Tag Archives: IP Addressing

Configuring IPv4 DHCP Juniper SRX

Reading Time: 1 minute

After configuring a Dual Stacked DHCP server and DHCPv6 on Juniper SRX, it’s only right that I did something on configuring DHCPv4 on a Juniper SRX.

This won’t be a long or detailed post, as the configuration is very much the same as my previous post on configuring DHCPv6 on an SRX, and I’ve gone through how DHCP works in quite a lot of detail before.

First, under the system services dhcp-local-server stanza, you will need to create a group and set the physical or logical interface on which the DHCP server will listen:

[email protected]# show system services dhcp-local-server    
group dhcpv4-group {
    interface vlan.3407;
}

Next, under the access address-assignment stanza, you set the network, the DHCP range and the IP address of the router (default gateway) within that network. Note that the router address, 172.31.106.17, sits inside the network but outside the range, so it is never handed out to a client. The propagate-settings statement copies options learned by the DHCP client on vlan.3407 into the pool wherever nothing is set explicitly, most importantly the name-server, which differs from ISP to ISP; without it, name resolution on the LAN won’t work.

[email protected]# show access   
address-assignment {
    pool v4 {
        family inet {
            network 172.31.106.16/29;
            range v4-range {
                low 172.31.106.18;
                high 172.31.106.22;
            }
            dhcp-attributes {
                router {
                    172.31.106.17;
                }
                propagate-settings vlan.3407;
            }
        }
    }
}

That is all the configuration needed for DHCPv4 on the SRX220. One thing to check if clients get no lease: DHCP is traffic to the SRX itself, so the security zone holding vlan.3407 must allow dhcp under host-inbound-traffic system-services (the DHCPv6 post further down does the equivalent with dhcpv6). For troubleshooting DHCP you can use the commands below:

[email protected]> show dhcp ? 
Possible completions:
  client               Show DHCP client information
  relay                Show DHCP relay information
  server               Show DHCP server information
  snooping             Show DHCP snooping information
  statistics           Show DHCP service statistics

As I said, this is a quick post :p

I have included the set commands used in my example below:

DHCP Set Commands
set system services dhcp-local-server group dhcpv4-group interface vlan.3407
set access address-assignment pool v4 family inet network 172.31.106.16/29
set access address-assignment pool v4 family inet range v4-range low 172.31.106.18
set access address-assignment pool v4 family inet range v4-range high 172.31.106.22
set access address-assignment pool v4 family inet dhcp-attributes router 172.31.106.17
set access address-assignment pool v4 family inet dhcp-attributes propagate-settings vlan.3407
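As an added example (Python; not from the post and not Juniper code), a pre-commit sanity check for a pool like the one above. It parses the set-command form of the access address-assignment statements and verifies what silently breaks a pool: the range must sit inside the network, neither end may be the network or broadcast address, the low end must not be above the high end, and the router address must lie in the network but outside the range (a gateway inside the lease range is a classic way to hand a client the router’s own address). Other statements in the stanza, such as propagate-settings, are ignored. The second, deliberately broken pool is constructed for the example.

```python
"""Sanity-check a Junos address-assignment pool before committing it.
Added example, not from the post: parses 'set access address-assignment ...' lines
and reports range/network/router inconsistencies."""
import ipaddress
import re

SET_RE = re.compile(
    r"^set access address-assignment pool (?P<pool>\S+) family inet "
    r"(?:network (?P<network>\S+)"
    r"|range (?P<range>\S+) (?P<end>low|high) (?P<addr>\S+)"
    r"|dhcp-attributes router (?P<router>\S+))$"
)


def parse_pools(config_text):
    """Collect network, ranges and router addresses per pool from set commands."""
    pools = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # other statements (propagate-settings, name-server, ...) are not checked
        pool = pools.setdefault(m["pool"], {"network": None, "ranges": {}, "routers": []})
        if m["network"]:
            pool["network"] = ipaddress.ip_network(m["network"], strict=True)
        elif m["range"]:
            pool["ranges"].setdefault(m["range"], {})[m["end"]] = ipaddress.ip_address(m["addr"])
        elif m["router"]:
            pool["routers"].append(ipaddress.ip_address(m["router"]))
    return pools


def check_pool(name, pool):
    """Return a list of human-readable problems; an empty list means the pool is consistent."""
    problems = []
    net = pool["network"]
    if net is None:
        return ["%s: no network statement" % name]
    for rname, ends in pool["ranges"].items():
        if "low" not in ends or "high" not in ends:
            problems.append("%s/%s: range needs both low and high" % (name, rname))
            continue
        low, high = ends["low"], ends["high"]
        if low > high:
            problems.append("%s/%s: low %s is above high %s" % (name, rname, low, high))
        for a in (low, high):
            if a not in net:
                problems.append("%s/%s: %s is outside %s" % (name, rname, a, net))
            elif a in (net.network_address, net.broadcast_address):
                problems.append("%s/%s: %s is the network or broadcast address" % (name, rname, a))
        for r in pool["routers"]:
            if low <= r <= high:
                problems.append("%s/%s: router %s sits inside the lease range" % (name, rname, r))
    for r in pool["routers"]:
        if r not in net:
            problems.append("%s: router %s is outside %s" % (name, r, net))
    return problems


def check_config(config_text):
    """All problems across all pools in the given set commands."""
    return [p for name, pool in parse_pools(config_text).items() for p in check_pool(name, pool)]


# The pool from the post (copy of its set commands)
POST_CONFIG = """
set access address-assignment pool v4 family inet network 172.31.106.16/29
set access address-assignment pool v4 family inet range v4-range low 172.31.106.18
set access address-assignment pool v4 family inet range v4-range high 172.31.106.22
set access address-assignment pool v4 family inet dhcp-attributes router 172.31.106.17
set access address-assignment pool v4 family inet dhcp-attributes propagate-settings vlan.3407
"""

# A constructed broken variant: router inside the range, high end on the broadcast address
BAD_CONFIG = """
set access address-assignment pool lan family inet network 192.0.2.0/29
set access address-assignment pool lan family inet range r low 192.0.2.1
set access address-assignment pool lan family inet range r high 192.0.2.7
set access address-assignment pool lan family inet dhcp-attributes router 192.0.2.1
"""

if __name__ == "__main__":
    for cfg in (POST_CONFIG, BAD_CONFIG):
        print(check_config(cfg) or ["ok"])
```

Run it against the set commands you are about to paste into the CLI; the pool from the post comes back clean, the constructed one reports both faults.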

IPv6 and Junos – Stateful Auto-configuration with DHCPv6

Reading Time: 4 minutes

As part of my on-going IPv6 testing, I was asked to look into stateful auto-configuration for devices and hosts using DHCPv6. I had already looked into Stateless Address Autoconfiguration and into another method of providing stateful auto-configuration using a Dual Stacked DHCP server. This time I’ll be looking into how this could be done using Juniper hardware, to be specific Juniper SRX series routers. If you haven’t used DHCP before, my other DHCP related post gave an explanation of what DHCP is and how DHCPv6 communications work slightly differently from DHCPv4. With that in mind, I won’t be going over what DHCP is again, but instead I’ll be going straight into the good stuff!

Lets get cracking 😀

For this test I had a simple topology: a Juniper SRX220 as the DHCP server and a single ESXi Ubuntu 14.04 LTS host connected on port ge-0/0/0 as the client.

Firstly, on the SRX, I had to enable IPv6 flow mode. By default, IPv6 flow processing IS NOT enabled. You enable it by running the command set security forwarding-options family inet6 mode flow-based; once committed you’ll need to reboot the device for the change to take effect. When the SRX has finished booting you can confirm that inet6 is now handled in flow mode (stateful sessions) rather than dropped by using show security flow status:

[email protected]> show security flow status 
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

Now that we know the SRX will actually process IPv6 flows, we can enable it as a DHCPv6 server.

Under the system services dhcp-local-server stanza, the dhcpv6 sub-stanza is where the server is enabled and the interface(s) on which clients will request addresses are set. There are also a few optional overrides; for my example I capped the number of clients per interface at 100 using the interface-client-limit statement (by default there is no limit on the number of clients that can request an address).

[email protected]# show system services 
dhcp-local-server {
    dhcpv6 {
        overrides {
            interface-client-limit 100;
        }
        group v6 {
            interface vlan.100;
        }
    }
}

Next, under the access address-assignment stanza is where we set the prefix pool that will be advertised to hosts and the IP range within it. Within this stanza you are also able to set other DHCP details such as lease time, grace period and dns-server under dhcp-attributes. The attributes are optional; however they should be looked into and configured according to your own requirements. Lease times are in seconds: the maximum-lease-time of 120 used here makes clients renew every 60 seconds (T1), which is handy for watching the exchange in a lab but far too chatty for production.

[email protected]# show access   
address-assignment {
    pool v6 {
        family inet6 {
            prefix 2001:192:168:1::/64;
            range dhcpv6-range {
                low 2001:192:168:1::200/128;
                high 2001:192:168:1::299/128;
            }
            dhcp-attributes {
                maximum-lease-time 120;
                grace-period 3600;
            }
        }
    }
}

The SRX also needs to send Router Advertisements for our IPv6 prefix on the correct interface. The managed-configuration statement sets the M (managed address configuration) flag in the RA, which tells hosts to obtain their address from DHCPv6. The prefix is still advertised with the autonomous flag on (the default), so hosts that honour it will also form a SLAAC address; the link therefore runs both stateful (DHCPv6) and stateless (SLAAC) assignment. If you want DHCPv6 addresses only, advertise the prefix with the no-autonomous option. Finally, DHCPv6 is traffic to the SRX itself, so it has to be allowed as a host-inbound system service on the zone interface; a normal security policy alone does not cover it.

[email protected]# show protocols 
router-advertisement {
    interface vlan.100 {
        managed-configuration;
        prefix 2001:192:168:1::/64;
    }
}
[email protected]# show security zones
security-zone internal {
    tcp-rst;
    interfaces {
        vlan.100 {
            host-inbound-traffic {
                system-services {
                    dhcpv6;
                }
            }
        }
    }
}

With the SRX configured, we can now check the client side to make sure it is set up for DHCP. On the client, the interface has to be configured to obtain its IPv6 address via DHCP, which is done with an inet6 dhcp stanza in /etc/network/interfaces:

[email protected]:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
{...}
auto eth1
iface eth1 inet dhcp

# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto

auto eth1
iface eth1 inet6 dhcp

Now that we have both the SRX and the client configured, we can bring it all together and run some tests!

Verification Testing

On the client, we request an address from the SRX by running dhclient eth1 -6 -v; the verbose output shows the four-message exchange (Solicit, Advertise, Request, Reply), and ifconfig confirms that an address has been successfully assigned:

[email protected]:~$ sudo dhclient eth1 -6 -v 
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/eth1
Sending on   Socket/eth1
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT:  X-- IA_NA 29:4f:26:c5
XMT:  | X-- Request renew in  +3600
XMT:  | X-- Request rebind in +5400
XMT:  | X-- Request address 2001:192:168:1::111.
XMT:  | | X-- Request preferred in +7200
XMT:  | | X-- Request valid in     +10800
XMT:  | X-- Request address 2001:192:168:1::200.
XMT:  | | X-- Request preferred in +7200
XMT:  | | X-- Request valid in     +10800
XMT: Solicit on eth1, interval 1060ms.
RCV: Advertise message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV:  X-- IA_NA 29:4f:26:c5
RCV:  | X-- starts 1452250973
RCV:  | X-- t1 - renew  +60
RCV:  | X-- t2 - rebind +96
RCV:  | X-- [Options]
RCV:  | | X-- IAADDR 2001:192:168:1::200
RCV:  | | | X-- Preferred lifetime 120.
RCV:  | | | X-- Max lifetime 120.
RCV:  X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
RCV:  Advertisement recorded.
PRC: Selecting best advertised lease.
PRC: Considering best lease.
PRC:  X-- Initial candidate 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32 (s: 153, p: 0).
XMT: Forming Request, 0 ms elapsed.
XMT:  X-- IA_NA 29:4f:26:c5
XMT:  | X-- Requested renew  +3600
XMT:  | X-- Requested rebind +5400
XMT:  | | X-- IAADDR 2001:192:168:1::200
XMT:  | | | X-- Preferred lifetime +7200
XMT:  | | | X-- Max lifetime +7500
XMT:  V IA_NA appended.
XMT: Request on eth1, interval 930ms.
RCV: Reply message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV:  X-- IA_NA 29:4f:26:c5
RCV:  | X-- starts 1452250974
RCV:  | X-- t1 - renew  +60
RCV:  | X-- t2 - rebind +96
RCV:  | X-- [Options]
RCV:  | | X-- IAADDR 2001:192:168:1::200
RCV:  | | | X-- Preferred lifetime 120.
RCV:  | | | X-- Max lifetime 120.
RCV:  X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
PRC: Bound to lease 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38:31.
[email protected]:~$ ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:0c:29:4f:26:c5  
          inet6 addr: fe80::20c:29ff:fe4f:26c5/64 Scope:Link
          inet6 addr: 2001:192:168:1::200/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12342 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11980 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4052626 (4.0 MB)  TX bytes:3303461 (3.3 MB)

Having confirmed that an address from the DHCP pool has been assigned on the client, we can now look at the SRX to see what has happened there!

Firstly, I checked for the session between the client and the SRX by running show security flow session. As the output below shows, and as per RFC 3315, DHCPv6 runs over UDP ports 546 (client) and 547 (server/relay) between link-local addresses. The session is matched by self-traffic-policy because the SRX itself is the endpoint, which is why it is the host-inbound-traffic setting above, not a normal zone-to-zone security policy, that permits it.

[email protected]> show security flow session       
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.1.0.17/46789 --> 10.1.0.158/22;tcp, If: ge-0/0/7.0, Pkts: 5631, Bytes: 416401
  Out: 10.1.0.158/22 --> 10.1.0.17/46789;tcp, If: .local..0, Pkts: 3109, Bytes: 389005

Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 54, Valid
  In: fe80::120e:7eff:fe4e:2e88/547 --> fe80::20c:29ff:fe4f:26c5/546;udp, If: .local..0, Pkts: 2, Bytes: 288
  Out: fe80::20c:29ff:fe4f:26c5/546 --> fe80::120e:7eff:fe4e:2e88/547;udp, If: vlan.100, Pkts: 0, Bytes: 0
Total sessions: 2
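The Solicit/Advertise pair from the dhclient output, encoded and decoded at the wire level, as an added example (Python; not code from the post or from Juniper). It builds the client’s Solicit and the SRX’s Advertise from the values the captured exchange shows (IAID 29:4f:26:c5, client DUID-LLT with time 0x1ddd0462 and MAC 00:0c:29:4f:26:c5, the 18-byte server DUID printed by dhclient, T1 60, T2 96, 120-second lifetimes, address 2001:192:168:1::200) and parses them back, rejecting truncated options the way a server or relay must rather than reading past the buffer. The transaction ID is made up.

```python
"""Minimal DHCPv6 message encoder/decoder (RFC 3315 wire format, now RFC 8415).
Added example, not code from the post or from Juniper. The constants below are taken
from the dhclient output and binding table shown above; the transaction ID is made up."""
import ipaddress
import struct

# Message types (RFC 8415 section 7.3)
SOLICIT, ADVERTISE, REQUEST, RENEW, REBIND, REPLY, RELEASE = 1, 2, 3, 5, 6, 7, 8
# Option codes (RFC 8415 section 21)
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
CLIENT_PORT, SERVER_PORT = 546, 547  # UDP; the Solicit is sent to ff02::1:2


def duid_llt(hw_type, time, mac):
    """DUID-LLT (type 1): type, hardware type, 32-bit time, link-layer address."""
    return struct.pack("!HHI", 1, hw_type, time) + bytes.fromhex(mac.replace(":", ""))


def parse_duid(duid):
    """Decode the three DUID forms (LLT, EN, LL); unknown types are returned raw."""
    dtype = struct.unpack("!H", duid[:2])[0]
    if dtype == 1:
        hw, t = struct.unpack("!HI", duid[2:8])
        return {"type": "LLT", "hw_type": hw, "time": t, "lladdr": duid[8:].hex(":")}
    if dtype == 2:
        return {"type": "EN", "enterprise": struct.unpack("!I", duid[2:6])[0], "identifier": duid[6:]}
    if dtype == 3:
        return {"type": "LL", "hw_type": struct.unpack("!H", duid[2:4])[0], "lladdr": duid[4:].hex(":")}
    return {"type": dtype, "raw": duid[2:]}


def option(code, data):
    """Generic option: 16-bit code, 16-bit length, data."""
    return struct.pack("!HH", code, len(data)) + data


def ia_na(iaid, t1, t2, addrs=()):
    """IA_NA: IAID, T1 (renew), T2 (rebind), then nested IAADDR options
    (address, preferred lifetime, valid lifetime)."""
    body = struct.pack("!III", iaid, t1, t2)
    for addr, preferred, valid in addrs:
        body += option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid))
    return option(OPT_IA_NA, body)


def message(msg_type, xid, options):
    """Header is one byte of message type followed by a 3-byte transaction ID."""
    return struct.pack("!I", (msg_type << 24) | (xid & 0xFFFFFF)) + b"".join(options)


def parse_options(buf):
    """Walk the option list as (name, value) pairs; refuse truncated or trailing bytes."""
    opts = []
    while len(buf) >= 4:
        code, length = struct.unpack("!HH", buf[:4])
        data = buf[4:4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        if code == OPT_IA_NA:
            if len(data) < 12:
                raise ValueError("short IA_NA")
            iaid, t1, t2 = struct.unpack("!III", data[:12])
            opts.append(("IA_NA", {"iaid": iaid, "t1": t1, "t2": t2, "options": parse_options(data[12:])}))
        elif code == OPT_IAADDR:
            if len(data) < 24:
                raise ValueError("short IAADDR")
            preferred, valid = struct.unpack("!II", data[16:24])
            opts.append(("IAADDR", {"address": str(ipaddress.IPv6Address(data[:16])),
                                    "preferred": preferred, "valid": valid}))
        elif code in (OPT_CLIENTID, OPT_SERVERID):
            opts.append(("CLIENTID" if code == OPT_CLIENTID else "SERVERID", parse_duid(data)))
        else:
            opts.append((code, data))
        buf = buf[4 + length:]
    if buf:
        raise ValueError("%d trailing bytes after last option" % len(buf))
    return opts


def parse_message(pkt):
    """Split a UDP payload into message type, transaction ID and option list."""
    if len(pkt) < 4:
        raise ValueError("short DHCPv6 message")
    head = struct.unpack("!I", pkt[:4])[0]
    return {"type": head >> 24, "xid": head & 0xFFFFFF, "options": parse_options(pkt[4:])}


# Values from the captured exchange
CLIENT_DUID = duid_llt(1, 0x1DDD0462, "00:0c:29:4f:26:c5")  # LL_TIME0x1-0x1ddd0462-00:0c:29:4f:26:c5
SERVER_DUID = bytes.fromhex("000200000583434634373133414b30323831")  # as printed by dhclient
IAID = 0x294F26C5  # dhclient's IA_NA 29:4f:26:c5


def captured_exchange(xid=0x5A5A5A):
    """Client Solicit (asking for renew 3600/rebind 5400) and the SRX's Advertise
    (T1 60, T2 96, ::200 with 120-second lifetimes), as raw UDP payloads."""
    solicit = message(SOLICIT, xid, [option(OPT_CLIENTID, CLIENT_DUID), ia_na(IAID, 3600, 5400)])
    advertise = message(ADVERTISE, xid, [option(OPT_SERVERID, SERVER_DUID),
                                         option(OPT_CLIENTID, CLIENT_DUID),
                                         ia_na(IAID, 60, 96, [("2001:192:168:1::200", 120, 120)])])
    return solicit, advertise
```

Parsing the Advertise back gives the same T1/T2 and lifetimes that dhclient printed, and the server DUID decodes as a type 2 (enterprise) DUID whose identifier is the twelve ASCII bytes at the end of the string dhclient showed.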

For the local server there are two main show commands, for v4 as well as v6 (show dhcp server ... for the former): show dhcpv6 server binding and show dhcpv6 server statistics.

  • show dhcpv6 server binding lists each lease: the assigned prefix, session ID, seconds until expiry, state, interface and the client’s DUID (a DUID-LLT here, which embeds the client’s MAC address).
  • show dhcpv6 server statistics, as the name suggests, gives counts of the messages sent and received between the server and clients, plus any packets dropped.
[email protected]> show dhcpv6 server binding        
Prefix                  Session Id  Expires  State    Interface    Client DUID
2001:192:168:1::200/128 2           74       BOUND    vlan.100     LL_TIME0x1-0x1ddd0462-00:0c:29:4f:26:c5
[email protected]> show dhcpv6 server statistics 
Dhcpv6 Packets dropped:
    Total               0

Messages received:
    DHCPV6_DECLINE             0
    DHCPV6_SOLICIT             1
    DHCPV6_INFORMATION_REQUEST 0
    DHCPV6_RELEASE             0
    DHCPV6_REQUEST             1
    DHCPV6_CONFIRM             0
    DHCPV6_RENEW               0
    DHCPV6_REBIND              0
    DHCPV6_RELAY_FORW          0
    DHCPV6_RELAY_REPL          0

Messages sent:
    DHCPV6_ADVERTISE           1
    DHCPV6_REPLY               1
    DHCPV6_RECONFIGURE         0
    DHCPV6_RELAY_REPL          0

For completeness, I had the client release the assigned address and checked the statistics again to make sure the counters moved. RELEASE went to 1, and RENEW also shows 1: with a 120-second lease the client’s T1 was 60 seconds, so it had already renewed once before I released, which is also why REPLY is now 3 (Request, Renew and Release each got one).

[email protected]:~$ sudo dhclient -6 -v -r eth1
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/eth1
Sending on   Socket/eth1
XMT: Forming Release, 0 ms elapsed.
XMT:  X-- IA_NA 29:4f:26:c5
XMT:  | X-- Release Address 2001:192:168:1::200
XMT:  V IA_NA appended.
XMT: Release on eth1, interval 1070ms.
RCV: Reply message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV:  X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
[email protected]> show dhcpv6 server statistics    
Dhcpv6 Packets dropped:
    Total               0

Messages received:
    DHCPV6_DECLINE             0
    DHCPV6_SOLICIT             1
    DHCPV6_INFORMATION_REQUEST 0
    DHCPV6_RELEASE             1
    DHCPV6_REQUEST             1
    DHCPV6_CONFIRM             0
    DHCPV6_RENEW               1
    DHCPV6_REBIND              0
    DHCPV6_RELAY_FORW          0
    DHCPV6_RELAY_REPL          0

Messages sent:
    DHCPV6_ADVERTISE           1
    DHCPV6_REPLY               3
    DHCPV6_RECONFIGURE         0
    DHCPV6_RELAY_REPL          0

And with that, a DHCPv6 server has been configured on a Juniper SRX series router!

I’ve included the useful show commands and the set commands that I used in my example below 🙂

Operational Commands
show security flow session
show dhcpv6 server binding
show dhcpv6 server statistics
clear dhcpv6 server binding
clear dhcpv6 server statistics

Set Commands
set security forwarding-options family inet6 mode flow-based

set system services dhcp-local-server dhcpv6 overrides interface-client-limit 100
set system services dhcp-local-server dhcpv6 group v6 interface vlan.100

set protocols router-advertisement interface vlan.100 managed-configuration
set protocols router-advertisement interface vlan.100 prefix 2001:192:168:1::/64

set access address-assignment pool v6 family inet6 prefix 2001:192:168:1::/64
set access address-assignment pool v6 family inet6 range dhcpv6-range low 2001:192:168:1::200/128
set access address-assignment pool v6 family inet6 range dhcpv6-range high 2001:192:168:1::299/128
set access address-assignment pool v6 family inet6 dhcp-attributes maximum-lease-time 120
set access address-assignment pool v6 family inet6 dhcp-attributes grace-period 3600

set security zones security-zone internal interfaces vlan.100 host-inbound-traffic system-services dhcpv6

More in-depth detailed information can be found on Juniper’s TechLibrary pages


IPv6 and Junos – Firewall Filter (ACLs)

Reading Time: 4 minutes

For IPv6 testing I’ve been asked to do one of the more noddy things: test firewall filters. These are stateless firewall filters, what Cisco calls Access Control Lists (ACLs). Unlike a stateful firewall, a stateless filter does not inspect traffic flows or patterns and keeps no record of network connections such as TCP streams or UDP exchanges. Instead, it evaluates each packet statically against a set of packet-matching rules that either permit or deny packets transiting the switch.

A firewall filter (ACL) is an important feature for a switch to have, as it provides some (although limited) protection for the devices and hosts directly connected to it. I said this was one of the more noddy things because there is only one difference between creating a firewall filter for IPv4 and for IPv6. However, as they say, better safe than sorry! With all that said and done, this post shows how to configure and implement a stateless firewall filter in Junos.

Let’s get cracking 🙂

I had a pretty simple topology: a Juniper EX4200 switch configured with two Layer-3 VLANs, and two Ubuntu 14.04 LTS ESXi hosts; one host is configured as a web server (km-vm1) and the other as a client trying to reach the server (km-vm3).

Firewall Filter Topology

Firstly, I confirmed that all of the physical and logical connections were as expected, by running show ipv6 neighbors and show lldp neighbors:

[email protected]> show ipv6 neighbors 
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
2001:123:212:1::2            00:0c:29:fc:d5:de  stale       202 no  no      vlan.300       
2001:192:168:2::2            00:0c:29:4f:26:c5  stale       1197 no no      vlan.200
[email protected]> show lldp neighbors 
Local Interface    Parent Interface    Chassis Id          Port info          System Name
ge-0/0/0.0         -                   00:0c:29:4f:26:bb   eth1               km-vm1                          
xe-0/1/0.0         -                   00:0c:29:fc:d5:d4   eth1               km-vm3

The goal of this test is to ensure that KM-VM3 can ONLY reach KM-VM1 on TCP ports 80 and 443, the well-known IANA-assigned ports for unencrypted (HTTP) and encrypted (HTTPS) web traffic, plus the ICMPv6 traffic needed for ping and for the link to function.

Before configuring the firewall filter I wanted to see what was reachable from KM-VM3, so I ran nmap, the open-source network discovery and security auditing tool, to port-scan the web server (by default nmap probes its top 1000 TCP ports, hence the 997 closed ones it does not list). From the output we can see that not only are HTTP and HTTPS accessible, but port 22, Secure Shell (SSH), is open too. As KM-VM1 has no host-level firewalling via iptables, KM-VM3 could be used to attack KM-VM1 over SSH (password guessing, for instance) to gain access to the server, which is never good!

[email protected]:~$ nmap -6 2001:192:168:2::2

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-11 14:17 GMT
Nmap scan report for 2001:192:168:2::2
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
[email protected]:~$ ssh 2001:192:168:2::2
The authenticity of host '2001:192:168:2::2 (2001:192:168:2::2)' can't be established.
ECDSA key fingerprint is e3:e3:f7:91:c0:30:a3:02:f9:1f:fd:aa:b7:0d:9c:9d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '2001:192:168:2::2' (ECDSA) to the list of known hosts.
[email protected]:192:168:2::2's password:

With that security risk in mind, let’s add a firewall filter that will only allow access to ports 80 and 443 and the ICMPv6 types we need. I created a prefix-list, webservers, listing the prefixes (IP addresses) of the web servers. Although in this example there is only one prefix, I was always taught to use prefix-lists for ease of configuration; they also mean the filter itself does not change when servers are added. This is configured under the edit policy-options prefix-list stanza:

[email protected]# show policy-options       
prefix-list webservers {
    2001:192:168:2::2/128;
}

Now, the filter lives under the firewall family inet6 filter stanza (firewall family inet filter for an IPv4 filter). You can name your filter anything up to 64 characters; names containing spaces must be quoted with ” ” marks. The same goes for the rules, which Junos calls terms. A filter must have at least one term, and each term consists of an optional from clause, the match conditions (a term with no from clause matches every packet), and a then clause, the action, such as accept, discard, count or log (a term with no then clause accepts by default).

As you can see below, the Firewall Filter is named ALLOW-HTTP/HTTPS and has 3 terms:

{master:0}[edit firewall family inet6 filter ALLOW-HTTP/HTTPS]
[email protected]# show 
term allow-http/https {
    from {
        source-address {
            ::/0;
        }
        destination-prefix-list {
            webservers;
        }
        destination-port [ 80 443 ];
    }
    then accept;
}
term allow-icmp {
    from {
        icmp-type [ echo-reply echo-request neighbor-advertisement packet-too-big destination-unreachable neighbor-solicit ];
    }
    then accept;
}
term deny-all {
    then {
        count deny-all;
        log;
        discard;
    }
}

Let’s break down each aspect of this Firewall Filter:

  • The first term allow-http/https matches packets from source-address ::/0 (any IPv6 address) to the destination prefix-list webservers on destination ports 80 and 443 (HTTP and HTTPS) and accepts them. Note that the term matches on destination-port alone; without next-header tcp it also accepts UDP datagrams to those ports, so adding next-header tcp to the from clause is worth doing.
  • The second term allow-icmp lists the ICMPv6 types I want allowed and accepts them. neighbor-solicit and neighbor-advertisement must be in that list or Neighbor Discovery (the IPv6 equivalent of ARP) breaks through the filter, and packet-too-big is what path MTU discovery relies on. Pairing icmp-type with next-header icmp6 makes this match unambiguous, for the same reason as above.
  • The final term deny-all has no from clause, so it matches everything left over, counts it under deny-all, logs it and discards it. discard silently drops the packet without sending an ICMP error back to the sender (reject would send one).
Note
With Junos, it is important to remember when creating a Firewall Filter:

  • Terms are evaluated top-down, so the order of your rules is very significant: once a term has matched, any terms below it WILL NOT be checked.
  • Just like Cisco ACLs, Junos firewall filters end with an implicit deny: any packet that matches no term is dropped automatically. Even so, it is best practice to add an explicit deny-all term at the end of any filter or ACL, not least so that the drops can be counted and logged.
  • An input filter on a Layer-3 VLAN interface (RVI) also evaluates traffic addressed to the switch itself, so it governs things like router solicitations or DHCPv6 requests from the hosts behind it; allow those explicitly if you rely on them.
  • Finally, you can have only one input and one output filter per interface, though as many terms as you like. You can find all the guidelines that come with firewall filters on Juniper’s TechLibrary page.
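As an added example (Python; not Junos code, and not from the post), a small model of the first-match evaluation the switch performs, with the three terms above encoded as data. It is there to make two things visible before committing such a filter: the allow-http/https term as written matches on destination-port only, so a UDP datagram to port 443 on the web server is also accepted (the HARDENED variant adds next-header tcp), and anything not explicitly listed, a router solicitation for instance, falls through to deny-all or, without that term, to the implicit deny. The model assumes icmp-type only matches ICMPv6 packets; the sample packets are constructed.

```python
"""First-match model of the ALLOW-HTTP/HTTPS filter above.
Added example, not Junos code and not from the post. The terms are encoded as data and
walked top-down exactly as the switch walks them; sample packets are constructed.
Model assumptions: icmp-type only matches ICMPv6 packets, and a term with no
conditions matches everything."""
import ipaddress


def pkt(src, dst, next_header, dport=None, icmp_type=None):
    """The header fields the model looks at; everything else is ignored."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "next_header": next_header, "dport": dport, "icmp_type": icmp_type}


def term(name, action, **match):
    """name, action ('accept' or 'discard') and the from-clause conditions."""
    return {"name": name, "action": action, "match": match}


def matches(cond, p):
    """Conditions within a term are ANDed; the values inside one condition are ORed."""
    for key, want in cond.items():
        if key == "source_address":
            if not any(p["src"] in ipaddress.ip_network(n) for n in want):
                return False
        elif key == "destination_prefix_list":
            if not any(p["dst"] in ipaddress.ip_network(n) for n in want):
                return False
        elif key == "next_header":
            if p["next_header"] != want:
                return False
        elif key == "destination_port":
            if p["dport"] not in want:
                return False
        elif key == "icmp_type":
            if p["next_header"] != "icmpv6" or p["icmp_type"] not in want:
                return False
        else:
            raise ValueError("unsupported match condition %s" % key)
    return True


def evaluate(filter_terms, p):
    """First matching term decides; with no match the implicit deny discards the packet."""
    for t in filter_terms:
        if matches(t["match"], p):
            return t["name"], t["action"]
    return "implicit-deny", "discard"


WEBSERVERS = ["2001:192:168:2::2/128"]
ICMP_ALLOWED = ["echo-reply", "echo-request", "neighbor-advertisement",
                "packet-too-big", "destination-unreachable", "neighbor-solicit"]

# The filter as committed in the post
AS_POSTED = [
    term("allow-http/https", "accept", source_address=["::/0"],
         destination_prefix_list=WEBSERVERS, destination_port=[80, 443]),
    term("allow-icmp", "accept", icmp_type=ICMP_ALLOWED),
    term("deny-all", "discard"),
]

# The same filter with the first term pinned to TCP (next-header tcp)
HARDENED = [term("allow-http/https", "accept", source_address=["::/0"],
                 destination_prefix_list=WEBSERVERS, next_header="tcp",
                 destination_port=[80, 443])] + AS_POSTED[1:]

CLIENT, SERVER = "2001:123:212:1::2", "2001:192:168:2::2"  # km-vm3 and km-vm1
SAMPLES = {
    "https": pkt(CLIENT, SERVER, "tcp", dport=443),
    "ssh": pkt(CLIENT, SERVER, "tcp", dport=22),
    "udp443": pkt(CLIENT, SERVER, "udp", dport=443),  # port 443, but not HTTPS
    "ping": pkt(CLIENT, SERVER, "icmpv6", icmp_type="echo-request"),
    "rs": pkt("fe80::1", "ff02::2", "icmpv6", icmp_type="router-solicit"),
    "other_host": pkt(CLIENT, "2001:192:168:2::9", "tcp", dport=443),
}


def run(filter_terms):
    """Map each sample packet to the (term, action) that decided it."""
    return {name: evaluate(filter_terms, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, f in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, run(f))
```

Running it shows udp443 accepted by the posted filter and discarded by the hardened one, while https, ssh, ping and the router solicitation land where the breakdown above says they should.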

Having created the filter, it is applied as an input filter, since it evaluates traffic entering the switch on the interface. It is placed on the client-facing interface, vlan.300 in this example, where KM-VM3 lives. This is because with any filter, ACL or firewall policy you want to stop unwanted traffic as close to its source as possible, which is normally the edge of your network.

So under interface vlan unit 300 family inet6 filter stanza the Firewall Filter is placed as an input filter:

{master:0}[edit interfaces vlan unit 300]
[email protected]# show 
family inet6 {
    filter {
        input ALLOW-HTTP/HTTPS;
    }
    address 2001:123:212:1::1/64;
}

Having committed the configuration, if we go back onto KM-VM3 and test again we can see the effect of the firewall filter. When the port scan is re-run, only ports 80 and 443 are in an OPEN state, SSH port 22 isn’t shown at all, and we are still able to ping. Notice that nmap now reports the remaining ports as filtered rather than closed: discard drops the probes without a TCP RST or ICMP error, which is also why the SSH attempt simply hangs until interrupted instead of being refused. That is the filter working as expected.

[email protected]:~$ nmap -6 2001:192:168:2::2

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-11 15:30 GMT
Nmap scan report for 2001:192:168:2::2
Host is up (0.00072s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
[email protected]:~$ ping6 2001:192:168:2::2
PING 2001:192:168:2::2(2001:192:168:2::2) 56 data bytes
9 packets transmitted, 9 received, 0% packet loss, time 7999ms
rtt min/avg/max/mdev = 0.464/0.545/0.662/0.066 ms
[email protected]:~$ ssh 2001:192:168:2::2
^C

For further verification, we can check the counter that was set under the deny-all term to see how many packets have been dropped. By running the command show firewall counter filter ALLOW-HTTP/HTTPS deny-all we’re able to see the counters at that time.

[email protected]> show firewall counter filter ALLOW-HTTP/HTTPS deny-all 

Filter: ALLOW-HTTP/HTTPS                                       
Counters:
Name                                                Bytes              Packets
deny-all                                              490                    5

As I said at the start of this post, applying a firewall filter is exactly the same in the IPv6 world as it is in IPv4, with the one exception of where it is defined and applied: family inet6 instead of family inet. Firewall filters are extremely important in protecting hosts and devices connected to the switch when a stateful firewall such as a Juniper SRX or Cisco ASA isn’t suitable or available in your network design; they cannot replace one, though, since they never track connection state.


IPv6 and Junos – Stateless Address Autoconfiguration (SLAAC)

Reading Time: 3 minutes

From my research and testing, I’ve noticed there are a few ways you can assign IPv6 addresses to hosts. Essentially you have three methods: manually setting a static IP address, stateful dynamic address allocation via a DHCPv6 server, or stateless dynamic address allocation. The first two methods are pretty standard, as addressing with IPv4 is done this way; however, the last method is new with IPv6 and is known as Stateless Address Autoconfiguration (SLAAC). SLAAC, as its name suggests, allows a host to configure itself without any manual intervention.

RFC4862 describe the SLAAC as

The IPv6 stateless autoconfiguration mechanism requires no manual configuration of hosts, minimal (if any) configuration of routers, and no additional servers. The stateless mechanism allows a host to generate its own addresses using a combination of locally available information and information advertised by routers. Routers advertise prefixes that identify the subnet(s) associated with a link, while hosts generate an “interface identifier” that uniquely identifies an interface on a subnet. An address is formed by combining the two. In the absence of routers, a host can only generate link-local addresses. However, link-local addresses are sufficient for allowing communication among nodes attached to the same link.

In essence, SLAAC builds the full 128-bit IPv6 address from two halves: the 64-bit prefix advertised by the router, and a 64-bit interface identifier that the host generates itself, in this case using the EUI-64 process.

Note
The EUI-64 process in a nutshell extends the 48-bit MAC address into a 64-bit value. The MAC is split into two 24-bit halves, the 16-bit value 0xFFFE is inserted in the middle, and then the universal/local bit (bit 7 of the first octet, i.e. XOR 0x02) is flipped. That flip is why 00:0c:29:4f:26:c5 appears as 20c:29ff:fe4f:26c5 in the ifconfig output further down.
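The EUI-64 derivation worked through in code, as an added example (Python; not from the post). It takes the post’s MAC 00:0c:29:4f:26:c5 and prefix 2001:192:168:2::/64 and reproduces both the global and link-local addresses seen in the ifconfig output further down, and goes the other way as well: given an address, it recovers the MAC if the interface identifier is EUI-64 based, or reports that it is not (a privacy or otherwise random identifier). The helper names are this example’s own.

```python
"""EUI-64 interface identifier as used by SLAAC (RFC 4291 appendix A).
Added example, not from the post. Uses the post's MAC 00:0c:29:4f:26:c5 and
prefix 2001:192:168:2::/64; the helper names are this example's own."""
import ipaddress


def eui64_iid(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (8 bytes).
    Split the MAC in two, insert 0xFFFE in the middle, then flip the
    universal/local bit of the first octet (00:0c:29... becomes 02:0c:29...)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Combine the /64 prefix carried in a Router Advertisement with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def link_local_address(mac):
    """The fe80::/64 address a host forms before it has heard any router."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64(addr):
    """Reverse the process: the MAC if the identifier looks EUI-64 derived
    (ff:fe in the middle), otherwise None (privacy or random identifier)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join("%02x" % b for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:0c:29:4f:26:c5"
    print(slaac_address("2001:192:168:2::/64", mac), link_local_address(mac))
    print(mac_from_eui64("2001:192:168:2:20c:29ff:fe4f:26c5"), mac_from_eui64("2001:192:168:1::200"))
```

The second call of mac_from_eui64 returns None for the DHCPv6-assigned ::200 address from the earlier post, which is the distinction the closing paragraph of this post relies on: only EUI-64 identifiers carry the MAC.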

Configuring SLAAC

Enabling SLAAC with Junos is pretty straightforward. For my example, I’ve got an EX4200 connected to an Ubuntu 14.04LTS ESXi host in Vlan 200.

Before configuring the switch, the host’s interface has to be set to auto:

[email protected]:~$ cat /etc/network/interfaces
{...}
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto

auto eth1
iface eth1 inet6 auto

Once that’s done, to make sure no address was learnt as I configured the switch, the interface was disabled using ifdown.

On the switch, under the protocols router-advertisement stanza, the interface and the prefix (the first 64 bits) to be advertised need to be set. Additionally, I enabled a traceoption to see the process from the switch’s perspective.

{master:0}[edit]
[email protected]# show interfaces vlan unit 200 
family inet6 {
    address 2001:192:168:2::1/64;
}
{master:0}[edit protocols router-advertisement]
[email protected]# show 
traceoptions {
    file RA.log;
    flag all;
}
interface vlan.200 {
    prefix 2001:192:168:2::/64;
}

Verification

With that SLAAC has been enabled, simple isn’t it 🙂

Now, back on the host, I re-enabled the interface using ifup. By using ifconfig we can see that the IPv6 address has been auto configured onto the host.

[email protected]:~$ ifconfig -a eth1
eth1      Link encap:Ethernet  HWaddr 00:0c:29:4f:26:c5  
          inet addr:192.31.1.2  Bcast:192.31.1.255  Mask:255.255.255.0
          inet6 addr: 2001:192:168:2:20c:29ff:fe4f:26c5/64 Scope:Global
          inet6 addr: fe80::20c:29ff:fe4f:26c5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:563 (563.0 B)  TX bytes:2334 (2.3 KB)

By looking closer at the ifconfig output, we can see how the EUI-64 process has been used to allocate the IPv6 address, as well as its link-local address:

eth1      Link encap:Ethernet  HWaddr 00:0c:29:4f:26:c5  
          inet6 addr: 2001:192:168:2:20c:29ff:fe4f:26c5/64 Scope:Global
          inet6 addr: fe80::20c:29ff:fe4f:26c5/64 Scope:Link

On the switch, show ipv6 neighbors shows the host’s link-local and SLAAC-allocated addresses, both learnt through the Neighbor Discovery Protocol (NDP), and show ipv6 router-advertisement shows how many RAs and RSs the switch has sent and received.

{master:0}
[email protected]> show ipv6 neighbors 
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
2001:192:168:2:20c:29ff:fe4f:26c5
                             00:0c:29:4f:26:c5  stale       1110 no no      vlan.200    
fe80::20c:29ff:fe4f:26c5     00:0c:29:4f:26:c5  stale       1039 no no      vlan.200
{master:0}
[email protected]> show ipv6 router-advertisement 
Interface: vlan.200
  Advertisements sent: 4, last sent 00:04:45 ago
  Solicits received: 2, last received 00:04:46 ago
  Advertisements received: 0

Looking further at the traceoptions, we can see the host send a Router Solicitation (RS) from its link-local address to ff02::2, asking for routers (in this case the switch) on the link. The switch replies with a Router Advertisement (RA) to ff02::1, announcing its presence along with the link prefix, MTU and hop limit.

{Apr  7 06:29:13.002388 background dispatch running job ipv6_ra_delete_interface_config_job for task Router-Advertisement
Apr  7 06:29:13.002436 task_job_delete: delete background job ipv6_ra_delete_interface_config_job for task Router-Advertisement
Apr  7 06:29:13.002473 background dispatch completed job ipv6_ra_delete_interface_config_job for task Router-Advertisement
Apr  7 06:29:48.645889 ipv6_ra_receive_solicit: received solicit from fe80::20c:29ff:fe4f:26c5
Apr  7 06:29:48.646013 ipv6_ra_receive_solicit: task Router-Advertisement src fe80::20c:29ff:fe4f:26c5 dst ff02::2 hdr 0x26fc000 count 16 intf 0x283c0e8
Apr  7 06:29:48.646086 task_timer_reset: reset Router-Advertisement_ipv6ra
Apr  7 06:29:48.646137 task_timer_set_oneshot_latest: timer Router-Advertisement_ipv6ra interval set to 0.426219
Apr  7 06:29:49.073743 task_job_create_foreground: create job ipv6 ra for task Router-Advertisement
Apr  7 06:29:49.073857 foreground dispatch running job ipv6 ra for task Router-Advertisement
Apr  7 06:29:49.073978 ipv6_ra_send_advertisement: sending advertisement for ifl 73 to ff02::1
Apr  7 06:29:49.074018 (519322) sending advertisement for ifl 73
Apr  7 06:29:49.074106 	ifa 0x28383f0 2001:192:168:2::1/64
Apr  7 06:29:49.074942 	--> sent 56 bytes
Note
ff02::1 and ff02::2 are well-known IPv6 multicast addresses: ff02::2 is the all-routers group, which a host sends its RS to, and ff02::1 is the all-nodes group, which the router sends its RA to. Although this process is often compared to the IPv4 broadcast address 255.255.255.255, it is important to remember that IPv6 has no broadcast at all; multicast groups take its place.

SLAAC is a really useful way of easily enabling IPv6 across your network and letting hosts and devices configure themselves. And where hosts use the EUI-64 identifier, as here, a record of each device’s MAC address tells you which address belongs to which device; be aware, though, that hosts using privacy extensions (RFC 4941) or stable opaque identifiers (RFC 7217) do not embed the MAC, so that mapping cannot be relied on in general. Of course, there will be situations where static or DHCP addressing is more suitable; however, if you need to enable IPv6 on your network quickly, SLAAC is the way to go!


Adding a Default & Static Route Ubuntu

Reading Time: 2 minutes

I’m doing some testing with some Ubuntu servers and I wasn’t able to ping across from another server I’ve got. I checked the network and it was fine, so I checked the server and saw that the routing on the server was acting unexpectedly :/

I checked the network file /etc/network/interfaces and that was fine:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.31.3.2
netmask 255.255.255.0
gateway 192.31.3.1

However, when I checked the routing table, the default gateway was via the management subnet (eth0 is on DHCP, and its lease supplies a default route):

[email protected]:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.31.3.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1

[email protected]:~$ ip route 
default via 10.1.0.1 dev eth0 
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.140 
192.31.3.0/24 dev eth1  proto kernel  scope link  src 192.31.3.2

I needed to change this so that the default gateway is 192.31.3.1. Firstly, I had to remove the current default route:

[email protected]:~$ sudo route del default

Verified that the route was removed, using ip route

[email protected]:~$ ip route
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.140 
192.31.3.0/24 via 192.31.3.1 dev eth1 
192.31.3.0/24 dev eth1  proto kernel  scope link  src 192.31.3.2

To add the new default route, run route add default gw {IP address}. Bear in mind that route (and ip route) only change the running kernel table: after a reboot the DHCP client on eth0 will install its default route again, so for a persistent fix either configure that client not to take a default route or give eth0 a static address without a gateway.

[email protected]:~$ sudo route add default gw 192.31.3.1

Then verified with ip route again

[email protected]:~$ ip route 
default via 192.31.3.1 dev eth1 
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.140 
192.31.3.0/24 via 192.31.3.1 dev eth1 
192.31.3.0/24 dev eth1  proto kernel  scope link  src 192.31.3.2

Now when I ran mtr to my other test server, routing worked as expected 🙂

                            My traceroute  [v0.85]
km-vm3 (0.0.0.0)                                       Mon Aug  3 10:37:15 2015
Resolver: Received error response 2. (server failure)
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.31.3.1                        0.0%     9    1.0   0.9   0.8   1.0   0.0
 2. 172.31.1.2                        0.0%     9    0.9   1.0   0.9   1.1   0.0
 3. 192.31.1.2                        0.0%     9    0.7   0.5   0.4   0.7   0.0

Throughout the troubleshooting (as I’m not a server man!) I also figured out how to add a static route. This is done with the command: route add -net [subnet/mask] gw [IP address] dev [interface]

[email protected]:~$ sudo route add -net 192.31.3.0/24 gw 192.31.3.1 dev eth1

As you can see, the static route was added:

[email protected]:~$ ip route
default via 10.1.0.1 dev eth0 
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.140 
192.31.3.0/24 via 192.31.3.1 dev eth1 
192.31.3.0/24 dev eth1  proto kernel  scope link  src 192.31.3.2

Although this didn’t fix my issue (192.31.3.0/24 is directly connected on eth1, so a route for it via 192.31.3.1 changes nothing; the missing piece was the default route), it was a useful thing to come across as it could be helpful in the future!!
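A longest-prefix-match lookup over the two routing tables shown in this post, as an added example (Python; not from the post) of why the ping failed: with only the management default route, anything outside the two connected subnets, such as 192.31.1.2 at the end of the mtr above, left via eth0 and 10.1.0.1; after the change it leaves via eth1 and 192.31.3.1. It also shows that the extra 192.31.3.0/24 via 192.31.3.1 route has the same prefix as the connected route and so never moves traffic to a different interface. Both tables are copied from the post’s ip route output; the tie-break between identical prefixes is this model’s rule, not a guarantee about what the kernel does.

```python
"""Longest-prefix-match lookup over 'ip route' output.
Added example, not from the post. BEFORE and AFTER are the tables the post shows
before and after the default route was changed."""
import ipaddress


def parse_ip_route(text):
    """Turn 'ip route' output lines into {dst, via, dev, metric} entries."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0], strict=False)
        via = dev = None
        metric = 0
        for i, f in enumerate(fields[1:], 1):
            if f == "via":
                via = ipaddress.ip_address(fields[i + 1])
            elif f == "dev":
                dev = fields[i + 1]
            elif f == "metric":
                metric = int(fields[i + 1])
        routes.append({"dst": dst, "via": via, "dev": dev, "metric": metric})
    return routes


def lookup(dest, routes):
    """Most specific prefix wins; on a tie the lower metric; on a full tie the
    first listed entry is kept (this model's rule, not a kernel guarantee)."""
    dest = ipaddress.ip_address(dest)
    best = None
    for r in routes:
        if dest not in r["dst"]:
            continue
        if best is None or r["dst"].prefixlen > best["dst"].prefixlen or (
                r["dst"].prefixlen == best["dst"].prefixlen and r["metric"] < best["metric"]):
            best = r
    return best


def next_hop(dest, table_text):
    """(gateway or 'connected', interface) for dest, or None if nothing matches."""
    r = lookup(dest, parse_ip_route(table_text))
    if r is None:
        return None
    return (str(r["via"]) if r["via"] else "connected", r["dev"])


# Tables from the post
BEFORE = """
default via 10.1.0.1 dev eth0
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.140
192.31.3.0/24 dev eth1  proto kernel  scope link  src 192.31.3.2
"""

AFTER = """
default via 192.31.3.1 dev eth1
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.140
192.31.3.0/24 via 192.31.3.1 dev eth1
192.31.3.0/24 dev eth1  proto kernel  scope link  src 192.31.3.2
"""

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, next_hop("192.31.1.2", table), next_hop("192.31.3.7", table))
```

Feed it the output of ip route from any box with more than one interface and a destination you cannot reach; the entry it returns is the one to look at.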
