Router - Juniper SRX

From AAISP Support Site

The Juniper SRX range consists of high-performance routers intended for small business and branch networks. They can often be bought cheaply on [http://www.ebay.co.uk/bhp/juniper-srx eBay].

== Known working setups ==

{|
! Router
! JunOS Version
! Modem
! Who
! IPv6
! Status
|-
|[http://www.juniper.net/uk/en/products-services/security/srx-series/srx100/ SRX100B]
|12.1X44-D40.2
|ZyXEL P660R in bridge mode
|[[User:Nhumfrey|Nhumfrey]]
|✗
|✗ PADI sent but no PADO response
|-
|[http://www.juniper.net/uk/en/products-services/security/srx-series/srx100/ SRX100B]
|12.1X44-D40.2
|BT Provided Huawei HG612 [[FTTC Modem]]
|[[User:Nhumfrey|Nhumfrey]]
|✗
|✓ Working 2015-01-13
|-
|[http://www.juniper.net/uk/en/products-services/security/srx-series/srx100/ SRX100B]
|12.1X46-D30.2
|BT Provided Huawei HG612 [[FTTC Modem]]
|[[User:Nhumfrey|Nhumfrey]]
|✓
|✓ Working 2015-03-22
|-
|[http://www.juniper.net/uk/en/products-services/security/srx-series/srx210/ SRX210H]
|12.1X46-D35.1
|Vigor 130 modem
|
|✓
|✓ Working 2015-09-20
|-
|[http://www.juniper.net/uk/en/products-services/security/srx-series/srx110/ SRX110H-VA]
|12.1X46-D40.2
|Internal VDSL2/ADSL-POTS
|
|✓
|✓ Working 2016-02-19
|}

== Steps for Configuring IPv6 over PPPoE on an SRX router ==

There is very limited information on the internet on how to configure a Juniper SRX router to use IPv6 over PPPoE, so I have written out these steps, which I have found to work. There may be other or better ways to configure it. Where you see XXXX in the configuration, insert your own IPv6 subnet block, as allocated to you.

1. Add an IPv6 address for your router to the local loopback interface ('''lo0'''):

<pre>set interfaces lo0 unit 0 family inet6 address 2001:8b0:XXXX::1/128</pre>

2. Enable IPv6 on the '''pp0''' interface. I did this by specifying an MTU value:

<pre>set interfaces pp0 unit 0 family inet6 mtu 1492</pre>

3. Add an IPv6 address to the LAN/trust interface. I match my IPv6 subnet number to my VLAN number, and give the router host address 1:

<pre>set interfaces vlan unit 3 family inet6 address 2001:8b0:XXXX:3::1/64</pre>

4. Set '''pp0''' to be the default next hop in the IPv6 routing table:

<pre>set routing-options rib inet6.0 static route 0::0/0 next-hop pp0.0</pre>

5. Enable forwarding/routing of IPv6 packets on the router. Flow-based mode means IPv6 traffic is handled as sessions by the stateful firewall (security zones and policies), rather than being forwarded packet by packet without state:

<pre>set security forwarding-options family inet6 mode flow-based</pre>

6. If you want machines on your internal subnet to automatically discover the IPv6 router, then enable Router Advertisements ('''RA'''). You could alternatively configure a DHCPv6 server or use static routing.

<pre>set protocols router-advertisement interface vlan.3 prefix 2001:8b0:XXXX:3::/64</pre>

7. Finally, if you want to be able to ping hosts on your internal network, then see the '''ping6-to-trust''' policy in the example config below.

Note that the first time you enable flow-based IPv6 forwarding (the '''security forwarding-options''' statement), you will have to reboot the router for the change to take effect.
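The seven steps above follow one addressing plan: the loopback takes ::1/128 of the delegated block, each LAN VLAN takes the /64 whose subnet number equals its VLAN number, and the router-advertisement prefix must be the same /64 as the LAN interface address. The following script, an added example that is not part of the original page, derives that plan from a /48 and emits the corresponding Junos set commands, and also checks a hand-written set of addresses for the mismatches that commonly break IPv6 on the LAN (RA prefix not matching the interface prefix, loopback outside the block). The block 2001:8b0:1234::/48 used in the usage call is a constructed placeholder, and the /48 size is an assumption.

```python
import ipaddress


def ipv6_plan(block: str, vlan_id: int, wan_ifl: str = "pp0.0") -> dict:
    """Derive lo0, LAN gateway and RA prefix from a delegated /48 and build the set commands.

    The /48 size and the "subnet number == VLAN number" convention are assumptions
    taken from the steps above, not requirements of Junos.
    """
    net = ipaddress.IPv6Network(block, strict=True)
    if net.prefixlen != 48:
        raise ValueError(f"expected a /48 delegation, got /{net.prefixlen}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1-4094")
    base = int(net.network_address)
    # Step 1: the router loopback gets host ::1 of the whole block as a /128.
    lo0 = ipaddress.IPv6Interface((base + 1, 128))
    # Step 3: the subnet id (bits 48-63) equals the VLAN number; gateway is ::1 of that /64.
    lan_net = ipaddress.IPv6Network((base + (vlan_id << 64), 64))
    lan_gw = ipaddress.IPv6Interface((int(lan_net.network_address) + 1, 64))
    wan_if, wan_unit = wan_ifl.split(".")
    commands = [
        f"set interfaces lo0 unit 0 family inet6 address {lo0}",
        f"set interfaces {wan_if} unit {wan_unit} family inet6 mtu 1492",
        f"set interfaces vlan unit {vlan_id} family inet6 address {lan_gw}",
        f"set routing-options rib inet6.0 static route 0::0/0 next-hop {wan_ifl}",
        "set security forwarding-options family inet6 mode flow-based",
        f"set protocols router-advertisement interface vlan.{vlan_id} prefix {lan_net}",
    ]
    return {
        "lo0": str(lo0),
        "lan_gateway": str(lan_gw),
        "ra_prefix": str(lan_net),
        "commands": commands,
    }


def check_consistency(block: str, lo0: str, lan_addr: str, ra_prefix: str) -> list:
    """Return the problems found in a hand-written address set (empty list means consistent)."""
    net = ipaddress.IPv6Network(block)
    lo = ipaddress.IPv6Interface(lo0)
    lan = ipaddress.IPv6Interface(lan_addr)
    ra = ipaddress.IPv6Network(ra_prefix)
    problems = []
    if lo.network.prefixlen != 128 or lo.ip not in net:
        problems.append("lo0 address must be a /128 inside the delegated block")
    if lan.ip not in net:
        problems.append("LAN address is outside the delegated block")
    # Hosts build their addresses from the RA prefix; if it differs from the interface
    # prefix they end up in a /64 the router does not route for.
    if lan.network != ra:
        problems.append("router-advertisement prefix does not match the LAN interface prefix")
    return problems


if __name__ == "__main__":
    # Constructed placeholder block; substitute the /48 AAISP allocated to you.
    plan = ipv6_plan("2001:8b0:1234::/48", vlan_id=3)
    print("\n".join(plan["commands"]))
    print(check_consistency("2001:8b0:1234::/48", plan["lo0"], plan["lan_gateway"], plan["ra_prefix"]))
```

Run it with your own /48 in place of the placeholder; the emitted lines are the same six set commands as steps 1 to 6 with your addresses filled in, and the consistency check is worth running against an existing configuration before suspecting the PPPoE side when LAN hosts get an address but no connectivity.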

== Dual-stack Example Config ==

* Statically configured IPv4 and IPv6 for a single AAISP line
* Trust VLAN on Ethernet Port 0-6
* PPPoE configured on Ethernet Port 7
* Pinging (ICMPv6) from untrusted to trusted hosts is enabled

<pre>
## Last changed: 2015-03-29 17:42:36 BST
version 12.1X46-D30.2;
system {
    host-name dsl-router;
    domain-name aa.net.uk;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "XXXX";
    }
    name-server {
        217.169.20.20;
        217.169.20.21;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.3;
            }
            https {
                system-generated-certificate;
                interface vlan.3;
            }
        }
        dhcp {
            name-server {
                217.169.20.20;
                217.169.20.21;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.100 high 192.168.1.250;
                router {
                    192.168.1.1;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 90.155.53.94;
        server 90.155.53.93;
    }
}
interfaces {
    interface-range interfaces-trust {
        member fe-0/0/0;
        member fe-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        description "PPPoE Port";
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    lo0 {
        unit 0 {
            family inet6 {
                address 2001:8b0:XXXX::1/128;
            }
        }
    }
    pp0 {
        unit 0 {
            description AAISP;
            point-to-point;
            ppp-options {
                chap {
                    default-chap-secret "XXXX";
                    local-name "XXXX@a";
                    no-rfc2486;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/7.0;
                idle-timeout 0;
                auto-reconnect 5;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
            family inet6 {
                mtu 1492;
            }
        }
    }
    vlan {
        unit 3 {
            family inet {
                address 192.168.1.1/24;
            }
            family inet6 {
                address 2001:8b0:XXXX:3::1/64;
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route 0::0/0 next-hop pp0.0;
        }
    }
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    router-advertisement {
        interface vlan.3 {
            prefix 2001:8b0:XXXX:3::/64;
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy ping6-to-trust {
                match {
                    source-address any-ipv6;
                    destination-address any-ipv6;
                    application junos-pingv6;
                }
                then {
                    permit;
                }
            }
            policy reject-untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.3;
                lo0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                pp0.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.3;
    }
}
</pre>
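The security-relevant part of the config above is the '''untrust''' to '''trust''' policy chain: the SRX tries the policies of a zone pair in the order they are listed, the first match decides, and a zone pair with no matching policy falls through to the global '''default-policy''' (deny-all). The model below is an added example, not code from the page or from Juniper; it reproduces that first-match evaluation for the policies as written, and shows that listing '''reject-untrust-to-trust''' before '''ping6-to-trust''' would silently make the ping rule unreachable. The application names junos-ping, junos-ssh and junos-http are predefined Junos applications; the match logic itself is a simplification (address-book entries and host-inbound-traffic for traffic to the router itself are not modelled).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: str      # "any", "any-ipv4" or "any-ipv6", as in the page's config
    dst: str
    app: str      # "any" or a predefined application name such as "junos-pingv6"
    action: str   # "permit", "deny" (silent drop) or "reject" (drop and notify sender)


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    family: str   # "inet" (IPv4) or "inet6"
    app: str


def addr_matches(selector: str, family: str) -> bool:
    """'any' matches both families; 'any-ipv4'/'any-ipv6' match only their own family."""
    return selector == "any" or selector == {"inet": "any-ipv4", "inet6": "any-ipv6"}[family]


def evaluate(policies: dict, flow: Flow, default: str = "deny") -> tuple:
    """Return (action, policy_name): first matching policy in the zone pair, else the default."""
    for p in policies.get((flow.from_zone, flow.to_zone), []):
        if (addr_matches(p.src, flow.family) and addr_matches(p.dst, flow.family)
                and p.app in ("any", flow.app)):
            return p.action, p.name
    return default, "default-policy"


def decide(policies: dict, from_zone: str, to_zone: str, family: str, app: str) -> tuple:
    """Convenience wrapper so callers need not build a Flow themselves."""
    return evaluate(policies, Flow(from_zone, to_zone, family, app))


# Policy set exactly as listed in the dual-stack config above (default-policy deny-all).
PAGE_POLICIES = {
    ("trust", "untrust"): [Policy("trust-to-untrust", "any", "any", "any", "permit")],
    ("untrust", "trust"): [
        Policy("ping6-to-trust", "any-ipv6", "any-ipv6", "junos-pingv6", "permit"),
        Policy("reject-untrust-to-trust", "any", "any", "any", "reject"),
    ],
}

# The same two untrust->trust policies in the wrong order: the catch-all now shadows the ping rule.
MISORDERED_POLICIES = {
    ("trust", "untrust"): PAGE_POLICIES[("trust", "untrust")],
    ("untrust", "trust"): list(reversed(PAGE_POLICIES[("untrust", "trust")])),
}


if __name__ == "__main__":
    for args in [("untrust", "trust", "inet6", "junos-pingv6"),
                 ("untrust", "trust", "inet", "junos-ping"),
                 ("untrust", "trust", "inet6", "junos-ssh"),
                 ("trust", "untrust", "inet", "junos-http")]:
        print(args, "->", decide(PAGE_POLICIES, *args))
    print("misordered ping6:", decide(MISORDERED_POLICIES, "untrust", "trust", "inet6", "junos-pingv6"))
```

Two points worth keeping in mind when editing this chain on a real SRX: IPv4 ping from the outside is still rejected because '''any-ipv6''' does not match IPv4 traffic, and '''reject''' differs from '''deny''' in that it tells the sender the session was refused, which is friendlier for debugging but discloses that a host exists; '''deny''' drops silently.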

== Native IPv6 dual stack SRX110H-VA configuration ==

The following is an example of a Juniper SRX110H-VA native IPv6 configuration using the inbuilt modem for VDSL connectivity, with PPPoE, DHCPv6 and IPv4.

'''Please note:'''

* You must use Junos version 12.1X46-D10.2 or greater for DHCPv6 support. (The example configuration used 12.1X46-D40.2.)
* IPv6 routing is controlled via the https://control.aa.net.uk/ pages. This example only shows one /64 address. You can route multiple /64 address spaces, and I assume you can probably route the entire /48 you have been designated.
* The IPv4 WAN address is auto-negotiated over PPP.
* The IPv4 NAT configuration, which will be required for WAN connectivity, is not included in this example.
<pre>
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                mtu 1492;
                address 10.X.X.X/8;
            }
            family inet6 {
                address 2001:8b0:X:X::1/64;
            }
        }
    }
    pt-1/0/0 {
        vlan-tagging;
        vdsl-options {
            vdsl-profile auto;
        }
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 101;
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret "PASSWORD"; ## SECRET-DATA
                    local-name "USERNAME";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface pt-1/0/0.0;
                client;
            }
            family inet {
                negotiate-address;
            }
            family inet6 {
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type ia-pd;
                    rapid-commit;
                    client-identifier duid-type duid-ll;
                    req-option domain;
                    req-option dns-server;
                }
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop pp0.0;
            route 2001:8b0:X::/48 next-hop 2001:8b0:X:X::X;
        }
    }
}
protocols {
    router-advertisement {
        interface fe-0/0/0.0 {
            prefix 2001:8b0:X:X::/64;
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                pt-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcpv6;
                        }
                    }
                }
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcpv6;
                            ping;
                        }
                    }
                }
            }
        }
    }
}
</pre>

To check the DHCPv6 binding from operational mode, run the command:

<pre>show dhcpv6 client binding detail</pre>

Output:
<pre>
Client Interface: pp0.0
     Hardware Address:             54:e0:32:d2:39:20
     State:                        BOUND(DHCPV6_CLIENT_STATE_BOUND)
     ClientType:                   STATEFUL
     Lease Expires:                2016-02-19 13:27:25 GMT
     Lease Expires in:             1839 seconds
     Lease Start:                  2016-02-19 12:27:25 GMT
     Bind Type:                    IA_PD
     Client DUID:                  LL0x29-54:e0:32:d2:39:20
     Rapid Commit:                 On
     Server Ip Address:            ::
     Client IP Prefix:             2001:8b0:X:X::/64

DHCP options:
    Name: server-identifier, Value: LL0x1-00:03:97:16:80:00
    Name: dns-recursive-server, Value: 2001:8b0::2020,2001:8b0::2021
</pre>
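The binding listing above is what you would poll to notice that prefix delegation has been lost (the client has dropped out of BOUND, the lease has lapsed, or the delegated prefix has changed) before users report that IPv6 has gone away. The parser and health check below are an added example, not from the page or from Junos; they read the text format shown above into a dictionary and return the problems a monitor should raise. The sample listing is constructed from the page's output with a placeholder prefix (2001:8b0:1234:5::/64) in place of the X fields, and the checks (bound, IA_PD present, prefix no longer than /64, lease not expired, DNS servers received) are my choice of what is worth alerting on.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of `show dhcpv6 client binding detail` output, modelled on the page's
# listing; the delegated prefix is a placeholder, not a real allocation.
SAMPLE = """\
Client Interface: pp0.0
     Hardware Address:             54:e0:32:d2:39:20
     State:                        BOUND(DHCPV6_CLIENT_STATE_BOUND)
     ClientType:                   STATEFUL
     Lease Expires:                2016-02-19 13:27:25 GMT
     Lease Expires in:             1839 seconds
     Lease Start:                  2016-02-19 12:27:25 GMT
     Bind Type:                    IA_PD
     Client DUID:                  LL0x29-54:e0:32:d2:39:20
     Rapid Commit:                 On
     Server Ip Address:            ::
     Client IP Prefix:             2001:8b0:1234:5::/64

DHCP options:
    Name: server-identifier, Value: LL0x1-00:03:97:16:80:00
    Name: dns-recursive-server, Value: 2001:8b0::2020,2001:8b0::2021
"""

_OPTION_RE = re.compile(r"Name:\s*(\S+),\s*Value:\s*(.*)$")
_TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_binding(text: str) -> dict:
    """Split the listing into {'fields': {label: value}, 'options': {name: [values]}}."""
    fields, options = {}, {}
    in_options = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "DHCP options:":
            in_options = True
            continue
        if in_options:
            m = _OPTION_RE.match(line)
            if m:
                options[m.group(1)] = [v for v in m.group(2).split(",") if v]
            continue
        # Only the first colon separates label from value; IPv6 values contain more colons.
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return {"fields": fields, "options": options}


def _parse_ts(value: str) -> datetime:
    """Junos prints e.g. '2016-02-19 13:27:25 GMT'; treat the zone suffix as UTC."""
    return datetime.strptime(value.replace(" GMT", ""), _TS_FORMAT).replace(tzinfo=timezone.utc)


def check_binding(parsed: dict, now_utc: str) -> list:
    """Return the problems a monitor should raise for this binding (empty list = healthy)."""
    f = parsed["fields"]
    now = datetime.strptime(now_utc, _TS_FORMAT).replace(tzinfo=timezone.utc)
    problems = []
    if not f.get("State", "").startswith("BOUND"):
        problems.append(f"client not bound: {f.get('State', 'missing')}")
    if f.get("Bind Type") != "IA_PD":
        problems.append("no prefix delegation (IA_PD) binding")
    try:
        prefix = ipaddress.IPv6Network(f.get("Client IP Prefix", ""))
        if prefix.prefixlen > 64:
            problems.append(f"delegated prefix {prefix} is longer than /64, too small for SLAAC")
    except ValueError:
        problems.append("no valid delegated prefix")
    if "Lease Expires" in f:
        if _parse_ts(f["Lease Expires"]) <= now:
            problems.append("lease has expired")
    else:
        problems.append("no lease expiry reported")
    if not parsed["options"].get("dns-recursive-server"):
        problems.append("no DNS servers received")
    return problems


if __name__ == "__main__":
    parsed = parse_binding(SAMPLE)
    print(parsed["fields"]["Client IP Prefix"], parsed["options"]["dns-recursive-server"])
    print(check_binding(parsed, "2016-02-19 13:00:00"))
```

In practice you would feed the function the output of the show command collected over SSH or NETCONF at each polling interval; comparing the parsed "Client IP Prefix" with the previous poll is also the simplest way to catch a delegated prefix changing underneath static configuration such as the router-advertisement prefix in the example config above.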

== Higher MTU values ==

The SRX Ethernet interfaces do appear to support baby jumbo frames; however, I asked about using an MTU of 1500 on the PPP link and received the following response from Danilo Quesada of Juniper SRX Support:

<blockquote>
Increasing the MTU on the PPPoE interface to a value greater than 1492 would go against RFC2516, A Method for Transmitting PPP Over Ethernet (PPPoE).
RFC4638 is currently not supported on any SRX Junos code. Junos enforces RFCs, so there is no way round this but to wait until it is implemented. Currently there is no roadmap information available. Please submit a product enhancement request through your Juniper Account Team or sales Representative.
</blockquote>

[[Category:Juniper]] [[Category:Router]]
[[Category:3rd Party Routers|Juniper]]

Latest revision as of 00:03, 15 March 2017
