Bad

 

I was expecting 10.1 due to be released in february to have IPv6 for the larger SRX models - but it seems it wont :-(

 

I am feeling let down here, since test equipment like the SRX210H has this feature, only not flow based filtering - but it can forward IPv6 packets.

 

If you need IPv6 then don't buy the bigger SRX models, anything bigger than SRX210H, check with Juniper salespeople.

I have several srx-210's and I would not call the ipv6 support on those models complete or usable. I need to run dual stack on vlan interfaces. This is currently not supported, who cares if I can run ipv6 on a physical interface. I need to be able to run it on a vlan interface. This is a big issue!!

I agree, this is pretty sad to see Juniper pushing SRX to customers and partners, yet if you want IPV6 you're better off running the SSGs.  At least there you can dual-stacked on a bgroup interface and it support security flow-based forwarding.  Is it really asking too much to get the SRXs to have the same functionality as the SSGs?

IPv6 is packet-based only right now. It's a safe bet to say it won't stay that way, and will become flow-based.

 

To think of SRX as a one-to-one SSG replacement is an approach that will get you in hot water at this time. It's got some amazing strong points: Price/performance, JunOS, better CoS for VOIP applications, to name just a few. And just as many shortcomings: Dual ISP w/o dynamic routing, Dynamic VPN, interop VPNs w/ Cisco, the web UI, again to name just a few. All of which boils down to: Know which design you are placing SRX in, and whether it will be a good fit there. And really watch those quarterly JunOS releases, as features are being added all the time to bring SRX closer and closer to SSG feature parity.

 

In 10.2 flow-based IPv6 will be available. It will be released for the SRX devices < 650 around August. What I have seen and heard about 10.2 you also will be able to configure v4 and v6 on vlan interfaces.

 

 

I've tested 10.2R1.8 the non-public release for SRX branch on my SRX210H at home this weekend.

It works in flow mode too, I have several made several security policies.

Still can't get IPv6 to work in a dual stack vlan interface. If you put it on a physical interface, then change/commit the address to a vlan interface it works for a few minutes. When I sniff the network it seems the SRX is not answering to neighbor discovery even though I do allow that inbound on the interface (it's a new host-inbound-traffic protocol in 10.2).

Let's hope 10.2R2 is even better then we will get there finally.

I'm replying to yours as the most recent message, but I'll try to cover some of the unanswered questions from earlier in this message thread. All of my comments are in reference to the default "flow" mode of the SRX. Yes, we should have the VLAN bug fixed in 10.2R2 when we release it in late July. IPv6 support in SRX in JUNOS 10.2 is "ships in the night" unicast firewall support, administrative access, dynamic routing protocols, and active/passive HA. IPSec VPNs, multicast support, IDP and AppSecure, NAT-PT, NAT64, enterprise DS-lite initiator, and other services will come in later releases later this year and next year. Mike Kouri Product Line Manager, Security Gateway Software Juniper Networks

Hi Mike, do you mean that the basic IPv6 features will also be available in the data center models of the SRX family in 10.2R2?

Yes, all SRX platforms from the 100 thru the 5800 will provide flow-based IPv6 support as of 10.2R2.