SRX Services Gateway
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 45
Registered: ‎10-20-2009
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

actually, no, it's not.  I'm not sure how much I am allowed to say, but suffice it to say that the SRX code is on a 'fast-path' to catch up in features, so essentially it will be on the 12.1 JunOS train for at least a year. This isn't necessarily a bad thing, it's actually good for the SRX to not have to upgrade normal 'router' features when they need to focus on the firewall aspect.  My only question then is how reliable is the '13.1' release stated by rkhetan?

 

Visitor
Posts: 3
Registered: ‎12-11-2012
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Hi rkhetan, 

 

Is RLI 17269 still on track for R13.1?

 

 

 

 

Visitor
Posts: 2
Registered: ‎08-18-2011
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Hi All, Can you please confirm this is still on track for release in 13.1? 

 

New User
Posts: 1
Registered: ‎12-01-2011
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

[ Edited ]

I see that with the new release schedule for SRX, we're going to have 12.1 as a standard release for all of 2013.

 

I'm hopeful that this doesn't make it 2014 until we see this functionality.

 

http://www.juniper.net/AlertUpload/PSN-2013-01-818.pdf

Visitor
Posts: 3
Registered: ‎12-11-2012
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

You'd hope it's a positive from what the PDF seems to indicate.

Contributor
Posts: 45
Registered: ‎10-20-2009
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

well, logically speaking, this would probably be a JunOS feature, not a security feature.  since the new SRX code train will be stuck to JunOS 12.1, and focus on security enhancements, we may be out of luck for this feature until the next year.  hopefully i'm wrong, but i'm not holding my breath.

New User
Posts: 1
Registered: ‎01-28-2013
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Hi All I'm not sure about release trains as I am new to the J world. However, I spoke to a Juniper sales engineer in Australia about a month back. I was told it is on the roadmap and is scheduled to be released in the second half of 2013. It is painful using a tunnel broker when my isp offers native dual stack connectivity.
Contributor
Posts: 69
Registered: ‎09-14-2009
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Well, we're headed into the third quarter.  Anyone hear anything new?  When will be PD be supported?

Contributor
Posts: 58
Registered: ‎01-13-2011
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

RLI 17269 has been included in the beta for 12.1X45-D10.

 

http://blog.ciscoinferno.net/dhcpv6-client-on-the-srx

 

https://www.juniper.net/beta/junos/techpubs/junos-security12.1X45-D10/RLI/X45-B2-RLI-17269-DHCPv6-cl...

 

I have tried configuring it..., but have not been able to get past commit check, yet.

Contributor
Posts: 69
Registered: ‎09-14-2009
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Where do you find the beta download?  Latest I could find is 12.1X44-D15.5.

Contributor
Posts: 58
Registered: ‎01-13-2011
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

[ Edited ]

Your Juniper SE can usually get you on the beta program...

 

Visitor
Posts: 2
Registered: ‎08-18-2011
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Can you share your working configuration?

Super Contributor
Posts: 206
Registered: ‎03-11-2008
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Well X45 is out. Installed it on my SRX210 but I currently cannot work out how to get it to function.

 

When I try to comment my config I get an odd error:

Incompatible with the dhcp server configured under 'system services dhcp'

 

This happens whenever any dhcpv6-client settings are set under my untrust interface. Odd as this shouldn't change any internal/trust DHCPv4 stuff.

 

I ended up deactivating DHCPv4 and was able to commit the config (!?) but it still didn't pick up an IPv6 ip addresses from my ISP.

 

I didn't spent too long on it so I will do some more testing later, also I probably need to read the documentation first, heh.

Regular Visitor
Posts: 9
Registered: ‎12-14-2012
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

mwdmeyer, you could try that what is referenced over at ciscoInferno.net: http://blog.ciscoinferno.net/dhcpv6-client-on-the-srx


And with the official documentation found here: https://www.juniper.net/beta/junos/techpubs/junos-security12.1X45-D10/RLI/X45-B2-RLI-17269-DHCPv6-cl...

 

Good luck!

Super Contributor
Posts: 206
Registered: ‎03-11-2008
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Thanks. I used the ciscoInferno site to create the config to start with, so unfortunately it doesn't seem to work. At least doesn't work for PPP style connections.

 

Also the Juniper documentation is not public, I cannot access it. I don't have beta access. X45 is now out for all users.

 

The public documentation is very lacking at this stage. 

Regular Visitor
Posts: 9
Registered: ‎12-14-2012
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

I have included the IPv6 / DHCPv6 document from the X45 beta Smiley Happy

The file is not marked as "internal" or "limited release", so I presume it won't be a problem.

Visitor
Posts: 4
Registered: ‎01-26-2013
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

I haven't been able to make this work on the ADSL interface of my 110H-VA towards my ISP (Internode here in Australia). Once I removed all references to the old dhcp method on other interfaces and only used dhcp-client, it accepts the config but show dhcp client binding shows nothing. I've had IPv6 working just fine with an OpenWRT box, so I know it's not the ISP/line.

 

Here's my config for the DSL interface which works just fine for IPv4, but not IPv6.

 

    at-1/0/0 {
        description "ADSL Interface";
        mtu 1540;
        encapsulation atm-pvc;
        atm-options {
            vpi 8;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            description PPPoA;
            encapsulation atm-ppp-llc;
            vci 8.35;
            ppp-options {
                chap {
                    default-chap-secret ...;
                    local-name ...;
                    passive;
                }
            }
            family inet {
                negotiate-address;
            }
            family inet6 {
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type ia-na;
                    client-ia-type ia-pd;
                    client-identifier duid-type duid-ll;
                }
            }
        }
    }

 

For reference, the cisco configuration for my ISP is here:

 

http://www.internode.on.net/support/guides/internet_access/ipv6/cisco_routers/

 

 

Super Contributor
Posts: 206
Registered: ‎03-11-2008
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

[ Edited ]

None of this is documented by Juniper it seems, this is what I have worked out so far.

 

Firstly you need to use:

 

show dhcpv6 client binding

 Secondly you will need to allow DHCPv6 on the untrust interface, e.g

 

set security zones security-zone untrust interfaces at-1/0/0.0 host-inbound-traffic system-services dhcpv6

 You can use a local DHCP server but it needs to be in the "new" format.

system {
     services {
        dhcp-local-server {
            group trust {
                interface vlan.0;
            }                           
        }
     }    
}

 

access {
    address-assignment {
        pool trust {
            family inet {
                network 10.0.0.0/22;
                range pool {
                    low 10.0.1.1;
                    high 10.0.2.254;
                }
                dhcp-attributes {
                    maximum-lease-time 691200;
                    domain-name dalegroup.net;
                    name-server {
                        10.0.0.254;
                    }
                    router {
                        10.0.0.254;
                    }
                }
                host static-ip-1 {
                    hardware-address 00:0c:29:xx:xx:xx;
                    ip-address 10.0.2.7;
                }

            }
        }
    }
}

 

Not sure if you are following the chat on AugNOG mailing list. Probably are Smiley Happy


Saying all this I cannot get it to work! When all the above is enabled my CPU goes to 100%. It seems that the DHCPv6 service is sending and receiving a mass of requests, overloading the CPU. Even then it still doesn't pickup an IP address.

 

Maybe we will get there but I think it just doesn't work correctly yet Smiley Sad 

Distinguished Expert
Posts: 828
Registered: ‎04-17-2008
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Heh - fancy meeting you guys here Smiley Wink

 

Can you drop into a root shell and get a capture - might be able to see what the DHCP server is sending:

 

start shell

tcpdump -i at-1/0/0 -s 2000 -w /var/tmp/dhcpv6.cap

 

 

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Visitor
Posts: 4
Registered: ‎01-26-2013
0 Kudos

Re: Branch SRX as a DHCPv6 prefix delegation client?

Yeah, I've been following along, although I did try some other things first, but I did just notice the dhcp vs dhcpv6 mistake I was making. Here's what I'm seeing:

 

show dhcpv6 client binding detail

Client Interface: at-1/0/0.0
     Hardware Address:             XXX
     State:                        SELECTING(DHCPV6_CLIENT_STATE_SELECTING)
     ClientType:                   STATEFULL
     Bind Type:                    IA_NA IA_PD
     Client DUID:                  LL_TIME0x1-0x0-XXX
     Rapid Commit:                 On
     Server Ip Address:            ::/0
     Client IP Address:            ::/0
     Client IP Prefix:             ::/0

As for CPU usage, I'm not seeing dhcp use 100%, although it is using some CPU and a lot of memory for a dhcp client:

 

# run show system processes extensive
last pid:  3019;  load averages:  3.35,  3.80,  4.10  up 0+07:05:12    05:56:58
124 processes: 18 running, 93 sleeping, 1 zombie, 12 waiting

Mem: 152M Active, 100M Inact, 550M Wired, 127M Cache, 112M Buf, 41M Free
Swap:


  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1318 root        5  76    0   531M 80780K select 0 505:49 110.45% flowd_octeon_hm
 1300 root        1 138    0 34512K  8008K RUN    0  71:48 31.54% dcd
 1990 root        1  82    0 48632K 12320K select 0  27:33  7.47% jdhcpd
 1342 root        1   4    0  9880K  4432K kqread 0  11:44  2.25% mcsnoopd
   22 root        1 171   52     0K    16K RUN    0 163:46  0.00% idle: cpu0
...