IPv6 Communication Between Service Engines and Controllers

Overview

NSX Advanced Load Balancer supports both IPv6 and IPv4 network infrastructure for the data plane, while the management plane has been dependent on IPv4 network infrastructure. With increased adoption of IPv6 in traditional networks and modern infrastructure, enterprises are moving to hybrid (IPv4 + IPv6) Layer 3 networks.

With version 22.1.3, NSX Advanced Load Balancer supports IPv6 configuration for its Controllers and for connectivity between Controllers and Service Engines. This support enables IPv6 communication between the control plane and the data plane as an option.

For more details, see IPv6 Management Plane Support.

This article provides the workflows to enable IPv6 communication between Service Engines and Controllers for the following cloud use cases:

  • Write access vCenter Cloud

  • No access Service Engine in vCenter

Workflow 1: IPv6 Enabled Controller

The following workflow explains the steps to configure Controllers with an IPv6 interface and enable IPv6 communication to the control plane. Follow this workflow to configure an IPv6 interface on the Controller and to use that interface for IPv6 connectivity to the Service Engine:

  1. Create the Controller.
  2. Add an additional network adapter on all the Controller nodes from vCenter configuration.
    Notes:
    • Ensure that each Controller node is powered off before the NIC is added, and power it back on afterwards.
    • In case of a cluster setup, do this sequentially, one node at a time.
  3. Configure IPv6 addresses for the controller interfaces using the controller cluster configuration.
    Notes:
    • Starting with NSX Advanced Load Balancer version 22.1.3, interface configuration under cluster node supports IPv6 fields in addition to IPv4 fields.
    • Configure ip6, mode6 and gateway6 instead of ip, mode and gateway for the IPv6 configuration of secondary interfaces (non-eth0).
  4. Move the SE_SECURE_CHANNEL label to the IPv6 interface from eth0.
  5. Form a cluster with 3 nodes.

Notes:

  • You can complete step 5 before steps 3 and 4 as well. That is, form the cluster, followed by configuring IPv6 interface details on all the 3 nodes at once from the leader.

  • Moving the SE_SECURE_CHANNEL label is possible only if there are no SEs connected to the Controller.

After configuring the cluster for IPv6, the cluster configuration appears as shown below:


[admin:1234]: > show cluster
+-----------------+----------------------------------------------+
| Field           | Value                                        |
+-----------------+----------------------------------------------+
| uuid            | cluster-38d7ba17-e356-431c-8778-0c1cd94c2fd7 |
| name            | cluster-0-1                                  |
| nodes[1]        |                                              |
|   name          | 100.65.8.152                                 |
|   ip            | 100.65.8.152                                 |
|   vm_uuid       | 0000004bef8c                                 |
|   vm_mor        | vm-39057                                     |
|   vm_hostname   | node1.controller.local                       |
|   interfaces[1] |                                              |
|     if_name     | eth0                                         |
|     mac_address | 00:00:00:4b:ef:8c                            |
|     mode        | STATIC                                       |
|     ip          | 100.65.8.152/20                              |
|     gateway     | 100.65.15.254                                |
|     labels[1]   | MGMT                                         |
|     labels[2]   | HSM                                          |
|   interfaces[2] |                                              |
|     if_name     | eth1                                         |
|     mac_address | 00:00:00:43:fd:ac                            |
|     labels[1]   | SE_SECURE_CHANNEL                            |
|     mode6       | STATIC                                       |
|     ip6         | 2402:740:0:412::152/64                       |
+-----------------+----------------------------------------------+
[admin:12342]: 
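
The check below is an added example, not part of the original article or the product. It parses the show cluster table shown above and reports any node where the SE_SECURE_CHANNEL label is not on exactly one interface that has ip6 and mode6 set. The sample text, the function names and the one-interface rule are assumptions made for this illustration, based on the static IPv6 configuration the article shows.

```python
import ipaddress
import re

# Constructed sample: one node, trimmed from the `show cluster` output above.
SAMPLE = """\
| nodes[1]        |                        |
|   name          | 100.65.8.152           |
|   interfaces[1] |                        |
|     if_name     | eth0                   |
|     labels[1]   | MGMT                   |
|   interfaces[2] |                        |
|     if_name     | eth1                   |
|     labels[1]   | SE_SECURE_CHANNEL      |
|     mode6       | STATIC                 |
|     ip6         | 2402:740:0:412::152/64 |
"""
ROW = re.compile(r"^\|\s*([\w\[\]]+)\s*\|\s*(.*?)\s*\|\s*$")

def parse_nodes(text):
    """Rebuild nodes -> interfaces -> fields from the CLI table rows."""
    nodes = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        key, value = m.groups()
        if key.startswith("nodes["):
            nodes.append({"interfaces": []})
        elif not nodes:
            continue  # header row and cluster-level fields (uuid, name)
        elif key.startswith("interfaces["):
            nodes[-1]["interfaces"].append({"labels": []})
        elif not nodes[-1]["interfaces"]:
            nodes[-1][key] = value  # node-level field such as name or ip
        elif key.startswith("labels["):
            nodes[-1]["interfaces"][-1]["labels"].append(value)
        else:
            nodes[-1]["interfaces"][-1][key] = value
    return nodes

def check_secure_channel(nodes, label="SE_SECURE_CHANNEL"):
    """Return findings; empty means each node has the label on one IPv6 interface (assumed rule)."""
    findings = []
    for node in nodes:
        holders = [i for i in node["interfaces"] if label in i["labels"]]
        try:
            ok = len(holders) == 1 and ipaddress.ip_interface(holders[0].get("ip6", "")).version == 6
        except ValueError:
            ok = False  # label sits on an interface with no parsable ip6 value
        if not ok or "mode6" not in holders[0]:
            findings.append(f"{node.get('name')}: {label} on {[i.get('if_name') for i in holders]}")
    return findings
```

Paste the full CLI output into parse_nodes in place of SAMPLE; border and prompt lines are ignored by the row pattern.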

Workflow 2: No-Access Service Engines with IPv6 Management

After deploying the Avi Controller with IPv6 interfaces and moving the label to use IPv6 management, follow the workflow below to bring up the no-access Service Engines with an IPv6 management IP.

Configure the secondary interfaces on Controllers as mentioned in the workflow above and then use that IP address in the vCenter property (AVI_CTRL) for Controller IP to enable the SE to connect to the Controller using the steps below:

  1. Download the SE.OVA and deploy the Service Engine in no-access mode.
  2. In the Deploy OVA template wizard, when prompted for management IP addresses and gateway, configure the following fields:
    • avi.mgmt-ip-v6.SE: Management Interface IPv6 Address
    • avi.mgmt-mask-v6.SE: Management Interface IPv6 Subnet Mask
    • default-gw-v6.SE: The Default IPv6 Gateway for the Service Engine
      Note: The aforementioned fields are available in the Service Engine OVA properties starting with NSX Advanced Load Balancer version 22.1.3.

If these OVF properties are left blank, the Service Engine tries to acquire an IPv6 address based on the Router Advertisements for the network.
Note: Service Engines can be dual stack as well for management IP.

Workflow 3: Write Access Service Engines with IPv6 Management

After deploying the Avi Controller with IPv6 interfaces and moving the SE_SECURE_CHANNEL label to use IPv6 management, create the write access cloud with type vCenter. Service Engine deployment is taken care of by the Controller automatically. You can create a virtual service for the write access cloud, and this triggers a Service Engine creation.

Notes:

  • Write access Service Engines try to acquire both an IPv6 and an IPv4 address when the Controller’s secondary interface has an IPv6 address with the label enabled for IPv6 communication.

  • The Controller provides its IP when Service Engines are being created. The order of precedence for choosing the Controller IP that the Service Engine obtains, that is, the Controller IP used to communicate with the Service Engine, is as follows:

    • Secondary Interface IP with SE_SECURE_CHANNEL label
    • Public IP of the Controller
    • Cluster VIP
    • Leader Management IP

Caveat

IPv6 IPAM is not currently supported for the SE management network.