As the IPv4 address pool depletes, some ISPs will not be able to provide globally routable IPv4 addresses to customers. Nevertheless, customers are likely to require access to services on the IPv4 Internet. Several technologies have been developed for providing IPv4 service over an IPv6 access network.
Geoff Huston’s projection of the evolution of the IP pool for each RIR
In ISP-level IPv4 NAT, ISPs may implement IPv4 network address translation within their networks and assign private IPv4 addresses to customers. This approach may allow customers to keep using existing hardware. Some estimates for NAT argue that US ISPs have 5-10 times the number of IPs they need in order to service their existing customers.
Deployment of IPv6 is the standards-based solution to the IPv4 address shortage. IPv6 is endorsed and implemented by all Internet technical standards bodies and network equipment vendors. It encompasses many design improvements, including the replacement of the 32-bit IPv4 address format with a 128-bit address which provides an addressing space without limitations for the foreseeable future. IPv6 has been in active production deployment since June 2006, after organized worldwide testing and evaluation in the 6bone project ceased. Interoperability for hosts using only IPv4 protocols is implemented with a variety of IPv6 transition mechanisms.
In this blog, we are going to talk about IPv6 tunneling and dual-stack for SD-WAN using Versa VOS.
IPv6 Tunneling configuration in Versa VOS SD-WAN (Dual-Stack)
You can configure the IPv6 tunneling for SD-WAN to tunnel IPv6 traffic over an SD-WAN-based IPv4 network. This configuration allows you to interconnect smaller IPv6 networks over an IPv4-based network core, giving you the ability to provide IPv6 service without having to upgrade the switches in your core network. BGP is configured to exchange routes between the IPv6 networks, and data is tunneled between these IPv6 networks by means of IPv4-based SD-WAN dynamic-tunnels.
Versa VOS now supports both IPv4 and IPv6 network addresses. It can host multiple IPv4 and IPv6 address on a single logical interface.
This includes support for IPv6 interfaces in host mode/ router mode and DHCP6 Client and Server modes.
Versa VOS supports complete IPv6 protocol stack including Neighbor Discovery protocol, Router Solicitation/Advertisement
To configure IPv6 tunneling for SD-WAN on your Versa VOS CPE:
- Configure VOS CPE Templates to support IPv6 (Static/DHCP)
- Apply Template to Devices
Example: Tunneling IPv6 Traffic over SD-WAN IPv4 Networks
This example shows how to configure the Versa VOS to tunnel IPv6 over an SD-WAN-based IPv4 network. External BGP (EBGP) is used between the customer edge (CE) and Versa VOS devices. The remote CE devices have different AS numbers for loop detection.
Requirements:
Make sure that your Versa devices are running supported version(16.1R2+). For our example, we are running VOS 20.2.1.
Overview:
This example shows you how to interconnect a two IPv6 networks over an IPv4-based SD-WAN network, giving you the ability to provide IPv6 service without having to upgrade or modify the routers in your underlay network. Multiprotocol Border Gateway Protocol (MP-BGP) is configured to exchange routes between the IPv6 networks, and data is tunneled between these IPv6 networks by means of IPv4-based SD-WAN.
In Figure 2 below, Routers CPE1 and CPE2 are dual-stack BGP routers, meaning they have both IPv4 and IPv6 stacks. The CE routers and the CPE routers connect through a link layer that can carry IPv6 traffic. The CPE routers use IPv6 on the CE router-facing interfaces and use IPv4 and SD-WAN on the core-facing interfaces. Note that one of the connected IPv6 networks could be the global IPv6 Internet.
We are using Hub and Spoke topology as shown in below diagram.
The two Branch CPE routers are linked through an MP-BGP session using IPv4 addresses. Each Versa VOS Branch router sets the next hop for the IPv6 routes advertised on this session to its own IPv4 address. Because MP-BGP requires the BGP next hop to correspond to the same address family as the network layer reachability information (NLRI), this IPv4 address needs to be embedded within an IPv6 format. The routes are advertised to the Versa Controller which acts as MP-BGP Route Reflector and it alters the next-hop before forwarding back to other clients.
The Branch CPE routers running Versa VOS can learn the IPv6 routes from the CE routers connected to them using routing protocols Routing Information Protocol OSPF3 or BGP, or through static configuration.
The VOS CPE routers have overlay clear text and encrypted tunnels routed to each other’s IPv4 addresses. The next hops use IPv4-mapped IPv6 addresses, while the Overlay IPSec tunnels use IPv4 addresses.
The VOS CPE routers always advertise IPv6 routes to each other using a label value.
When the VOS CPE1 (Branch-1) router in Figure 2 receives an IPv6 packet from the CE1 router, it performs a lookup in the IPv6 forwarding table. If the destination matches a prefix learned from the CE1 router, then no labels need to be pushed and the packet is simply sent to the CE1 router. If the destination matches a prefix that was learned from the VOS CPE2 (Branch-2) router, then the VOS CPE1 router pushes one label onto the packet and sends it to Hub router.
The Hub router will swap the label as it passes through it. When the VOS CPE2 router receives the packet, it pops this label and treats it as an IPv6 packet, performing a lookup in the IPv6 forwarding table and forwarding the packet to the CE2 router.
This example includes the following settings:
In addition to configuring the family inet6 statement on all the CE router–facing interfaces, you must also configure family inet6-vpn under bgp configuration at each SD-WAN Spoke and Hub VOS devices. Both configurations are necessary because the router must be able to process any IPv6 packets it receives on these interfaces. You should not see any regular IPv6 traffic arrive on these interfaces, but you will receive SD-WAN packets tagged with Label. Even though Label SD-WAN packets are sent in IPv4, these packets are treated as native IPv6 packets
Configurations
This section describes the values configured for each SD-WAN device to achieve dual-stack IPv4/IPv6 configuration in SD-WAN Hub and Spoke topology. We have three devices (two spokes and one hub) and you will find below the configuration related only to IPv6 because basic hub and spoke is automatically configured by Versa Secure SD-WAN templates.
VOS CPE1 [ Branch-1]
The first spoke is running VOS 20.2.1 and its hostname is SPOKE-ONE. We will display below the main components that should be configured by the user.
versa@SPOKE-ONE-cli> show configuration interfaces vni-0/1 | display set
set interfaces vni-0/1 enable true
set interfaces vni-0/1 unit 0 vlan-id 0
set interfaces vni-0/1 unit 0 enable true
set interfaces vni-0/1 unit 0 family
set interfaces vni-0/1 unit 0 family inet
set interfaces vni-0/1 unit 0 family inet address 10.1.1.1/24
set interfaces vni-0/1 unit 0 family inet6
set interfaces vni-0/1 unit 0 family inet6 address ::10:1:1:1/126
set interfaces vni-0/1 unit 0 family inet6 mode router
[ok][2020-06-13 03:54:51]
versa@SPOKE-ONE-cli>
versa@SPOKE-ONE-cli> show configuration | display set | match bgp
set routing-instances paul-lab-Control-VR protocols bgp 2 group Controllers-Group family inet6-vpn unicast
set routing-instances paul-lab-Control-VR protocols bgp 2 group Controllers-Group family inet6-vpn unicast prefix-limit-control threshold 75
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP match protocol bgp
set routing-instances paul-lab-LAN-VR policy-options redistribute-to-bgp6 Default-Policy-To-BGP6
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT match protocol direct
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action accept
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-community "8001:132 8000:1"
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-origin igp
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-local-preference 110
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP match protocol bgp
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action accept
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action set-community "8001:132 8000:1"
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action set-origin egp
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action set-local-preference 110
set routing-instances paul-lab-LAN-VR protocols bgp 3015 local-as as-number 64514
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group type external
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group import Import-From-LAN-Policy
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group export Export-To-LAN-Policy
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group neighbor ::10:1:1:2 local-as 64512
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group neighbor ::10:1:1:2 peer-as 64515
VOS CPE2 (Branch-2)
The second spoke is running VOS 20.2.1 and its hostname is SPOKE-TWO. We will display below the main components that should be configured by the user.VOS CPE2 [ Branch-2]
versa@SPOKE-TWO-cli> show configuration interfaces vni-0/1 | display set
set interfaces vni-0/1 enable true
set interfaces vni-0/1 unit 0 vlan-id 0
set interfaces vni-0/1 unit 0 enable true
set interfaces vni-0/1 unit 0 family
set interfaces vni-0/1 unit 0 family inet
set interfaces vni-0/1 unit 0 family inet address 10.2.1.1/24
set interfaces vni-0/1 unit 0 family inet6
set interfaces vni-0/1 unit 0 family inet6 address ::10:2:1:1/126
set interfaces vni-0/1 unit 0 family inet6 mode router
[ok][2020-06-13 04:21:44]
versa@SPOKE-TWO-cli>
versa@SPOKE-TWO-cli> show configuration | display set | match bgp
set routing-instances paul-lab-Control-VR protocols bgp 2 group Controllers-Group family inet6-vpn unicast
set routing-instances paul-lab-Control-VR protocols bgp 2 group Controllers-Group family inet6-vpn unicast prefix-limit-control threshold 75
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT match protocol direct
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action accept
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-community "8001:132 8000:1"
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-origin igp
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-local-preference 110
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP match protocol bgp
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action accept
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action set-community "8001:132 8000:1"
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action set-origin egp
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T4-BGP action set-local-preference 110
set routing-instances paul-lab-LAN-VR policy-options redistribute-to-bgp6 Default-Policy-To-BGP6
set routing-instances paul-lab-LAN-VR protocols bgp 3015 prefix-list Default-Route-Prefix seq 1 address-family ipv4 unicast address-mask 0.0.0.0/0
set routing-instances paul-lab-LAN-VR protocols bgp 3015 routing-peer-policy Export-To-LAN-Policy term T1-Primary action accept
set routing-instances paul-lab-LAN-VR protocols bgp 3015 routing-peer-policy Import-From-LAN-Policy term Reject-SDWAN-Routes match community "(^|,)8009:8009($|,)"
set routing-instances paul-lab-LAN-VR protocols bgp 3015 routing-peer-policy Import-From-LAN-Policy term Reject-SDWAN-Routes action reject
set routing-instances paul-lab-LAN-VR protocols bgp 3015 routing-peer-policy Import-From-LAN-Policy term Allow-All action accept
set routing-instances paul-lab-LAN-VR protocols bgp 3015 local-as as-number 64514
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group type external
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group import Import-From-LAN-Policy
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group export Export-To-LAN-Policy
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group neighbor ::10:2:1:2 local-as 64512
set routing-instances paul-lab-LAN-VR protocols bgp 3015 group LAN-group neighbor ::10:2:1:2 peer-as 64516
VOS HUB1 (HUB)
The hub is running VOS 20.2.1 and its hostname is HUB-ONE. We will display below the main components that should be configured by the user.
versa@HUB-ONE-cli> show configuration interfaces vni-0/1 | display set
set interfaces vni-0/1 enable true
set interfaces vni-0/1 unit 0 vlan-id 0
set interfaces vni-0/1 unit 0 enable true
set interfaces vni-0/1 unit 0 family
set interfaces vni-0/1 unit 0 family inet
set interfaces vni-0/1 unit 0 family inet address 10.10.1.1/24
set interfaces vni-0/1 unit 0 family inet6
set interfaces vni-0/1 unit 0 family inet6 address ::10:10:1:1/126
set interfaces vni-0/1 unit 0 family inet6 mode router
[ok][2020-06-13 04:33:08]
versa@HUB-ONE-cli>
versa@HUB-ONE-cli> show configuration | display set | match bgp
set routing-instances paul-lab-Control-VR protocols bgp 2 group Controllers-Group family inet6-vpn unicast
set routing-instances paul-lab-Control-VR protocols bgp 2 group Controllers-Group family inet6-vpn unicast prefix-limit-control threshold 75
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT match protocol direct
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action accept
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-community "8009:8010 8012:132"
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-origin igp
set routing-instances paul-lab-LAN-VR policy-options redistribution-policy Default-Policy-To-BGP6 term T2-DIRECT action set-local-preference 110
set routing-instances paul-lab-LAN-VR policy-options redistribute-to-bgp6 Default-Policy-To-BGP6
CE-1 Configuration
root@vMX-1> show configuration routing-instances CE-1 | display set
set routing-instances CE-1 instance-type virtual-router
set routing-instances CE-1 interface ge-0/0/0.0
set routing-instances CE-1 protocols bgp group ebgp type external
set routing-instances CE-1 protocols bgp group ebgp family inet6 unicast
set routing-instances CE-1 protocols bgp group ebgp peer-as 64512
set routing-instances CE-1 protocols bgp group ebgp local-as 64515
set routing-instances CE-1 protocols bgp group ebgp neighbor ::10:1:1:1
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24
set interfaces ge-0/0/0 unit 0 family inet6 address ::10:1:1:2/126
CE-2 configuration
root@vMX-2> show configuration routing-instances CE-1 | display set
set routing-instances CE-2 instance-type virtual-router
set routing-instances CE-2 interface ge-0/0/1.0
set routing-instances CE-2 protocols bgp group ebgp type external
set routing-instances CE-2 protocols bgp group ebgp family inet6 unicast
set routing-instances CE-2 protocols bgp group ebgp peer-as 64512
set routing-instances CE-2 protocols bgp group ebgp local-as 64516
set routing-instances CE-2 protocols bgp group ebgp neighbor ::10:2:1:1
set interfaces ge-0/0/1 unit 0 family inet address 10.2.1.2/24
set interfaces ge-0/0/1 unit 0 family inet6 address ::10:2:1:2/126
Verification
Confirm that the configuration is working properly by verifying that the CE Devices have connectivity; making sure that the tunnel is operating and IPv6 routes exchanged between CE routers.
Routing at CE routers
root@vMX-1> show bgp summary
Groups: 2 Peers: 2 Down peers: 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
::10:1:1:1 64512 159 153 0 0 1:07:15 Establ CE-1.inet6.0: 1/2/2/0
::10:2:1:1 64512 32 30 0 0 12:41 Establ CE-2.inet6.0: 1/2/2/0root@vMX-1> show route table CE-1.inet6.0
CE-1.inet6.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
::10:1:1:0/126 *[Direct/0] 00:02:21
> via ge-0/0/0.0
::10:1:1:2/128 *[Local/0] 00:02:32
Local via ge-0/0/0.0
::10:2:1:0/126 *[BGP/170] 00:02:14, localpref 100
AS path: 64512 64514 E, validation-state: unverified
> to ::10:1:1:1 via ge-0/0/0.0
fe80::/64 *[Direct/0] 00:02:21
> via ge-0/0/0.0
fe80::205:86ff:fe71:6a00/128
*[Local/0] 00:02:32
Local via ge-0/0/0.0
root@vMX-1> show route table CE-2.inet6.0
CE-2.inet6.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
::10:1:1:0/126 *[BGP/170] 00:03:49, localpref 100
AS path: 64512 64514 E, validation-state: unverified
> to ::10:2:1:1 via ge-0/0/1.0
::10:2:1:0/126 *[Direct/0] 00:03:51
> via ge-0/0/1.0
::10:2:1:2/128 *[Local/0] 00:04:02
Local via ge-0/0/1.0
fe80::/64 *[Direct/0] 00:03:51
> via ge-0/0/1.0
fe80::205:86ff:fe71:6a01/128
*[Local/0] 00:04:02
Local via ge-0/0/1.0
Routing at VOS CPE routers
Tunnel Status
VPN routes:
Received from Versa Controller (Route Reflector)
Sent to Versa Controller (Route Reflector)
Verify Connectivity between CE routers:
Ping CE-2 from CE-1
root@vMX-1> ping routing-instance CE-1 ::10:2:1:2
PING6(56=40+8+8 bytes) ::10:1:1:2 --> ::10:2:1:2
16 bytes from ::10:2:1:2, icmp_seq=0 hlim=61 time=5.951 ms
16 bytes from ::10:2:1:2, icmp_seq=1 hlim=61 time=4.562 ms
16 bytes from ::10:2:1:2, icmp_seq=2 hlim=61 time=4.477 ms
16 bytes from ::10:2:1:2, icmp_seq=3 hlim=61 time=5.220 ms
16 bytes from ::10:2:1:2, icmp_seq=9 hlim=61 time=4.612 ms
16 bytes from ::10:2:1:2, icmp_seq=10 hlim=61 time=4.088 ms