Juniper ScreenOS: DHCPv6 Prefix Delegation

The Juniper ScreenOS firewall is one of the few firewalls that implement DHCPv6 Prefix Delegation (DHCPv6-PD). It is therefore suitable for testing my dual stack ISP connection from Deutsche Telekom, Germany. (Refer to this post for details about this dual stack procedure.)

It was *really* hard to get the correct configuration in place. I was not able to do this by myself at all. Google did not help that much either. Finally, I opened a case with Juniper to help me find the configuration error. Four weeks after opening the case, I was told which command was wrong. Now it’s working. ;) Here we go.

Note that this post is one of many related to IPv6. Click here for a structured list.

Note that I will not explain how DHCPv6 prefix delegation works at all. I will only go into details on how to configure it on a Juniper ScreenOS SSG firewall. My Google results for this case brought me to this and that page, but none of them correctly revealed the working configuration commands.

The basic idea is to receive a /56 IPv6 prefix from the ISP and to hand out /64 subnets/prefixes to the client networks.

Configuration

This picture shows the main parts of how the SSG should be configured:

Juniper DHCPv6-PD

This involves the following steps:

  1. Enable IPv6 on the upstream interface (mode “Host”, accept router advertisements).
  2. Enable IPv6 on the client interfaces (mode “Router”, send router advertisements).
  3. Configure the DHCPv6 server on the client interfaces (for delivering DNS entries).
  4. Configure the DHCPv6 client on the upstream interface (to receive the delegated prefix).

These are the configuration steps in the GUI. Read the descriptions under the screenshots for more information:

One special note on the prefix distribution settings: There are two fields called “SLA” and “SLA length”. It took me a while to understand what these mean:

  • SLA: This is the subnet ID in decimal notation (WTF?). For example, if you want to use the IPv6 subnet “42” (the hexadecimal value as it appears in the address), you must convert this value to decimal, which is “66”.
  • SLA length: This is the length of the subnet ID in bits. In my case, since I am getting a /56 but want to hand out /64 prefixes, it is 8 bits long.
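To make the SLA/SLA length relation concrete, here is an added example (not part of the original post and not Juniper code) that computes the /64 prefix the firewall will hand out from a delegated /56, the SLA value (entered in decimal) and the SLA length. The delegated prefix 2001:db8:1:a100::/56 is a constructed sample; the functions are hypothetical helpers written for this illustration. It also shows the pitfall the text warns about: typing the hexadecimal subnet ID “42” as decimal 42 yields subnet 2a instead of 42.

```python
import ipaddress


def sla_from_hex(subnet_id_hex: str) -> int:
    """Convert the subnet ID as written in the address (hex) to the decimal
    value the ScreenOS GUI expects in the 'SLA' field. '42' -> 66."""
    return int(subnet_id_hex, 16)


def delegated_subnet(delegated_prefix: str, sla: int, sla_length: int) -> ipaddress.IPv6Network:
    """Compose the /64 client prefix from the ISP-delegated prefix and the SLA.

    delegated_prefix: the prefix received via DHCPv6-PD, e.g. a /56.
    sla:              subnet ID in decimal, as entered in the GUI.
    sla_length:       number of subnet-ID bits; must fill the gap up to /64.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    # The SLA bits sit directly after the delegated prefix and must end at bit 64.
    if pd.prefixlen + sla_length != 64:
        raise ValueError(
            f"prefix length {pd.prefixlen} + SLA length {sla_length} must equal 64"
        )
    # The SLA must fit into the configured number of bits (0..2^len-1).
    if not 0 <= sla < (1 << sla_length):
        raise ValueError(f"SLA {sla} does not fit into {sla_length} bits")
    # Shift the SLA into bits 56..63 (counted from the left), i.e. just above
    # the 64-bit interface identifier, and OR it onto the delegated network.
    subnet_int = int(pd.network_address) | (sla << (128 - 64))
    return ipaddress.IPv6Network((subnet_int, 64))


def all_delegable_subnets(delegated_prefix: str) -> list:
    """List every /64 a delegated prefix can be split into; with a /56 this
    is 256 subnets (SLA 0..255)."""
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    return list(pd.subnets(new_prefix=64))


if __name__ == "__main__":
    pd = "2001:db8:1:a100::/56"  # constructed sample delegated prefix
    print("correct:", delegated_subnet(pd, sla_from_hex("42"), 8))  # ...:a142::/64
    print("pitfall:", delegated_subnet(pd, 42, 8))                  # ...:a12a::/64
    print("subnets:", len(all_delegable_subnets(pd)))               # 256
```

The decimal requirement is the whole point: the GUI field takes 66, and only then does the client interface announce 2001:db8:1:a142::/64. Entering 42 is accepted without error but silently produces a different subnet.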

The following listing presents all relevant CLI commands for the DHCPv6-PD scenario just configured (especially lines 30-32):


Monitoring

This is how the GUI looks after a prefix has been received and delegated:

I tested the two configured subnets with my mobile devices, one in the bgroup1 network and the other in the wireless0/2 network. (I called my http://ip.webernetz.net script that shows the IP; refer to here.)

And, of course, the SSG can list many details of the learned/delegated prefixes via the CLI:


Any questions? ;)

Featured image “Wegweiser” by lorenzwalthert is licensed under CC BY-ND 2.0.
