
Disabling SLAAC in Data Center Subnets

Continuing the IPv6 address selection discussion we had a few days ago, Luka Manojlovič sent me a seemingly workable proposal:

I think we were discussing a borderline problem. In a server environment there won’t be any SLAAC, and we could turn off DHCPv6 client on servers with fixed IP addresses.

Sounds great, but as always, the reality tends to be a bit harsher.

The crucial question is: can you turn off the autoconfiguration (A) flag on individual prefixes advertised in RA messages? As always, the answer is: it depends.

I checked the latest configuration guides from Cisco (Nexus 9300), Juniper (QFX5200, Junos release 15.1), Arista (EOS 14.5) and HP (5900 switches). All these switches allow you to configure flags on every single prefix advertised in router advertisements… apart from QFX5200, where it seems like you can't do a thing (even though RA twiddling was available before Junos version 7.4 on MX-series routers).
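Whatever the configuration guide promises, the only way to know which prefixes your switch still hands out with the A flag set is to look at the RA on the wire. The following decoder is an added example, not code from the original post: it parses the ICMPv6 payload of a Router Advertisement (RFC 4861 header flags plus Prefix Information Options) and lists the prefixes a host would still use for SLAAC. The sample RA bytes are constructed here (documentation prefixes, DHCPv6 flags set, second prefix with A cleared), and the `_pio` builder exists only to assemble that sample.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_RA = 134      # Router Advertisement
OPT_PREFIX_INFO = 3  # Prefix Information Option

def parse_ra(payload: bytes) -> dict:
    """Decode the ICMPv6 payload of a Router Advertisement (RFC 4861, 4.2 and 4.6.2)."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, lifetime = struct.unpack_from("!BBH", payload, 4)
    ra = {
        "managed": bool(flags & 0x80),  # M flag: get addresses via DHCPv6
        "other": bool(flags & 0x40),    # O flag: get other config via DHCPv6
        "router_lifetime": lifetime,    # 0 means "do not use me as default router"
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 says discard the packet
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", payload, off + 2)
            ra["prefixes"].append({
                "prefix": f"{IPv6Address(payload[off + 16:off + 32])}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: hosts may SLAAC from this prefix
                "valid": valid, "preferred": preferred,
            })
        off = end
    return ra

def slaac_prefixes(payload: bytes) -> list:
    """Prefixes a host would still use for SLAAC, i.e. those with the A flag set."""
    return [p["prefix"] for p in parse_ra(payload)["prefixes"] if p["autonomous"]]

def _pio(prefix: str, plen: int, on_link: bool, autonomous: bool) -> bytes:
    flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, flags, 2592000, 604800, 0) \
        + IPv6Address(prefix).packed

# Constructed sample RA: M=1, O=1, router lifetime 1800 s, two on-link /64s; the
# second prefix is advertised with the A flag cleared, as the switch configs above allow.
SAMPLE_RA = (struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0xC0, 1800, 0, 0)
             + _pio("2001:db8:1::", 64, True, True)
             + _pio("2001:db8:2::", 64, True, False))
```

Feed it the ICMPv6 payload of a captured RA (e.g. the bytes after the IPv6 header from a packet capture on a server-facing port) and compare the output with what you configured; an empty list means no prefix will trigger SLAAC on the hosts.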

Moral of the story: do a thorough check of how well your vendor supports obscure IPv6 features that might become crucial in your IPv6 deployment, and if you're struggling with it, turn to specialists like NIL or ERNW.

As always, there’s an alternative: disable RA processing on Windows servers, and use static default routing and IPv6 VRRP. Welcome back to the 90s.

3 comments:

  1. As I commented on your other article, turning off RA (and DHCPv6 relay) on server nets is exactly what I do. First hop "router" is an ASA 5585-X failover pair, so using RAs for redundancy isn't something I need. Not that doing that (RA as an FHRP) works all that well anyway in my experience.

    But as always, one size rarely fits all...

  2. Apart from using plain old "default routing" (I don't see a major problem with this), you can also play with the prefix (suppress or non-/64).

    Besides, pushing an "RA or nothing" approach is very energy-consuming in a lot of places (where IT people barely understand IPv4).

  3. I don't think IPv6 RA is an alternative to VRRP. Fast failover does not work with RAs. We use static routing and do not even configure RA on our Juniper gateways. I know no one who does it otherwise in a server environment.
