
Native IPv6 (IP-IP) Tunnel Set-up Guide


 

------------------------------------------------------

Overview: Native IPv6 Tunnels

If you create a Native IPv6 Tunnel instead of a GRE Tunnel (IPv4 over IPv6), this is called an IP-IP Tunnel.


IP in IP (IP-IP) is an IP tunneling protocol that encapsulates one IP packet in another IP packet.

Similar to a GRE Tunnel, an IP-IP Tunnel establishes a route between F5 and the Customer Data Center. Once customer traffic has been cleansed of malicious attack traffic, it is routed into the IP-IP Tunnel and back to the customer over the Internet. The advantage is that attackers cannot attack the Client network, since all traffic must come through F5 for inspection.

 

Summary: Standard Setup Process

NOTE: Your account MUST be enabled for IPv6 services. If you have not yet set up your account to enable IPv6 features, please contact support and your account can be modified.

Here is the standard process that we will follow to set up your IP-IP Tunnels and start routing your traffic through the F5 Silverline scrubbing center as soon as possible.

  1. Establish the IP-IP tunnels. -- See below sections on Requirements for IP-IP Tunnel Setup & How to Provision IP-IP Tunnels
  2. Test BGP/subnet is routed through F5 Silverline to your endpoints.
  3. Legitimate traffic requests begin. 
  4. Customer (that's you!) verifies they are receiving traffic via the tunnel and routing out via their carrier.
  5. Customer verifies they see traffic in the Portal graphs.

 

Requirements for IPv6 Tunnel Setup

Important: Before you can provision your IP-IP Tunnels (Step-by-step guide in next section!), you'll need to be prepared with the following information:

  • ASN: You must have an ASN assigned by ARIN (APNIC, etc).
  • BGP Subnets: IP Addresses that we will be announcing (minimum /48), or your AS SET. Important Note: With IPv6, a /48 is the smallest allocation that will be honored across multiple carriers. This is different than the GRE Tunnel minimum of /24.
  • Customer Endpoint: IPv6 Address on your router where F5 will terminate tunnel. Must be non-RFC1918 (publicly routable).
  • Location:  A basic notation used as a tunnel identifier. Generally, companies will use the three letter code for the airport nearest their data center.
  • Redundant Tunnels: For each of your locations, you will create at least 2 tunnels to F5 Silverline (e.g. 1 to US West and 1 to US East). More on this below:

 

Why Do I Need Redundant Tunnels?

We require 2 tunnels per router to ensure redundancy to each of our scrubbing centers. If we're connecting to one customer site, we'll build 2 tunnels from each of our scrubbing centers. 

Note that despite the Portal naming convention of "IPv6 Tunnel Primary" and "IPv6 Tunnel Backup," this does not mean that the tunnels are active/passive.  If customer prefixes are advertised identically across two GRE tunnels, Equal Cost Multi Path (ECMP) routing will ensure load balancing between tunnels so as to not saturate one customer link. For more details, see the article on BGP Configuration.

A visual representation of the need for 4 tunnels:

[Diagram: 201801_IPv6-diagram2.png]
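A pre-flight check for the requirements listed above, as an added example (not F5's code): it validates the ASN, the /48 minimum, that each customer endpoint is a publicly routable IPv6 address, and that every location has at least two tunnels. The function name, the request shape and the sample values are assumptions; the addresses reuse the range from this page's sample configs.

```python
import ipaddress
from collections import Counter

MAX_PREFIXLEN = 48            # page: /48 is the smallest allocation honored across carriers
MIN_TUNNELS_PER_LOCATION = 2  # page: at least 2 tunnels per location


def check_tunnel_request(asn, bgp_subnets, tunnels):
    """Return a list of problems; empty means the request meets the listed requirements.

    tunnels is a list of (location, customer_endpoint) pairs, one per tunnel.
    """
    problems = []
    if not (isinstance(asn, int) and 0 < asn < 2**32):
        problems.append(f"ASN {asn!r}: not a valid AS number")

    for subnet in bgp_subnets:
        try:
            net = ipaddress.IPv6Network(subnet)  # strict by default: rejects host bits
        except ValueError as exc:
            problems.append(f"{subnet}: not a valid IPv6 prefix ({exc})")
            continue
        if net.prefixlen > MAX_PREFIXLEN:
            problems.append(f"{subnet}: longer than /{MAX_PREFIXLEN}")

    for location, endpoint in tunnels:
        try:
            addr = ipaddress.IPv6Address(endpoint)
        except ValueError:
            problems.append(f"{location}: endpoint {endpoint!r} is not an IPv6 address")
            continue
        # is_global is False for ULA (fc00::/7), link-local, loopback and similar ranges
        if not addr.is_global:
            problems.append(f"{location}: endpoint {endpoint} is not publicly routable")

    for location, count in Counter(loc for loc, _ in tunnels).items():
        if count < MIN_TUNNELS_PER_LOCATION:
            problems.append(f"{location}: {count} tunnel(s), need at least "
                            f"{MIN_TUNNELS_PER_LOCATION}")
    return problems


# Constructed sample requests (hypothetical location code "SEA").
GOOD = dict(asn=64501, bgp_subnets=["2604:e180:5000::/48"],
            tunnels=[("SEA", "2604:e180:5000:a02::1"), ("SEA", "2604:e180:5000:a02::4")])
BAD = dict(asn=64501, bgp_subnets=["2604:e180:5000:ff00::/56"],
           tunnels=[("SEA", "fd00::1")])

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tunnel_request(**req) or "ok")
```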

 

 

------------------------------------------------------

 

How to Provision Native IPv6 Tunnels (Portal UI)

 

1. In the Portal, navigate to Config > Routed Configuration > GRE Tunnel Management


 

2. Click the "+ Add" button to add a New Tunnel.


 

3. Choose "IPv6 Tunnel" from the drop-down. (For IPv4 GRE Tunnel Setup, see GRE Tunnel Setup Guide.) NOTE: Your account MUST be enabled for IPv6 services. If you have not yet set up your account to enable IPv6 features, please contact support and your account can be modified.


 

4. On the "New IPv6 Tunnel" page, fill in all of the required information in the form, then click "Submit for Provisioning."


 

Sample Configs

 

CISCO

! IPv6
interface Tunnel1
 description IPv6GRETunnel
 load-interval 30
 ipv6 address 2604:E180:5000:101:5000:0:3:2/112
 tunnel source 2604:E180:5000:A02::1
 tunnel mode ipv6
 tunnel destination 2604:E180:5000:A01:5000::1

- OR -

! IPv6 with IPv4 interconnect
interface Tunnel50
 ipv6 address 2604:E180:5100:169:2:0:3:2/112
 ip address 192.168.15.18 255.255.255.252
 tunnel source 2604:E180:5000:A02::4
 tunnel mode ipv6
 tunnel destination 2604:E180:5400:169::3

- OR -

router bgp 64501
 bgp log-neighbor-changes
 address-family ipv6
  network 2604:E180:5000:FF00::/56
  neighbor dfn6 send-community
  neighbor dfn6 soft-reconfiguration inbound
  neighbor 2604:E180:5000:A01:5000::1 activate
  neighbor 2604:E180:5400:169::3 activate
 exit-address-family

 

JUNIPER

interfaces {
    ip-0/2/0 {
        unit 217 {
            description IPv6Tunnel;
            tunnel {
                source 2604:E180:5000:A02::1;
                destination 2604:E180:5000:A01:5000::1;
                routing-instance {
                    destination core;
                }
            }
            family inet6 {
                address 2604:e180:5100:169:2:0:b:2/112;
            }
        }
    }
}
etc.

- OR -

interfaces {
    ip-0/0/0 {
        unit 10 {
            description "IPv6 with IPv4 interconnect";
            tunnel {
                source 2604:e180:5000:a03::1;
                destination 2604:e180:5400:169::7;
            }
            family inet {
                address 192.168.15.34/30;
            }
            family inet6 {
                address 2604:e180:5100:169:2:0:9:2/112;
            }
        }
    }
}
etc.

protocols {
    bgp {
        hold-time 60;
        log-updown;
        local-as 55002;
        graceful-restart;
        group f5silverline {
            type external;
            family inet {
                unicast {
                    prefix-limit {
                        maximum 10;
                        teardown idle-timeout 10;
                    }
                }
            }
            authentication-key xxxxxxxx; ## SECRET-DATA
            export filter;
            peer-as 55002;
            neighbor 192.168.151.229 {
                local-address 107.162.207.27;
                mtu-discovery;
            }
        }
        group dfn6 {
            type external;
            advertise-inactive;
            import reject-all;
            authentication-key md5BGPpassword; ## SECRET-DATA
            export route-to-dfn;
            peer-as 55002;
            neighbor 2604:E180:5000:A01:5000::1;
        }
    }
}
etc.