SRX Services Gateway
Showing results for 
Search instead for 
Do you mean 
Reply
Highlighted
Visitor
Posts: 4
Registered: ‎11-09-2007
0

SRX and IPv6

Hello,

What is the status of IPv6 support for SRX? Is is ready to do dual-stack or 6PE/VPE? Is it possible to use SRX as a gateway for DS-Lite environment with NAT? If so, what is the NAT performance for this device in your opinion.

 

Thanks for any suggestions,

Krzysztof 

Regular Visitor
Posts: 8
Registered: ‎11-11-2009
0

Re: SRX and IPv6

[ Edited ]

Bad

 

I was expecting 10.1 due to be released in february to have IPv6 for the larger SRX models - but it seems it wont :-(

 

I am feeling let down here, since test equipment like the SRX210H has this feature, only not flow based filtering - but it can forward IPv6 packets.

 

If you need IPv6 then don't buy the bigger SRX models, anything bigger than SRX210H, check with Juniper salespeople.

Trusted Contributor
Posts: 52
Registered: ‎12-22-2009
0

Re: SRX and IPv6

I have several srx-210's and I would not call the ipv6 support on those models complete or usable. I need to run dual stack on vlan interfaces. This is currently not supported, who cares if I can run ipv6 on a physical interface. I need to be able to run it on a vlan interface. This is a big issue!!

John Burns
Contributor
Posts: 40
Registered: ‎01-14-2009
0

Re: SRX and IPv6

I agree, this is pretty sad to see Juniper pushing SRX to customers and partners, yet if you want IPV6 you're better off running the SSGs.  At least there you can dual-stacked on a bgroup interface and it support security flow-based forwarding.  Is it really asking too much to get the SRXs to have the same functionality as the SSGs?

Super Contributor
Posts: 353
Registered: ‎04-30-2010
0

Re: SRX and IPv6

IPv6 is packet-based only right now. It's a safe bet to say it won't stay that way, and will become flow-based.

 

To think of SRX as a one-to-one SSG replacement is an approach that will get you in hot water at this time. It's got some amazing strong points: Price/performance, JunOS, better CoS for VOIP applications, to name just a few. And just as many shortcomings: Dual ISP w/o dynamic routing, Dynamic VPN, interop VPNs w/ Cisco, the web UI, again to name just a few. All of which boils down to: Know which design you are placing SRX in, and whether it will be a good fit there. And really watch those quarterly JunOS releases, as features are being added all the time to bring SRX closer and closer to SSG feature parity.

 

Distinguished Expert
Posts: 821
Registered: ‎10-18-2009
0

Re: SRX and IPv6

In 10.2 flow-based IPv6 will be available. It will be released for the SRX devices < 650 around August. What I have seen and heard about 10.2 you also will be able to configure v4 and v6 on vlan interfaces.

 

 

Marc

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Visitor
Posts: 3
Registered: ‎11-02-2009
0

Re: SRX and IPv6

I've tested 10.2R1.8 the non-public release for SRX branch on my SRX210H at home this weekend.

It works in flow mode too, I have several made several security policies.

Still can't get IPv6 to work in a dual stack vlan interface. If you put it on a physical interface, then change/commit the address to a vlan interface it works for a few minutes. When I sniff the network it seems the SRX is not answering to neighbor discovery even though I do allow that inbound on the interface (it's a new host-inbound-traffic protocol in 10.2).

Let's hope 10.2R2 is even better then we will get there finally. Smiley Very Happy

Juniper Employee
Juniper Employee
Posts: 13
Registered: ‎02-06-2008
0

Re: SRX and IPv6

I'm replying to yours as the most recent message, but I'll try to cover some of the unanswered questions from earlier in this message thread. All of my comments are in reference to the default "flow" mode of the SRX. Yes, we should have the VLAN bug fixed in 10.2R2 when we release it in late July. IPv6 support in SRX in JUNOS 10.2 is "ships in the night" unicast firewall support, administrative access, dynamic routing protocols, and active/passive HA. IPSec VPNs, multicast support, IDP and AppSecure, NAT-PT, NAT64, enterprise DS-lite initiator, and other services will come in later releases later this year and next year. Mike Kouri Product Line Manager, Security Gateway Software Juniper Networks

--mxk
Contributor
Posts: 17
Registered: ‎05-06-2010
0

Re: SRX and IPv6

Hi Mike, do you mean that the basic IPv6 features will also be available in the data center models of the SRX family in 10.2R2?

Juniper Employee
Juniper Employee
Posts: 13
Registered: ‎02-06-2008
0

Re: SRX and IPv6

Yes, all SRX platforms from the 100 thru the 5800 will provide flow-based IPv6 support as of 10.2R2. 


--mxk
Regular Visitor
Posts: 8
Registered: ‎11-11-2009
0

Re: SRX and IPv6

Great to hear that!

 

then maybe when you are finished you can go help out IPv6 for SSL VPN SA2500 ;-)

 

they don't even have a plan for IPv6, as far as the reps I asked.

Distinguished Expert
Posts: 821
Registered: ‎10-18-2009
0

Re: SRX and IPv6

10.2R2.11 has been released. Not tested it yet

Marc

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Trusted Contributor
Posts: 59
Registered: ‎11-10-2009
0

Re: SRX and IPv6

On a SRX-210h-poe running 10.2R2.11

 

 

edit interfaces vlan unit 10]

root@tau-srx101# set family ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> inet                 IPv4 parameters

> mpls                 MPLS protocol parameters

> tcc                  Translational cross-connect parameters

> vpls                 Virtual private LAN service parameters

[edit interfaces vlan unit 10]

 

No support yet.. What happend Mike?

 

 

 

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0

Re: SRX and IPv6


andrewfrazer wrote:

On a SRX-210h-poe running 10.2R2.11

 

 

edit interfaces vlan unit 10]

root@tau-srx101# set family ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> inet                 IPv4 parameters

> mpls                 MPLS protocol parameters

> tcc                  Translational cross-connect parameters

> vpls                 Virtual private LAN service parameters

[edit interfaces vlan unit 10]

 

No support yet.. What happend Mike?

 

 

 


IPv6 is turned off by default.  See this thread for more information.

Trusted Contributor
Posts: 59
Registered: ‎11-10-2009
0

Re: SRX and IPv6

read your suggested fix, but it doesnt solve my problem..  please go and see the post i've made in the other thread

Distinguished Expert
Posts: 821
Registered: ‎10-18-2009
0

Re: SRX and IPv6

Their is something in the release notes of R2.11 about IPv6 and vlans.

Marc

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Trusted Contributor
Posts: 59
Registered: ‎11-10-2009
0

Re: SRX and IPv6

So, heres some bizzareness;

 

You can set a Ipv6 address for a VLAN from the Web UI under 10.2R2.11 and it works just fine, however you can't set it from the CLI..

 

How bizzare is that!

 

Regards

 

 

Visitor
Posts: 6
Registered: ‎08-21-2010
0

Re: SRX and IPv6

After reading http://www.juniper.net/techpubs/en_US/junos10.2/information-products/topic-collections/release-notes... and seeing:

 

  • Interfaces—A logical interface can be configured with an IPv4 address, IPv6 address, or both.

    To configure an IPv6 address for a logical interface, use the inet6 statement at the [edit interfaces interface-name unit logical-unit family] hierarchy level. [Junos OS Interfaces Configuration Guide for Security Devices]

I was pretty hopeful that 10.2R3.10 would enable this functionality, but alas, no such luck.

 

JUNOS Software Release [10.2R3.10]

[edit]
root@vpn1.he# set interfaces st0 unit 0 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> inet                 IPv4 parameters
> mpls                 MPLS protocol parameters
> vpls                 Virtual private LAN service parameters

 

Does anyone from Juniper know when this functionality will be enabled?

Trusted Contributor
Posts: 117
Registered: ‎08-07-2010
0

Re: SRX and IPv6

Has anyone just tried typing set interface vlan unit 1 family inet6 instead of just using the ? to check to see if it is a valid command? You can't necesarrily rely on the question mark all the time because sometimes commands are hidden for future support or during times of trouble with the feature in the OS.

-Adam
Contributor
Posts: 32
Registered: ‎08-04-2008
0

Re: SRX and IPv6

When will IPv6 supported in transparent mode (tested on Junos 10.4r1.9)?

 

> admin@srx3600# set security forwarding-options family inet6 mode flow-based

> admin@srx3600# commit

>

> error: Cannot configure security forwarding-options inet6 flow-based in transparent mode
> error: configuration check-out failed

 

It's strange because I can configure IPv6 on irb interface (at least from 10.2):

 

> admin@srx3600# set interfaces irb unit 10 family inet6 address address fdfd:aa8f:5209:0aee::1/64

> admin@srx3600# commit

>

> admin@srx3600#