IPv6 with A10 Load Balancers

So I got to do some honest IPv6 related work at the job the last 2 weeks. One task was to verify we had IPv6 working on the load balancers to hosts behind it. I was a bit wary of the state of IPv6 security on these A10 LBs, so I opted to keep the globally routed IPv6 space on the LB’s uplink interface, and the VIPs. And behind the scenes, use ULA.

Step 1: I generated a /48 of ULA for the location, and assigned a /64 for use on the VLAN that the inside interface of the LB sits on with the servers themselves.

Step 2: Configure ::1/64 on the LB inside vlan interface, and ::2/64 on a server, and verified that they could reach each other.

Step 3: I installed lighttpd on the server and configured it to listen on the ULA address.

Step 4: From my ARIN allocation, I have a /64 reserved for configuring /126s on device links to the router, so I configured it on the LB’s dedicated interface on the router. Using ::1/126 on the router; ::2/126 on the LB’s interface; ::3/126 as the VIP.

Step 5: Create on the LB an “IPv6 NAT Pool”, which is really a set of IPs that will act as source IP when talking to the webserver from the LB. I used ::3 through ::ff/64 of the same ULA space. The A10 LB only allows you to create a pool of 1000 IPs, so keep that in mind.

Step 6: Next you create the “Server” entry which is a description referencing an IPv6 address, in this case the ULA address of the web server. You also specify what IP services it will host that the LB can healthcheck, so I only set TCP 80.

Step 7: Then a “Service Group” needs to be created, and this is where you set what kind of LB algorithm and which servers will be used.

Step 8: Now a “Virtual Service” is defined that will tie in what service is forwarded to servers behind the LB, in this case HTTP on port 80, as well as what “NAT Pool” to use.

Step 9: Finally we create the “Virtual Server” (or VIP) with what globally routed IPv6 address you want to use, and what host/service will be used internally.

Now the above is just for getting IPv6 working through the unit. You can obviously attain dual-stack status by doing the same using IPv4. As well as actual load balancing when creating multiple “Server” entries and adding them to the “Service Group”.