SRX

As of 10.2 the branch srx devices support flow based ipv6. Does anyone Have an example of ipv6 policies. Before my upgrade I was using firewall filters to control ipv6 access. Now that it supports flow based ipv6 security. Do I just add ipv6 address book entries to my policies, or are there separate ipv6 policies?

I figured it out today. 

you have to issue the following commands:

set security forwarding-options family inet6 mode flow-based   <this requires a reboot>

at this point you can create address-book entries for ipv6 addresses as normal, however the address entry name cannot contain : colons, which is weird since ipv6 addresses contain colons.

Other than that works like a charm.

You can even assign ipv6 addresses on logic and vlan interfaces.  Its great, finally ipv6 support is complete on branch devices.

Thanks for the kudos, we appreciate it, and we look forward to hearing your opinions as you get more experience with this initial IPv6 feature set. 

We do have plans for continued feature delivery for IPv6, we don't consider it done by a long shot. The next major release where you will see IPv6 features is 10.4R1.

I've just tryed this out and applied this fix as you describe.. rebooted, but it made no difference.. Still cant' configure IPv6 on a VLAN..   

Not even given the option to configure it..

The release notes say IPv6, ISIS CLass of service, Encapsulations, CLNS and PIM are not supported on a VLAN interface.

[edit interfaces vlan]
root# set unit 0 family ?        
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> inet                 IPv4 parameters
> mpls                 MPLS protocol parameters
> tcc                  Translational cross-connect parameters
> vpls                 Virtual private LAN service parameters
[edit interfaces vlan]
root# set unit 0 family    

So, seems that the SRX aint quite so action packed and ready to enter bravely into the IPV6 world

i have it working and configured on a vlan interface. I will attach my config and information. Well I know they said the support was not complete, and they are right, no ds-lite, no nat64 etc. But after all this time I am just happy to have basic and solid ipv6 support running without issues, ipv6->ipv4 nat and other features would be nice. But in a standard duel stack configuration at least this works without any issues.

# RANCID-CONTENT-TYPE: juniper

#

# Sokar> show chassis environment 

# Class Item                           Status

# Temp  Routing Engine                 OK        

#       Routing Engine CPU             Absent    

# Fans  SRX210 Chassis fan             OK

# Power Power Supply 0                 OK        

# 

# Sokar> show chassis firmware 

# Part                     Type       Version

# FPC 0                    O/S        Version 10.2R2.11 by builder on 2010-08-06 

# FWDD                     O/S        Version 10.2R2.11 by builder on 2010-08-06 

# Sokar> show chassis routing-engine 

# Routing Engine status:

#     Model                          RE-SRX210H

#     Serial ID                     

interfaces {

 ip-0/0/0 {

        unit 0 {

            tunnel {

                source 173.12.12x.xx;

                destination 216.66.22.2;

            }

            family inet6 {

                address 2001:470:7:3ed::2/64;

            }

        }

    }

 vlan {

        unit 0 {

            family inet {

                address 10.12.0.254/24;

            }

        }

        unit 2 {

            family inet {

                filter {

                    input to-dsl;

                }

                address 10.0.0.254/24;

            }

            family inet6 {

                address 2001:470:8:3ed::1/64;

            }

        }

        unit 3 {

            family inet {

                address 192.168.10.253/24;

            }

        }

    }

}

routing-options {

    interface-routes {

        rib-group inet import-phy;

    }

    rib inet6.0 {

        static {

            route ::/0 next-hop 2001:470:7:3ed::1;

        }

    }

protocols {

    router-advertisement {

        interface vlan.2 {

            max-advertisement-interval 5;

            min-advertisement-interval 3;

            prefix 2001:470:8:3ed::/64 {

                on-link;

                autonomous;

            }

    }

}

security {

forwarding-options {

        family {

            inet6 {

                mode flow-based;

            }

        }

    }

Ok, so heres where it gets weird and i suspect we are both correct!

If you try to set the ipv6 address via the CLI on the VLAN, it does'nt work.. The CLI simply doe'snt present the option.

If you set the ipv6 address via the WEB ui, its accepted and guess what it even works! 

Ok Juniper this is bizzare, but i guess you did say its not supported.

Regards

Andrew.

I am experiencing some odd issues related to flow based ipv6. I am trying to enable it on a half-production system, two srx-240hm in chassis cluster, that's already working stable with ipv4.

when I issue 'set security forwarding-options family inet6 mode flow-based', and reboot, one of my reth interfaces (which doesn't look any different from the others that are unaffected) is not forwarding *any* traffic, not even ipv4. If I revert to packet-based ipv6, and reboot, it is still not forwarding forward anything. Nothing else is changing, ipv4 or ipv6 related.

The only way I have found to restore it to a proper working state is to remove the said reth from the interface configuration (and all the references), commit that (or a minimal configuration for speed), then reload the production config from file and commit.

Same applies if I stay with flow ipv6, loading a blank configuration (with flow ipv6), then the production one (again with flow ipv6) works until the cluster is rebooted, when I do, the reth stops forwarding until I repeat the cycle. 

Looks like, when mode flow-based is enabled, some interface is initialized differently at boot compared to when configured from scratch.

I did have one weird problem since upgrading to 10.2. This may be what has affected your system. After I turned on ipv6 flow mode. I had an interface stop forwarding traffic. I issued the request chassis fpc restart command. After the fpc restarted everything returned to normal and I have not experienced the issue since.

I think it is related to enabling flow mode on ipv6 the first time, as the issue happened after the required reboot. However restarting the fpc fixed the issue. Be aware that restarting the fpc can take up to 10 minutes and will stop all traffic flowing through the box. Just somethign to be aware of.

hi bufo, 

Could you confirm how you configured the VLAN interface? Did you use the CLI or the WEB GUI?

CLI, I have my web interface disabled, too slow.

Thats really werid,

I only tryed the web interface as a last resort, because the CLI simply would'nt let me configure the inet6 family on the vlan interface..  No matter what i tryed, it was'nt an option.

Has anyone else been able to configure ipv6 on the CLI directly?  ( in 10.2R11 ) or am i doing something odd.

Regards

Andrew.

I'm seeing the same thing here.  Interesting thing is I was able to add IPv6 addresses to my vlan interfaces in 10.1R1.8 only because the code didn't complain.  Of course if wasnt' supported, so I left the config in place and awaited this release.

Now that I have 10.2R2.11 I'm finding that not only does the inet6 option not exist for vlan interfaces, but the SRX is not responding to neighbor solicitation icmp6 meesages.  This is after my PC has has recived autoconf config from the SRX.  Doesn't make sense, and this release seems very choppy regarding basic IPv6 support.

I'm still investigating on my end, but those are my findings thus far.  As you can see below I have previous IPv6 addreses from 10.1R1.8, but the inet6 option is still not available.

techniq@trinity# show            
family inet {
    rpf-check;
    address 192.168.13.1/24;
}
family inet6 {
    rpf-check;
    address 2001:470:e0bb:13::1/64;
}

[edit interfaces vlan unit 13]
techniq@trinity# show family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> inet                 IPv4 parameters
> mpls                 MPLS protocol parameters
> tcc                  Translational cross-connect parameters
> vpls                 Virtual private LAN service parameters
[edit interfaces vlan unit 13]
techniq@trinity#

That almost certainly explains whats happening..   10.1R1.8 did allow you to use the CLI to configure the interface..   10.1R2 did'nt,    and 10.2R2.11 certainly does'nt..  

its just strange that this release lets you configure it via the Web Gui..

I guess at least Juniper said "unsupported"...  I wonder when Juniper will finally fix this stuff.

10.3 did not change this behaviour

Same here, the SRX in 10.2R2 doesn't respond to ICMP6 router solicitations:

jeje@gw1-1.tip# show protocols router-advertisement 

interface reth0.134 {

    managed-configuration;

    other-stateful-configuration;

    prefix xxx:xxx:8100:1::/64;

}

I found the solution to my issue. The problem is not related to the SRX, it's related to igmp-snooping in the intermediary EX4200 switch that is mangling multicast packets.

So it's not a SRX 10.2R2 bug, it's an EX4200 10.0S3.1 bug 

ipv6 definately not setable from command line or cli on a vlan interface on 10.4R2.7 on an SRX240.  Works on standard interfaces.