Firstly, let’s go ahead and enable IPv6 flow-based forwarding on our branch series Juniper SRX Firewall by entering the following in configuration mode:
SRX-240# set security forwarding-options family inet6 mode flow-based
SRX-240# commit and-quit
Upon commit, the SRX will prompt to reboot the device. Once the SRX has rebooted, check the flow status by issuing the following command:
SRX-240> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
All looks good. Let’s now create a test Trust Security Zone using interface ge-0/0/0:
SRX-240# set interfaces ge-0/0/0 unit 0 family inet6 address fd65:4654:6546:1010::1/64
SRX-240# set security zones security-zone Trust-DHCP-Test
SRX-240# set security zones security-zone Trust-DHCP-Test interfaces ge-0/0/0.0
SRX-240# set security zones security-zone Trust-DHCP-Test host-inbound-traffic system-services dhcpv6

SRX-240# show security zones security-zone Trust-DHCP-Test
host-inbound-traffic {
    system-services {
        dhcpv6;
    }
}
interfaces {
    ge-0/0/0.0;
}
Under host-inbound-traffic, dhcpv6 must be added to allow the SRX’s routing-engine to respond to IPv6 DHCP requests.
Now we need to create an address assignment which allows us to specify a scope and the client facing interface along with DHCP attributes such as DNS Servers. We do this by configuring a pool under the access stanza:
set access address-assignment pool TEST_POOL-v6 family inet6 prefix fd65:4654:6546:1010::/64
set access address-assignment pool TEST_POOL-v6 family inet6 range TEST_RANGE-v6 low fd65:4654:6546:1010:fffa::/64
set access address-assignment pool TEST_POOL-v6 family inet6 range TEST_RANGE-v6 high fd65:4654:6546:1010:ffff::/64
set access address-assignment pool TEST_POOL-v6 family inet6 dhcp-attributes dns-server 2001:4860:4860::8888
set access address-assignment pool TEST_POOL-v6 family inet6 dhcp-attributes dns-server 2001:4860:4860::8844
set access address-assignment pool TEST_POOL-v6 family inet6 dhcp-attributes propagate-settings ge-0/0/0.0
The above is fairly self-explanatory. A small range from fd65:4654:6546:1010:fffa::/64 to fd65:4654:6546:1010:ffff::/64 has been configured to propagate to network clients sitting behind interface ge-0/0/0.0, which we configured earlier. For simplicity, Google’s DNS servers are used in the above example; these can be replaced with your own internal or external DNS servers.
The last step is to enable the DHCPv6 local server on the SRX. We do this by configuring the system service and adding the ‘TEST_POOL-v6’ pool we configured:
SRX-240# set system services dhcp-local-server dhcpv6 group TEST_POOL-v6
SRX-240# commit and-quit
To verify the IPv6 DHCP server is working as expected, run the following command:
SRX-240# run show dhcpv6 server statistics
Dhcpv6 Packets dropped:
    Total                       0

Messages received:
    DHCPV6_DECLINE              0
    DHCPV6_SOLICIT              2
    DHCPV6_INFORMATION_REQUEST  30
    DHCPV6_RELEASE              0
    DHCPV6_REQUEST              9
    DHCPV6_CONFIRM              0
    DHCPV6_RENEW                0
    DHCPV6_REBIND               0
    DHCPV6_RELAY_FORW           0
    DHCPV6_RELAY_REPL           0

Messages sent:
    DHCPV6_ADVERTISE            2
    DHCPV6_REPLY                3
    DHCPV6_RECONFIGURE          0
    DHCPV6_RELAY_REPL           0
As we can see from the above output, a number of requests have been received. We can also take a look at the IPv6 neighbours, the IPv6 counterpart to the ARP table in IPv4, by running the command ‘show ipv6 neighbors’.
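The following Python check is an added example, not part of the original article and not Juniper tooling: it parses the "set" statements used above and flags a range bound outside the pool prefix, a client-facing interface with no address in that prefix, or a zone that lacks dhcpv6 under host-inbound-traffic. The function name lint_dhcpv6 and the sample input are assumptions constructed from the commands on this page.

```python
import ipaddress
import re

# Constructed input: the article's "set" statements with the CLI prompt removed.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet6 address fd65:4654:6546:1010::1/64
set security zones security-zone Trust-DHCP-Test interfaces ge-0/0/0.0
set security zones security-zone Trust-DHCP-Test host-inbound-traffic system-services dhcpv6
set access address-assignment pool TEST_POOL-v6 family inet6 prefix fd65:4654:6546:1010::/64
set access address-assignment pool TEST_POOL-v6 family inet6 range TEST_RANGE-v6 low fd65:4654:6546:1010:fffa::/64
set access address-assignment pool TEST_POOL-v6 family inet6 range TEST_RANGE-v6 high fd65:4654:6546:1010:ffff::/64
set access address-assignment pool TEST_POOL-v6 family inet6 dhcp-attributes propagate-settings ge-0/0/0.0
"""

def lint_dhcpv6(config):
    """Cross-check pool, interface and zone statements; return a list of findings."""
    addr, zone_of, dhcp_zones, pools = {}, {}, set(), {}
    for line in config.splitlines():
        if m := re.search(r"set interfaces (\S+) unit (\d+) family inet6 address (\S+)", line):
            addr[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := re.search(r"security-zone (\S+) interfaces (\S+)", line):
            zone_of[m[2]] = m[1]
        elif m := re.search(r"security-zone (\S+) host-inbound-traffic system-services dhcpv6", line):
            dhcp_zones.add(m[1])
        elif m := re.search(r"pool (\S+) family inet6 (?:range \S+ |dhcp-attributes )?"
                            r"(prefix|low|high|propagate-settings) (\S+)", line):
            pools.setdefault(m[1], {})[m[2]] = m[3]
    findings = []
    for name, p in pools.items():
        if "prefix" not in p:
            findings.append(f"{name}: no prefix configured")
            continue
        net = ipaddress.ip_network(p["prefix"], strict=False)
        # Range bounds carry a /len suffix on this page; compare the address part only.
        low, high = (ipaddress.ip_address(p[k].split("/")[0]) if k in p else None
                     for k in ("low", "high"))
        for label, a in (("low", low), ("high", high)):
            if a is not None and a not in net:
                findings.append(f"{name}: range {label} {a} is outside {net}")
        if low is not None and high is not None and low > high:
            findings.append(f"{name}: range low is above range high")
        ifl = p.get("propagate-settings")
        if ifl and (ifl not in addr or addr[ifl].ip not in net):
            findings.append(f"{name}: {ifl} has no address inside {net}")
        if ifl and zone_of.get(ifl) not in dhcp_zones:
            findings.append(f"{name}: zone of {ifl} does not allow dhcpv6 host-inbound-traffic")
    return findings
```

Running lint_dhcpv6(SAMPLE_CONFIG) returns an empty list for the configuration shown in this article.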
Parth Kundariya on 06/03/2019 at 07:24 ( first published )
Justin Anstes on 06/03/2019 at 07:44 ( last updated )