Segment Routing over IPv6
Objective
This guide provides instructions on how to enable Segment Routing over IPv6 (SRv6) for your F5® Distributed Cloud sites. Segment routing is a source-based routing technology that simplifies management of network domains and improves bandwidth efficiency.
Distributed Cloud Services support the following for SRv6 functionality:
- Configuring IPv6 addresses on physical interfaces of a Distributed Cloud site.
- BGP Peering between a SRv6 router and Distributed Cloud site with IPv6 address family.
- SRv6 network slice in an operator network that uses SRv6.
- SRv6 Virtual Network
- Segment Identifier (SID) counters for ingress and egress traffic.
Using the instructions provided in this guide, you can enable SRv6 for your Distributed Cloud site, configure a Segment Identifier (SID), and enable BGP peering with another SRv6-capable router that acts as the ingress router for the network domain over which the traffic flows.
Prerequisites
The following prerequisites apply:
- F5 Distributed Cloud Account. If you do not have an account, see Create an Account.
- API certificate or token for F5® Distributed Cloud API access. If you do not have a certificate or token, see My Credentials.
- KVM, VMware, or bare metal for the F5 Distributed Cloud App Stack site.
- A peer router or device that is capable of SRv6.
Restrictions
The following restrictions apply:
- Enabling SRv6 is supported only through the Distributed Cloud API.
- SRv6 is supported only for Distributed Cloud App Stack sites created using the Distributed Cloud API.
- Only one-to-one mapping between the user namespace and SRv6 virtual network is supported. Multiple namespaces cannot be referenced inside the same SRv6 VN.
- The SRv6 VN and slice must be created in the system namespace.
Configuration
Configuring SRv6 for your Distributed Cloud site includes creating an App Stack site, creating network slices, and creating a virtual network that applies the network slice and the fleet of the App Stack site to it.
The following figure shows an example SRv6 setup using Distributed Cloud site:
Figure: F5 Distributed Cloud SRv6 Sample Setup
Note: The sample image does not show the IP addresses for brevity.
Perform the following steps to enable SRv6 for your sites:
Step 1: Create App Stack site.
Create an App Stack site with a local control plane using the Distributed Cloud site API. The following example shows creating a KVM multi-node App Stack site using the API certificate and a sample request body:
curl -v -s -X POST https://<tenant>.console.ves.volterra.io/api/config/namespaces/system/voltstack_sites --cert-type P12 --cert /Users/bobmarley/Downloads/<tenant>.demo1.api-creds.p12:volterra -H 'Content-Type: application/json' -H 'cache-control: no-cache' -d '{
"namespace": "system",
"metadata": {
"name": "bob-srv6-v3-03",
"namespace": null,
"labels": {},
"annotations": {},
"description": null,
"disable": null
},
"spec": {
"volterra_certified_hw": "kvm-multi-nic-voltstack",
"master_nodes": [
"master-0",
"master-1",
"master-2"
],
"worker_nodes": null,
"no_bond_devices": {},
"custom_network_config": {
"default_config": {},
"sli_config": {
"static_routes": {
"static_routes": [
{
"ip_prefixes": [
"1.2.3.0/24",
"2.3.4.0/24"
],
"default_gateway": {},
"attrs": [
"ROUTE_ATTR_INSTALL_HOST",
"ROUTE_ATTR_INSTALL_FORWARDING"
]
}
]
}
},
"interface_list": {
"interfaces": [
{
"description": "eth0",
"labels": {},
"dedicated_interface": {
"device": "eth0",
"cluster": {},
"mtu": null,
"priority": null,
"not_primary": {},
"monitor_disabled": {}
}
},
{
"description": "master-0-eth1",
"labels": {},
"ethernet_interface": {
"device": "eth1",
"node": "master-0",
"untagged": {},
"dhcp_client": {},
"static_ipv6_address": {
"node_static_ip": {
"ip_address": "21DA:D3:0:2F3D::31/64",
"default_gw": "21DA:D3:0:2F3D::50"
}
},
"site_local_inside_network": {},
"mtu": null,
"priority": null,
"not_primary": {},
"monitor_disabled": {}
}
},
{
"description": "master-1-eth1",
"labels": {},
"ethernet_interface": {
"device": "eth1",
"node": "master-1",
"untagged": {},
"dhcp_client": {},
"static_ipv6_address": {
"node_static_ip": {
"ip_address": "21DA:D3:0:2F3D::76/64",
"default_gw": "21DA:D3:0:2F3D::50"
}
},
"site_local_inside_network": {},
"mtu": null,
"priority": null,
"not_primary": {},
"monitor_disabled": {}
}
},
{
"description": "master-2-eth1",
"labels": {},
"ethernet_interface": {
"device": "eth1",
"node": "master-2",
"untagged": {},
"dhcp_client": {},
"static_ipv6_address": {
"node_static_ip": {
"ip_address": "21DA:D3:0:2F3D::220/64",
"default_gw": "21DA:D3:0:2F3D::50"
}
},
"site_local_inside_network": {},
"mtu": null,
"priority": null,
"not_primary": {},
"monitor_disabled": {}
}
}
]
},
"no_network_policy": {},
"no_forward_proxy": {},
"no_global_network": {},
"outside_vip": null,
"outside_nameserver": null,
"bgp_router_id": null,
"bgp_peer_address": null,
"vip_vrrp_mode": null,
"site_to_site_tunnel_ip": null,
"tunnel_dead_timeout": null
},
"default_storage_config": {},
"disable_gpu": {},
"address": null,
"coordinates": {
"latitude": 11.22,
"longitude": 77.88
},
"no_k8s_cluster": {},
"logs_streaming_disabled": {},
"deny_all_usb": {},
"local_control_plane": {
"inside_vn": {},
"bgp_config": {
"asn": 65534,
"peers": [
{
"metadata": {
"name": "peer-0",
"description": "",
"disable": false
},
"internal": {
"address": "192.168.10.50",
"port": 179,
"family_inet6vpn": {
"enable": {}
},
"family_rtarget": {
"enable": {}
},
"family_inetvpn": {
"enable": {
"enable": {}
}
},
"disable_mtls": {}
},
"target_service": "phobos"
}
]
}
},
"sw": {
"default_sw_version": {}
},
"os": {
"default_os_version": {}
}
}
}' --insecure
Note: Replace <tenant> with your tenant name. Ensure that you add the appropriate values for the fields in the local_control_plane section and IPv6 addresses for the interfaces for all nodes in the interface_list section of the request body. For more information on App Stack API, see Create App Stack Site API.
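A preflight check for the Step 1 request body, as an added example that is not part of the F5 documentation: it confirms that every node in master_nodes has an ethernet_interface entry with a static IPv6 address, that no address is reused, and that each default gateway is on-link. The names check_site_body and sample_body and the trimmed body are constructed for illustration; the field names and addresses are the ones in the request above.

```python
import ipaddress

def check_site_body(body):
    """Return a list of problems found in a voltstack_sites request body."""
    spec = body["spec"]
    problems = []
    seen = {}  # node name -> parsed IPv6Interface (None if it failed to parse)
    for entry in spec["custom_network_config"]["interface_list"]["interfaces"]:
        eth = entry.get("ethernet_interface")
        if not eth or "static_ipv6_address" not in eth:
            continue  # e.g. the dedicated eth0 entry carries no IPv6 settings
        node = eth.get("node")
        static = eth["static_ipv6_address"].get("node_static_ip", {})
        try:
            iface = ipaddress.IPv6Interface(static["ip_address"])
            gw = ipaddress.IPv6Address(static["default_gw"])
        except (ValueError, KeyError) as exc:
            problems.append(f"{node}: invalid IPv6 setting ({exc})")
            seen[node] = None
            continue
        if gw not in iface.network:
            problems.append(f"{node}: gateway {gw} is outside {iface.network}")
        if iface in seen.values():
            problems.append(f"{node}: duplicate address {iface.ip}")
        seen[node] = iface
    # Every node listed in master_nodes needs its own static IPv6 entry.
    for node in spec.get("master_nodes") or []:
        if node not in seen:
            problems.append(f"{node}: no static IPv6 address in interface_list")
    return problems

def sample_body(addresses):
    """Constructed, trimmed body: one eth1 entry per (node, address, gateway)."""
    interfaces = [{"dedicated_interface": {"device": "eth0"}}]
    for node, addr, gw in addresses:
        interfaces.append({"ethernet_interface": {
            "device": "eth1", "node": node,
            "static_ipv6_address": {
                "node_static_ip": {"ip_address": addr, "default_gw": gw}}}})
    return {"spec": {
        "master_nodes": ["master-0", "master-1", "master-2"],
        "custom_network_config": {"interface_list": {"interfaces": interfaces}}}}

if __name__ == "__main__":
    GW = "21DA:D3:0:2F3D::50"
    # master-0 has an off-link gateway and master-2 is missing (constructed faults).
    body = sample_body([("master-0", "21DA:D3:0:2F3D::31/64", "21DA:D3:0:2F3E::50"),
                        ("master-1", "21DA:D3:0:2F3D::76/64", GW)])
    for problem in check_site_body(body):
        print(problem)
```

To check a real request, load the JSON body you pass to curl with json.load and hand the resulting dictionary to check_site_body.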
Step 2: Create network slices.
To enable SRv6, you must first configure SIDs. This example shows creating network slices using IPv6 SIDs:
curl -v -s -X POST https://<tenant>.console.ves.volterra.io/api/config/namespaces/system/srv6_network_slices --cert-type P12 --cert /Users/bobmarley/Downloads/<tenant>.demo1.api-creds.p12:volterra -H 'Content-Type: application/json' -H 'cache-control: no-cache' -d '{
"metadata": {
"name": "bob-srv6-v3-03-slice-vn1",
"namespace": "system"
},
"spec": {
"sid_prefixes": [
"2201:f00f::0/32"
],
"connect_to_internet": true
}
}' --insecure
Note: Replace <tenant> with your tenant name. For more information on network slice API, see Create Network Slice API.
Step 3: Create virtual network.
Create an SRv6 virtual network, specifying the SIDs and associating it with the fleet of App Stack sites created in the previous steps. The following example shows a sample API request using curl:
curl -v -s -X POST https://<tenant>.console.ves.volterra.io/api/config/namespaces/system/virtual_networks --cert-type P12 --cert /Users/bobmarley/Downloads/<tenant>.demo1.api-creds.p12:volterra -H 'Content-Type: application/json' -H 'cache-control: no-cache' -d '{
"metadata": {
"name": "bob-srv6-v3-03-vn1",
"namespace": "system"
},
"spec": {
"srv6_network": {
"srv6_network_ns_params": {
"namespace": "bob-test-1"
},
"interface_ip_vip": {},
"site_snat_pool": {
"node_snat_pool": {
"master-0": {
"ipv4_prefixes": [
"4.4.4.0/28"
]
}
}
},
"slice": {
"tenant": "demo-hagrmdbk",
"namespace": "system",
"name": "bob-srv6-v3-01-slice-vn1"
},
"fleets": [
{
"tenant": "demo-hagrmdbk",
"namespace": "system",
"name": "ves-io-voltstack-site-bob-srv6-v3-01"
}
],
"access_network_rtargets": null,
"internet_rtargets": [
{
"asn2byte_rtarget": {
"as_number": 65534,
"value": 4294967294
}
}
],
"enterprise_network_rtargets": null,
"export_rtargets": [
{
"asn2byte_rtarget": {
"as_number": 65534,
"value": 4294967293
}
}
]
}
}
}' --insecure
Note: Replace <tenant> with your tenant name. Ensure you specify the SNAT pool with IPv4 prefixes so that the address translation happens from IPv6 to IPv4. See Create Virtual Network API for information on virtual network creation.
Step 4: Deploy your app and advertise over the virtual network.
Deploy your web app using Distributed Cloud vK8s, create the origin pool, and advertise the services using a load balancer on the created virtual network. Ensure that you select the virtual network created in the previous step in the VIP advertisement section of the load balancer.
After this, the App Stack site exports the routes for the advertised services and the BGP peer imports the routes. The requests to your services are steered through the segments imported by the peer.
Note: See vK8s Deployment for information on app deployment. See Origin Pools and Create HTTP Load Balancer for information on origin pools and load balancer creation.
Step 5: Verify that the traffic is routed over the SRv6 network.
Enter the following command to verify the SID counters for ingress and egress traffic:
curl -X POST https://<tenant>.console.ves.volterra.io/api/data/namespaces/system/virtual_network/sid_counters -d '{
"namespace": "system",
"group_by": [
"SITE",
"VIRTUAL_NETWORK",
"SID_PREFIX"
],
"filter": "{SITE=\"bob-srv6-v3-01\"}",
"field_selector": [
"SID_COUNTER_IN_BYTES",
"SID_COUNTER_IN_PACKETS",
"SID_COUNTER_OUT_BYTES",
"SID_COUNTER_OUT_PACKETS"
],
"step": "300s",
"range": "300s"
}' --cert-type P12 --cert /Users/bobmarley/Downloads/testcorp.demo1.api-creds.p12:volterra -H 'Content-Type: application/json' -H 'cache-control: no-cache' --insecure
{
"data": [
{
"type": "SID_COUNTER_OUT_PACKETS",
"data": [
{
"key": {
"SID_PREFIX": "2201:f00f:199:a001:26::/80",
"SITE": "bob-srv6-v3-01",
"VIRTUAL_NETWORK": "bob-srv6-v3-01-vn1"
},
"value": [
{
"timestamp": 1621277400,
"value": "0"
},
{
"timestamp": 1621277700,
"value": "18"
},
{
"timestamp": 1621278000,
"value": "0"
}
]
}
]
},
{
"type": "SID_COUNTER_IN_BYTES",
"data": [
{
"key": {
"SID_PREFIX": "2101:f00f:199:9003:2c::/128",
"SITE": "bob-srv6-v3-01",
"VIRTUAL_NETWORK": "bob-srv6-v3-01-vn1"
},
"value": [
{
"timestamp": 1621277400,
"value": "0"
},
{
"timestamp": 1621277700,
"value": "2270"
},
{
"timestamp": 1621278000,
"value": "0"
}
]
}
]
},
{
"type": "SID_COUNTER_OUT_BYTES",
"data": [
{
"key": {
"SID_PREFIX": "2201:f00f:199:a001:26::/80",
"SITE": "bob-srv6-v3-01",
"VIRTUAL_NETWORK": "bob-srv6-v3-01-vn1"
},
"value": [
{
"timestamp": 1621277400,
"value": "0"
},
{
"timestamp": 1621277700,
"value": "6085"
},
{
"timestamp": 1621278000,
"value": "0"
}
]
}
]
},
{
"type": "SID_COUNTER_IN_PACKETS",
"data": [
{
"key": {
"SID_PREFIX": "2101:f00f:199:9003:2c::/128",
"SITE": "bob-srv6-v3-01",
"VIRTUAL_NETWORK": "bob-srv6-v3-01-vn1"
},
"value": [
{
"timestamp": 1621277400,
"value": "0"
},
{
"timestamp": 1621277700,
"value": "18"
},
{
"timestamp": 1621278000,
"value": "0"
}
]
}
]
}
]
}
Note: Verify the value for the following counters to confirm that traffic is flowing through the SRv6 network:
SID_COUNTER_IN_BYTES
SID_COUNTER_IN_PACKETS
SID_COUNTER_OUT_BYTES
SID_COUNTER_OUT_PACKETS
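Reading the counters programmatically, as an added example that is not part of the F5 documentation: it totals each counter per SID prefix from a sid_counters response, reports whether each SID prefix falls inside the slice's sid_prefixes from Step 2, and checks that both ingress and egress packet counters are non-zero. The function names and the trimmed SAMPLE are constructed for illustration; the keys and values follow the response shown above.

```python
import ipaddress

def summarize_sid_counters(response, slice_prefixes):
    """Total each counter per SID prefix; note if the SID lies in a slice prefix."""
    slices = [ipaddress.IPv6Network(p, strict=False) for p in slice_prefixes]
    summary = {}
    for series in response.get("data", []):
        for item in series.get("data", []):
            sid = item["key"]["SID_PREFIX"]
            net = ipaddress.IPv6Network(sid, strict=False)
            row = summary.setdefault(
                sid, {"in_slice": any(net.subnet_of(s) for s in slices)})
            # Samples are strings, one per "step" interval in the query.
            total = sum(int(v["value"]) for v in item["value"])
            row[series["type"]] = row.get(series["type"], 0) + total
    return summary

def traffic_seen(summary):
    """True when both an ingress and an egress packet counter are non-zero."""
    rows = summary.values()
    return (any(r.get("SID_COUNTER_IN_PACKETS", 0) > 0 for r in rows)
            and any(r.get("SID_COUNTER_OUT_PACKETS", 0) > 0 for r in rows))

def make_series(counter, sid, values):
    """Build one constructed series in the response shape shown above."""
    stamps = (1621277400, 1621277700, 1621278000)
    return {"type": counter, "data": [{
        "key": {"SID_PREFIX": sid, "SITE": "bob-srv6-v3-01",
                "VIRTUAL_NETWORK": "bob-srv6-v3-01-vn1"},
        "value": [{"timestamp": t, "value": v} for t, v in zip(stamps, values)]}]}

# Constructed sample reusing the packet counters from the response above.
SAMPLE = {"data": [
    make_series("SID_COUNTER_OUT_PACKETS", "2201:f00f:199:a001:26::/80",
                ("0", "18", "0")),
    make_series("SID_COUNTER_IN_PACKETS", "2101:f00f:199:9003:2c::/128",
                ("0", "18", "0")),
]}

if __name__ == "__main__":
    result = summarize_sid_counters(SAMPLE, ["2201:f00f::0/32"])
    for sid, row in result.items():
        print(sid, row)
    print("traffic seen:", traffic_seen(result))
```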