SD-WAN segmentation over a single overlay using IPv6
IPv6 is supported for SD-WAN segmentation over a single overlay. This allows seamless communication between IPv6 devices within virtual routing and forwarding (VRF) overlay networks, benefiting organizations transitioning to IPv6 or operating in a dual-stack environment.
Example
In this example, multiple companies (or departments of a company) share the ADVPN. Company A and company B each have two branches in two different locations. Company A's branches (A-1 and A-2) can talk to each other using the VPN shortcut, but not to company B's branches (B-1 and B-2). Likewise, company B's branches can talk to each other using the VPN shortcut, but not to company A's branches. Traffic can share the tunnels and shortcuts, but cannot be mixed up.
In this example, two spokes each have two tunnels to the hub.
- Each spoke has two VRFs behind it that can use the same IP address or subnets.
- The computers in VRF1 behind spoke 1 can talk to the computers in VRF1 behind spoke 2, but not to any of the computers in the VRF2s behind either spoke.
- The computers in VRF2 behind spoke 1 can talk to the computers in VRF2 behind spoke 2, but not to any of the computers in the VRF1s behind either spoke.
- Loopback addresses are used for communication between the spokes and the hub instead of tunnel IP addresses.
See config router bgp and config router route-map in the CLI Reference for a comprehensive list of commands.
To configure the hub:
- Configure the BGP settings:

    config router bgp
        set as 65100
        set router-id 10.200.1.1
        set keepalive-timer 5
        set holdtime-timer 15
        set ibgp-multipath enable
        set network-import-check disable
        set additional-path6 enable
        set additional-path-vpnv6 enable
        set additional-path-select6 4
        config neighbor-group
            edit "EDGEv6"
                set advertisement-interval 1
                set activate disable
                set activate-vpnv4 disable
                set capability-graceful-restart enable
                set next-hop-self-rr6 enable
                set soft-reconfiguration6 enable
                set remote-as 65100
                set update-source "vd11-lo1"
                set additional-path6 both
                set adv-additional-path6 4
                set route-reflector-client6 enable
                set route-reflector-client-vpnv6 enable
            next
        end
        config neighbor-range6
            edit 2
                set prefix6 2001::10:200:1:0/112
                set neighbor-group "EDGEv6"
            next
        end
        config network6
            edit 1
                set prefix6 2001::10:200:1:0/112
            next
        end
        config vrf6
            edit "0"
                set role pe
            next
            edit "1"
                set role ce
                set rd "1:1"
                set export-rt "1:1"
                set import-rt "1:1"
            next
            edit "2"
                set role ce
                set rd "2:1"
                set export-rt "2:1"
                set import-rt "2:1"
            next
        end
    end
- Configure the IPsec phase 1 interface settings:

    config vpn ipsec phase1-interface
        edit "p1"
            set type dynamic
            set interface "vd11-vlan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set exchange-ip-addr6 2001::10:200:1:1
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set dpd on-idle
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-sender enable
            set encapsulation vpn-id-ipip
            set psksecret **********
            set dpd-retryinterval 60
        next
        edit "p111"
            set type dynamic
            set interface "vd11-vlan111"
            set ike-version 2
            set peertype any
            set net-device disable
            set exchange-ip-addr6 2001::10:200:1:1
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set dpd on-idle
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-sender enable
            set encapsulation vpn-id-ipip
            set psksecret **********
            set dpd-retryinterval 60
        next
    end
- Configure the IPsec phase 2 interface settings:

    config vpn ipsec phase2-interface
        edit "p1-v6"
            set phase1name "p1"
            set proposal aes128-sha1
            set replay disable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
        edit "p111-v6"
            set phase1name "p111"
            set proposal aes128-sha1
            set replay disable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
    end
To configure a spoke:
- Configure the BGP settings:

    config router bgp
        set as 65100
        set router-id 10.200.1.100
        set keepalive-timer 5
        set holdtime-timer 15
        set ibgp-multipath enable
        set additional-path6 enable
        set additional-path-vpnv6 enable
        set recursive-next-hop enable
        set tag-resolve-mode merge
        set graceful-restart enable
        set additional-path-select6 4
        config neighbor
            edit "2001::10:200:1:1"
                set advertisement-interval 1
                set activate disable
                set activate-vpnv4 disable
                set capability-dynamic enable
                set capability-graceful-restart6 enable
                set capability-graceful-restart-vpnv6 enable
                set soft-reconfiguration6 enable
                set remote-as 65100
                set route-map-in6 "tag"
                set route-map-in-vpnv6 "tag"
                set connect-timer 10
                set update-source "vd2-lo1"
                set additional-path6 both
                set additional-path-vpnv6 both
            next
        end
        config network6
            edit 1
                set prefix6 2001:22::/64
            next
            edit 2
                set prefix6 2001::10:200:1:100/128
            next
        end
        config vrf6
            edit "0"
                set role pe
            next
            edit "1"
                set role ce
                set rd "1:1"
                set export-rt "1:1"
                set import-rt "1:1"
            next
            edit "2"
                set role ce
                set rd "2:1"
                set export-rt "2:1"
                set import-rt "2:1"
            next
        end
    end
- Configure the IPsec phase 1 interface settings:

    config vpn ipsec phase1-interface
        edit "vd2-1"
            set interface "vd2-vlan12"
            set ike-version 2
            set peertype any
            set net-device enable
            set exchange-ip-addr6 2001::10:200:1:100
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-receiver enable
            set encapsulation vpn-id-ipip
            set remote-gw 11.1.1.11
            set psksecret **********
        next
        edit "vd2-2"
            set interface "vd2-vlan112"
            set ike-version 2
            set peertype any
            set net-device enable
            set exchange-ip-addr6 2001::10:200:1:100
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-receiver enable
            set encapsulation vpn-id-ipip
            set remote-gw 111.1.1.11
            set psksecret **********
        next
    end
- Configure the IPsec phase 2 interface settings:

    config vpn ipsec phase2-interface
        edit "vd2-1-6"
            set phase1name "vd2-1"
            set proposal aes128-sha1
            set dhgrp 5
            set replay disable
            set auto-negotiate enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
        edit "vd2-2-6"
            set phase1name "vd2-2"
            set proposal aes128-sha1
            set dhgrp 5
            set replay disable
            set auto-negotiate enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
    end
- Configure the SD-WAN settings:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "vd2-1"
                set cost 10
            next
            edit 2
                set interface "vd2-2"
                set cost 20
            next
        end
        config health-check
            edit "ping6"
                set addr-mode ipv6
                set server "2001::10:200:1:1"
                set source6 2001::10:200:1:100
                set members 1 2
                config sla
                    edit 1
                    next
                end
            next
        end
        config service
            edit 61
                set addr-mode ipv6
                set priority-members 1
                set dst6 "6001-100"
            next
            edit 62
                set addr-mode ipv6
                set priority-members 2
                set dst6 "6100-200"
            next
        end
    end
To check the spoke 1 routes:
    # get router info6 routing-table bgp
    Routing table for VRF=0
    B       2001::10:200:1:0/112 [200/0] via 2001::10:200:1:1 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
                                         (recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
    B       2001::10:200:1:101/128 [200/0] via 2001::10:200:1:1 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
                                         (recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]

    Routing table for VRF=1
    B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
                                         (recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]

    Routing table for VRF=2
    B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
                                         (recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
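The routing table above is the evidence that the segmentation works: the hub loopback prefixes sit in VRF 0 (the PE VRF), while the same CE prefix 2001:33::/64 appears once per CE VRF as a VPNv6 route that recurses over both tunnels. The following Python parser and check are an added example, not part of this page or FortiOS; it embeds the spoke output shown above as constructed sample input, and the function names, the PE VRF number and the tunnel names vd2-1 and vd2-2 are assumptions taken from this example.

```python
import re

# Constructed sample: the spoke's "get router info6 routing-table bgp" output from this page.
SAMPLE = """\
Routing table for VRF=0
B       2001::10:200:1:0/112 [200/0] via 2001::10:200:1:1 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
                                     (recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
Routing table for VRF=1
B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
                                     (recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
Routing table for VRF=2
B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
                                     (recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
"""

VRF_HDR = re.compile(r"^Routing table for VRF=(\d+)")
ROUTE = re.compile(r"^(B(?: V)?)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+)\s+tag\s+(\d+)")
TUNNEL = re.compile(r"recursive via (\S+) tunnel")

def parse_routes(text):
    """Return {vrf_id: [route]}; a route holds prefix, nexthop, tag, vpnv6 flag and tunnels."""
    tables, vrf, cur = {}, None, None
    for line in text.splitlines():
        m = VRF_HDR.match(line)
        if m:
            vrf, cur = int(m.group(1)), None
            tables.setdefault(vrf, [])
            continue
        m = ROUTE.match(line)
        if m:  # "B" is a plain BGP route, "B V" a VPNv6 route imported into a CE VRF
            cur = {"vpnv6": "V" in m.group(1), "prefix": m.group(2),
                   "nexthop": m.group(3), "tag": int(m.group(4)), "tunnels": []}
            tables[vrf].append(cur)
        if cur is not None:  # the route line and its continuation lines list the tunnels
            cur["tunnels"] += TUNNEL.findall(line)
    return tables

def check_segmentation(tables, pe_vrf=0, tunnels=("vd2-1", "vd2-2")):
    """List findings; empty means no CE prefix leaked into the PE VRF, CE routes are VPNv6, and every route can use both tunnels."""
    findings = []
    ce_prefixes = {r["prefix"] for v, rs in tables.items() if v != pe_vrf for r in rs}
    for vrf, routes in tables.items():
        for r in routes:
            if vrf == pe_vrf and r["prefix"] in ce_prefixes:
                findings.append(f"VRF {vrf}: CE prefix {r['prefix']} leaked into the PE table")
            if vrf != pe_vrf and not r["vpnv6"]:
                findings.append(f"VRF {vrf}: {r['prefix']} is not a VPNv6 route")
            if set(r["tunnels"]) != set(tunnels):
                findings.append(f"VRF {vrf}: {r['prefix']} recurses via {r['tunnels']} only")
    return findings
```

Run `check_segmentation(parse_routes(output))` against the live CLI output after any change to the vrf6 route targets; a non-empty list points at the VRF and prefix that broke the isolation or lost a tunnel.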
To test the configuration on shortcut 1:
- From VRF1 of spoke 1, ping VRF1 of spoke 2.
- From VRF2 of spoke 1, ping VRF2 of spoke 2. Both VRF1 and VRF2 source and destination IP addresses are the same, so you can see how the traffic is isolated.
- Verify the session list:

    # diagnose sys session6 list
    session6 info: proto=58 proto_state=00 duration=3 expire=59 timeout=0 refresh_dir=both flags=00000000 sockport=0 socktype=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=may_dirty
    statistic(bytes/packets/allow_err): org=416/4/0 reply=416/4/0 tuples=2
    tx speed(Bps/kbps): 136/1 rx speed(Bps/kbps): 136/1
    orgin->sink: org pre->post, reply pre->post dev=100->223/223->100
    hook=pre dir=org act=noop 2001:22::55:398->2001:33::44:128(:::0)
    hook=post dir=reply act=noop 2001:33::44:398->2001:22::55:129(:::0)
    src_mac=02:4c:a5:fc:77:6f
    misc=0 policy_id=1 pol_uuid_idx=1070 auth_info=0 chk_client_info=0 vd=3:2 serial=0001104d tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=61
    rpdb_link_id=ff00003d ngfwid=n/a
    npu_state=0x1040001 no_offload
    no_ofld_reason: disabled-by-policy non-npu-intf
    total session6: 1
In the output, vd=<vdom_ID>:<VRF_ID> indicates that sessions are created in and stay in the corresponding VRFs.