227 posts

Master Geek
+1 received by user: 26


Topic # 150302 17-Jul-2014 19:19

Configuring a DHCPv6 client on a Juniper SRX isn't as straightforward as it should have been. I hit a couple of speed bumps during the configuration so thought I'd document the experience for anyone else using a Juniper SRX with Orcon.
This was written with my test environment in mind and is not a complete long-term config that you should use. There are some issues which I discuss later on.
NOTE: I've used full configuration set lines for completeness. You can navigate down the configuration tree if you want.
This isn't a newbie guide (i.e. you should know what the prompts "#" & ">" mean) but I can try to help if you get stuck.

Junos Software Release 12.1X45-D10 (the first Junos version to introduce the DHCPv6 client) has some issues; I suggest using 12.1X46-D20.5 (this is what I've used).
NOTE: At the time of writing, the JTAC recommended Junos version is Junos 12.1X44-D35.5.

Enable IPv6 flow mode (unless you really want to run in packet mode), otherwise it will just drop IPv6 traffic!
# set security forwarding-options family inet6 mode flow-based

You can see what mode you’re currently in with:
> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

This firewall was (almost) fresh out of the box, configuration-wise. As you can see, IPv6 traffic is dropped by default (unlike IPv4 traffic, which is set to flow based).

Reboot. You must do this when enabling or disabling IPv6 flow mode (in most instances).
> request system reboot

Configure our outward interface (in my example, fe-0/0/0.10 is the outward facing untrusted logical interface). Also note that vlan.0 is my inward facing (trusted) logical interface.
# set interfaces fe-0/0/0 unit 10 family inet6 dhcpv6-client client-type statefull
# set interfaces fe-0/0/0 unit 10 family inet6 dhcpv6-client client-ia-type ia-na
# set interfaces fe-0/0/0 unit 10 family inet6 dhcpv6-client client-ia-type ia-pd
# set interfaces fe-0/0/0 unit 10 family inet6 dhcpv6-client client-identifier duid-type duid-ll
# set interfaces fe-0/0/0 unit 10 family inet6 dhcpv6-client update-router-advertisement interface vlan.0

Our trusted interface vlan.0 is used to propagate IPv6 addresses.
Orcon offer global address assignment (IA_NA) and prefix delegation (IA_PD). Some ISPs overseas don't, and only offer prefix delegation, which is the cause of a few headaches for some Junos users.

You may strike an issue where you get the following message if your configuration looks like this:
vlan-tagging;
unit 10 {
  vlan-id 10;
  family inet {
    dhcp;
  }
  family inet6 {
    ##
    ## Warning: Incompatible with the client configured under 'family inet6 dhcpv6-client'
    ##
    dhcpv6-client {
      client-type statefull;
      client-ia-type ia-na;
      client-ia-type ia-pd;
      client-identifier duid-type duid-ll;
      update-router-advertisement {
        interface vlan.0;
      }
    }
  }
}

It would appear that Juniper have changed the way they want you to configure IPv4 DHCP since Junos 10 (which is what I was using), especially when using DHCPv6. The above message is a really obscure one and it's really complaining about the family inet dhcp config item.

Either remove the "family inet" configuration (which means no dual stack, i.e. no IPv4), or change the DHCP daemon you use (this is the preferred option).

To stop IPv4 on the logical interface:
# delete interfaces fe-0/0/0 unit 10 family inet

To change the DHCP daemon:
# delete interfaces fe-0/0/0 unit 10 family inet dhcp
# set interfaces fe-0/0/0 unit 10 family inet dhcp-client
NOTE: use "show dhcp client binding" rather than "show system services dhcp client". They show the same information but the latter won't work any more. You'll get "dhcp subsystem not running – not needed by configuration". It's a very badly worded warning message, as is the configuration warning message!
The two DHCP configurations above use different daemons, and the two are mutually exclusive (but achieve the same result). Hence the message.
The dhcpd (family inet dhcp) daemon will only handle DHCPv4, whereas the jdhcpd (family inet dhcp-client) daemon will handle DHCP and DHCPv6.

Allow DHCPv6 on the outward facing logical interface
# set security zones security-zone untrust interfaces fe-0/0/0.10 host-inbound-traffic system-services dhcpv6

Commit your configuration and you should be looking good.
# commit and-quit

Your configuration will now look something like this:
vlan-tagging;
unit 10 {
  vlan-id 10;
  family inet {
    dhcp-client;
  }
  family inet6 {
    dhcpv6-client {
      client-type statefull;
      client-ia-type ia-na;
      client-ia-type ia-pd;
      client-identifier duid-type duid-ll;
      update-router-advertisement {
        interface vlan.0;
      }
    }
  }
}

Find our route to the internet and set it.
NOTE:
I couldn't find a way to have the route injected automatically (whereas it just happens with DHCPv4). If anyone has any ideas...
> show ipv6 neighbors
  IPv6 Address Linklayer Address State Exp Rtr Secure Interface
  fe80::ea4:2ff:feed:555b 0c:a4:02:ed:55:5b stale 26 yes no fe-0/0/0.10

You can also find this information by typing:
> show dhcpv6 client binding detail
  Client Interface: fe-0/0/0.10
  Hardware Address: 28:c0:da:xx:xx:xx
  State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
  ClientType: STATEFUL
  Lease Expires: 2014-07-18 16:50:23 NZST
  Lease Expires in: 630537 seconds
  Lease Start: 2014-07-10 16:50:23 NZST
  Bind Type: IA_NA IA_PD
  Client Interface Vlan Id: 10
  Client DUID: LL0xd-28:c0:da:xx:xx:xx
  Rapid Commit: Off
  Server Ip Address: fe80::ea4:2ff:feed:555b
  Client IP Address: xxxx:xxxx:xxxx:xxxx::1/128
  Client IP Prefix: xxxx:xxxx:xxxx:xxxx::/56
  DHCP options:
  Name: server-identifier, Value: LL0x1-0c:a4:02:ed:55:5b

Take the IPv6 address and use that as our next hop.
# set routing-options rib inet6.0 static route ::/0 next-hop fe80::ea4:2ff:feed:555b
Or you could just use the qualified-next-hop (which gives you a whole lot more control).
# set routing-options rib inet6.0 static route ::/0 qualified-next-hop fe80::ea4:2ff:feed:555b interface fe-0/0/0.10
There are ramifications with doing this and I'll try to find out why DHCPv6 isn't injecting the route and post an update.

Commit the config again.

You can test your connection by pinging Google's DNS servers:
> ping 2001:4860:4860::8888 (or 2001:4860:4860::8844)

Those are the basics, really.


NOTE: Original updated due to clarification of Static assignments from SoundDude.
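Added example (not from the original post): a small Python helper that parses the two outputs quoted above, `show security flow status` and `show dhcpv6 client binding detail`, reports an inet6 forwarding mode that is still `drop`, and derives the `::/0` static route line from the server address the client bound to, using the qualified-next-hop form because a link-local next hop only makes sense together with the interface it was learned on. The sample output is constructed from the post's output with the global addresses replaced by RFC 3849 documentation addresses; the function names are assumptions of this example, not Junos or Juniper APIs.

```python
"""Parse the Junos DHCPv6-client show output quoted in the post and derive the
default-route 'set' line from it.  Sample text is constructed from the thread
(global addresses replaced with documentation addresses)."""
import re
from ipaddress import IPv6Address, IPv6Network

# Constructed sample: 'show security flow status' on a box that has not yet
# been switched to inet6 flow mode (mirrors the post's output).
FLOW_STATUS = """\
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
"""

# Constructed sample: 'show dhcpv6 client binding detail' after a successful
# bind.  Global addresses are RFC 3849 documentation addresses.
BINDING_DETAIL = """\
  Client Interface: fe-0/0/0.10
  Hardware Address: 28:c0:da:00:00:01
  State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
  ClientType: STATEFUL
  Lease Expires in: 630537 seconds
  Bind Type: IA_NA IA_PD
  Client Interface Vlan Id: 10
  Client DUID: LL0xd-28:c0:da:00:00:01
  Rapid Commit: Off
  Server Ip Address: fe80::ea4:2ff:feed:555b
  Client IP Address: 2001:db8:0:1::1/128
  Client IP Prefix: 2001:db8:0:100::/56
  DHCP options:
  Name: server-identifier, Value: LL0x1-0c:a4:02:ed:55:5b
"""


def inet6_forwarding_mode(flow_status):
    """Return the Inet6 forwarding mode string ('drop', 'flow based', ...)."""
    m = re.search(r"Inet6 forwarding mode:\s*(.+)", flow_status)
    return m.group(1).strip() if m else None


def parse_binding(text):
    """Turn the 'Key: Value' lines of the binding output into a dict.
    Only the first ':' separates key from value, so IPv6 addresses survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    state = fields.get("State", "").split("(")[0]          # 'BOUND' / 'INIT'
    lease = fields.get("Lease Expires in", "0 seconds").split()[0]
    return {
        "interface": fields.get("Client Interface"),
        "state": state,
        "bind_types": fields.get("Bind Type", "").split(),
        "server": fields.get("Server Ip Address"),
        "address": fields.get("Client IP Address"),
        "prefix": fields.get("Client IP Prefix"),
        "lease_seconds": int(lease),
    }


def default_route_command(binding):
    """Build the Junos 'set' line for ::/0 via the DHCPv6 server address.
    Raises if the client has not reached BOUND (nothing learned yet)."""
    if binding["state"] != "BOUND":
        raise ValueError("client is %s, no next hop learned yet" % binding["state"])
    nh = IPv6Address(binding["server"])
    if nh.is_link_local:
        # fe80::/10 is per-link; the route must name the egress interface.
        return ("set routing-options rib inet6.0 static route ::/0 "
                "qualified-next-hop %s interface %s" % (nh, binding["interface"]))
    return "set routing-options rib inet6.0 static route ::/0 next-hop %s" % nh


def delegated_prefix(binding):
    """The IA_PD prefix as an IPv6Network, or None if no prefix was delegated."""
    if "IA_PD" not in binding["bind_types"] or not binding["prefix"]:
        return None
    return IPv6Network(binding["prefix"])


if __name__ == "__main__":
    mode = inet6_forwarding_mode(FLOW_STATUS)
    if mode == "drop":
        print("inet6 is in drop mode: set flow-based mode and reboot first")
    b = parse_binding(BINDING_DETAIL)
    print(default_route_command(b))
    print("delegated prefix:", delegated_prefix(b))
```

Run it as a script to see the route line for the sample binding; paste real `show` output into the two strings to use it on your own box.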

5419 posts

Uber Geek
+1 received by user: 231

Trusted
Geekzone
Subscriber

  Reply # 1090974 17-Jul-2014 19:19

Hello... Our robot found some keywords in your post, so here is an automated reply with some important things to note regarding broadband speeds.

If you are posting regarding DSL speeds please check that

- you have reset your modem and router
- your PC (or other PCs in your LAN) is not downloading large files when you are testing
- you are not being throttled by your ISP due to going over the monthly cap
- your tests are always done on an ethernet connection to the router - do not use wireless for testing
- you read this topic and follow the instructions there.

Make sure you provide information for other users to help you. If you have not already done it, please EDIT your post and add this now:

- Your ISP and plan
- Type of connection (ADSL, ADSL2, VDSL)
- Your modem DSL stats (do not worry about posting Speedtest, we need sync rate, attenuation and noise margin)
- Your general location (or street)
- If you are rural or urban
- If you know your connection is to an exchange, cabinet or conklin
- If your connection is to a ULL or wholesale service
- If you have done an isolation test as per the link above

Most of the problems with speed are likely to be related to internal wiring issues. Read this discussion to find out more about this. Your ISP is not intentionally slowing you down today (unless you are on a managed plan). Also if this is the school holidays it's likely you will notice slower than usual speed due to more users online.

A master splitter is required for VDSL2 and in most cases will improve speeds on DSL connections. Regular disconnections can be a monitored alarm or a set top box trying to connect. If there's an alarm connected to your line even if you don't have an alarm contract it may still try to connect so it's worth checking.

I recommend you read these two blog posts:

- Is your premises phone wiring impacting your broadband performance? (very technical)
- Are you receiving a substandard ULL ADSL2+ connection from your ISP?

I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.



I fix stuff!
1574 posts

Uber Geek
+1 received by user: 250

Trusted
Vocus
Subscriber

  Reply # 1090989 17-Jul-2014 19:46


To statically set your IP address:
# delete interfaces fe-0/0/0 unit 10 family inet dhcp
# set interfaces fe-0/0/0 unit 10 family inet address xxx.xxx.xxx.xxx/xx
Where xxx.xxx.xxx.xxx/xx is your Orcon assigned IP and netmask.
Note: You'll also need a static route
# set routing-options static route 0.0.0.0/0 qualified-next-hop 121.99.228.1 interface fe-0/0/0.10
This BNG could change so talk with Orcon to understand the implications before taking this option (at which point the CSR will probably tell you to just use the Genius modem if you can't get on to someone more knowledgeable).


This won't work very well. The BNG on our side requires DHCP renews, otherwise it will delete your BNG session.

You need to have DHCP enabled at all times and use the IP address assigned by DHCP.

This is the case even when using static IP addresses, as they are assigned by DHCP.

227 posts

Master Geek
+1 received by user: 26


  Reply # 1090991 17-Jul-2014 19:50

Sounddude:

To statically set your IP address:
# delete interfaces fe-0/0/0 unit 10 family inet dhcp
# set interfaces fe-0/0/0 unit 10 family inet address xxx.xxx.xxx.xxx/xx
Where xxx.xxx.xxx.xxx/xx is your Orcon assigned IP and netmask.
Note: You'll also need a static route
# set routing-options static route 0.0.0.0/0 qualified-next-hop 121.99.228.1 interface fe-0/0/0.10
This BNG could change so talk with Orcon to understand the implications before taking this option (at which point the CSR will probably tell you to just use the Genius modem if you can't get on to someone more knowledgeable).


This won't work very well. The BNG on our side requires DHCP renews, otherwise it will delete your BNG session.

You need to have DHCP enabled at all times and use the IP address assigned by DHCP.

This is the case even when using static IP addresses, as they are assigned by DHCP.


I didn't think so.  Hence why I asked you the question via PM earlier.
Thanks for the clarification though.  I'll amend the post.

I fix stuff!
1574 posts

Uber Geek
+1 received by user: 250

Trusted
Vocus
Subscriber

  Reply # 1091008 17-Jul-2014 20:39

Also, try setting your DHCPv6 to stateless.

We are sending RAs for the next-hop gateway, so it should honor it rather than statically assigning it.




227 posts

Master Geek
+1 received by user: 26


  Reply # 1091200 18-Jul-2014 09:46

Sounddude: Also, try setting your DHCPv6 to stateless.

We are sending RAs for the next-hop gateway, so it should honor it rather than statically assigning it.


Thanks.  I did try stateless but the config didn't work.
I'll try again today.



227 posts

Master Geek
+1 received by user: 26


  Reply # 1092532 20-Jul-2014 16:15

BigGuy:
Sounddude: Also, try setting your DHCPv6 to stateless.
We are sending RAs for the next-hop gateway, so it should honor it rather than statically assigning it.

Thanks.  I did try stateless but the config didn't work.
I'll try again today.

The SRX absolutely refuses to bind when the logical interface is set to autoconfig.

I get a state of INIT but that's as far as it will go.
  Client Interface: fe-0/0/0.10
  Hardware Address: 28:c0:da:xx:xx:xx
  State: INIT(DHCPV6_CLIENT_STATE_INIT)
  ClientType: AUTO
  Bind Type: IA_NA
  Client Interface Vlan Id: 10
  Client DUID: LL_TIME0xd-0x0-28:c0:da:xx:xx:xx
  Rapid Commit: Off
  Server Ip Address: ::/0
  Client IP Address: ::/0
  Client IP Prefix: ::/0

This gives me the impression Juniper's firmware needs work, I'm doing something completely wrong (there's not much to configure), or Orcon don't support SLAAC!
You mentioned (elsewhere) having to set IA-PD, and this tends to give credence to my thoughts about the lack of support for SLAAC, as you can't set IA-PD on the interface with it set to autoconfig (please correct me if I'm wrong).

Separate from not being able to use SLAAC, for some reason I don't see RA messages with the next-hop. Time to break out Wireshark :(
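Added example, not from the thread: a pure-Python decoder for an ICMPv6 Router Advertisement, the message Sounddude says the ISP sends for the next-hop gateway. It reports the M and O flags, which are what decide between stateful DHCPv6 (the post's `client-type statefull` with IA_NA) and SLAAC plus stateless DHCPv6, and the router lifetime, which is what actually makes an RA sender a default gateway on the link (RFC 4861); a lifetime of zero means "prefixes only, I am not your router", which would explain seeing RAs but no default route. The RA bytes are constructed for this example (the link-layer address is the BNG MAC from the post's neighbour table, the prefix is an RFC 3849 documentation prefix), the checksum is left at zero because it needs the IPv6 pseudo-header, and the function names are mine; nothing here is Junos code.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861 section 4.2) and report
what a host on the link would learn from it.  The RA bytes are constructed
here for the example; they are not a capture from the thread."""
import struct
from ipaddress import IPv6Address

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
RA_HEADER = "!BBHBBHII"   # type, code, cksum, hop limit, flags, lifetime, reachable, retrans


def build_ra(managed, other, router_lifetime, prefix, prefix_len, autonomous, src_mac):
    """Construct an RA for testing.  Checksum is 0: it covers the IPv6
    pseudo-header, which this example never builds, and parse_ra ignores it."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)      # M and O bits
    hdr = struct.pack(RA_HEADER, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                      64, flags, router_lifetime, 0, 0)
    src_ll = struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + bytes.fromhex(src_mac.replace(":", ""))
    pflags = 0x80 | (0x40 if autonomous else 0)                     # L (on-link) and A bits
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, prefix_len, pflags,
                      2592000, 604800, 0) + IPv6Address(prefix).packed
    return hdr + src_ll + pio


def parse_ra(pkt):
    """Return the RA's flags, router lifetime, source MAC and prefix options.
    Malformed options (zero length or running past the packet) are rejected,
    as RFC 4861 section 4.6 requires the message to be discarded."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _, _, _, _hop, flags, lifetime, _reach, _retrans = struct.unpack(RA_HEADER, pkt[:16])
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime,
          "is_default_router": lifetime > 0,   # lifetime 0 = not a default router
          "source_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0 or off + olen * 8 > len(pkt):
            raise ValueError("malformed option at offset %d" % off)
        body = pkt[off + 2: off + olen * 8]
        if otype == OPT_SOURCE_LINK_LAYER and olen == 1:
            ra["source_mac"] = ":".join("%02x" % b for b in body[:6])
        elif otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({
                "prefix": "%s/%d" % (IPv6Address(body[14:30]), plen),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off += olen * 8   # unknown option types are skipped, per RFC 4861
    return ra


def address_mode(ra):
    """Which address-configuration method the RA tells the host to use."""
    if ra["managed"]:
        return "stateful DHCPv6 (IA_NA) for addresses"
    if any(p["autonomous"] for p in ra["prefixes"]):
        return "SLAAC" + (" + stateless DHCPv6 for other config" if ra["other"] else "")
    return "no address configuration advertised"


if __name__ == "__main__":
    # Constructed sample: M=1, O=1, router lifetime 1800s, one on-link prefix.
    ra = parse_ra(build_ra(True, True, 1800, "2001:db8:0:1::", 64, False, "0c:a4:02:ed:55:5b"))
    print(address_mode(ra), "| default router:", ra["is_default_router"], "via", ra["source_mac"])
```

To use it on a real capture, feed it the ICMPv6 payload of a packet exported from Wireshark; the distinction to look for is a router lifetime of 0 versus a non-zero one, since only the latter installs a default route on the receiver.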
