
The setup:

We are an apartment complex with approximately 1700 units. Every apartment has internet with an ethernet plug in each. The network has 60 HP 2910al-48G switches connected to a central HP 5412 core switch.

The tenants can plug their PC directly into the network, or they can buy their own home gateway and plug that in. Tenants also have the option of using a dumb L2 switch to connect multiple PCs. Some tenants have a SIP phone with a built-in 2-port switch.

The problem:

We want to provide IPv4 and IPv6 with L2 separation between apartments. We want to avoid sharing a VLAN between multiple apartments. We want to avoid broadcast chatter between apartments. For example, Windows PCs should not automatically discover any devices at your neighbor's.

Due to the IPv4 exhaustion issue, we can not allocate a full IPv4 subnet to each apartment. We do not wish to deploy NAT.

We want to allocate a unique /64 IPv6 subnet to each apartment. Additionally, we want to provide /60 subnets to home gateways that request them through DHCPv6 prefix delegation.

How to configure a DHCP/DHCPv6 server is outside the scope of this question. This is only about how to configure the switches. But assume the DHCP server can run scripts as a trigger on address assignments and other events.

It has been suggested that we should configure a unique VLAN for each apartment, then deploy a static IPv6 /64 subnet on each VLAN. Should the 5412 or the 2910s do the routing? How do the switches learn about /60 routes allocated by DHCPv6-PD?

Assume RIPE allocated a /21 (2048 addresses) IPv4 subnet. The problem is to assign single addresses throughout all 1700 VLANs.

It has been suggested that we use the proxy-arp option. This would allow us to use the whole /21, using host routes to send traffic to the proper port. Proxy-arp solves the case where one tenant sends packets to another tenant.

How do the switches learn about host routes? The DHCP server assigns an address to a device on a port and as a consequence the switch needs to configure a route.

user894000
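The "DHCP server assigns an address, switch installs a host route" step above, as an added example that is not part of the original question or the HP gear it describes. It is a Python handler meant to run on the DHCP/DHCPv6 server's lease hooks, keeping the set of routes the core router must carry (one /32 per leased IPv4 address, one /60 per delegated IPv6 prefix, each pointing at the apartment's VLAN) and refusing anything outside the allocated blocks. The event schema, the VLAN numbering (VLAN 100 + apartment number), the 10.80.0.0/21 and 2001:db8::/32 blocks and the sample events are all constructed placeholders; the final push of each install/withdraw to the switch CLI is vendor specific and deliberately left to a separate step.

```python
"""Lease-event driven host-route controller (added example, constructed data)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_network

# Placeholders standing in for the real allocations in the question; all constructed.
IPV4_BLOCK = ip_network("10.80.0.0/21")     # stands in for the RIPE /21, one /32 per device
APT_V6_BASE = "2001:db8:0"                  # static /64 per apartment: 2001:db8:0:<apt>::/64
PD_POOL = ip_network("2001:db8:1::/48")     # pool the DHCPv6 server delegates /60s from
VLAN_BASE = 100                             # assumption: apartment n is VLAN VLAN_BASE + n
APARTMENTS = 1700


def apartment_vlan(apt: int) -> int:
    """Map an apartment number to its dedicated VLAN; reject anything outside the complex."""
    if not 1 <= apt <= APARTMENTS:
        raise ValueError(f"no such apartment: {apt}")
    return VLAN_BASE + apt


def apartment_v6(apt: int) -> IPv6Network:
    """The static /64 configured on the apartment's VLAN interface (connected, needs no route)."""
    apartment_vlan(apt)                     # validate the apartment number
    return ip_network(f"{APT_V6_BASE}:{apt:x}::/64")


@dataclass
class RouteTable:
    """Routes the core router must carry: destination network -> apartment VLAN."""
    routes: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # ("install"|"withdraw", destination, vlan)

    def _install(self, dst, vlan: int) -> None:
        old = self.routes.get(dst)
        if old == vlan:
            return                              # idempotent: re-commit of the same lease
        if old is not None:
            # The DHCP server is authoritative: a commit for another VLAN means the old
            # lease ended, so the old route is withdrawn before the new one is installed.
            self.log.append(("withdraw", str(dst), old))
        self.routes[dst] = vlan
        self.log.append(("install", str(dst), vlan))

    def _withdraw(self, dst, vlan: int) -> None:
        # Withdraw only if the route still belongs to this VLAN. A late release or expiry
        # for an address that has since been re-leased to another apartment must not pull
        # the current tenant's route.
        if self.routes.get(dst) == vlan:
            del self.routes[dst]
            self.log.append(("withdraw", str(dst), vlan))

    def handle(self, event: dict) -> None:
        """Process one lease-hook event from the DHCP/DHCPv6 server (constructed schema)."""
        kind = event["event"]
        vlan = apartment_vlan(int(event["apartment"]))
        if kind in ("commit4", "release4"):
            dst = IPv4Network(f"{event['address']}/32")         # rejects non-IPv4 input
            if not dst.subnet_of(IPV4_BLOCK):
                raise ValueError(f"{dst} is outside {IPV4_BLOCK}; refusing to route it")
        elif kind in ("commit6pd", "release6pd"):
            dst = IPv6Network(event["prefix"])                  # strict: host bits must be zero
            if dst.prefixlen != 60 or not dst.subnet_of(PD_POOL):
                raise ValueError(f"{dst} is not a /60 from {PD_POOL}")
        else:
            raise ValueError(f"unknown event {kind!r}")
        if kind.startswith("commit"):
            self._install(dst, vlan)
        else:
            self._withdraw(dst, vlan)


def apply_events(events) -> RouteTable:
    """Replay lease events in order and return the resulting route table."""
    table = RouteTable()
    for ev in events:
        table.handle(ev)
    return table


# Constructed sample events, in the order a DHCP server would fire its hooks.
SAMPLE_EVENTS = [
    {"event": "commit4",   "apartment": 12, "address": "10.80.3.7"},
    {"event": "commit6pd", "apartment": 12, "prefix": "2001:db8:1:120::/60"},
    {"event": "release4",  "apartment": 13, "address": "10.80.3.7"},   # stale release: ignored
    {"event": "commit4",   "apartment": 12, "address": "10.80.3.7"},   # same lease again: no-op
    {"event": "release4",  "apartment": 12, "address": "10.80.3.7"},
]

if __name__ == "__main__":
    t = apply_events(SAMPLE_EVENTS)
    for action in t.log:
        print(action)
    print("remaining routes:", {str(k): v for k, v in t.routes.items()})
```

The `log` is the list of changes to translate into your router's static-route commands; because the table is keyed on the destination and checks ownership on withdraw, replaying the same hooks twice, or out of order after a server restart, converges on the same routes. Note that this only answers "how does the router learn the routes"; the L2 side (one VLAN per apartment, or the private-VLAN approach in the answer below) still has to stop a tenant from answering ARP for a neighbour's address on the shared segment.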

1 Answer

At layer 2, what you're looking for is network isolation between apartments: effectively, each port on your switches should be able to communicate with the upstream router, but not directly with any other ports. This is exactly the case that private VLANs were designed for. (Warning: the link is Cisco-tailored content, but the general concept is applicable to ProCurve gear.) Effectively, you put every access port in a single VLAN and mark it as an isolated private VLAN. The upstream port is then marked as a primary/promiscuous port, and you've established what you're looking for at layer 2.

This gets more complicated when you move up the stack, however. It sounds like you're considering using the access switches as layer 4 devices acting as the default router. I'm not familiar enough with the L3/L4 capabilities of these devices to speak to how this will work, and more specifically how having the access switch act as a router will interact with the PVLAN implementation above. It'll probably be simpler to use the 5412 as the L4 router and keep the 2910s as pure L2 devices, for simplicity.

natacado