SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 & 340 Series IPv6 Question

     
    Posted 08-02-2018 08:45

    Hi,

     

    Another question regarding the SRX300 Series.

    If I have 1 interface that is routed to the CPE (SRX as NTE) and the other interface configured for ethernet-switching (VLAN to the core) and it works fine with IPv4, how can I configure this for IPv6?

     

    For example:

     

    I could configure an IPv6 address on the CPE facing interface and use this as the IPv6 gateway address but can I do the same on the irb to the core? 

     

    I know this seems a basic question and it is. I will test this while I wait for an answer 🙂

     

    See who gets there first 🙂

     



  • 2.  RE: SRX300 & 340 Series IPv6 Question

    Posted 08-02-2018 17:11

    Not sure I understand the question so sorry if this is off track.

     

    For any layer 3 interface, you would add IPv6 by adding the family inet5 address to the desired unit.

     

    If the connection to the core or other device is layer 2, then no other interface configuration is needed.

     



  • 3.  RE: SRX300 & 340 Series IPv6 Question

     
    Posted 08-03-2018 00:56

    Perfect answer, thank you spuluka (other than the inet5 bit, I'm sure that's a case of "typo" 🙂  ) ....

     


     

    Okay. Here is the problem, I think.... 

     

    CPE (IPv6) --> NTE (IPv6 - ge-0/0/4) -- NTE ---> Core

     

    The part that says NTE to Core has a VLAN tag assigned, but it also uses an IRB interface to allow layer 3 traffic over the link. The IRB interface is in the trust zone. IPv4 works fine and I can ping over to the core. So, I have placed the following configuration on the irb and the physical so you can see what I have completed:

     

    NTE:

    set interfaces irb unit 10 family inet address 10.10.1.2/30
    set interfaces irb unit 10 family inet6 address 2d05:d840:0070::1/126

    set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members v10
    set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust

     

    Core:

    set interfaces xe-1/2/4 unit 10 vlan-id 10
    set interfaces xe-1/2/4 unit 10 family inet address 10.10.1.1/30
    set interfaces xe-1/2/4 unit 10 family inet6 address 2d05:d840:0070::2/126

     

    So, I configure the static route on the NTE to point to the Core as follows:

    2d05:d840:70::1/128*[Local/0] 16:23:20
    Local via irb.10

    set routing-options rib inet6 static route 2d05:d840:0070::2/128 next-hop 2d05:d840:0070::1   and this is accepted with no problem.

     

    Now I do the same on the core and I get the following error on commit check:

    set routing-options rib inet6.0 static route 2d05:d840:0070::1/128 next-hop 2d05:d840:0070::2

     

    RT: DEST: 2d05:d840:70::1 MASK: ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffc mask too short

     

    Any ideas please? Thought /128 would be fine as this is the actual address I want to go to

     

     

     

     

     

     



  • 4.  RE: SRX300 & 340 Series IPv6 Question
    Best Answer

    Posted 08-03-2018 02:55

    In order to use the irb interface for this you would have to create the vlan with the desired id, add the irb as the l3 interface and also assign that vlan by name to the port.

     

    But the simpler way is to change your port from ethernet switching to flexible-vlan-tagging.

    Then you can have the inet and inet6 addresses assigned to your layer 3 port directly along with the vlan-id

     



  • 5.  RE: SRX300 & 340 Series IPv6 Question

     
    Posted 08-03-2018 06:00

    I've configured the following on the SRX340:

    set interfaces ge-0/0/15 flexible-vlan-tagging
    set interfaces ge-0/0/15 unit 10 vlan-id 10
    set interfaces ge-0/0/15 unit 10 family inet address 10.10.1.2/30
    set interfaces ge-0/0/15 unit 10 family inet6 address 2d05:d840:0070::1/126

     

    Routing table shows the static route to the core:

    2d05:d840:70::2/128       *[Local/0] 00:02:25
    Local via ge-0/0/15.10

     

    But I cannot ping the Core IPv6 address. IPv4 connectivity is good. No problem at all.

     

    Static route on Core and on SRX340 for the opposing IPv6 addresses.

     

    Any ideas?

     

     



  • 6.  RE: SRX300 & 340 Series IPv6 Question

     
    Posted 08-03-2018 06:37

    As an add on, when I try and complete a "traceroute" the echo response is "!A", which is a prohibited response. Normally caused by an access-list or some form of filter, but there are none assigned to the Core interface and there is nothing I can see on the SRX.....

     

     



  • 7.  RE: SRX300 & 340 Series IPv6 Question

     
    Posted 08-03-2018 07:03

    So, not sure if this helps with the resolution. The ping packets reach the interface on the core, so there is no problem with the routing.... Here is some output from:

     

    monitor traffic interface xe-1/2/4.10 no-resolve size 1500 - command:

    13:59:17.172845 In IP6 2d05:d840:70::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2d05:d840:70::2, length 32
    13:59:17.172906 Out IP6 2d05:d840:70::2 > 2d05:d840:70::1: ICMP6, neighbor advertisement, tgt is 2d05:d840:70::2, length 32
    13:59:17.589232 In IP6 2d05:d840:70::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2d05:d840:70::2, length 32
    13:59:17.589285 Out IP6 2d05:d840:70::2 > 2d05:d840:70::1: ICMP6, neighbor advertisement, tgt is 2d05:d840:70::2, length 32
    13:59:18.589200 In IP6 2d05:d840:70::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2d05:d840:70::2, length 32
    13:59:18.589260 Out IP6 2d05:d840:70::2 > 2d05:d840:70::1: ICMP6, neighbor advertisement, tgt is 2d05:d840:70::2, length 32
    13:59:21.136136 In IP6 2d05:d840:70::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2d05:d840:70::2, length 32
    13:59:21.136200 Out IP6 2d05:d840:70::2 > 2d05:d840:70::1: ICMP6, neighbor advertisement, tgt is 2d05:d840:70::2, length 32
    13:59:21.589148 In IP6 2d05:d840:70::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2d05:d840:70::2, length 32
    13:59:21.589201 Out IP6 2d05:d840:70::2 > 2d05:d840:70::1: ICMP6, neighbor advertisement, tgt is 2d05:d840:70::2, length 32

     

    I will investigate this a little further, but any help would be appreciated.



  • 8.  RE: SRX300 & 340 Series IPv6 Question

     
    Posted 08-03-2018 07:32

    Another add on.....

     

    On the core I see the following result from:

    show ipv6 neighbor

     

    IPv6 Address                 Linklayer Address         State       Exp     Rtr    Secure      Interface

    2a05:d840:70::1                       none             unreachable  3        no       no          xe-1/2/4.10

     



  • 9.  RE: SRX300 & 340 Series IPv6 Question

     
    Posted 08-03-2018 07:45

    Sometimes you can't see the wood for the trees.....

     

    I thought that the following had been configured and therefore was not looking for it..... A double check has resolved the issue:

     

    set security forwarding-options family inet6 mode flow-based

     

    Apologies for wasting your valuable time
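
An added example, not part of the thread and not Juniper tooling: a small Python check for the condition this thread ended on, inet6 addresses configured on interfaces while `set security forwarding-options family inet6 mode flow-based` is missing. The sample configuration is constructed from the commands posted above, and the function name `audit_inet6` is hypothetical.

```python
import ipaddress
import re

# Constructed sample in Junos "set" format, modelled on the SRX340 config in the thread.
SAMPLE_BROKEN = """\
set interfaces ge-0/0/15 flexible-vlan-tagging
set interfaces ge-0/0/15 unit 10 vlan-id 10
set interfaces ge-0/0/15 unit 10 family inet address 10.10.1.2/30
set interfaces ge-0/0/15 unit 10 family inet6 address 2d05:d840:0070::1/126
"""
SAMPLE_FIXED = SAMPLE_BROKEN + "set security forwarding-options family inet6 mode flow-based\n"

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet6 address (\S+)")
MODE_RE = re.compile(r"^set security forwarding-options family inet6 mode (\S+)")


def audit_inet6(config_text):
    """Return (inet6_mode, {logical_interface: [IPv6Interface]}, findings)."""
    mode = None
    addrs = {}
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            ifl = f"{m.group(1)}.{m.group(2)}"
            try:
                iface = ipaddress.IPv6Interface(m.group(3))
            except ValueError:
                findings.append(f"{ifl}: invalid inet6 address {m.group(3)!r}")
                continue
            addrs.setdefault(ifl, []).append(iface)
            continue
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)  # last statement wins, as in a set-file load
    # Flag every inet6 address when the mode is anything other than flow-based.
    if addrs and mode != "flow-based":
        state = mode or "not configured"
        for ifl, ifaces in sorted(addrs.items()):
            for iface in ifaces:
                findings.append(f"{ifl}: {iface} configured but inet6 mode is {state}")
    return mode, addrs, findings


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_inet6(cfg)[2])
```
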