IPv6 management support for Vectra appliances

As of v8.5, the use of IPv6 for management is supported on most Vectra appliances. This article provides additional details.

Applicability

IPv6 management of Vectra appliances is supported in versions 8.5 and above.

There are 3 main categories of appliances (physical, virtual, and cloud). "Cloud" appliances are also virtual, but for the purposes of this article, a cloud appliance is a Brain or Sensor deployed in a public cloud such as AWS, Azure, or GCP.

Please see the table below for IPv6 support by appliance category:

Appliance Category

Example Appliance Models (not all are listed)

IPv6 MGT Support

Physical

S1, S11, S101, X29, B101, etc

Yes

Virtual (Traditional Hypervisors)

VMware Brain/Sensor, Hyper-V Sensor, Nutanix Sensor, KVM Sensor, etc

Yes

Cloud (Supported Public Clouds)

AWS Brain/Sensor, Azure Brain/Sensor

Enabling/Disabling IPv6 Support

The use of IPv6 for management of Vectra appliances is not enabled by default. It is controlled by a feature flag that must be set by the customer before an IPv6 address can be assigned.

To enable IPv6 support on an already running Vectra appliance, log in to the appliance as the vectra user using any supported method. Supported methods are detailed in Console access on Vectra Cognito appliances. Users other than the vectra user can be used in v9.8 and higher (see SSH login process for CLI for details).

The following commands can be used to enable and disable IPv6 support for MGT1 as well as check the status.

# show ipv6 enabled
IPv6 is disabled

# set ipv6 enabled
Response: ok

# show ipv6 enabled
IPv6 is enabled

# set ipv6 disabled
Response: ok

After changing the feature flag status with the above commands, there are some back end processes that need to complete. The status of the feature flag will update immediately, but if a show interface command was used and you were set to DHCP in a dual stack environment, it may not be immediate that you see both the IPv4 and IPv6 addresses being output as a result. If it has been more than 5 minutes and the expected results are not being displayed, a support ticket should be opened.

Dual Stack Support

Supported appliances can be used as IPv6 only, IPv4 only (default), or in dual stack mode. Please note the following about dual stack support

In an IPv6 only environment, the customer network must have NAT64 and DNS64 available so that the Brain appliance can reach Vectra services because Vectra services are IPv4 only in Vectra's cloud.
- This is not required for air gap deployments.
- NAT64 - Network Address Translation IPv6 to IPv4 (NAT64) translates IPv6 packets to IPv4 packets and vice versa. When an IPv6-only host wants to communicate with an IPv4 destination, the NAT64 device translates the IPv6 packets to IPv4 and forwards them to the IPv4 destination. When the response comes back, it translates the IPv4 packets back to IPv6 and sends them back to the IPv6-only host.
- DNS64 - DNS64 is used in conjunction with NAT64. When an IPv6-only host wants to resolve the IPv4 address of a domain name (which only has IPv4 records), the DNS64 server synthesizes an AAAA record (IPv6 address) using the IPv6 prefix of the NAT64 device and the IPv4 address obtained from the DNS A record. This synthesized AAAA record allows the IPv6-only host to communicate with IPv4-only servers via the NAT64 device.
In an environment that supports both IPv4 and IPv6, please note the following:
- Both the IPv4 and IPv6 stacks must be set to Static or DHCP, you cannot have one be Static and the other be DHCP.
- When DHCP is configured using the set interface command, both stacks are automatically set to DHCP.
- When setting a static IP using the set interface command, you must execute the command twice to set a static IP for each stack.
  - Set the IPv4 stack to a static IP using the syntax for an IPv4 address.
  - Set the IPv6 stack to a static IP using the syntax for an IPv6 address.
If an IPv4 destination is configured for a supported integration or for pairing a Sensor to a Brain for example, the IPv4 stack will be used to initiate the connection in dual stack environments. Similarly, if an IPv6 destination is used for an integration or pairing, the IPv6 stack will be used to initiate the connection.

Pairing Considerations

When a Sensor is paired to a Brain, it is a one to one mapping and the pairing will be specific to the stack that the pairing was done from (see Dual Stack Support above). In other words, you will be paired using IPv4 or IPv6, not both. If one network becomes unavailable, there is no automatic fallback to the other network. It is suggested to pair by hostname instead of IP to make failover scenarios easier to deal with.

VMware Brains and vSensors

VMware Brains and Sensors are capable of automatically enabling the IPv6 feature flag and deploying directly with IPv6 support enabled if an IPv6 address is configured for the MGT interface when deploying the appliance. If dual stack support is desired, you must still configure the 2nd stack in the same manner described in the Dual Stack Support section above.

MGT2 IPv6 Support

Some physical Vectra appliances have a MGT2 port that can be used to connect for console access. Please see more details about using MGT2 to connect to Vectra appliances here. MGT2 defaults to an IPv4 address but can be configured to an IPv6 address if required. When IPv6 is enabled, there is no default IPv6 address assigned to MGT2. To configure MGT2 with an IPv6 address:

Ensure IPv6 is enabled (see above).
Use the set interface mgt2 command to set a static IP for MGT2.

Set Interface Command Details

For full details, please see: Configuring the IP address of a new Brain or Sensor

Once logged in to the appliance you can view command syntax for the set interface command as shown:

set interface -h
Usage: set interface [OPTIONS] {mgt1|mgt2} {dhcp|static} [IP] [SUBNET_MASK]
                     [GATEWAY_ADDRESS]

  Sets network interfaces to either dhcp or static ip configuration

Options:
  -h, --help  Show this message and exit.

Execute the following command to set the MGT1 or MGT2 (a gateway address cannot be configured for MGT2, the gateway on MGT1 will be used) interface to the desired static IP address:

IPv4 Syntax:
set interface mgt1 static x.x.x.x y.y.y.y z.z.z.z
set interface mgt2 static x.x.x.x y.y.y.y

Where:
x.x.x.x is the desired interface IP address
y.y.y.y is the desired interface network mask
z.z.z.z is the desired gateway

IPv6 Syntax:
set interface mgt1 static [IPv6 IP] [Subnet Mask] [Gateway]

Example:
set interface mgt1 static 2001:0db8:0:f101::25 64 2001:0db8:0:f101::1

Additional Examples and the "Unset" Command

Imagine all of the commands were run, one after the other in this section.

1st we set DHCP and since we have both IPv4 and IPv6 DHCP in the environment, we now have a dual stack configuration.
We then set MGT1 to a static IPv4 address and have moved to a single stack configuration.
We then set MGT1 to a static IPv6 address and now we have a dual stack configuration.
We then unset the IPv6 address and have moved back to a single stack IPv4 configuration.

Setting MGT1 to DHCP mode in a dual stack network and then showing the interface configuration

vscli > set interface mgt1 dhcp
Interfaces updated successfully

vscli > show interface
mgt1:
    Running:
        Carrier: 1,
        Gateway: 172.16.48.1,
        Gatewayv6: fe80::250:56ff:fea2:94e7,
        Ip: 172.16.48.88,
        Ipv6: 2001:db8:6:0:250:56ff:fea2:e6f0,
        Mac: 00:50:56:a2:e6:f0,
        Mode: dhcp,
        Netmask: 255.255.255.0,
        Netmaskv6: ffff:ffff:ffff:ffff::/64,
        Speed: 10000

Setting MGT1 to a static IPv4 address and then setting a static IPv6 address

Notice that since we moved from DHCP to static, the IPv6 address that was previously configured by DHCP is not configured until it is separately configured by the second use of the set interface command.

vscli > set interface mgt1 static 172.16.48.88 24 172.16.48.1
Interfaces updated successfully

vscli > show interface
mgt1:
    Running:
        Carrier: 1,
        Gateway: 172.16.48.1,
        Ip: 172.16.48.88,
        Mac: 00:50:56:a2:e6:f0,
        Mode: static,
        Netmask: 255.255.255.0,
        Speed: 10000

vscli > set interface mgt1 static 2001:db8:6:0:250:56ff:fea2:e6f0 64 fe80::250:56ff:fea2:94e7
Interfaces updated successfully

vscli > show interface
mgt1:
    Running:
        Carrier: 1,
        Gateway: 172.16.48.1,
        Gatewayv6: fe80::250:56ff:fea2:94e7,
        Ip: 172.16.48.88,
        Ipv6: 2001:db8:6:0:250:56ff:fea2:e6f0,
        Mac: 00:50:56:a2:e6:f0,
        Mode: static,
        Netmask: 255.255.255.0,
        Netmaskv6: 64,
        Speed: 10000

Using the "unset" command to remove a static assignment

This is essentially going from a dual stack configuration to a single stack configuration.

vscli > unset static mgt1 ipv6
Interface updated successfully

vscli > show interface
mgt1:
    Running:
        Carrier: 1,
        Gateway: 172.16.48.1,
        Ip: 172.16.48.88,
        Mac: 00:50:56:a2:e6:f0,
        Mode: static,
        Netmask: 255.255.255.0,
        Speed: 10000

PreviousDefault usernames and passwords NextIDR for Azure AD & CDR for M365

Last updated 16 days ago

Was this helpful?

Good evening

hashtagApplicability

hashtagEnabling/Disabling IPv6 Support

hashtagDual Stack Support

hashtagPairing Considerations

hashtagVMware Brains and vSensors

hashtagMGT2 IPv6 Support

hashtagSet Interface Command Details

hashtagAdditional Examples and the "Unset" Command

hashtagSetting MGT1 to DHCP mode in a dual stack network and then showing the interface configuration

hashtagSetting MGT1 to a static IPv4 address and then setting a static IPv6 address

hashtagUsing the "unset" command to remove a static assignment