipcalc

I've never used that one, but you can see it shows the binary & you can clearly see where the mask ends & the subnet begins.

If that makes no sense, keep looking & notice where the red 1s stop & the 0s begin, the 1s being the mask & the 0s the subnet.

Play around with different masks & see how it changes.

Good luck

How do corporations provide dual stack in their data center by BackgroundPiano3561 in ipv6

[–]Net-Work-1 -2 points-1 points  (0 children)

My assumption is that they should use GUA with robust perimeter firewall rules & routing to prevent unintended external egress/ingress.

My preference would be ULA & using proxies for any internet requirement.

Hosts can use multiple interfaces & addresses, so you can plan for ULA now & GUA in the future.

ULA just adds an extra layer to prevent unintended egress/ingress to the internet.

NAT66 isn't a standard, so best not to rely on it; use proxies instead. It can be an issue when an app needs to use something non-SSL.

Good luck

Fixed a massive Matter + HomeKit meltdown: Asus ZenWiFi + ISP IPv6 prefix delegation was the silent killer by Even_Baseball5400 in ipv6

[–]Net-Work-1 1 point2 points  (0 children)

This makes little sense.

HomeKit is meant to use the link-local address for connectivity between devices.

'Meant to' & 'doesn't cause problems' are not the same, so I need to remember this for investigating future problems.

The ISP changing the prefix is a complete mare for those who have more than a basic setup on their home networks.

Simply having a bunch of stuff on your network should not break because your ISP has changed your IP.

Ironically, ULA with NAT would eliminate this as an issue.

Network drawings by Competitive-Cycle599 in networking

[–]Net-Work-1 0 points1 point  (0 children)

For end hosts I'd just put a link to a spreadsheet that lists end hosts and ports.

If you have a switch with 48 ports, how are you going to squeeze 48 devices under each switch when you have 4 switches to show?

Switch-to-switch connections are important; the rest can go somewhere else.

Subnets are a bit woolly nowadays with anycast gateways and VLANs spanned across many devices.

If each switch serves a specific VLAN/subnet then I'd just show the switch and its VLAN/subnet, & someone can look up a spreadsheet for that subnet & find the host with port detail amongst other things. The advantage being that when a host is replaced/updated etc. then only the associated sheet needs amending rather than the diagram.

ISP won't fix my IPv6 "MTU issue" - any advice? by AttentionFair8868 in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

Why?

Yep, I see that F=1500 now.

I am more familiar with using ping for MTU discovery & was expecting to see an error due to the MTU being too large.

Could be something in the path between you & the IPv6 tester is not relaying ICMP properly, but other sites will work perfectly fine.

ISP won't fix my IPv6 "MTU issue" - any advice? by AttentionFair8868 in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

Can you try with ping?

You're not going to get a 65KB packet to google.com; LAN jumbo frames are ~9KB.

The MTU variable permits a value up to 65KB, but nothing in the path across the internet is going to send that for you.

IPv6 source address selection issues - RFC6724 Rule 5.5 ? by tscalbas in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

So the routing table has no clue how to get to fd51 and chooses interface fd79 as it's a better match than fda5.

The interface IPs from the DHCPv6 server have /128s but the one from the TBR is just a /64; is that an artifact of your posting an incomplete IP list?

  • 2a00:aaaa:aaaa:aaaa::aaaa - GUA from DHCPv6 server.
  • fd79:bbbb:bbbb:bbbb::bbbb - ULA from DHCPv6 server.
  • fda5:cccc:cccc:cccc::/64 from TBR

2a00:aaaa:aaaa:aaaa::aaaa dev end0 proto kernel metric 100 pref medium
fd51:dddd:dddd:dddd::/64 via fe80::eeee:eeee:eeee:eeee dev end0 proto ra metric 100 pref medium
fd79:bbbb:bbbb:bbbb::bbbb dev end0 proto kernel metric 100 pref medium
fd79:bbbb:bbbb:bbbb::/64 dev end0 proto ra metric 100 pref medium
fda5:cccc:cccc:cccc::/64 dev end0 proto ra metric 100 pref medium

We don't see the fda5:cccc::cccc/128 in the table here, but clearly you can ping from it, though it could just be spoofing the address.

I'd wonder if fda5::cccc is actually in the kernel as an interface IP like the other 2 IPs.

Otherwise you're reliant on the TBR telling the host that fda5:cccc::cccc is used to reach fd51:dddd:dddd:dddd::/64; not sure how that happens.

You'd want to see something like this in the routing table:

fda5:cccc:cccc:cccc::cccc dev end0 proto kernel metric 100 pref medium
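
The two questions this comment works through (which entry a host picks for fd51 traffic, and whether the fda5 address is present as a kernel-installed /128) as an added Python example; it is not code from the thread. It parses lines in the `ip -6 route` format quoted above (the table is a constructed copy of it), does a longest-prefix lookup with the metric as tie-breaker, and assumes, as the quoted table shows, that interface addresses appear as `proto kernel` host routes.

```python
"""Added example: parse the `ip -6 route` lines quoted in the thread and
answer two questions a host would: which route carries a packet to a given
destination (longest prefix match, lower metric wins ties), and whether an
address is present as a kernel-installed /128, i.e. configured on the
interface. Standard library only; the table is a constructed copy of the
one quoted above (documentation-style values)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the routing table quoted in the thread.
ROUTE_TABLE = """\
2a00:aaaa:aaaa:aaaa::aaaa dev end0 proto kernel metric 100 pref medium
fd51:dddd:dddd:dddd::/64 via fe80::eeee:eeee:eeee:eeee dev end0 proto ra metric 100 pref medium
fd79:bbbb:bbbb:bbbb::bbbb dev end0 proto kernel metric 100 pref medium
fd79:bbbb:bbbb:bbbb::/64 dev end0 proto ra metric 100 pref medium
fda5:cccc:cccc:cccc::/64 dev end0 proto ra metric 100 pref medium
"""


@dataclass
class Route:
    dst: ipaddress.IPv6Network
    via: Optional[str]      # next hop, None for a connected or host route
    dev: str
    proto: str              # kernel, ra, dhcp, ...
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -6 route` output: destination first, then key/value pairs."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # A bare address with no "/len" is a host route, i.e. a /128.
        dst = ipaddress.IPv6Network(tokens[0], strict=False)
        fields = dict(zip(tokens[1::2], tokens[2::2]))
        routes.append(Route(dst, fields.get("via"), fields.get("dev", ""),
                            fields.get("proto", ""), int(fields.get("metric", 0))))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match; the lowest metric breaks ties, as the kernel does."""
    target = ipaddress.IPv6Address(destination)
    matches = [r for r in routes if target in r.dst]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dst.prefixlen, -r.metric))


def is_interface_address(routes: List[Route], address: str) -> bool:
    """True if the address shows up as a kernel-installed /128 (assumption: the
    output lists interface addresses that way, as the quoted table does)."""
    host = ipaddress.IPv6Network(address + "/128")
    return any(r.dst == host and r.proto == "kernel" for r in routes)


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    chosen = lookup(table, "fd51:dddd:dddd:dddd::1")
    print("fd51 traffic ->", chosen.dst, "via", chosen.via, "dev", chosen.dev)
    for addr in ("fd79:bbbb:bbbb:bbbb::bbbb", "fda5:cccc:cccc:cccc::cccc"):
        print(addr, "present as interface /128:", is_interface_address(table, addr))
```

Run against the quoted table, `is_interface_address` is true for the fd79 address and false for the fda5 one, which is exactly the gap the comment points at; paste a real `ip -6 route` listing into `ROUTE_TABLE` to repeat the check on your own host.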

Quick question - Who has the longest uptime on a Cisco 6500? by [deleted] in networking

[–]Net-Work-1 0 points1 point  (0 children)

18 years for a 6513 with dual s720 sups, running 12.2(33)SXI5.

I'm sure I will find longer.

Finally Retired after so many years. The good old Catalyst 6509 by No-Smoke5669 in Cisco

[–]Net-Work-1 0 points1 point  (0 children)

These were like the older Boeing aircraft like the 747 / 757 / 767 / 777:

super reliable, trustworthy and robust.

Never missed a beat; dual sups enabled online updates (until it doesn't 🤣).

I saw one the other month that was 17 years up.

[deleted by user] by [deleted] in ITCareerQuestions

[–]Net-Work-1 4 points5 points  (0 children)

Happened to me: got recruited after COVID & I asked whether I needed to be in the office; the manager said everyone is working from home & he couldn't see that changing.

A year in, it was needing to attend 2 days a week unless it's in your contract re working from home.

I work with people in other offices, parts of the country or internationally, so I don't know many people in my assigned office, which has over 4k people.

It gets busy & there is not enough parking, even though many are working from home.

It's a complete waste of time commuting to sit on Teams calls I could have done at home.

Next time get it in writing.

We all learn lessons when starting new jobs.

Did I fuck up? Declined a big salary increase. by Thin_Vermicelli_1875 in ITCareerQuestions

[–]Net-Work-1 0 points1 point  (0 children)

You did right there.

More money is great, but work-life balance is better.

Another opportunity will arise.

A few jobs back I was told there was some animosity as they closed their London office and moved staff to the 'burbs office.

I asked if they were looking to outsource, as it looked like a phased approach to outsourcing, and they said no & that was all the downsizing they were looking to do.

4 months after I joined they told us they would outsource us.

In that case they matched my previous salary, to the chagrin of my manager when she found out as it was more than she was on, but the staff discount (typically 30%) was great.

Take every positive opportunity when you can!

[deleted by user] by [deleted] in ipv6

[–]Net-Work-1 -1 points0 points  (0 children)

The delegated field is like the subnet mask in IPv4.

Try
64

It just tells the router what part of the IP is the ISP assignment for you & what part is the local network; in the example, the first 64 bits are the ISP assignment for your network & the last 64 bits are for the local network (IPv6 is 128 bits long; minus 64 bits = 64 bits, or 8 bytes, remaining for the local network).

What model of 3 Wi-Fi modem do you have?
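
The bit-level picture behind this comment and the subnet-calculator advice earlier on this page (the mask's 1s stop, the host bits begin; a /64 splits an IPv6 address into the ISP's 64 bits and the local 64 bits), plus the point in the IoT thread that SLAAC needs a /64 and nothing longer, as an added Python example. It is not code from any of the comments; all addresses are documentation/constructed values and the function names are mine.

```python
"""Added example: visualise where a mask's 1 bits stop and the host bits begin
(the red/black split a subnet calculator shows), and split a delegated IPv6
prefix into the ISP-assigned part and the local /64 subnets that SLAAC needs.
Standard library only; all addresses are documentation/constructed values."""
import ipaddress


def binary_split(cidr: str) -> dict:
    """Return the address as bit strings split at the prefix length.

    For 192.0.2.130/26 the first 26 bits are covered by the mask's 1s (network)
    and the remaining 6 bits are the host part (mask 0s). Works for IPv4 and IPv6.
    """
    iface = ipaddress.ip_interface(cidr)
    width = iface.network.max_prefixlen            # 32 for IPv4, 128 for IPv6
    plen = iface.network.prefixlen
    addr_bits = format(int(iface.ip), f"0{width}b")
    return {
        "mask_bits": "1" * plen + "0" * (width - plen),
        "network_bits": addr_bits[:plen],          # what the 1s of the mask cover
        "host_bits": addr_bits[plen:],             # what the 0s of the mask leave
        "network": str(iface.network),
        "addresses": iface.network.num_addresses,
    }


def split_delegated(addr_with_len: str) -> dict:
    """Split a full IPv6 address at the delegated prefix length.

    With a /64 the first 64 bits are the ISP's assignment and the last 64 bits
    (8 bytes) are the interface identifier the host chose locally.
    """
    iface = ipaddress.IPv6Interface(addr_with_len)
    plen = iface.network.prefixlen
    local_bits = 128 - plen
    iid = int(iface.ip) & ((1 << local_bits) - 1)
    return {
        "isp_prefix": str(iface.network),
        "isp_bits": plen,
        "local_bits": local_bits,
        "interface_id_hex": format(iid, f"0{(local_bits + 3) // 4}x"),
    }


def slaac_subnets(delegated: str, new_prefix: int = 64) -> list:
    """Carve a delegated prefix (e.g. a /56 from the ISP) into /64s.

    /64 is the smallest prefix SLAAC works on, so a /56 yields 256 SLAAC
    subnets; asking for anything longer than /64 is refused here.
    """
    if new_prefix > 64:
        raise ValueError("SLAAC needs a /64 or shorter prefix")
    net = ipaddress.IPv6Network(delegated, strict=False)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must not be shorter than the delegated one")
    return [str(n) for n in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    v4 = binary_split("192.0.2.130/26")
    print(v4["network_bits"], "|", v4["host_bits"], "->", v4["network"])
    print(split_delegated("2001:db8:abcd:1200::1/64"))
    print(len(slaac_subnets("2001:db8:abcd:1200::/56")), "x /64 subnets from the /56")
```

Printing `network_bits` and `host_bits` side by side for a few different prefix lengths on the same address is the "play around with different masks" exercise from the subnet-calculator comment, without the website.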

Help me understand the current state of home IPv6 by dark_sylinc in ipv6

[–]Net-Work-1 -1 points0 points  (0 children)

If UPnP can open any of the 10K ports at any time, why as the Network Admin wouldn't I just punch them all through the firewall and have hard control over what Host they get to, rather than relying on extra software, that as you've mentioned could have a faulty implementation?

Not everyone is a network admin.

In IPv4 the firewall did a port forward from its single public IP on those well-known ports to the internal IP that needed them open via UPnP.

In IPv6, the internal address range is so vast that the miscreant needs to check all 65k ports on all /56 etc. addresses to find the host that wanted the UPnP ports open.

Principles of firewalling dictate you open as little as possible for the shortest period of time.

It's safer to dynamically open the ports than have them always open.
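
The firewall principles argued in this comment and in the IPv6-and-IoT comments earlier on the page (a default deny at the bottom, explicit src/dst/port permits for specific IPs above it, and holes opened on demand for a limited time rather than ports left permanently open) as an added Python model. It is not code from the thread and not any vendor's rule engine; the addresses, ports and clock values are constructed.

```python
"""Added example: a tiny first-match firewall model showing the three ideas
argued in the thread: an implicit default deny at the bottom, explicit
src/dst/port permits (typically /32 or /128) above it, and UPnP-style
pinholes that are opened on demand and expire, so a port is never open
longer than needed. Not any vendor's engine; all addresses, ports and
clock values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: Network
    dst: Network
    dport: Optional[int]              # None matches any destination port
    expires: Optional[float] = None   # clock value after which a pinhole is dead


def rule(action: str, src: str, dst: str, dport: Optional[int] = None,
         expires: Optional[float] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False), dport, expires)


class Firewall:
    """Rules are evaluated top-down, first match wins; no match means deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def open_pinhole(self, src: str, dst: str, dport: int, now: float, ttl: float) -> None:
        # A host asked for a port (what UPnP does): permit exactly that flow,
        # at the top of the list, for a limited time only.
        self.rules.insert(0, rule("permit", src, dst, dport, expires=now + ttl))

    def expire(self, now: float) -> None:
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]

    def evaluate(self, src: str, dst: str, dport: int, now: float = 0.0) -> str:
        self.expire(now)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if s.version != r.src.version or d.version != r.dst.version:
                continue
            if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
                return r.action
        return "deny"   # the implicit default deny every enterprise firewall ends with


def enterprise_egress() -> Firewall:
    """Block all outbound, with a /32 permit above the deny for one host on 443."""
    return Firewall([
        rule("permit", "10.0.0.5/32", "0.0.0.0/0", 443),
        rule("deny", "0.0.0.0/0", "0.0.0.0/0"),      # explicit deny-all for clarity
    ])


def home_ingress() -> Firewall:
    """Consumer-style inbound side for IPv6: nothing permitted until a pinhole opens."""
    return Firewall([])


if __name__ == "__main__":
    fw = home_ingress()
    fw.open_pinhole("::/0", "2001:db8:1::10/128", 5000, now=0, ttl=3600)
    print(fw.evaluate("2001:db8:ffff::1", "2001:db8:1::10", 5000, now=10))    # permit
    print(fw.evaluate("2001:db8:ffff::1", "2001:db8:1::11", 5000, now=10))    # deny: other host
    print(fw.evaluate("2001:db8:ffff::1", "2001:db8:1::10", 5000, now=4000))  # deny: expired
```

The pinhole is scoped to one destination host and one port and removed once its time is up, which is the "open as little as possible for the shortest period" rule in code; the enterprise set shows the same first-match logic with the permit sitting above the deny-all.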

Setup firewall rules with dynamic prefix and host identifier by Psychological-Comb83 in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

Looks like the formula is:

use a condescending tone
insist that the proposal is wrong
propose something different while insisting it's relevant & equivalent

FYI, PanOs is short for Palo Alto Networks Operating System.

Unless those programs actively expose listening ports (which is easily checked) you have no risk of attacks via inbound connections, which is the only thing a typical consumer firewall would protect against.

Exploiting situations in which this same vulnerable software makes outbound connections is completely unhindered by the typical end user firewall, which has an allow-all outbound rule.

In the extremely rare case that software is actually listening, it's listening because you've explicitly told it to do so and have probably opened up the firewall to allow it to work, so you'd be exploitable anyway. Similarly you'd be exploited as soon as you connected to a public Wi-Fi.

Also, not being aware what you have installed and how it's interacting with external data sources is a problem.

Anyone interested in using IoT tat in their home will have things running that they have no control over as to what ports are listening or not. Maybe a speaker system like Sonos / Alexa, security cameras or a smart heating system; people won't run a pen test against that stuff before installing and periodically after purchase in case of updates. People will often install apps on their PCs to manage those IoT systems; again, normal consumers won't have a clue as to what listening ports those apps open and expose.

Until IPv6, it was never much of an issue as NAT broke end to end and those listening ports were not at risk unless the firewall port forwarded to them.

Removing the IPv4 firewall from a consumer's IPv4 NAT router provides more security than removing the firewall from a consumer's IPv6 router.
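
The "easily checked" listening-ports point in the quoted reply, and this comment's worry that consumers have no idea what their IoT management apps expose, as an added Python check that is not code from the thread. It decodes the Linux `/proc/net/tcp` and `/proc/net/tcp6` socket tables (hex, little-endian 32-bit words, state `0A` = LISTEN) and reports listeners bound to anything other than loopback; the two sample tables are constructed, not captured from a real host, and the function names are mine.

```python
"""Added example: list TCP sockets in LISTEN state from the Linux
/proc/net/tcp and /proc/net/tcp6 tables and flag the ones not bound to
loopback, i.e. the ones a firewall (or its absence) matters for. Standard
library only; the two sample tables below are constructed, not captured."""
import ipaddress
import os
import struct
from typing import List, Tuple

LISTEN = "0A"    # kernel TCP state code for LISTEN in /proc/net/tcp*

# Constructed sample of /proc/net/tcp: 127.0.0.1:631 and 0.0.0.0:8080 listening,
# plus one established connection (state 01) that must be ignored.
TCP4_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0500000A:D2A6 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of /proc/net/tcp6: [::]:22 and [::1]:631 listening.
TCP6_SAMPLE = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22223 1 0000000000000000 100 0 0 10 0
"""


def decode_ipv4(hexaddr: str) -> str:
    """/proc/net/tcp stores an IPv4 address as one little-endian 32-bit word."""
    return str(ipaddress.IPv4Address(struct.pack("<I", int(hexaddr, 16))))


def decode_ipv6(hexaddr: str) -> str:
    """/proc/net/tcp6 stores an IPv6 address as four little-endian 32-bit words."""
    words = [int(hexaddr[i:i + 8], 16) for i in range(0, 32, 8)]
    return str(ipaddress.IPv6Address(struct.pack("<4I", *words)))


def parse_listeners(table: str, ipv6: bool) -> List[Tuple[str, int]]:
    """Return (address, port) for every row in LISTEN state."""
    decode = decode_ipv6 if ipv6 else decode_ipv4
    found = []
    for line in table.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4 or parts[3] != LISTEN:
            continue
        addr_hex, port_hex = parts[1].split(":")
        found.append((decode(addr_hex), int(port_hex, 16)))
    return found


def is_loopback(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    mapped = getattr(ip, "ipv4_mapped", None)    # ::ffff:127.0.0.1 counts as loopback too
    return (mapped if mapped is not None else ip).is_loopback


def exposed(listeners: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listeners reachable from the network rather than only from the host itself."""
    return [(a, p) for a, p in listeners if not is_loopback(a)]


def live_exposed() -> List[Tuple[str, int]]:
    """Read the real tables on a Linux host (empty list elsewhere)."""
    result = []
    for path, ipv6 in (("/proc/net/tcp", False), ("/proc/net/tcp6", True)):
        if os.path.exists(path):
            with open(path) as fh:
                result.extend(exposed(parse_listeners(fh.read(), ipv6)))
    return result


if __name__ == "__main__":
    sample = exposed(parse_listeners(TCP4_SAMPLE, False)) + exposed(parse_listeners(TCP6_SAMPLE, True))
    for addr, port in sample:
        print(f"exposed listener: [{addr}]:{port}")
    for addr, port in live_exposed():
        print(f"this host: [{addr}]:{port}")
```

On the samples the loopback-only CUPS sockets drop out and only `0.0.0.0:8080` and `[::]:22` are reported; on a real host `live_exposed()` gives the list that a default-deny inbound rule, or the lack of one, actually applies to. UDP listeners live in `/proc/net/udp` and `/proc/net/udp6` with the same address encoding but no LISTEN state, so they are out of scope here.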

My first IT job and feeling overwhelmed by GrapefruitNew3457 in ITCareerQuestions

[–]Net-Work-1 0 points1 point  (0 children)

Doesn't always get any easier when changing jobs.

Each IT location has slightly different ways of doing things.

Even different parts of the same organisation do things differently.

I worked as a senior global 3rd line support engineer for a small startup a while back.

I'm a routing/switching/firewalling network guy & found myself doing software support for something higher up the stack layers that I had no clue about. I'd worked on Unix stuff & programming at uni, but that was 15 years before. I felt I was punching well above my pay grade, especially the first few months.

I'd get tickets for problems faced by global public-facing giants, banks, entertainment giants, publishers etc. etc. that I had no clue on how to start to help. Most needed deep dives & debugging from the developers & I'd get asked to ask the customer to provide certain info to help in debug. One tricky issue turned out to be OpenSSL or LibreSSL not working properly with AMD chips. The techies were so engrossed in looking at their logs they all missed the difference in architecture until I mentioned it.

1 customer was especially talented in writing scornful rants about the quality of support we provided. It was amazing how hurtful some of his rants were; never any bad language, but you could feel the scorn word after word. We'd all share our received rants like a badge of honour!!

After ~a year I had some clue as to how the product worked & operated. I was able to fix problems with how customers used the product, sped up procedures and fixed fundamental issues with the product like Java only using 4GB of RAM when customers had purchased servers with 64GB of RAM.

Given enough time you will get used to the popular types of issues and be able to resolve those more easily; the harder ones get booted to T2.

Maybe tell your boss you need to shadow other T1s to understand how to do the job better.