
Setting up NDP proxy on SRX

12-05-2019 02:02 AM

I have been trying to enable NDP proxy on my SRX340. The official documentation is a bit vague - https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ndp-proxy-configuring.ht...


I have two interfaces, ge-0/0/0.0 and irb.1, both set to the same IPv6 /64 prefix and using the eui-64 option to generate the SRX's addresses. For example, let's say the prefix is 2001:DB8::/64


The ge-0/0/0.0 interface is the egress interface and is in the untrust security zone. It is directly connected to the ISP's upstream router. The default gateway has been configured by the ISP as 2001:DB8::1 and this is set as the default IPv6 route in the SRX.


The irb.1 is a VLAN used by hosts in the trust security zone and has a router advertisement enabled with the prefix 2001:DB8::/64 so that hosts on the VLAN can use SLAAC to configure their prefix and set the SRX as their default route.


At this stage the SRX can ping both the ISP gateway on 2001:DB8::1 and other public addresses such as 2001:4860:4860::8888. The SRX can also ping hosts on the VLAN.


However other public IPv6 addresses can't ping the VLAN hosts. I traced this to the ISP gateway not knowing about a next hop so it instead generates Neighbor Discovery Protocol solicitations for the VLAN host IP on the ge-0/0/0.0 link and of course doesn't get a reply as the host is on a different interface. There is a similar story when VLAN hosts attempt to ping the ISP gateway.


However, when a VLAN host pings another public address it knows from the RA to forward it to the SRX. The SRX then knows to forward this to the ISP gateway and the ping request makes it to the destination; however, the reply gets stuck at the ge-0/0/0.0 link.


After some Googling I discovered the correct solution to this problem is an NDP proxy. The proxy will listen on both interfaces for NDP solicitations for addresses it knows are on a different interface. The proxy then replies to the solicitation with an advertisement using the SRX's MAC on the interface. This will then cause hosts to forward the traffic to the SRX, which can then be correctly routed.


According to the SRX documentation at https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ndp-proxy-configuring.ht... I need to enable "set interfaces interface-name family inet6 ndp-proxy interface-restricted". It doesn't specify if I should do both interfaces, but that is what I have tried, along with only enabling it on one or the other interface.


However, it appears the NDP proxy doesn't work correctly. I have verified both with the built-in SRX packet capture using the "monitor traffic" command as well as with Wireshark on the VLAN hosts that the SRX receives the NDP solicitation request, then immediately it sends out another solicitation request for the exact same IP address on the interface it received the solicitation on. Of course there is no reply to either solicitation.


It seems as though the SRX should also send a solicitation request for the IP address on the other subnet interface, but it doesn't. Thus it never finds the MAC for the IP address. This is even the case when the SRX already knows which interface the IP is on when looking at the "show ipv6 neighbors" command.


So far I have tried many different settings but I still can't get the SRX to forward NDP solicitations from one interface to another one when they are both on the same subnet. I am not sure if this is because the interfaces are in different zones and the documentation doesn't mention any reasons for it to not be working.


Has anyone managed to enable the IPv6 Neighbor Discovery Protocol proxy on an SRX? If so, what configuration did you use?


Is this a bug in the SRX?
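To make the expected proxy behaviour concrete, here is an added model of the decision an NDP proxy takes on a two-interface router sharing one /64 (example code written for this thread, not Junos or SRX code, and not a description of how `interface-restricted` is implemented). The interface names and the 2001:DB8::/64 prefix come from the post; the MAC addresses and host addresses are constructed.

```python
"""Simplified model of an IPv6 NDP proxy on a router whose interfaces share a /64.

A Neighbor Solicitation (NS) heard on one interface for a host that lives behind
another interface should be answered with the router's own MAC on the receiving
interface (proxy NA). An unknown target should be resolved on the *other*
interfaces, not re-solicited on the interface the NS arrived on.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class NdpProxy:
    prefix: IPv6Network                             # on-link prefix shared by all interfaces
    mac: dict                                       # interface name -> router MAC on that interface
    neighbors: dict = field(default_factory=dict)   # IPv6Address -> interface it was learned on

    def learn(self, addr: str, iface: str) -> None:
        """Record a neighbor-cache entry (what 'show ipv6 neighbors' would list)."""
        self.neighbors[IPv6Address(addr)] = iface

    def on_solicitation(self, iface: str, target: str):
        """React to an NS for `target` received on `iface`.

        Returns ("advertise", mac)   -> send a proxy NA with the router's MAC on `iface`
                ("solicit", [ifaces]) -> resolve the target on the other interfaces first
                ("ignore", None)      -> not a case the proxy should answer
        """
        addr = IPv6Address(target)
        if addr not in self.prefix:
            return ("ignore", None)                 # off-prefix: nothing to proxy
        learned_on = self.neighbors.get(addr)
        if learned_on is None:
            # Unknown host: the sensible action is an NS on every *other* interface.
            # Re-soliciting on `iface` itself (the symptom in the post) can never succeed.
            return ("solicit", sorted(i for i in self.mac if i != iface))
        if learned_on == iface:
            return ("ignore", None)                 # sender and target share a link already
        return ("advertise", self.mac[iface])       # target is behind another interface


def build_example() -> NdpProxy:
    """Constructed topology: untrust uplink ge-0/0/0.0 and trust VLAN irb.1 on one /64."""
    proxy = NdpProxy(IPv6Network("2001:db8::/64"),
                     {"ge-0/0/0.0": "00:00:5e:00:53:01",     # constructed MACs
                      "irb.1": "00:00:5e:00:53:02"})
    proxy.learn("2001:db8::1", "ge-0/0/0.0")                  # ISP gateway on the uplink
    proxy.learn("2001:db8::aaaa", "irb.1")                    # constructed VLAN host
    return proxy
```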