[j-nsp] DHCPv6 routing instance to reach server, or fooling flow sessions with firewall filters
Mike Williams
mike.williams at comodo.com
Tue Apr 21 09:22:43 EDT 2015
Hey all,
Got a problem here I'm hoping someone can help with.
Client -> M-series (relay) -> (VLAN 2920) J-series (VLAN 100) -> Server
Server -> (VLAN 100) J-series (VLAN 2980) ....
inet6.0 on the M knows to reach the DHCPv6 server via VLAN 2920, the J-series
dutifully forwards the packets to the server and receives the response.
However, as the relayed request comes from the IP on the Client side of the M,
the J-series wants to route the answer via VLAN 2980 (because it has a /56
route that way for all the client networks).
If I add a /128 static route to the M via 2920 DHCPv6 works as expected.
That's not going to scale for even half a dozen networks, let alone 10s or
more.
The M has a routing instance (type forwarding) that would use VLAN 2980 to
reach the Server, but I haven't found a knob to make the dhcp-relay use a
routing instance to reach the server.
I've tried making a routing instance on the J-series (type virtual-router)
with a default route via VLAN 2920, and using a firewall filter to put DHCPv6
packets into it.
term dhcpv6 {
    from {
        source-address {
            ::/0;
        }
        next-header udp;
        source-port [ 547 546 ];
    }
    then {
        count stateless-dhcpv6;
        log;
        routing-instance stateless;
    }
}
Seems the flow lookup doesn't respect that.
Does anyone have any ideas?
Thanks
--
Mike Williams
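
Added illustration, not part of the original post: a small longest-prefix-match model of the J-series lookup described above, showing why the reply to the relay leaves via VLAN 2980 and why a /128 static route corrects only the one relay address it names. All addresses are constructed from the documentation prefix 2001:db8::/32, and the function names are hypothetical.

```python
import ipaddress

# Constructed addressing (documentation prefix); none of it comes from the post.
CLIENT_NETS = ipaddress.ip_network("2001:db8:100::/56")   # the /56 for all client networks
SERVER_NET = ipaddress.ip_network("2001:db8:ffff:100::/64")
RELAY_A = ipaddress.ip_address("2001:db8:100:1::1")       # M-series client-side IP, network A
RELAY_B = ipaddress.ip_address("2001:db8:100:2::1")       # M-series client-side IP, network B
SERVER = ipaddress.ip_address("2001:db8:ffff:100::547")


def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def j_series_table(host_routes=()):
    """Model of the J-series table: server LAN, the /56, plus optional /128s."""
    table = [(SERVER_NET, "vlan100"), (CLIENT_NETS, "vlan2980")]
    # Each static /128 points one relay address back at the VLAN the request used.
    table += [(ipaddress.ip_network(f"{h}/128"), "vlan2920") for h in host_routes]
    return table


def reply_path(relay_src, host_routes=()):
    """Interface the J-series picks for the server's reply to the relay."""
    return lookup(j_series_table(host_routes), relay_src)


def is_symmetric(relay_src, request_ingress="vlan2920", host_routes=()):
    """True when the reply leaves on the interface the relayed request arrived on."""
    return reply_path(relay_src, host_routes) == request_ingress


if __name__ == "__main__":
    for label, routes in (("no /128", ()), ("/128 for relay A", (RELAY_A,))):
        for name, relay in (("A", RELAY_A), ("B", RELAY_B)):
            print(f"{label:18} relay {name}: reply via {reply_path(relay, routes)}, "
                  f"symmetric={is_symmetric(relay, host_routes=routes)}")
```
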