With the latest release for VMware NSX-T Data Center 2.4, we announced the support for IPv6. Since the advent of IPv4 address space exhaustion, IPv6 adoption has continued to increase around the world. A quick look at the Google IPv6 adoption statistics proves the fact that IPv6 adoption is ramping up. With the advances in IoT space and explosion in number of endpoints (mobile devices), this adoption will continue to grow. IPv6 increases the number of network address bits from its predecessor IPv4 from 32 to 128 bits, providing more than enough globally unique IP addresses for global end-to-end reachability. Several government agencies mandate use of IPv6. In addition to that, IPv6 also provides operational simplification.
NSX-T Data Center 2.4 release introduces the dual stack support for the interfaces on a logical router (now referred as Gateway). You can now leverage all the goodness of distributed routing or distributed firewall in a single tier topology or multi-tiered topology. If you are wondering what dual stack is; it is the capability of a device that can simultaneously originate and understand both IPv4 and IPv6 packets. In this blog, I will discuss the IPv6 features that are made generally available with NSX-T 2.4 Data Center.
IPv6 Addressing
Let’s start by understanding IPv6 addressing in the NSX-T Datacenter world and what kind of IPv6 addresses are supported. NSX-T Datacenter supports the following unicast IPv6 addresses:
- Global Unicast: Globally unique IPv6 address and internet routable
- Link-Local: Link specific IPv6 address and used as next hop for IPv6 routing protocols
- Unique local: Site specific unique IPv6 addresses used for inter-site communication but not routable on internet. Based on RFC4193.
The following table shows a summarized view of IPv6 unicast and multicast address types on NSX-T Datacenter components.
NSX-T Data Center 2.4 release introduces dual stack support for the interfaces on a logical router/gateway in both single tier topology and multi-tiered topology.
The diagram on the left shows a single tiered routing topology with a Tier-0 Gateway supporting dual stack on all interfaces. The diagram on the right shows a multi-tiered routing topology with a Tier-0 Gateway and Tier-1 Gateway supporting dual stack on all interfaces. You can either assign static IPv6 addresses to the workloads or use a DHCPv6 relay supported on gateway interfaces to get dynamic IPv6 addresses from an external DHCPv6 server.
In my previous blog, I explained how connectivity is provided between Tier-1 and Tier-0 Gateway in a multi-tiered topology. Each tier-0-to-tier-1 peer connection is provided a /31 subnet within the 100.64.0.0/10 reserved address space (RFC6598). Similarly, for IPv6, each tier-0-to-tier-1 peer connection is provided a /64 unique local IPv6 address from a pool i.e. fc5f:b8e2:ac6a::/48. A user has the flexibility to change this subnet range and use another subnet if desired.
IPv6 Routing
A global flag is provided to enable/disable IPv6 forwarding. It is disabled by default because of security reasons and to ensure that an upgrade from 2.3 to 2.4 release doesn’t enable link-local IPv6 address on all interfaces. The following screenshot shows how to enable IPv6 forwarding.
Let’s start with E-W routing. In my previous blog, I have discussed how NSX-T Data Center can provide optimal distributed routing for E-W traffic. If your workloads are on the same hypervisor but in different subnets, traffic doesn’t have to leave the hypervisor to get routed. This is also applicable for IPv6 workloads now, whether it’s a single tiered topology or multi-tiered topology.
Let’s validate E-W distributed routing by running traceflow between two IPv6 workloads 2001::10/64 and 2002::20/64. Both workloads are logically connected to a Tier-1 Gateway and hosted on the same hypervisor.
Notice that the packet doesn’t leave the hypervisor to get routed. Moving on, let’s look at the IPv6 routing feature set that we have introduced in this release.
Tier-0 Gateway supports following IPv6 routing features:
- Static routes with IPv6 Next-hop
- MP-eBGP with IPv4 and IPv6 address families
- Multi-hop eBGP
- IBGP
- ECMP support with static routes, EBGP and IBGP
- Outbound and Inbound route influencing using Weight, Local Pref, AS Path prepend and MED.
- IPv6 Route Redistribution
- IPv6 Route Aggregation
- IPv6 Prefix List and Route map
Tier1 Gateway supports following IPv6 routing features:
- Static routes with IPv6 Next-hop
Now, let’s understand how IPv6 routing is done in a multi-tiered topology. IPv6 routing between Tier-1 and Tier-0 Gateways are auto plumbed just like IPv4 routing. Configuring routing between Tier-1 and Tier-0 Gateway is a one-click or one API call configuration. Same is true for advertising routes from Tier-1 to Tier-0. Following diagram shows what happens in the background:
When a Tier-1 Gateway is connected to Tier-0 Gateway, management plane configures a default route (::/0) on Tier-1 Gateway with next hop IPv6 address as Router link IP of Tier-0 Gateway (fc5f:b8e2:ac6a:5000::1/64, in the following topology). To provide reachability to subnets connected to the Tier-1 Gateway, the Management Plane (MP) configures routes on the Tier-0 Gateway for all the LIFs connected to Tier-1 Gateway with a next hop IPv6 address as Tier-1 Gateway Router link IP (fc5f:b8e2:ac6a:5000::2/64, in the following topology). 2001::/64 & 2002:/64 are seen as “Tier-1 Connected” routes on Tier-0. Tier-0 Gateway can now redistribute and advertise these routes in BGP peering towards physical router.
IPv6 Security
Nearly all organizations that use NSX, leverage Micro-segmentation. Users can now enforce L2-L4 stateful distributed firewall (DFW) for IPv6 VM workloads. These firewall rules can use IPv6 addresses, IPv6 CIDR, IP Sets that include both IPv4 and IPv6 addresses and NSGroups that can include logical ports that have both IPv4 and IPv6 addresses.
Along with distributed firewall (DFW), we also support Edge firewall for IPv6 VM workloads connected to both Tier-0 and Tier-1 Gateways. This Edge firewall is a perimeter firewall that provides inter-tenant/inter-zone firewalling capability and can be used for developing PCI zones.
IPv6 Switch Security
Along with DFW and Edge firewall features for IPv6, we also support DHCPv6 guard and RA guard.
- DHCPv6 server block feature prevents unauthorized or rogue DHCPv6 servers to send DHCP reply to a VM, this is done by filtering UDP Source port 547.
- DHCPv6 client block feature prevents a VM from sending out DHCPv6 messages which are typically sent out by a DHCPv6 client, this is done by filtering UDP Source port 546.
- RA Guard feature prevents against rogue RA (Router Advertisement) generated by unauthorized routers/devices on the network.
IPv6 Operations
With NSX-T Data Center 2.4, we have enhanced existing operational tools to support IPv6. Along with enhancing CLI and UI to show IPv6 counters/statistics, we have added IPv6 support in following operational tools:
- Ping, Traceroute, Traceflow
- Port Mirroring
– IPv6 packet support to packet mirroring on all transport nodes
– Destination address in ERSPAN can be an IPv6 address
- IPFIX
– IPv6 address in flow info
– Collector IP can now be IPv6 address
- Packet capture on all TN (KVM, ESX and Edge) with IPv6 filters
Summary
NSX-T Data Center 2.4 introduces IPv6 support along with a plethora of networking and security features. This release introduces distributed routing support for E-W IPv6 and centralized routing support for N-S IPv6 traffic with static routing or BGP with all the inbound and outbound route influencing knobs. Users can now leverage NSX-T’s unique distributed firewall (DFW) functionality or Edge firewall functionality for IPv6 VM workloads available on both Tier-0 and Tier-1 Gateway. For more details, take a look at the NSX-T Data Center 2.4 release notes.
Comments
0 Comments have been added so far