IPv6 and Junos - Stateful Auto-configuration with DHCPv6
As part of my ongoing IPv6 testing, I was asked to look into stateful auto-configuration for devices and hosts using DHCPv6. I had already looked into Stateless Address Autoconfiguration (SLAAC) and into another method of providing stateful auto-configuration using a dual-stacked DHCP server. This time I'll be looking at how this can be done using Juniper hardware, specifically Juniper SRX series routers. If you haven't used DHCP before, my other DHCP-related post explained what DHCP is and how DHCPv6 communication differs slightly from DHCPv4. With that in mind, I won't go over what DHCP is again; instead I'll go straight into the good stuff!
Let's get cracking :D
For this test I had a simple topology: a Juniper SRX220 as the DHCP server and a single Ubuntu 14.04 LTS host running on ESXi, connected on port ge-0/0/0, as the client. Note that the configuration below references the Layer 3 VLAN interface vlan.100 rather than the physical port.
Junos Configuration⌗
First, on the SRX, I had to enable IPv6 flow mode. By default IPv6 IS NOT enabled (the inet6 forwarding mode defaults to drop). You enable IPv6 flow mode with set security forwarding-options family inet6 mode flow-based; once committed you'll need to reboot the device for the change to take effect. When the SRX has finished booting you can confirm that IPv6 flows can now be permitted by running show security flow status:
marquk01@v6-testing> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
Now that we know stateful IPv6 flows can actually traverse the SRX, we can enable it as a DHCPv6 server.
Under the system services dhcp-local-server stanza we declare that we're using DHCPv6 and set the interface(s) on which clients will request addresses. There are also a few optional statements. In my example I've capped the number of DHCP clients on the interface at 100 with the interface-client-limit override. By default there is no limit on the number of clients that can request an address, so a single host generating many DUIDs (by accident or on purpose) can drain the whole pool; a per-interface limit is a cheap guard against that kind of pool exhaustion.
marquk01@v6-testing# show system services
dhcp-local-server {
dhcpv6 {
overrides {
interface-client-limit 100;
}
group v6 {
interface vlan.100;
}
}
}
Next, the access address-assignment stanza is where we set the prefix pool that will be advertised to hosts and the address range handed out from it. Within this stanza you can also set other DHCP details such as lease time, grace period and DNS server under dhcp-attributes. The attributes are optional, but look into them and configure them according to your own requirements. The 120-second maximum-lease-time below is deliberately short so the lab client renews within a minute; it is not a production value.
marquk01@v6-testing# show access
address-assignment {
pool v6 {
family inet6 {
prefix 2001:192:168:1::/64;
range dhcpv6-range {
low 2001:192:168:1::200/128;
high 2001:192:168:1::299/128;
}
dhcp-attributes {
maximum-lease-time 120;
grace-period 3600;
}
}
}
}
We also need the SRX to advertise our IPv6 prefix on the correct interface via Router Advertisements. Adding the managed-configuration statement sets the M (Managed address configuration) flag in the RA, which tells hosts to obtain their addresses via DHCPv6. Note that the prefix is still advertised with the autonomous flag set, so SLAAC-capable hosts can additionally self-assign an address from it; if addresses should come only from DHCPv6, add no-autonomous-configuration under the prefix. Finally, for the SRX to accept DHCPv6 requests on that interface, the dhcpv6 system service must be permitted in the interface's security zone under host-inbound-traffic. This is traffic to the SRX itself (it is matched by the self-traffic policy, as the flow session output later shows), not a zone-to-zone security policy.
Protocols Stanza⌗
marquk01@v6-testing# show protocols
router-advertisement {
interface vlan.100 {
managed-configuration;
prefix 2001:192:168:1::/64;
}
}
Security Zone Stanza⌗
marquk01@v6-testing# show security zones
security-zone internal {
tcp-rst;
interfaces {
vlan.100 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
}
}
With the SRX configured, we can now check the client side to make sure it's set up for DHCP. On the client, the interface has to request its address via DHCPv6; on Ubuntu 14.04 this is done with an inet6 dhcp stanza in /etc/network/interfaces.
marquk01@km-vm1:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
{...}
auto eth1
iface eth1 inet dhcp
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto
auto eth1
iface eth1 inet6 dhcp
Now that we have both the SRX and the client configured, we can bring it all together and run some tests!
Verification Testing⌗
On the client, we request an address from the SRX by running sudo dhclient -6 -v eth1, and confirm that an address has been successfully assigned by running ifconfig eth1.
Requesting an address⌗
marquk01@km-vm1:~$ sudo dhclient eth1 -6 -v
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Bound to *:546
Listening on Socket/eth1
Sending on Socket/eth1
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT: X-- IA_NA 29:4f:26:c5
XMT: | X-- Request renew in +3600
XMT: | X-- Request rebind in +5400
XMT: | X-- Request address 2001:192:168:1::111.
XMT: | | X-- Request preferred in +7200
XMT: | | X-- Request valid in +10800
XMT: | X-- Request address 2001:192:168:1::200.
XMT: | | X-- Request preferred in +7200
XMT: | | X-- Request valid in +10800
XMT: Solicit on eth1, interval 1060ms.
RCV: Advertise message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV: X-- IA_NA 29:4f:26:c5
RCV: | X-- starts 1452250973
RCV: | X-- t1 - renew +60
RCV: | X-- t2 - rebind +96
RCV: | X-- [Options]
RCV: | | X-- IAADDR 2001:192:168:1::200
RCV: | | | X-- Preferred lifetime 120.
RCV: | | | X-- Max lifetime 120.
RCV: X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
RCV: Advertisement recorded.
PRC: Selecting best advertised lease.
PRC: Considering best lease.
PRC: X-- Initial candidate 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32 (s: 153, p: 0).
XMT: Forming Request, 0 ms elapsed.
XMT: X-- IA_NA 29:4f:26:c5
XMT: | X-- Requested renew +3600
XMT: | X-- Requested rebind +5400
XMT: | | X-- IAADDR 2001:192:168:1::200
XMT: | | | X-- Preferred lifetime +7200
XMT: | | | X-- Max lifetime +7500
XMT: V IA_NA appended.
XMT: Request on eth1, interval 930ms.
RCV: Reply message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV: X-- IA_NA 29:4f:26:c5
RCV: | X-- starts 1452250974
RCV: | X-- t1 - renew +60
RCV: | X-- t2 - rebind +96
RCV: | X-- [Options]
RCV: | | X-- IAADDR 2001:192:168:1::200
RCV: | | | X-- Preferred lifetime 120.
RCV: | | | X-- Max lifetime 120.
RCV: X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
PRC: Bound to lease 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38:31.
ifconfig eth1⌗
marquk01@km-vm1:~$ ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0c:29:4f:26:c5
inet6 addr: fe80::20c:29ff:fe4f:26c5/64 Scope:Link
inet6 addr: 2001:192:168:1::200/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12342 errors:0 dropped:0 overruns:0 frame:0
TX packets:11980 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4052626 (4.0 MB) TX bytes:3303461 (3.3 MB)
Having confirmed that an address from the DHCP pool has been assigned on the client, we can now look at the SRX to see what happened there!
First, I checked for the session between the client and the SRX by running show security flow session. As the output below shows, and as per RFC 3315, DHCPv6 communication uses UDP port 546 on the client and 547 on the server/relay, and runs between link-local addresses (the client has no global address when it solicits, and the server answers to the client's link-local source). The DHCPv6 session is attributed to self-traffic-policy because it terminates on the SRX itself; session 1 is just an SSH connection to the SRX's management address.
marquk01@v6-testing> show security flow session
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 10.1.0.17/46789 --> 10.1.0.158/22;tcp, If: ge-0/0/7.0, Pkts: 5631, Bytes: 416401
Out: 10.1.0.158/22 --> 10.1.0.17/46789;tcp, If: .local..0, Pkts: 3109, Bytes: 389005
Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 54, Valid
In: fe80::120e:7eff:fe4e:2e88/547 --> fe80::20c:29ff:fe4f:26c5/546;udp, If: .local..0, Pkts: 2, Bytes: 288
Out: fe80::20c:29ff:fe4f:26c5/546 --> fe80::120e:7eff:fe4e:2e88/547;udp, If: vlan.100, Pkts: 0, Bytes: 0
Total sessions: 2
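As an added check (example code written for this edit, not from the original post or from Juniper), the following Python parses show security flow session output and flags any session on UDP 546/547 that does not fit the RFC 3315 pattern described above: UDP only, and link-local addresses on both ends (the ff02::1:2 All_DHCP_Relay_Agents_and_Servers group is accepted as a destination). Sessions 1 and 9 are copied from the output above; session 12 is a constructed entry showing a DHCPv6 message from a global source address, which this deployment, with no relay configured, should never see.

```python
"""Audit `show security flow session` output for DHCPv6 sessions that break
the RFC 3315 pattern (UDP 546/547, link-local or ff02::1:2 on both ends).

Added example for this post (not the author's or Juniper's code). Sessions 1
and 9 are copied from the output above; session 12 is constructed.
"""
import ipaddress
import re

DHCPV6_PORTS = {546, 547}
ALL_DHCP_SERVERS = ipaddress.IPv6Address("ff02::1:2")  # All_DHCP_Relay_Agents_and_Servers

SAMPLE_FLOWS = """\
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.1.0.17/46789 --> 10.1.0.158/22;tcp, If: ge-0/0/7.0, Pkts: 5631, Bytes: 416401
  Out: 10.1.0.158/22 --> 10.1.0.17/46789;tcp, If: .local..0, Pkts: 3109, Bytes: 389005
Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 54, Valid
  In: fe80::120e:7eff:fe4e:2e88/547 --> fe80::20c:29ff:fe4f:26c5/546;udp, If: .local..0, Pkts: 2, Bytes: 288
  Out: fe80::20c:29ff:fe4f:26c5/546 --> fe80::120e:7eff:fe4e:2e88/547;udp, If: vlan.100, Pkts: 0, Bytes: 0
Session ID: 12, Policy name: self-traffic-policy/1, Timeout: 54, Valid
  In: 2001:192:168:1::abc/546 --> ff02::1:2/547;udp, If: vlan.100, Pkts: 1, Bytes: 144
  Out: ff02::1:2/547 --> 2001:192:168:1::abc/546;udp, If: .local..0, Pkts: 0, Bytes: 0
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID:\s*(?P<sid>\d+),\s*Policy name:\s*(?P<policy>[^,]+),")
WING_RE = re.compile(
    r"^(?P<dir>In|Out):\s+(?P<src>[^/\s]+)/(?P<sport>\d+)\s+-->\s+"
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+),\s+If:\s+(?P<ifname>[^,]+),"
)


def _ok_endpoint(addr, allow_multicast):
    """Link-local is always fine; the DHCPv6 multicast group only as a destination."""
    if addr.version != 6:
        return False
    if addr.is_link_local:
        return True
    return allow_multicast and addr == ALL_DHCP_SERVERS


def parse_sessions(text):
    """Return {session_id: {"policy": ..., "wings": [dict, ...]}}."""
    sessions, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = int(m.group("sid"))
            sessions[current] = {"policy": m.group("policy"), "wings": []}
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            sessions[current]["wings"].append({
                "dir": m.group("dir"),
                "src": ipaddress.ip_address(m.group("src")),
                "sport": int(m.group("sport")),
                "dst": ipaddress.ip_address(m.group("dst")),
                "dport": int(m.group("dport")),
                "proto": m.group("proto"),
                "ifname": m.group("ifname"),
            })
    return sessions


def audit_dhcpv6_flows(text):
    """List (session_id, reason) for every wing on 546/547 that is not clean DHCPv6."""
    findings = []
    for sid, sess in parse_sessions(text).items():
        for w in sess["wings"]:
            if not ({w["sport"], w["dport"]} & DHCPV6_PORTS):
                continue  # not DHCPv6, e.g. the SSH session
            if w["proto"] != "udp":
                findings.append((sid, f"{w['dir']}: DHCPv6 port over {w['proto']}"))
            if not _ok_endpoint(w["src"], allow_multicast=False):
                findings.append((sid, f"{w['dir']}: non-link-local source {w['src']}"))
            if not _ok_endpoint(w["dst"], allow_multicast=True):
                findings.append((sid, f"{w['dir']}: non-link-local destination {w['dst']}"))
    return findings


if __name__ == "__main__":
    for sid, reason in audit_dhcpv6_flows(SAMPLE_FLOWS):
        print(f"session {sid}: {reason}")
```

Run against the real output (show security flow session | no-more, piped into the script), anything it flags is either a relay you forgot about or a host sending DHCPv6 from a global address, which is worth a look either way.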
The two show commands you'll use with the DHCP server, whether it's v4 or v6, are show dhcpv6 server binding and show dhcpv6 server statistics.
show dhcpv6 server binding lists the addresses assigned to clients: the bound /128 prefix, session ID, remaining lease time, binding state, interface and the client DUID. Here the DUID is of type LL_TIME (DUID-LLT), which embeds the client's MAC address (00:0c:29:4f:26:c5) and a timestamp. Don't treat the DUID as an identity; a client can present any DUID it likes.
marquk01@v6-testing> show dhcpv6 server binding
Prefix Session Id Expires State Interface Client DUID
2001:192:168:1::200/128 2 74 BOUND vlan.100 LL_TIME0x1-0x1ddd0462-00:0c:29:4f:26:c5
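As an added check (example code written for this edit, not from the original post or from Juniper), the following Python ties the binding output above back to the access address-assignment pool configured earlier: it parses each binding line, confirms the bound /128 sits inside both the advertised prefix and the dhcpv6-range, decodes the DUID-LLT into its MAC address and generation time (RFC 3315 counts DUID-LLT time in seconds from 2000-01-01 UTC), and checks that interface-client-limit does not exceed the pool size. The first sample binding is the one shown above; the second is a constructed out-of-range entry so the failure path is visible.

```python
"""Check `show dhcpv6 server binding` output against the configured pool.

Added example for this post (not the author's or Juniper's code). The pool
values mirror the `access address-assignment` stanza above; the second
sample binding is constructed to show what an out-of-range lease looks like.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Pool parameters exactly as configured on the SRX earlier in the post.
POOL_PREFIX = ipaddress.IPv6Network("2001:192:168:1::/64")
POOL_LOW = ipaddress.IPv6Address("2001:192:168:1::200")
POOL_HIGH = ipaddress.IPv6Address("2001:192:168:1::299")
CLIENT_LIMIT = 100  # dhcp-local-server dhcpv6 overrides interface-client-limit

# Constructed sample: line 1 is the binding shown above, line 2 is invented
# (an address inside the /64 but outside the dhcpv6-range).
SAMPLE_BINDINGS = """\
Prefix                   Session Id  Expires  State  Interface  Client DUID
2001:192:168:1::200/128  2           74       BOUND  vlan.100   LL_TIME0x1-0x1ddd0462-00:0c:29:4f:26:c5
2001:192:168:1::abc/128  3           110      BOUND  vlan.100   LL_TIME0x1-0x1ddd0500-00:0c:29:aa:bb:cc
"""

BINDING_RE = re.compile(
    r"^(?P<prefix>[0-9a-fA-F:]+/\d+)\s+(?P<sid>\d+)\s+(?P<expires>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<ifname>\S+)\s+(?P<duid>\S+)$"
)
# DUID-LLT as Junos prints it: LL_TIME<hw-type>-<time>-<link-layer address>
DUID_LLT_RE = re.compile(
    r"^LL_TIME(?P<hwtype>0x[0-9a-f]+)-(?P<time>0x[0-9a-f]+)-(?P<mac>[0-9a-f:]{17})$",
    re.IGNORECASE,
)
# RFC 3315 section 9.2: DUID-LLT time is seconds since 2000-01-01 00:00 UTC.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def pool_size():
    """Addresses between low and high inclusive (hex, so ::200-::299 is 154)."""
    return int(POOL_HIGH) - int(POOL_LOW) + 1


def client_limit_ok():
    """interface-client-limit should not exceed the pool, or the limit never bites."""
    return CLIENT_LIMIT <= pool_size()


def decode_duid_llt(duid):
    """Return hardware type, MAC and generation time from a DUID-LLT string, or None."""
    m = DUID_LLT_RE.match(duid)
    if not m:
        return None
    return {
        "hwtype": int(m.group("hwtype"), 16),
        "mac": m.group("mac").lower(),
        "time": DUID_EPOCH + timedelta(seconds=int(m.group("time"), 16)),
    }


def check_bindings(text):
    """Parse binding lines and report per-binding problems (empty list = OK)."""
    results = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        net = ipaddress.IPv6Network(m.group("prefix"), strict=False)
        addr = net.network_address
        problems = []
        if net.prefixlen != 128:
            problems.append("not a /128 host binding")
        if addr not in POOL_PREFIX:
            problems.append("outside advertised prefix")
        if not (POOL_LOW <= addr <= POOL_HIGH):
            problems.append("outside dhcpv6-range")
        duid = decode_duid_llt(m.group("duid"))
        results.append({
            "address": str(addr),
            "state": m.group("state"),
            "expires": int(m.group("expires")),
            "mac": duid["mac"] if duid else None,
            "duid_time": duid["time"] if duid else None,
            "problems": problems,
        })
    return results


if __name__ == "__main__":
    print(f"pool holds {pool_size()} addresses, client limit {CLIENT_LIMIT} ok={client_limit_ok()}")
    for r in check_bindings(SAMPLE_BINDINGS):
        print(r["address"], r["state"], r["mac"], r["duid_time"].date(), r["problems"] or "ok")
```

Two things the script makes visible that are easy to miss by eye: the range ::200 to ::299 is hexadecimal, so it holds 154 addresses rather than 100, and the DUID timestamp of the real binding decodes to November 2015, consistent with the lease start time in the dhclient trace above.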
show dhcpv6 server statistics, as the name suggests, provides counts of messages sent to and received from clients, along with a dropped-packet counter that is worth watching.
marquk01@v6-testing> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
Total 0
Messages received:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 1
DHCPV6_INFORMATION_REQUEST 0
DHCPV6_RELEASE 0
DHCPV6_REQUEST 1
DHCPV6_CONFIRM 0
DHCPV6_RENEW 0
DHCPV6_REBIND 0
DHCPV6_RELAY_FORW 0
DHCPV6_RELAY_REPL 0
Messages sent:
DHCPV6_ADVERTISE 1
DHCPV6_REPLY 1
DHCPV6_RECONFIGURE 0
DHCPV6_RELAY_REPL 0
For completeness, I had the client release the assigned address and then checked the statistics again to make sure the counters incremented. Note that between the two snapshots the client also renewed once (DHCPV6_RENEW went from 0 to 1), which is expected with a 120-second lease and a T1 of 60 seconds; that is why DHCPV6_REPLY went up by two, one Reply for the Renew and one for the Release.
Releasing Assigned Address⌗
marquk01@km-vm1:~$ sudo dhclient -6 -v -r eth1
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Bound to *:546
Listening on Socket/eth1
Sending on Socket/eth1
XMT: Forming Release, 0 ms elapsed.
XMT: X-- IA_NA 29:4f:26:c5
XMT: | X-- Release Address 2001:192:168:1::200
XMT: V IA_NA appended.
XMT: Release on eth1, interval 1070ms.
RCV: Reply message on eth1 from fe80::120e:7eff:fe4e:2e88.
RCV: X-- Server ID: 00:02:00:00:05:83:43:46:34:37:31:33:41:4b:30:32:38
DHCPv6 Statistics⌗
marquk01@v6-testing> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
Total 0
Messages received:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 1
DHCPV6_INFORMATION_REQUEST 0
DHCPV6_RELEASE 1
DHCPV6_REQUEST 1
DHCPV6_CONFIRM 0
DHCPV6_RENEW 1
DHCPV6_REBIND 0
DHCPV6_RELAY_FORW 0
DHCPV6_RELAY_REPL 0
Messages sent:
DHCPV6_ADVERTISE 1
DHCPV6_REPLY 3
DHCPV6_RECONFIGURE 0
DHCPV6_RELAY_REPL 0
And with that, a DHCPv6 server has been configured on a Juniper SRX series router!
The operational commands and the set commands I used in this example are listed below :)
Operational Commands⌗
show security flow session
show dhcpv6 server binding
show dhcpv6 server statistics
clear dhcpv6 server binding
clear dhcpv6 server statistics
Set Commands⌗
set security forwarding-options family inet6 mode flow-based
set system services dhcp-local-server dhcpv6 overrides interface-client-limit 100
set system services dhcp-local-server dhcpv6 group v6 interface vlan.100
set protocols router-advertisement interface vlan.100 managed-configuration
set protocols router-advertisement interface vlan.100 prefix 2001:192:168:1::/64
set access address-assignment pool v6 family inet6 prefix 2001:192:168:1::/64
set access address-assignment pool v6 family inet6 range dhcpv6-range low 2001:192:168:1::200/128
set access address-assignment pool v6 family inet6 range dhcpv6-range high 2001:192:168:1::299/128
set access address-assignment pool v6 family inet6 dhcp-attributes maximum-lease-time 120
set access address-assignment pool v6 family inet6 dhcp-attributes grace-period 3600
set security zones security-zone internal interfaces vlan.100 host-inbound-traffic system-services dhcpv6
More detailed information can be found on Juniper's TechLibrary pages.