Posted to commits@cloudstack.apache.org by nv...@apache.org on 2022/04/29 13:37:46 UTC

[cloudstack-documentation] branch main updated: ipv6: support for isolated nw, vpc tiers (#262)

This is an automated email from the ASF dual-hosted git repository.

nvazquez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git


The following commit(s) were added to refs/heads/main by this push:
     new 06a06c4  ipv6: support for isolated nw, vpc tiers (#262)
06a06c4 is described below

commit 06a06c4d6daa3d3a1e5f783dda1eeacb0f2452de
Author: Abhishek Kumar <ab...@gmail.com>
AuthorDate: Fri Apr 29 19:07:41 2022 +0530

    ipv6: support for isolated nw, vpc tiers (#262)
    
    * ipv6: support for isolated nw, vpc tiers
    
    Feature PR: https://github.com/apache/cloudstack/pull/5786
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * typo fix
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * more typo
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * changes
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * change
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * public ip range note
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * vpc offering, global setting change
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * missing changes from previous commit
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * add detail about firewall and acl
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
    
    * typo
    
    Signed-off-by: Abhishek Kumar <ab...@gmail.com>
---
 .../_static/images/add-guest-ipv6-prefix-form.png  | Bin 0 -> 7335 bytes
 source/_static/images/add-ipv6-acl-rule-form.png   | Bin 0 -> 26852 bytes
 .../images/add-ipv6-network-offering-form.png      | Bin 0 -> 42433 bytes
 .../_static/images/add-ipv6-vpc-offering-form.png  | Bin 0 -> 53450 bytes
 .../_static/images/add-public-ipv6-range-form.png  | Bin 0 -> 15262 bytes
 source/_static/images/ipv6-acl-list.png            | Bin 0 -> 47807 bytes
 .../images/network-details-ipv6-firewall.png       | Bin 0 -> 87853 bytes
 .../network-details-upstream-ipv6-routes.png       | Bin 0 -> 51367 bytes
 source/plugins/ipv6.rst                            | 157 ++++++++++++++++++++-
 9 files changed, 151 insertions(+), 6 deletions(-)

diff --git a/source/_static/images/add-guest-ipv6-prefix-form.png b/source/_static/images/add-guest-ipv6-prefix-form.png
new file mode 100644
index 0000000..f436b9e
Binary files /dev/null and b/source/_static/images/add-guest-ipv6-prefix-form.png differ
diff --git a/source/_static/images/add-ipv6-acl-rule-form.png b/source/_static/images/add-ipv6-acl-rule-form.png
new file mode 100644
index 0000000..ae36e64
Binary files /dev/null and b/source/_static/images/add-ipv6-acl-rule-form.png differ
diff --git a/source/_static/images/add-ipv6-network-offering-form.png b/source/_static/images/add-ipv6-network-offering-form.png
new file mode 100644
index 0000000..fa73ae6
Binary files /dev/null and b/source/_static/images/add-ipv6-network-offering-form.png differ
diff --git a/source/_static/images/add-ipv6-vpc-offering-form.png b/source/_static/images/add-ipv6-vpc-offering-form.png
new file mode 100644
index 0000000..1d9ee59
Binary files /dev/null and b/source/_static/images/add-ipv6-vpc-offering-form.png differ
diff --git a/source/_static/images/add-public-ipv6-range-form.png b/source/_static/images/add-public-ipv6-range-form.png
new file mode 100644
index 0000000..42a7ff0
Binary files /dev/null and b/source/_static/images/add-public-ipv6-range-form.png differ
diff --git a/source/_static/images/ipv6-acl-list.png b/source/_static/images/ipv6-acl-list.png
new file mode 100644
index 0000000..f9fb2bd
Binary files /dev/null and b/source/_static/images/ipv6-acl-list.png differ
diff --git a/source/_static/images/network-details-ipv6-firewall.png b/source/_static/images/network-details-ipv6-firewall.png
new file mode 100644
index 0000000..78133fe
Binary files /dev/null and b/source/_static/images/network-details-ipv6-firewall.png differ
diff --git a/source/_static/images/network-details-upstream-ipv6-routes.png b/source/_static/images/network-details-upstream-ipv6-routes.png
new file mode 100644
index 0000000..f128360
Binary files /dev/null and b/source/_static/images/network-details-upstream-ipv6-routes.png differ
diff --git a/source/plugins/ipv6.rst b/source/plugins/ipv6.rst
index 2a53cd5..bbd22a1 100644
--- a/source/plugins/ipv6.rst
+++ b/source/plugins/ipv6.rst
@@ -23,8 +23,11 @@ traffic. IPv6 uses a 128-bit address that exponentially expands the
 current address space that is available to the users. IPv6 addresses
 consist of eight groups of four hexadecimal digits separated by colons,
 for example, 5001:0dt8:83a3:1012:1000:8s2e:0870:7454. CloudStack
-supports IPv6 for public IPs in shared networks. With IPv6 support, VMs
-in shared networks can obtain both IPv4 and IPv6 addresses from the DHCP
+supports IPv6 for shared and isolated networks. It also supports IPv6 for VPC tiers.
+
+Shared network
+--------------
+With IPv6 support, VMs in shared networks can obtain both IPv4 and IPv6 addresses from the DHCP
 server. You can deploy VMs either in a IPv6 or IPv4 network, or in a
 dual network environment. If IPv6 network is used, the VM generates a
 link-local IPv6 address by itself, and receives a stateful IPv6 address
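Review bot: the new `Shared network` heading runs straight from its `---` underline into the paragraph text with no blank line, unlike every other heading in this file (`Prerequisites and Guidelines` below has a blank line after its underline); add one for consistency. While this paragraph is being rewritten, the unchanged context still reads "either in a IPv6 or IPv4 network" ("an IPv6"), and the example address `5001:0dt8:83a3:1012:1000:8s2e:0870:7454` is not valid hexadecimal (`0dt8`, `8s2e`), which is worth correcting in the same commit since readers copy such examples.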
@@ -44,7 +47,7 @@ Here's the sequence of events when IPv6 is used:
 
 
 Prerequisites and Guidelines
-----------------------------
+############################
 
 Consider the following:
 
@@ -91,8 +94,8 @@ Consider the following:
    data.
 
 
-Limitations of IPv6 in CloudStack
----------------------------------
+Limitations
+###########
 
 The following are not yet supported:
 
@@ -104,7 +107,7 @@ The following are not yet supported:
 
 
 Guest VM Configuration for DHCPv6
----------------------------------
+#################################
 
 For the guest VMs to get IPv6 address, run dhclient command manually on
 each of the VMs. Use DUID-LL to set up dhclient.
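Review bot: the heading demotion is fine, but the unchanged context directly below it, "For the guest VMs to get IPv6 address, run dhclient command manually on each of the VMs", is missing articles ("an IPv6 address", "the dhclient command"); since the hunk already touches this section, fix the sentence in the same commit.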
@@ -199,3 +202,145 @@ each of the VMs. Use DUID-LL to set up dhclient.
          iface eth0 inet6 dhcp
          autoconf 0
          accept_ra 1
+
+
+Isolated network and VPC tier
+-----------------------------
+
+.. note::
+   - The IPv6 support for isolated networks and VPC tiers is available from version 4.17.0.
+
+   - The IPv6 isolated networks and VPC tiers only supports **Static routing**, i.e, the administrator will need to add upstream routes for routing to work inside the networks.
+
+   - IPv6 only isolated networks and VPC tiers are not supported currently. Public network for IPv6 supported isolated networks and VPC tiers must be on the same VLAN for both IPv4 and IPv6.
+
+Guest VMs in an isolated network or VPC tier can obtain both IPv4 and IPv6 IP addresses by using a supported network offering and appropriate configurations for IPv6 support by the administrator.
+Both VR for such networks and the guest VMs using these networks obtain a SLAAC based IPv6 address. While VR is assigned an IPv6 address from the public IPv6 range, guest VMs get their IPv6 addresses from the IPv6 subnet assinged to the network.
+
+Here's the sequence of events when IPv6 is used:
+
+#. The administrator sets global configuration - ``ipv6.offering.enabled`` to **true**.
+
+#. The administrator adds a public IPv6 range in an advanced zone.
+
+#. The administrator adds an IPv6 prefix for guest traffic type for the zone.
+
+#. The administrator creates a network or VPC offering with IPv4 + IPv6 (Dual stack) support.
+
+#. The user deploys an isolated network with the IPv6 supported network offering. For VPC, user creates a VPC with IPv6 supported VPC offering and then deploys a network tier with IPv6 supported network offering.
+
+#. CloudStack assigns a SLAAC based public IPv6 address to the network from the public IPv6 range of the zone. It also assigns an IPv6 subnet to the network from the guest IPv6 prefix for the zone. See `SLAAC <https://datatracker.ietf.org/doc/html/rfc4862>`__\ for more information.
+
+#. The user deploys a guest VM in the network. The VM is assigned a SLAAC based IPv6 address from the guest IPv6 subnet of the network.
+
+
+Prerequisites and Guidelines
+############################
+
+Consider the following:
+
+-  CIDR size for the public IPv6 range for a zone must be 64.
+
+-  CIDR size for the guest IPv6 prefix for the zone must be lesser than 64. Each guest network is assigned a subnet from this prefix with CIDR size 64 therefore only as many IPv6 supporting guest networks can be deployed from the guest prefix as the number of subnets with CIDR size 64.
+
+-  Currently, a guest network cannot be IPv6 only and it can only be either IPv4 only or Dual Stack (both IPv4 + IPv6).
+
+-  Once a public IPv6 address and guest subnet are assigned to the network or the network is successfully, the operator must update routing in the upstream router. For this, CloudStack returns the gateway and subnet for the network with listNetworks API response.
+
+
+Adding a Public IPv6 Range
+##########################
+
+The administrator can use both UI and API to add a public IPv6 range. UI is the preferable option.
+Option to add a new public IPv6 range in the UI can be found in Infrastructure > Zones > Zone details > Physical Network tab > Physical network details > Traffic Types tab > Public > *Add IP range*.
+In the Add IP range form, IPv6 can be selected as the IP Range Type. IPv6 Gateway and CIDR must be provided and optionally a VLAN/VNI can be provided.
+
+Alternatively, ``createVlanIpRange`` API can be used to add a new public IPv6 range.
+
+|add-public-ipv6-range-form.png|
+
+
+
+   .. note::
+      - The public IPv6 address range or CIDR must be added with same VLAN as that of public IPv4 address range.
+
+      - As SLAAC based public IPv6 addresses will be assigned to the networks therefore public IPv6 range must be added without specifying start and end IP addresses.
+
+
+Adding Guest IPv6 Prefix
+########################
+
+Again, both UI and API to add a guest IPv6 prefix. UI is the preferable option.
+Option to add a new public Ipv6 range in the UI can be found in Infrastructure > Zones > Zone details > Physical Network tab > Physical network details > Traffic Types tab > Guest > *Add IPv6 prefix*.
+In the Add IPv6 prefix form, an IPv6 prefix with CIDR size lesser than 64 must be provided.
+
+Alternatively, ``createGuestNetworkIpv6Prefix`` API can be used to add a new guest IPv6 prefix.
+
+|add-guest-ipv6-prefix-form.png|
+
+
+Adding Network or VPC Offering with IPv6 Support
+################################################
+
+To create an IPv6 suported network or VPC offering, global configuration - ``ipv6.offering.enabled`` must be set to **true**.
+
+With 4.17.0, a new paramter - ``internetprotocol`` has been added to:
+ - the ``createNetworkOffering`` API which can be used to create a network offering with IPv6 support by using the value dualstack.
+ - the ``createVPCOffering`` API which can be used to create a VPC offering with IPv6 support by using the value dualstack.
+Corresponding option has also been provided in the UI form creating network/VPC offering:
+
+|add-ipv6-network-offering-form.png|
+
+|add-ipv6-vpc-offering-form.png|
+
+
+Adding Upstream Route
+#####################
+
+Currently, CloudStack supports IPv6 isolated networks and VPC tiers only with **static** routes and therefore the administrator needs to add upstream IPv6 routes once a network is successfully deployed.
+To facilitate the automation, *CloudStack Event Notification* can be used. CloudStack will generate appropriate events on network creation or deletion and while assigning or releasing a public IPv6 address for a network. Based on the events the corresponding network can be queried for the IPv6 routes that it needs configured in upstream network.
+Upstream IPv6 routes required by an IPv6 supported isolated network or VPC tier are also shown in the UI in the network details.
+
+|network-details-upstream-ipv6-routes.png|
+
+
+IPv6 Firewall
+#############
+
+For using and managing firewall rules with an IPv6 supported isolated network, CloudStack provides following APIs:
+
+-  ``listIpv6FirewallRules`` - To list existing IPv6 firewall rules for a network.
+-  ``createIpv6FirewallRule`` - To create a new IPv6 firewall rules for a network.
+-  ``updateIpv6FirewallRule`` - To update an exisitng IPv6 firewall rules for a network.
+-  ``deleteIpv6FirewallRule`` - To delete an exisitng IPv6 firewall rules for a network.
+
+These operations are also available using UI in the network details view of an IPv6 supported network.
+
+|network-details-ipv6-firewall.png|
+
+
+IPv6 ACL
+########
+
+IPv6 ACL rules for an IPv6 supported VPC network tier can be managed using Network ACL lists for the VPC. IPv6 CIDRs can be specified while adding or updating an ACL rule.
+
+|add-ipv6-acl-rule-form.png|
+|ipv6-acl-list.png|
+
+
+.. |add-public-ipv6-range-form.png| image:: /_static/images/add-public-ipv6-range-form.png
+   :alt: Add Public IPv6 Range form.
+.. |add-guest-ipv6-prefix-form.png| image:: /_static/images/add-guest-ipv6-prefix-form.png
+   :alt: Add Guest IPv6 Prefix form.
+.. |add-ipv6-network-offering-form.png| image:: /_static/images/add-ipv6-network-offering-form.png
+   :alt: Add IPv6 supported Network Offering form.
+.. |add-ipv6-vpc-offering-form.png| image:: /_static/images/add-ipv6-vpc-offering-form.png
+   :alt: Add IPv6 supported VPC Offering form.
+.. |network-details-upstream-ipv6-routes.png| image:: /_static/images/network-details-upstream-ipv6-routes.png
+   :alt: Upstream IPv6 routes in network details.
+.. |network-details-ipv6-firewall.png| image:: /_static/images/network-details-ipv6-firewall.png
+   :alt: IPv6 Firewall management in network details.
+.. |add-ipv6-acl-rule-form.png| image:: /_static/images/add-ipv6-acl-rule-form.png
+   :alt: Add IPv6 ACL rule.
+.. |ipv6-acl-list.png| image:: /_static/images/ipv6-acl-list.png
+   :alt: IPv6 ACL rule in Network ACL list.
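Review bot: several of the added lines will not render as intended in reStructuredText. The `internetprotocol` list (` - the ``createNetworkOffering`` API which can be used ...`) is indented one space under a paragraph, so docutils treats it as a block quote, and the next line `Corresponding option has also been provided in the UI form creating network/VPC offering:` unindents without a blank line, which raises a "Block quote ends without a blank line" warning; put the list at column 0 with blank lines before and after it. The indented `.. note::` under `|add-public-ipv6-range-form.png|` is likewise wrapped in a block quote and should be dedented to match the note at the top of the section. In `See `SLAAC <https://datatracker.ietf.org/doc/html/rfc4862>`__\ for more information`, the `\ ` escape removes the following space, so the output reads "SLAACfor"; use a plain space. Content errors: under `Adding Guest IPv6 Prefix`, "Option to add a new public Ipv6 range in the UI" is copied from the previous section and should say "guest IPv6 prefix", and "Again, both UI and API to add a guest IPv6 prefix." lacks a verb ("can be used"); the guideline "Once a public IPv6 address and guest subnet are assigned to the network or the network is successfully, the operator must update routing" is cut off mid-clause. Missing documentation: the `IPv6 Firewall` section lists the four APIs but never states the default policy for a freshly created dual-stack network, i.e. whether inbound traffic to the guest VMs' SLAAC addresses is blocked until an `createIpv6FirewallRule` rule is added; since VMs in these networks receive routable addresses from the guest prefix, the default should be stated explicitly, and the same applies to the default IPv6 behaviour of the VPC tier's Network ACL. Minor: "only supports **Static routing**" should be "only support", "i.e," should be "i.e.,", "lesser than 64" should be "smaller than 64", "a new IPv6 firewall rules" should be "rule", and the typos "assinged", "suported", "paramter" and "exisitng" (twice) need fixing.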