GregLedet.net That dude writing stuff about that thing.

7Jul/177

IPv6, Time Warner / Spectrum, and the Juniper SRX.

I've had an IPv6 tunnel from HE.net for quite some time now. Back when I was running the ASA 5505 as my edge, I had to put a router behind it to create the tunnel. Then, when I replaced the ASA with an SRX 220 back in December 2015, I was able to build the tunnel natively on the SRX. Since that time, Time Warner has gotten around to providing IPv6 in my area and I've tried a couple different times to get it working with no luck. Now, I've finally decided that I wasn't going to stop working on it until I got it working, and I've done just that, so it's time to tell you guys how to do it yourself.

First a few caveats... Obviously, Time Warner (now Spectrum) needs to provide IPv6 in your area and that your modem supports it. I don't remember how I found out that they finally had it here, but it was probably a fellow network engineer at TWC that told me. Second, realize that you're going to have to reboot the SRX, so you're going to lose connectivity for a bit. The reason you'll need to reboot is that we need to enable IPv6 flow mode, otherwise the SRX will just drop IPv6 traffic. Let's start with that...

Obviously, ssh into the SRX and enter config mode. Then enter the following command:

set security forwarding-options family inet6 mode flow-based

Then you'll need to reboot with "request system reboot". Once it comes back up, you're ready to move on.

Your ge-0/0/0.0 interface probably looks something this at present:

greg@SRX220H# show interfaces ge-0/0/0.0

description "Uplink to Cable Modem";

family inet {

    dhcp;

}

We're going to need to change the dhcp daemon that you're using on that interface because if we were to continue on with what's coming, you'd get an error. Then we're going to add the ipv6 dhcpv6-client config to the same interface. Here's your commands:

delete interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/0 unit 0 family inet6 dad-disable
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type statefull
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client lient-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface vlan.0

Now we need to set our firewall to allow some traffic:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols router-discovery

That should be pretty self explanatory. You need to allow dhcpv6 through the firewall for all this to work, and we're going to use router-discovery to figure things out. Once you commit that, the SRX should ask TWC for an IPv6 address. Let's check to see if we got one...

greg@SRX220H# run show dhcpv6 client binding

IP/prefix                       Expires     State      ClientType    Interface       Client DUID

2607:fcc8:ffc0:5:14c9:b140:XXXX:XXXX/128 600553 BOUND  STATEFUL      ge-0/0/0.0      LL0x3-54:e0:32:ec:XX:XX

2605:a000:XXXX:XXXX::/64        600553      BOUND      STATEFUL      ge-0/0/0.0      LL0x3-54:e0:32:ec:XX:XX

It looks like we have an address! Now, we need to add a route... we'll find our next hop by running the previous command and adding detail:

greg@SRX220H# run show dhcpv6 client binding detail

Client Interface: ge-0/0/0.0

     Hardware Address:             54:e0:32:ec:XX:XX

     State:                        BOUND(DHCPV6_CLIENT_STATE_BOUND)

     ClientType:                   STATEFUL

     Lease Expires:                2017-07-14 08:01:52 EDT

     Lease Expires in:             600551 seconds

     Lease Start:                  2017-07-07 08:01:52 EDT

     Bind Type:                    IA_NA IA_PD

     Client DUID:                  LL0x3-54:e0:32:ec:XX:XX

     Rapid Commit:                 Off

     Server Ip Address:            fe80::201:5cff:fe78:XXXX

     Client IP Address:            2607:fcc8:ffc0:5:14c9:b140:XXXX:XXXX/128

     Client IP Prefix:             2605:a000:XXXX:XXXX::/64

DHCP options:

    Name: server-identifier, Value: LL_TIME0x1-0x1d7c50b0-00:50:56:XX:XX:XX

Yes, the lease started about an hour before I posted this. I was so excited that I had to post immediately! Anyway, we're looking for that Server IP Address. Once we have that, let's add a static route to it.

set routing-options rib inet6.0 static route ::/0 qualified-next-hop fe80::201:5cff:fe78:XXXX interface ge-0/0/0.0

The qualified-next-hop is going to give you a lot more control over a standard next-hop. Commit the config. Once everything is committed, it's time to test, so we'll ping Google's DNS server.

# run ping 2001:4860:4860::8888

You should get a response. IPv6 is now working! W00T! In order to get your network clients talking to the internet on IPv6, you'll have to configure them to use IPv6. As you can see up above in the dhcpv6 client binding detail, there's a "Client IP Prefix". That's the prefix assigned to you. If you do a "run show interfaces vlan.0 terse", you'll see that it now has an inet6 address that looks like 2605:a000:XXXX:XXXX:1::1/80. That's going to be your IPv6 router / gateway address. You can statically assign IP's by just counting up from that last ::1, so assign 2605:a000:XXXX:XXXX:1::2/80 to your workstation and try to ping 2001:4860:4860::8888. If you get a response, you're good to go.

So, that's the commands I had to enter to get IPv6 working on my SRX. YMMV depending on TWC's configuration in your area, but this should get you pretty damn close.

   
Seo wordpress plugin by www.seowizard.org.