I heard you want to run dual stack on your cpe.

“Hey Brandon, how about something networky for a change?”

First- Shut up, I don’t even like you (just kidding, you’re probably very pleasant).

Second- I think I have a tendency to write about solving problems, and creative tool use/fabrication interests me more than ‘switchport trunk vlan add 666’ (<– although there are plenty of fun stories behind remembering to use this command correctly, amirite?)

Third- Fine, you wore me down, this one’s about networking.

Just the other day, in my lab, I was working on some cool IPv6 translation tools (DNS64/NAT64), and wanted to really see them start to work.  My home network has historically been all IPv4 with some IPv6 in the lab, so this obviously presented some interesting obstacles.  So to solve the short term need I spun up a dual stack apache/bind server and handled my tests that way.  However that gets pretty boring fast, and I wanted to test out DNS64 against something more real-life, like the internet.

My home firewall is an SRX100 which receives a DHCP address from Comcast (Relevant).  Currently it only does this with IPv4, so I figured, what the hell?  Let’s turn on the dhcp client for IPv6 on this bad boy- how hard can it be?

Hubris, Brandon, hubris…

The summarized version of the story is:

  1. Get the software
    1. JUNOS 11.whatever doesn’t support the IPv6 dhcp client
    2. Hey, JUNOS started providing support for that in 12.something, let’s upgrade!
    3. Commence upgrade
    4. Fail upgrade and make the box unbootable
    5. Shit.
    6. Find out that I ran out of memory on the device (this can be a problem on the smaller boxes, but seriously, WTF there’s no free space check?)
    7. Run a manual install from a USB
    8. Find out that config managed to be saved (not a big deal, I have backups, but nice nonetheless)
    9. Box now back and running
  2. Configure the software
    1. Well this should be easy, we’ll just turn the client on
    2. Realize, ‘hey, IPv6 is a protocol for adults, it’s not just “turn it on”’
    3. Get the various configurations in place
         vlan {
             unit 666 {
                 description "Internet Facing VLAN";
                 family inet {
                     dhcp-client;
                 }
                 family inet6 {
                     dhcpv6-client {
                         client-type statefull;
                         client-ia-type ia-na;
                         client-identifier duid-type duid-ll;
                     }
                 }
             }
         }
      
      • Try to commit
      • Read commit errors about ‘dhcpv6-client configured not compatible’ (WTF?)
      • Look at base minimum configuration from Juniper (here)
      • Apply base minimum configuration
      • Try to commit
      • More goddamn commit errors
      • Do more digging
      • Find this gem (here) about the dhcpv6-client and dhcp server (which I’m running for the home network) being incompatible
      • Migrate to new dhcp server config
      • Delete old dhcp server config
      • Commit
      • Shit works (details summarized/anonymized)
         root@Home_FW> show dhcpv6 client binding detail

         Client Interface: vlan.666
             Hardware Address:             00:26:88:ff:ff:ff
             State:                        BOUND(DHCPV6_CLIENT_STATE_BOUND)
             ClientType:                   STATEFUL
             Lease Expires:                2015-11-06 15:18:18 PST
             Lease Expires in:             188809 seconds
             Lease Start:                  2015-11-02 16:02:34 PST
             Bind Type:                    IA_NA
             Client Interface Vlan Id:     666
             Client DUID:                  LL0xd-00:26:88:ff:ff:ff
             Rapid Commit:                 Off
             Server Ip Address:            fe80::21d:ffff:ffff:ffff
             Client IP Address:            2001:558:600a:30:6944:ffff:ffff:ffff/128

         DHCP options:
             Name: server-identifier, Value: LL_TIME0x1-0x17323d31-14:fe:b5:ff:ff:ff

         root@Home_FW> show route

         inet.0: 31 destinations, 31 routes (31 active, 0 holddown, 0 hidden)
         + = Active Route, - = Last Active, * = Both

         0.0.0.0/0          *[Access-internal/12] 1d 18:52:13
                             > to 50.159.80.1 via vlan.666

         inet6.0: 10 destinations, 12 routes (10 active, 0 holddown, 0 hidden)
         + = Active Route, - = Last Active, * = Both

         ::/0               *[Access-internal/12] 1d 18:50:47
                             > to fe80::21d:70ff:fecc:62e2 via vlan.666
        
        • Okay, now I’ve got dual stack running on the firewall, now we just need to extend it to the lab

          1. Add an IPv6 address to the SRX interface facing my lab router
            vlan {
                unit 255 {
                    description "Lab Facing Transit VLAN";
                    family inet {
                        address 192.168.255.1/24;
                    }
                    family inet6 {
                        address fdff::1/64;
                    }
                }
            }
            
          2. Add an IPv6 address to my lab router that faces my SRX
            interface Vlan255
             description LAB_TRANSIT_VLAN
             ip address 192.168.255.2 255.255.255.0
             ipv6 address FDFF::2/64
            
          3. And on the other interface of the lab router that faces all of my vyos vRouters
            interface Vlan254
             description Connection to lab vRouters
             ip address 192.168.254.1 255.255.255.0
             ipv6 address FDFF:1::1/64
            
          4. Set up BGP on the SRX to peer with the lab router over IPv6
            protocols {
                bgp {
                    group LAB_PEERS_V6 {
                        type external;
                        local-address fdff::1;
                        import RECEIVE_BGP;
                        family inet6 {
                            unicast;
                        }
                        export [ DISTRIBUTE_CONNECTED DISTRIBUTE_STATIC DISTRIBUTE_DEFAULT ];
                        local-as 65000;
                        neighbor fdff::2 {
                            family inet6 {
                                unicast;
                            }
                            peer-as 65001;
                        }
                    }
                }
            }
            policy-statement DISTRIBUTE_CONNECTED {
                term 1 {
                    from protocol direct;
                    then accept;
                }
            }

            #### This one is important if you are going to try to redistribute a default route that you learned via DHCP ####

            policy-statement DISTRIBUTE_DEFAULT {
                term 1 {
                    from route-type internal;
                    then accept;
                }
            }
            policy-statement DISTRIBUTE_STATIC {
                term 1 {
                    from protocol static;
                    then accept;
                }
            }
            policy-statement RECEIVE_BGP {
                term 1 {
                    from protocol bgp;
                    then accept;
                }
            }
            
          5. Set up BGP on the lab router to peer with the SRX over IPv6 (and while we’re at it, we’ll configure the lab router for peering with the vyos vRouter that sits in front of this particular lab)
            router bgp 65001
             bgp log-neighbor-changes
             neighbor FDFF::1 remote-as 65000
             neighbor FDFF:1::30 remote-as 65300
             !
             address-family ipv4
              no neighbor FDFF::1 activate
              no neighbor FDFF:1::30 activate
             exit-address-family
             !
             address-family ipv6
              network FDFF:1::/64
              neighbor FDFF::1 activate
              neighbor FDFF:1::30 activate
             exit-address-family
            
          6. Add an IPv6 address to the vyos vRouter
            ethernet eth0 {
                address 192.168.254.30/24
                address fdff:0001::30/64
                duplex auto
                hw-id 00:50:56:a4:61:8b
                smp_affinity auto
                speed auto
            }
            
          7. Then configure the vyos vRouter to do BGP upstream over IPv6
            protocols {
                bgp 65300 {
                    address-family {
                        ipv6-unicast {
                            aggregate-address fd03::/16 {
                                summary-only
                            }
                        }
                    }
                    neighbor fdff:0001::1 {
                        address-family {
                            ipv6-unicast {
                            }
                        }
                        remote-as 65001
                    }
                }
            }
            
          8. Commit and save your stuff

          9. If everything is working you should see something like this:
            vyos@Lab3-vRouter# run show ipv6 route
            Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,
                   I - ISIS, B - BGP, * - FIB route.

            B>* ::/0 [20/0] via fe80::fe99:47ff:fe47:cf82, eth0, 1d20h02m
            C>* ::1/128 is directly connected, lo
            C>* fdff:1::/64 is directly connected, eth0
            C * fe80::/64 is directly connected, eth3
            C * fe80::/64 is directly connected, eth1
            C * fe80::/64 is directly connected, eth0
            C>* fe80::/64 is directly connected, eth2
            
          10. To verify that this is actually what we want, let’s check the AS path of the route
            vyos@Lab3-vRouter# run show ipv6 bgp ::/0
            BGP routing table entry for ::/0
            Paths: (1 available, best #1, table Default-IP-Routing-Table)
            Advertised to non peer-group peers:
            fd03:1::2 fd03:2::2
            65001 65000
                fdff:1::1 from fdff:1::1 (192.168.255.2)
                (fe80::fe99:47ff:fe47:cf82)
                Origin IGP, localpref 100, valid, external, best
                Last update: Mon Nov  2 23:23:37 2015
            
          11. Hot damn.
            • Oh, you actually want IPv6 Internet?
          12. Since IA-PD doesn’t work correctly, and I’d prefer to keep my IPv6 labs static (since they’re using private addressing), we’re going to do something a little gross here: 6-to-6 NAT.  To accomplish this, we’ll simply create another rule for source NAT on the SRX (it’s not pretty, but it works and does what I need for now):
            nat {
                source {
                    rule-set trust-to-untrust {
                        from zone trust;
                        to zone untrust;
                        rule source-nat-rule {
                            match {
                                source-address 0.0.0.0/0;
                            }
                            then {
                                source-nat {
                                    interface;
                                }
                            }
                        }
                        rule source-nat-ipv6-rule {
                            match {
                                source-address ::/0;
                            }
                            then {
                                source-nat {
                                    interface;
                                }
                            }
                        }
                    }
                }
            }
            
          13. Now enjoy all that is IPv6 Internet
          14. Just kidding.  After all this you still notice problems.  You need to enable IPv6 on all of your intermediary devices, as it may not be enabled by default
          15. On our SRX we need to do this:
            security {
                forwarding-options {
                    family {
                        inet6 {
                            mode flow-based;
                        }
                    }
                }
            }
            
          16. And on our Cisco device we need to do this:
            ipv6 unicast-routing
            ipv6 cef
            
          17. Now it works.  For realzies.

            It’s a good thing that I work at home most of the time, as the (not-so-)little snafu with the SRX took down my home internet for most of the day.

            I can also configure the SRX for prefix delegation, however the problem is that the SRX doesn’t have the ability (as of 12.X46-D40.2) to configure the length of the prefix you would like delegation for, so it grabs the /64 and starts handing out /80s which is pretty ghetto (and I know that Comcast will hand out a /48 for delegation if your client requests it).

            Where did I put the scotch?
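Two of the checks this post ends up wanting, written up as an added example (this is not the author's code and not anything shipped by Juniper or VyOS). The first covers part 1: the upgrade bricked the box because storage ran out and nothing checked free space first, so `check_free_space` parses `show system storage` style output and says whether a package of a given size fits with headroom. The second covers step 10: `check_default_route` parses `show ipv6 bgp ::/0` style output and confirms that the best path for the default route carries exactly the expected AS path and next hop, which is the same thing the author eyeballs, but in a form you can run after every change. The storage listing is constructed (sizes and mount points are invented), the `/cf/var` mount point and the 2x headroom factor are assumptions, and the BGP sample is shaped like the output in step 10.

```python
import re

# Constructed sample in the shape of Junos 'show system storage'; sizes are invented.
SAMPLE_STORAGE = """\
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             293M       152M       118M       56%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/da0s3e             100M        20M        72M       22%  /config
/dev/da0s3f             1.2G       900M       204M       82%  /cf/var
"""

_UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text):
    """Convert a df-style size such as '118M' or '1.2G' to bytes."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)([BKMGT])", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def free_bytes(storage_output, mount_point):
    """Return the Avail column, in bytes, for mount_point (header line is skipped)."""
    for line in storage_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6 and fields[5] == mount_point:
            return parse_size(fields[3])
    raise KeyError(f"mount point {mount_point!r} not found")


def check_free_space(storage_output, package_bytes, mount_point="/cf/var", headroom=2.0):
    """True when mount_point has at least headroom * package_bytes available.

    The install has to hold the uploaded package and unpack it, so the package
    size alone is not enough room; headroom=2.0 and the mount point are assumed
    values, not figures from the post or from Juniper.
    """
    return free_bytes(storage_output, mount_point) >= headroom * package_bytes


# Constructed sample in the shape of the post's 'show ipv6 bgp ::/0' output.
SAMPLE_BGP = """\
BGP routing table entry for ::/0
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
fd03:1::2 fd03:2::2
65001 65000
    fdff:1::1 from fdff:1::1 (192.168.255.2)
    (fe80::fe99:47ff:fe47:cf82)
    Origin IGP, localpref 100, valid, external, best
    Last update: Mon Nov  2 23:23:37 2015
"""


def parse_bgp_paths(output):
    """Return one dict per path: as_path (list of ints), next_hop, best (bool).

    In this output format a line made only of ASNs opens a path entry and the
    indented lines that follow describe it, so that line is used as the delimiter.
    """
    paths = []
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped and re.fullmatch(r"[0-9]+( [0-9]+)*", stripped):
            current = {"as_path": [int(a) for a in stripped.split()],
                       "next_hop": None, "best": False}
            paths.append(current)
        elif current is not None:
            m = re.match(r"(\S+) from (\S+)", stripped)
            if m and current["next_hop"] is None:
                current["next_hop"] = m.group(1)
            if stripped.startswith("Origin ") and re.search(r"\bbest\b", stripped):
                current["best"] = True
    return paths


def check_default_route(output, expected_path, expected_next_hop):
    """True when exactly one best path exists and it matches the expected AS path and next hop."""
    best = [p for p in parse_bgp_paths(output) if p["best"]]
    if len(best) != 1:
        return False
    return (best[0]["as_path"] == list(expected_path)
            and best[0]["next_hop"] == expected_next_hop)


if __name__ == "__main__":
    pkg = 150 * 1024 ** 2  # assumed package size for the demonstration
    print("upgrade fits:", check_free_space(SAMPLE_STORAGE, pkg))
    print("default via lab router and SRX:",
          check_default_route(SAMPLE_BGP, [65001, 65000], "fdff:1::1"))
```

Feed the two functions the captured text of `show system storage` on the SRX (before you copy the image over) and `run show ipv6 bgp ::/0` on the vRouter (after each commit); a default route whose best path no longer reads 65001 65000 from fdff:1::1 is the first sign that something upstream of the lab changed, whether a policy mistake on the SRX or a peer you did not expect.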

Tagged #BGP, #Cisco, #IPv6, #Juniper, #JUNOS, #NAT, #SRX
