How to: SLAAC/DHCPv6 on Juniper vSRX

By on 7 Jun 2019

Category: Tech matters

Tags: , , , ,

3 Comments

Blog home

The following article is an excerpt from the APNIC Academy’s Juniper SLAAC/DHCPv6 Router Lab exercise. The APNIC Academy also features virtual labs for SLAAC/DHCPv6 using Cisco and Mikrotik routers, as well as full mesh routing environments for you to learn about BGP, OSPF, IS-IS, NetFlow, SNMP, NETCONF and much more.

Part 1: Setting up

The network topology for setting up SLAAC/DHCPv6 is below. We will only be dealing with the configuration of Router R1 and Linux host H1.

Note: Your vSRX needs to be running in packet mode (that is, as a router, not a firewall) for this exercise. You can check this with the following command:

> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: packet based
...

If your vSRX isn’t in packet mode, issue this command to enable IPv6 (and any other address families as desired) then commit and reboot.

set security forwarding-options family inet6 mode packet-based


Figure 1 — Network topology.

Your router should have a minimal operational configuration. If you need help getting your router up and running from scratch, consult the Juniper SLAAC/DHCPv6 Router Lab.

Part 2: Configuring SLAAC

There are multiple ways to assign an IPv6 address to a host interface. In this section, let’s look at using Stateless Address Auto-Configuration (SLAAC). The router will be configured to advertise an IPv6 prefix. The host uses the 64-bit prefix from the router, and assigns the rest randomly or using EUI-64 to complete the 128-bit address.

With your router in configure mode, assign an IPv6 address to physical and loopback interfaces.

edit interfaces ge-0/0/0 unit 0 family inet6
set address 2406:6400:0:100::1/64
top

edit interfaces lo0 unit 0 family inet6
set address 2406:6400::1/128

Configure the router to send router advertisements (RA) for the /64 prefix via ge-0/0/0.

set protocols router-advertisement interface ge-0/0/0 prefix 2406:6400:0:100::/64

Now verify the changes.

show interfaces

show protocols router-advertisement

Optional – Set a trace for neighbour discovery (ND) events to help with troubleshooting.

edit protocols router-advertisement traceoptions
set file ipv6-nd-trace
set flag all

You may want to limit how much is logged by altering the ‘all’ flag to something more specific.

Show your changes before you commit.

show | compare

If you’re happy with the changes, then commit.

commit check
commit and-quit

View the updated configuration.

run show configuration

Part 3: Verifying SLAAC

From your connected host, check that your interface has an IPv6 address. The address should look something like 2406:6400:0:100:x:x:x:x where the x:x:x:x ( the 64-bit interface ID) is generated randomly, as per RFC 4941.

If your interface doesn’t have an IPv6 address, toggle it.

sudo ifconfig ens32 down
sudo ifconfig ens32 up

Once you have your IPv6 address, try pinging the router.

ping6 2406:6400:0:100::1

Now check the output of the following show commands on the router. It should show some statistics on messages sent and received.

root@R1> show ipv6 neighbors
IPv6 Address                        Linklayer Address   State   Exp     Rtr Secure  Interface
2406:6400:0:100:d9:fd58:b528:39d3   00:0c:29:51:30:1d   stale   811     no  no      ge-0/0/0.0
2406:6400:0:100:e01b:f078:3c2:2926  00:0c:29:ba:5b:af   stale   1005    no  no      ge-0/0/0.0
fe80:6829:826e:fcfe:85dc            00:0c:29:51:30:1d   stale   775     no  no      ge-0/0/0.0

root@R1> show ipv6 router-advertisement
Interface:  ge-0/0/0.0
    Advertisements sent:    4,  last sent 00:07:38 ago
    Solicits received:  1,  last received 00:07:38 ago
    Advertisements received: 0
    Solicited router advertisement unicast: Disabled

Since you have enabled an IPv6 ND trace on the router, you should see ICMPv6 ND messages being exchanged between the router and the client hosts. Issue the following command from the operational mode to check.

show log ipv6-nd-trace

or from JunOS shell, run:

tail -f /var/log/ipv6-nd-trace

You should see something similar to the log below.

root@R1> show log ipv6-nd-trace
Nov 10 05:27:32 trace_on: Tracing to "/var/log/ipv6-nd-trace" started
Nov 10 05:27:32 369657 ipv6_ra_ifIchange(Router-Advertisement): ifl 0x9e44d80 ifl ge-0/0/0.0 72 change 0. intf 0x9de2280

Part 4: Configuring stateless DHCPv6

In this part, we will configure the router as the DHCP server. The client gets an IPv6 address using SLAAC, then looks for a DHCPv6 server to get other information such as a DNS server address.

In configuration mode, update the RA to tell the client to look for a DHCP server for additional information.

edit protocols router-advertisementset interface ge-0/0/0.0 other-stateful-configuration

Configure the router as a DHCPv6 server, with a DHCPv6 pool named STATELESS-DHCPV6.

edit system services dhcp-local-server dhcpv6 group STATELESS-DHCPV6
set overrides interface-client-limit 10
set overrides process-inform pool STATELESS-DHCPV6

Bind the DHCPv6 server to an interface.

edit system services dhcp-local-server dhcpv6
set group STATELESS-DHCPV6 interface ge-0/0/0

Add DHCPv6 attributes, including DNS and lease time. These attributes will be passed on to the client.

edit access address-assignment pool STATELESS-DHCPV6 family inet6
set prefix 2406:6400:0:100::/64set dhcp-attributes dns-server 2406:6400::53
set dhcp-attributes maximum-lease-time 120 grace-period 3600

Verify the changes.

show system services
show protocols router-advertisement
show access address-assignment

And commit when you are happy with the candidate configuration.

show | compare
commit check
commit

Part 5: Verify DHCPv6

Toggle your host’s interface.

 sudo ifconfig downsudo ifconfig up

Check that you are still being assigned an address by SLAAC — the address should look something like 2406:6400:0:100:x:x:x:x.

ifconfig

Verify that other information such as a DNS server address is being received from the DHCPv6 server.

cat /var/lib/dhcp/dhclient.leases | grep dhcp-server-identifier

Make sure you can still ping the router.

ping6 2406:6400::1

From the router’s operational mode, display the address bindings.

root@R1> show dhcpv6 server binding
Prefix              Session Id  Expires State   Interface   Clinet DUID
2406:6400:0:100:a9a3:ba70:bc37:1887/128    5   109     BOUND   ge-0/0/0.0  LL_TIME0X1-0x2379336c-00:0c:29:7b:f4:45

Display the DHCPv6 statistics. Confirm that DHCPV6_INFORMATION_REQUEST messages were received.

root@R1> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
    Total               0

Messages received:
    DHCPV6_DECLINE              0
    DHCPV6_SOLICIT              0
    DHCPV6_INFORMATION_REQUEST  10
    DHCPV6_RELEASE              0
    DHCPV6_REQUEST              0
    DHCPV6_CONFIRM              0
    DHCPV6_RENEW                0
    DHCPV6_REBIND               2
    DHCPV6_RELAY_FORW           0
    DHCPV6_LEASEQUERY           0

Messages sent:
    DHCPV6_ADVERTISE            0
    DHCPV6_REPLY                0
    DHCPV6_RECONFIGURE          0
    DHCPV6_RELAY_REPL           0
    DHCPV6_LEASEQUERY_REPLY     0
    DHCPV6_LEASEQUERY_DATA      0
    DHCPV6_LEASEQUERY_DONE      0

Congratulations! You’ve now configured SLAAC and DHCPv6 on your Juniper vSRX. For more hands-on virtual labs, visit the APNIC Academy.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

3 Comments

  1. Illjuschin

    Hi Sheryl

    I’m working with a hardware appliance SRX300 and above and have searched a lot of sources for a suitable configuration for me and my IPv6 configuration on the SRX appliance. I thought thing should not be so much different when dealing with hardware or software appliances.

    But the very first command you mentioned in the article let me struggle. Why do you set the vSRX to packet mode instead flow mode?

    Is there a meaningful difference regarding IPv6 in leaving statefulness apart?

    Regards
    Illjuschin

    Reply
  2. HasiiAth

    Hi Sheryl,
    Thank you for your guidance on IPV6. I tried SLAAC and there were no issues. However, with stateless DHCPv6, my laptop did not receive DNS information which i configured. It showed as 8.8.8.8(Juniper device not connected to internet).

    Ethernet adapter Ethernet:

    Physical Address. . . . . . . . . : 14-58-D0-17-D8-82
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address-2402:d000:1078:0:1658:d0ff:fe17:d882(Preferred)
    Temporary IPv6 Address-2402:d000:1078:0:590d:8dfe:90e1:a6ec(Preferred)
    Link-local IPv6 Address-fe80::1658:d0ff:fe17:d882%7(Preferred)
    Autoconfiguration IPv4 Address-169.254.142.73(Preferred)
    Subnet Mask-255.255.0.0
    Default Gateway-fe80::f6bf:a8ff:fe4f:e680%7
    DHCPv6 IAID . . . . . . . . . . . : 437541072
    DHCPv6 Client DUID-00-01-00-01-26-8F-37-84-14-58-D0-17-D8-82
    DNS Servers . . . . . . . . . . . : 8.8.8.8
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Then i tried to troubleshoot with Wireshark and identified that, there is no reply for Information request from Juniper side. Client keeps send the Info-Req with contained “Requested Option code: DNS recursive name server (23)”

    fe80::1658:d0ff:fe17:d882 ff02::1:2 DHCPv6 120 Information-request XID: 0xa52d31 CID: 00010001268f37841458d017d882

    And dhcpv6 binding state also showing as “SELECTING” only.

    run show dhcpv6 server statistics
    Dhcpv6 Packets dropped:
    Total 7
    Bad Send 7

    Advertise Delay:
    DELAYED 0
    INPROGRESS 0
    TOTAL 0

    Messages received:
    DHCPV6_DECLINE 0
    DHCPV6_SOLICIT 7
    DHCPV6_INFORMATION_REQUEST 12
    DHCPV6_RELEASE 0
    DHCPV6_REQUEST 0
    DHCPV6_CONFIRM 0
    DHCPV6_RENEW 0
    DHCPV6_REBIND 0

    I tried to find solution for this, but i could not, appreciate if you can guide to fix this.

    Thank you very much.
    HasiiAth

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Top