ACI IPv6 Configuration in L3OUT

To make a bit interesting, we will take an example where we already an IPv4 configured on the interface and we will additionally configure IPv6. For that, we need to take into consideration the following guideline:

When IPv4 and IPv6 addresses need to be configured on the same interface, the Logical Interface Profiles for IPv4 and IPv6 need to be different while the Logical Node Profiles can still be shared.


Configuring New Logical Interface Profile for IPv6


Configuring an IPv6 ND Interface Policy with RA on a L3OUT Interface

Under the IPv6 Interface configuration, you can check the ND RA Prefix:


Eventually, I’m not going to use Auto-configuration on the end device, but ND RA Prefix is an option you can use if needed, along with DAD(Duplicate Address Detection):

router1# sh run int vlan 1202

interface Vlan1202
  no shutdown
  vrf member vrf-x
  ip address 172.16.11.2/30
  ipv6 address 2a00:abc:abab::2/64
  ip router ospf 3 area 0.0.0.0
  ipv6 router ospfv3 3 area 0.0.0.


ND Verification on ACI Side:

leaf1# show ipv6 interface vrf bameur_MC:VRF_FL
IPv6 Interface Status for VRF "bameur_MC:VRF_FL"(11)

vlan183, Interface status: protocol-up/link-up/admin-up, iod: 17
if_mode: ext, address count: 1
  IPv6 address:
    2a00:abc:abab::1/64 [VALID] [PREFERRED]
  IPv6 subnet:  2a00:abc:abab::/64
  IPv6 link-local address: fe80::a23d:6fff:fe2e:2f57/128 (Default) [VALID]
leaf1# show ipv6 adjacency vrf bameur_MC:VRF_FL

Flags: # - Adjacencies Throttled for Glean
       G - Adjacencies of vPC peer with G/W bit

IPv6 Adjacency Table for VRF bameur_MC:VRF_FL
Total number of entries: 1
Address         Age       MAC Address        Pref Source     Interface       VRF Name
2a00:abc:abab::2
                00:09:03  AC:3A:67:32:FA:07  50   icmpv6     vlan183         bameur_MC:VRF_FL


Disabling DAD (Duplicate Address Detection)for secondary IPv6

Duplicate Address Detection (DAD) is a process that is used by Neighbor Discovery to detect the duplicated addresses in the network. By default, DAD is enabled for the link-local and global-subnet IPv6 addresses used on the ACI fabric leaf layer 3 interfaces.

Disabling DAD when the same shared secondary address is required to be used across L3Outs on different border leaf switches to provide border leaf redundancy to the external connected devices. Disabling the DAD process in this case will avoid the situation where the DAD considers the same shared secondary address on multiple border leaf switches as duplicates.

If you do not disable the DAD process in this case, the shared secondary address might enter into the DUPLICATE DAD state and become unusable.


OSPF Interface Profile under IPv6 logical Interface Profile

If using OSPFv3, don’t forget to add OSPF Interface Profile for the newly created Logical Interface Profile used for IPv6:


Verify OSPFv3 adjacency is FULL:

leaf1# show ipv6 ospfv3 interface vrf bameur_MC:VRF_FL
 Vlan183 is up, line protocol is up
    IPv6 address 2a00:abc:abab::1/64
    Process ID default VRF bameur_MC:VRF_FL, area backbone
    Enabled by interface configuration
    State BDR, Network type BROADCAST, cost 4
    Index 17, Transmit delay 1 sec, Router Priority 1
    Designated Router ID: 100.0.11.1, address: fe80::ae3a:67ff:fe32:fa07
    Backup Designated Router ID: 1.1.1.1, address: fe80::a23d:6fff:fe2e:2f57
    1 Neighbors, flooding to 1, adjacent with 1
    Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
      Hello timer due in 0.000000
    Number of link LSAs: 2, checksum sum 75569

and it is 😊:

leaf1# show ipv6 ospfv3 neighbors vrf bameur_MC:VRF_FL
OSPFv3 Process ID default VRF bameur_MC:VRF_FL
Total number of neighbors: 1
Neighbor ID Pri State Up Time Interface Id Interface
100.0.11.1 1 FULL/DROTHER 00:00:01 111 Vlan183
Neighbor address fe80::ae3a:67ff:fe32:fa07


Note about link-local Address on L3OUT interface

You’ve probably noticed from previous screenshots that we have the possibility to explicitly configure IPv6 Unicast link-local address, but that’s optional.

Because for the IPv6 link-local address for the sub-interface, routed interface, or SVI. By default, ACI creates an IPv6 link-local address from each leaf’s system MAC address in EUI-64 format.

We can verify how is it being generated via command below:


leaf1# show sprom backplane | grep 'MAC Address'
 MAC Addresses   : a0-3d-6f-2e-ab-57Code language: PHP (php)

ACI leaf leverages the system MAC address of the switch to calculate the IPv6 link-local address usign EUI-64 format:

leaf1# show ipv6 interface vrf bameur_MC:VRF_FL
IPv6 Interface Status for VRF "bameur_MC:VRF_FL"(11)

vlan183, Interface status: protocol-up/link-up/admin-up, iod: 17
if_mode: ext, address count: 1
  IPv6 address:
    2a00:abc:abab::1/64 [VALID] [PREFERRED]
  IPv6 subnet:  2a00:abc:abab::/64
  IPv6 link-local address: fe80::a23d:6fff:fe2e:ab57/128 (Default) [VALID]

Please refer to the following article for more details about IPv6 EUI-64 process:

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x