As part of my ongoing IPv6 testing, I was asked to look into stateful auto-configuration for devices and hosts using DHCPv6. I had already looked into Stateless Address Autoconfiguration (SLAAC) and into another method of providing stateful auto-configuration using a dual-stacked DHCP server. This time I'll be looking into how this can be done using Juniper hardware, specifically Juniper SRX series routers. If you haven't used DHCP before, my other DHCP-related post explains what DHCP is and how DHCPv6 communication differs slightly from DHCPv4. With that in mind, I won't go over what DHCP is again; instead I'll go straight into the good stuff!
Let's get cracking 😀
For this test I had a simple topology: I used a Juniper SRX220 as the DHCP server and a single ESXi-hosted Ubuntu 14.04 LTS host connected on port ge-0/0/0 as the client.
Firstly, on the SRX, I had to enable IPv6 flow mode. By default, IPv6 IS NOT enabled. You enable IPv6 flow mode with the command set security forwarding-options family inet6 mode flow-based; once committed, you'll need to reboot the device for the change to take effect. When the SRX has finished booting, you can confirm that IPv6 traffic will be handled in flow mode (and so can be permitted statefully) with show security flow status:
[email protected]> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
Now that we know stateful IPv6 flows can traverse the SRX, we can start enabling the SRX as a DHCPv6 server.
Under the system services dhcp-local-server stanza, we need to specify that we'll be using DHCPv6 and set the interface(s) on which clients will request addresses. Additionally, there are a few optional statements. For my example I've set the maximum number of DHCP clients to 100 using the interface-client-limit statement; by default there is no limit on the number of clients that can request an address.
[email protected]# show system services
dhcp-local-server {
    dhcpv6 {
        overrides {
            interface-client-limit 100;
        }
        group v6 {
            interface vlan.100;
        }
    }
}
Next, the access address-assignment stanza is where we set the prefix pool that will be advertised to hosts and the address range to lease from it. Within this stanza you're also able to set other DHCP details such as lease time, grace period and dns-server under dhcp-attributes. The attributes are optional, but they should be reviewed and configured according to your own requirements.
[email protected]# show access
address-assignment {
    pool v6 {
        family inet6 {
            prefix 2001:192:168:1::/64;
            range dhcpv6-range {
                low 2001:192:168:1::200/128;
                high 2001:192:168:1::299/128;
            }
            dhcp-attributes {
                maximum-lease-time 120;
                grace-period 3600;
            }
        }
    }
}
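As an added example (not part of the original post and not a Juniper tool), the following Python script sanity-checks a pool definition like the one above before it is committed: it confirms the range sits inside the advertised prefix, counts the addresses in the range, and compares that with the interface-client-limit. One thing worth seeing in code is that IPv6 addresses are hexadecimal, so a range of ::200 to ::299 is 0x299 - 0x200 + 1 = 154 addresses, not 100. The prefix, range and limit are the values from the post; the function names are my own.

```python
import ipaddress

# Values from the post's configuration (the constant names are this example's own).
PREFIX = "2001:192:168:1::/64"
RANGE_LOW = "2001:192:168:1::200/128"
RANGE_HIGH = "2001:192:168:1::299/128"
CLIENT_LIMIT = 100  # interface-client-limit as shown in the post's show output


def _addr(text):
    """Accept an address with or without the /128 suffix that Junos prints."""
    return ipaddress.IPv6Interface(text).ip


def pool_size(low, high):
    """Number of addresses in the inclusive low..high range."""
    lo, hi = _addr(low), _addr(high)
    if hi < lo:
        raise ValueError("range high is below range low")
    return int(hi) - int(lo) + 1


def range_in_prefix(prefix, low, high):
    """True when both ends of the range fall inside the advertised prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return _addr(low) in net and _addr(high) in net


def check_pool(prefix, low, high, client_limit):
    """Summarise the pool; 'ok' is False when something needs attention."""
    size = pool_size(low, high)
    in_prefix = range_in_prefix(prefix, low, high)
    result = {
        "size": size,
        "in_prefix": in_prefix,
        # A client limit above the pool size never triggers: the pool runs
        # dry first and later clients simply get no address.
        "limit_exceeds_pool": client_limit > size,
        "usable_clients": min(size, client_limit),
    }
    result["ok"] = in_prefix and not result["limit_exceeds_pool"]
    return result


if __name__ == "__main__":
    for key, value in check_pool(PREFIX, RANGE_LOW, RANGE_HIGH, CLIENT_LIMIT).items():
        print(f"{key}: {value}")
```

With the post's values the pool holds 154 addresses and a limit of 100 is fine; with the limit of 200 from the set-command recap at the end of the post, the limit can never be reached because the range is exhausted first.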
We need to configure the SRX so that it advertises our IPv6 prefix on the correct interface. By adding the managed-configuration statement, the router advertisement tells hosts that addresses are available via DHCPv6, so the router supports both stateful (DHCPv6) and stateless (SLAAC) address assignment. Finally, for the DHCPv6 server to accept client requests at all, the interface's security zone must allow dhcpv6 as a host-inbound system service; otherwise the SRX drops the clients' DHCPv6 packets before they reach the server.
[email protected]# show protocols
router-advertisement {
    interface vlan.100 {
        managed-configuration;
        prefix 2001:192:168:1::/64;
    }
}
[email protected]# show security zone
security-zone internal {
    tcp-rst;
    interfaces {
        vlan.100 {
            host-inbound-traffic {
                system-services {
                    dhcpv6;
                }
            }
        }
    }
}
With the SRX configured, we can now check the client side to make sure it's set up for DHCP. On the client, the interface has to be configured to obtain its address from DHCP. For IPv6 this means setting the interface's inet6 stanza to dhcp in /etc/network/interfaces.
[email protected]:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
{...}
auto eth1
iface eth1 inet dhcp

# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto

auto eth1
iface eth1 inet6 dhcp
Now that we have both the SRX and the client configured, we can bring it all together and run some tests!
Verification Testing
On the client, we request an address from the SRX by running dhclient eth1 -6 -v, and we can confirm that an address has been successfully assigned by running ifconfig:
[email protected]:~$ sudo dhclient eth1 -6 -v
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/eth1
Sending on   Socket/eth1
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT:  X-- IA_NA 29:4f:26:c5
XMT:  | X-- Request renew in  +3600
XMT:  | X-- Request rebind in +5400
XMT:  | X-- Request address 2001:192:168:1::111.
XMT:  | | X-- Request preferred in +7200
XMT:  | | X-- Request valid in   +10800
XMT:  | X-- Request address 2001:192:168:1::200.
XMT:  | | X-- Request preferred in +7200
XMT:  | | X-- Request valid in   +10800
XMT: Solicit on eth1, interval 1060ms.
RCV: Advertise message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV:  X-- IA_NA 29:4f:26:c5
RCV:  | X-- starts 1452250973
RCV:  | X-- t1 - renew  +60
RCV:  | X-- t2 - rebind +96
RCV:  | X-- [Options]
RCV:  | | X-- IAADDR 2001:192:168:1::200
RCV:  | | | X-- Preferred lifetime 120.
RCV:  | | | X-- Max lifetime 120.
RCV:  X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
RCV:  Advertisement recorded.
PRC: Selecting best advertised lease.
PRC: Considering best lease.
PRC:  X-- Initial candidate 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32 (s: 153, p: 0).
XMT: Forming Request, 0 ms elapsed.
XMT:  X-- IA_NA 29:4f:26:c5
XMT:  | X-- Requested renew  +3600
XMT:  | X-- Requested rebind +5400
XMT:  | | X-- IAADDR 2001:192:168:1::200
XMT:  | | | X-- Preferred lifetime +7200
XMT:  | | | X-- Max lifetime +7500
XMT:  V IA_NA appended.
XMT: Request on eth1, interval 930ms.
RCV: Reply message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV:  X-- IA_NA 29:4f:26:c5
RCV:  | X-- starts 1452250974
RCV:  | X-- t1 - renew  +60
RCV:  | X-- t2 - rebind +96
RCV:  | X-- [Options]
RCV:  | | X-- IAADDR 2001:192:168:1::200
RCV:  | | | X-- Preferred lifetime 120.
RCV:  | | | X-- Max lifetime 120.
RCV:  X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
PRC: Bound to lease 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38:31.
[email protected]:~$ ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:0c:29:4f:26:c5
          inet6 addr: fe80::20c:29ff:fe4f:26c5/64 Scope:Link
          inet6 addr: 2001:192:168:1::200/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12342 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11980 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4052626 (4.0 MB)  TX bytes:3303461 (3.3 MB)
Having confirmed that an address from the DHCP pool has been assigned on the client, we can now look at the SRX to see what has happened there!
Firstly, I checked whether I could see the session flow between the client and the SRX by running show security flow session. As the output below shows, and as per RFC 3315, the DHCPv6 exchange runs over UDP ports 546 (client) and 547 (server/relay) and uses link-local addresses on both sides.
[email protected]> show security flow session
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.1.0.17/46789 --> 10.1.0.158/22;tcp, If: ge-0/0/7.0, Pkts: 5631, Bytes: 416401
  Out: 10.1.0.158/22 --> 10.1.0.17/46789;tcp, If: .local..0, Pkts: 3109, Bytes: 389005

Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 54, Valid
  In: fe80::120e:7eff:fe4e:2e88/547 --> fe80::20c:29ff:fe4f:26c5/546;udp, If: .local..0, Pkts: 2, Bytes: 288
  Out: fe80::20c:29ff:fe4f:26c5/546 --> fe80::120e:7eff:fe4e:2e88/547;udp, If: vlan.100, Pkts: 0, Bytes: 0
Total sessions: 2
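Added example, not from the post or from Juniper: a small Python parser for show security flow session output that picks out DHCPv6 sessions and flags any that deviate from the client/server exchange described above (UDP, ports 546 and 547, link-local addresses on both ends). The first sample is the output above re-typed as constructed input; the second is a made-up session with a global-scope source, included only so the check has something to report.

```python
import ipaddress
import re

# Constructed sample, based on the post's show security flow session output.
SAMPLE_OK = """\
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.1.0.17/46789 --> 10.1.0.158/22;tcp, If: ge-0/0/7.0, Pkts: 5631, Bytes: 416401
  Out: 10.1.0.158/22 --> 10.1.0.17/46789;tcp, If: .local..0, Pkts: 3109, Bytes: 389005
Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 54, Valid
  In: fe80::120e:7eff:fe4e:2e88/547 --> fe80::20c:29ff:fe4f:26c5/546;udp, If: .local..0, Pkts: 2, Bytes: 288
  Out: fe80::20c:29ff:fe4f:26c5/546 --> fe80::120e:7eff:fe4e:2e88/547;udp, If: vlan.100, Pkts: 0, Bytes: 0
Total sessions: 2
"""

# Constructed: a DHCPv6 session whose server side is a global address, which is
# not what a directly attached client/server exchange should look like.
SAMPLE_BAD = """\
Session ID: 12, Policy name: self-traffic-policy/1, Timeout: 54, Valid
  In: 2001:db8::bad/547 --> fe80::20c:29ff:fe4f:26c5/546;udp, If: vlan.100, Pkts: 1, Bytes: 144
  Out: fe80::20c:29ff:fe4f:26c5/546 --> 2001:db8::bad/547;udp, If: .local..0, Pkts: 0, Bytes: 0
Total sessions: 1
"""

SESSION_RE = re.compile(r"^\s*Session ID:\s+(\d+),")
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),\s+If:\s+(\S+),"
)
DHCPV6_PORTS = {546, 547}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_sessions(text):
    """Return a list of sessions, each a dict with an 'id' and its In/Out wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "wings": []})
            continue
        m = WING_RE.match(line)
        if m and sessions:
            direction, src, sport, dst, dport, proto, iface = m.groups()
            sessions[-1]["wings"].append({
                "dir": direction, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "proto": proto, "if": iface,
            })
    return sessions


def _is_link_local(addr):
    try:
        return ipaddress.ip_address(addr) in LINK_LOCAL
    except ValueError:
        return False


def dhcpv6_findings(text):
    """List (session id, message) for DHCPv6 wings that are not UDP 546<->547
    between two link-local addresses."""
    findings = []
    for s in parse_sessions(text):
        for w in s["wings"]:
            ports = {w["sport"], w["dport"]}
            if not ports & DHCPV6_PORTS:
                continue  # not DHCPv6 traffic
            if w["proto"] != "udp":
                findings.append((s["id"], f"{w['dir']}: DHCPv6 port on non-UDP flow"))
            if ports != DHCPV6_PORTS:
                findings.append((s["id"], f"{w['dir']}: unexpected port pair {sorted(ports)}"))
            for label in ("src", "dst"):
                if not _is_link_local(w[label]):
                    findings.append((s["id"], f"{w['dir']}: {label} {w[label]} is not link-local"))
    return findings


if __name__ == "__main__":
    print("post output:", dhcpv6_findings(SAMPLE_OK))
    print("bad sample:", dhcpv6_findings(SAMPLE_BAD))
```

The link-local rule is deliberately strict for this topology, where the SRX serves clients directly. If you later add a DHCPv6 relay, relay-to-server traffic legitimately runs 547 to 547 between global addresses, and the check would need an allowance for that.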
There are only two show commands for the DHCP server, whether it's v4 or v6; for DHCPv6 they are show dhcpv6 server binding and show dhcpv6 server statistics.
- show dhcpv6 server binding provides details on the address that has been assigned to a client, including the client's DUID (which carries its MAC address), prefix, remaining lease time, current state and interface.
- show dhcpv6 server statistics, as the name suggests, provides counts of the messages sent and received between the server and clients.
[email protected]> show dhcpv6 server binding
Prefix                      Session Id  Expires  State  Interface  Client DUID
2001:192:168:1::200/128     2           74       BOUND  vlan.100   LL_TIME0x1-0x1ddd0462-00:0c:29:4f:26:c5
[email protected]> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
    Total                      0

Messages received:
    DHCPV6_DECLINE             0
    DHCPV6_SOLICIT             1
    DHCPV6_INFORMATION_REQUEST 0
    DHCPV6_RELEASE             0
    DHCPV6_REQUEST             1
    DHCPV6_CONFIRM             0
    DHCPV6_RENEW               0
    DHCPV6_REBIND              0
    DHCPV6_RELAY_FORW          0
    DHCPV6_RELAY_REPL          0

Messages sent:
    DHCPV6_ADVERTISE           1
    DHCPV6_REPLY               1
    DHCPV6_RECONFIGURE         0
    DHCPV6_RELAY_REPL          0
For completeness, I had the client release the assigned address and checked the statistics again, just to make sure I saw the counters increment.
[email protected]:~$ sudo dhclient -6 -v -r eth1
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/eth1
Sending on   Socket/eth1
XMT: Forming Release, 0 ms elapsed.
XMT:  X-- IA_NA 29:4f:26:c5
XMT:  | X-- Release Address 2001:192:168:1::200
XMT:  V IA_NA appended.
XMT: Release on eth1, interval 1070ms.
RCV: Reply message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV:  X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
[email protected]> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
    Total                      0

Messages received:
    DHCPV6_DECLINE             0
    DHCPV6_SOLICIT             1
    DHCPV6_INFORMATION_REQUEST 0
    DHCPV6_RELEASE             1
    DHCPV6_REQUEST             1
    DHCPV6_CONFIRM             0
    DHCPV6_RENEW               1
    DHCPV6_REBIND              0
    DHCPV6_RELAY_FORW          0
    DHCPV6_RELAY_REPL          0

Messages sent:
    DHCPV6_ADVERTISE           1
    DHCPV6_REPLY               3
    DHCPV6_RECONFIGURE         0
    DHCPV6_RELAY_REPL          0
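Added example (not part of the post, not a Juniper tool): Python that parses two show dhcpv6 server statistics snapshots, reports which counters changed between them, and checks that every Solicit was answered with an Advertise and every Request, Renew, Rebind, Release, Decline, Confirm or Information-request with a Reply. Persistent unanswered messages or a non-zero dropped count are the first things to look at when clients fail to get addresses. The two snapshots are the before and after outputs above, embedded as constructed sample input.

```python
import re

# Constructed sample input: the post's two statistics snapshots, one counter per line.
BEFORE = """\
Dhcpv6 Packets dropped:
    Total 0
Messages received:
    DHCPV6_DECLINE 0
    DHCPV6_SOLICIT 1
    DHCPV6_INFORMATION_REQUEST 0
    DHCPV6_RELEASE 0
    DHCPV6_REQUEST 1
    DHCPV6_CONFIRM 0
    DHCPV6_RENEW 0
    DHCPV6_REBIND 0
    DHCPV6_RELAY_FORW 0
    DHCPV6_RELAY_REPL 0
Messages sent:
    DHCPV6_ADVERTISE 1
    DHCPV6_REPLY 1
    DHCPV6_RECONFIGURE 0
    DHCPV6_RELAY_REPL 0
"""

# Same server after the client's release (RELEASE, RENEW and REPLY moved).
AFTER = (BEFORE
         .replace("DHCPV6_RELEASE 0", "DHCPV6_RELEASE 1")
         .replace("DHCPV6_RENEW 0", "DHCPV6_RENEW 1")
         .replace("DHCPV6_REPLY 1", "DHCPV6_REPLY 3"))

COUNTER_RE = re.compile(r"(DHCPV6_[A-Z_]+)\s+(\d+)")
# Client messages that the server answers with a Reply (RFC 3315).
REPLY_TRIGGERS = ("DHCPV6_REQUEST", "DHCPV6_RENEW", "DHCPV6_REBIND", "DHCPV6_RELEASE",
                  "DHCPV6_DECLINE", "DHCPV6_CONFIRM", "DHCPV6_INFORMATION_REQUEST")


def parse_stats(text):
    """Split the output into the dropped count and the received/sent counters."""
    head, _, rest = text.partition("Messages received:")
    received, _, sent = rest.partition("Messages sent:")
    dropped = re.search(r"Total\s+(\d+)", head)

    def counters(part):
        return {name: int(value) for name, value in COUNTER_RE.findall(part)}

    return {"dropped": int(dropped.group(1)) if dropped else 0,
            "received": counters(received), "sent": counters(sent)}


def delta(before, after):
    """Counters that changed between two snapshots (only non-zero differences)."""
    out = {"dropped": after["dropped"] - before["dropped"]}
    for section in ("received", "sent"):
        out[section] = {}
        for name, value in after[section].items():
            diff = value - before[section].get(name, 0)
            if diff:
                out[section][name] = diff
    return out


def unanswered(stats):
    """Client messages received so far that have no matching server message."""
    r, s = stats["received"], stats["sent"]
    return {
        "solicit_without_advertise": r.get("DHCPV6_SOLICIT", 0) - s.get("DHCPV6_ADVERTISE", 0),
        "expected_reply_missing": sum(r.get(n, 0) for n in REPLY_TRIGGERS) - s.get("DHCPV6_REPLY", 0),
        "dropped": stats["dropped"],
    }


if __name__ == "__main__":
    print("changed:", delta(parse_stats(BEFORE), parse_stats(AFTER)))
    print("health:", unanswered(parse_stats(AFTER)))
```

Between the two snapshots the release shows up as one Release, one Renew and two extra Replies, and both snapshots balance: one Advertise for one Solicit, and Replies equal to Request + Renew + Release. A server using Rapid Commit answers a Solicit directly with a Reply, so on such a server the solicit_without_advertise figure would need to be read together with the Reply count.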
And with that a DHCPv6 Server has been configured using a Juniper SRX series router!
I've included the useful show and clear commands, and the set commands that I used in my example, below 🙂
show security flow session
show dhcpv6 server binding
show dhcpv6 server statistics
clear dhcpv6 server binding
clear dhcpv6 server statistics

set security forwarding-options family inet6 mode flow-based
set system services dhcp-local-server dhcpv6 overrides interface-client-limit 200
set system services dhcp-local-server dhcpv6 group v6 interface vlan.100
set protocols router-advertisement interface vlan.100 prefix 2001:192:168:1::/64
set access address-assignment pool v6 family inet6 prefix 2001:192:168:1::/64
set access address-assignment pool v6 family inet6 range dhcpv6-range low 2001:192:168:1::200/128
set access address-assignment pool v6 family inet6 range dhcpv6-range high 2001:192:168:1::299/128
set access address-assignment pool v6 family inet6 dhcp-attributes maximum-lease-time 120
set access address-assignment pool v6 family inet6 dhcp-attributes grace-period 3600
set security zones security-zone internal interfaces vlan.100 host-inbound-traffic system-services dhcpv6
More detailed information can be found on Juniper's TechLibrary pages.