[j-nsp] DHCP IPv6
Tom Storey
tom at snnap.net
Mon Oct 10 18:50:40 EDT 2011
It's not DHCPv6, as last time I looked (which admittedly was a while ago)
there were still a lot of OS's/devices lacking (decent) DHCPv6 support, but
here's a working SLAAC config that I use on my SRX100 at home (10.4R4.5)
hanging off a HE.net tunnel:
interfaces {
    ip-0/0/0 {
        unit 0 {
            tunnel {
                source me.me.me.me;
                destination 216.66.80.26;
            }
            family inet6 {
                address 2001:470:1f08:me::2/64;
            }
        }
    }
    pp0 {
        unit 0 {
            family inet {
                filter {
                    input FIX-V6V4-TUNNEL;
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 172.25.144.65/26;
            }
            family inet6 {
                address 2001:470:me:1::/64 {
                    eui-64;
                }
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:470:1f08:me::1;
        }
    }
}
protocols {
    router-advertisement {
        interface vlan.10 {
            prefix 2001:470:me:1::/64 {
                on-link;
                autonomous;
            }
        }
    }
}
firewall {
    family inet {
        filter FIX-V6V4-TUNNEL {
            term OUTPUT {
                from {
                    destination-address {
                        216.66.80.26/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term INPUT {
                from {
                    source-address {
                        216.66.80.26/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term OTHERWISE {
                then accept;
            }
        }
    }
}
IPv6 has some issues on the SRX series still, meant to be fixed in 11.4
IIRC, so there's a simple fix required to make it work in the meantime with
the firewall rule.
Someone may find this useful. :-)
On 10 October 2011 16:26, Mark Tinka <mtinka at globaltransit.net> wrote:
> On Saturday, October 08, 2011 02:54:40 AM Paul Stewart
> wrote:
>
> > Thank you Amos, Robert, Jared, and Scott for the on-list
> > and off-list replies.
>
> > Got it up and running – appreciate the responses…
>
> You also want to look out for rogue RA's on the network,
> typical of conference or enterprise setups where v6 is
> involved.
>
> Common cases have been Windows Vista hosts making themselves
> routers and spewing 6-to-4 on the network. Suffice it to
> say, DRP implementation in routers (sort of meant to thwart
> this) on the subnet is pretty useless.
>
> As you likely know, Rogue RA support is lacking today
> (although specs. are already out), as is DHCPv6 Snooping.
> Our only solution was to filter at the MAC layer. Hectic,
> but luckily, we used few switches and were able to deploy
> filters quite rapidly.
>
> Mark.
>
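An added example, not part of the original post or the quoted reply: a passive check for the rogue RAs discussed above. It parses an ICMPv6 Router Advertisement (RFC 4861) and flags unapproved senders, unexpected prefixes and 6to4 (2002::/16) prefixes. The router address fe80::1 and the prefix 2001:db8:1::/64 are constructed stand-ins for the redacted values in the config, and the function names are hypothetical.

```python
import ipaddress
import struct

SIXTOFOUR = ipaddress.ip_network("2002::/16")         # 6to4 space (RFC 3056)
ROUTERS = {ipaddress.ip_address("fe80::1")}           # constructed: approved RA sender
PREFIXES = {ipaddress.ip_network("2001:db8:1::/64")}  # constructed: approved LAN prefix

def build_ra(prefix, flags=0xC0):
    """Constructed sample RA (checksum 0) carrying one Prefix Information option."""
    net = ipaddress.ip_network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, net.prefixlen, flags, 86400, 14400, 0)
    return header + option + net.network_address.packed

def ra_prefixes(icmp6):
    """Return (network, on_link, autonomous) per Prefix Information option."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    found, pos = [], 16
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:
            plen, flags = icmp6[pos + 2], icmp6[pos + 3]
            net = ipaddress.IPv6Network((icmp6[pos + 16:pos + 32], plen), strict=False)
            found.append((net, bool(flags & 0x80), bool(flags & 0x40)))
        pos += opt_len
    return found

def check_ra(src, icmp6, routers=ROUTERS, prefixes=PREFIXES):
    """Return findings for one RA; an empty list means it matches the allowlists."""
    findings = []
    if ipaddress.ip_address(src) not in routers:
        findings.append(f"RA from unapproved router {src}")
    for net, _on_link, autonomous in ra_prefixes(icmp6):
        note = " with autonomous flag (hosts will self-configure)" if autonomous else ""
        if net.subnet_of(SIXTOFOUR):
            findings.append(f"6to4 prefix {net} advertised{note}")
        elif net not in prefixes:
            findings.append(f"unexpected prefix {net} advertised{note}")
    return findings

if __name__ == "__main__":
    for src, pfx in [("fe80::1", "2001:db8:1::/64"), ("fe80::dead", "2002:c000:204::/64")]:
        print(src, check_ra(src, build_ra(pfx)) or "ok")
```
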