IPv6 default route not installed from RA

Network Engineering ipv6 juniper juniper-srx
2021-07-12 23:16:28
  • Platform: Juniper SRX300
  • Version: JUNOS 15.1X49-D160.2
  • ISP: Midco

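I currently have an issue where the IPv6 default route is not being installed from the CMTS RA. Try as I might, I cannot get the SRX to pick up and install a default route. I get a DHCPv6-assigned GUA on the link, a DHCPv6-PD-assigned /64 subnet that is installed on the internal interface, and so on, just no default route.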

Interface map

  • ge-0/0/0 - Internal
  • ge-0/0/5 - ISP

Current show route...

2001:48f8:4029:0:d7b:f865:2051:f208/128
               *[Direct/0] 00:07:59
                > via ge-0/0/5.0
                [Local/0] 00:07:59
                  Local via ge-0/0/5.0
2001:48f8:402a:19b1::/64
               *[Direct/0] 00:07:50
                > via ge-0/0/0.6
2001:48f8:402a:19b1::1/128
               *[Local/0] 00:08:01
                  Local via ge-0/0/0.6
fe80::ee13:db00:6d8:b300/128
               *[Local/0] 13:43:00
                  Local via ge-0/0/0.6
fe80::ee13:dbff:fed8:b305/128
               *[Local/0] 00:08:12
                  Local via ge-0/0/5.0

Note the conspicuous absence of a default route.

show ipv6 router-advertisement...

Interface: ge-0/0/5.0
  Advertisements sent: 429, last sent 00:00:08 ago
  Solicits received: 430, last received 00:00:00 ago
  Advertisements received: 898
  Solicited router advertisement unicast: Disable
  Advertisement from fe80::242:5aff:fe1d:b019, heard 00:00:01 ago
    Managed: 1
    Other configuration: 1
    Link MTU: 1500 bytes
    Reachable time: 3600000 ms
    Default lifetime: 1800 sec
    Retransmit timer: 0 ms
    Current hop limit: 64

Current show interfaces terse...

Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.6              up    up   inet6    2001:48f8:402a:19b1::1/64
                                            fe80::ee13:db00:6d8:b300/64
ge-0/0/5                up    up
ge-0/0/5.0              up    up   inet6    2001:48f8:4029:0:d7b:f865:2051:f208
                                            fe80::ee13:dbff:fed8:b305/64

Configuration...

show configuration interfaces
ge-0/0/0 {
    flexible-vlan-tagging;
    native-vlan-id 1;
    unit 6 {
        vlan-id 6;
        family inet6;
    }
}
ge-0/0/5 {
    unit 0 {
        family inet6 {
            dad-disable;
            dhcpv6-client {
                client-type stateful;
                client-ia-type ia-pd;
                client-ia-type ia-na;
                update-router-advertisement {
                    interface ge-0/0/0.6 {
                        managed-configuration;
                        other-stateful-configuration;
                    }
                }
                client-identifier duid-type duid-ll;
                update-server;
                retransmission-attempt 6;
            }
        }
    }
}

show configuration protocols
router-advertisement {
    interface ge-0/0/5.0 {
        managed-configuration;
        other-stateful-configuration;
    }
}

show configuration security
forwarding-options {
    family {
        inet6 {
            mode flow-based;
        }
    }
}
policies {
    from-zone trust to-zone trust {
        policy trust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application junos-icmp6-all;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            ge-0/0/0.6 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone untrust {
        interfaces {
            ge-0/0/5.0 {
                host-inbound-traffic {
                    system-services {
                        dhcpv6;
                        ping;
                        traceroute;
                    }
                    protocols {
                        router-discovery;
                    }
                }
            }
        }
    }
}

Any help/ideas would be greatly appreciated.


Updated with additional output below...

show dhcpv6 client binding interface ge-0/0/5.0 detail 

Client Interface/Id: ge-0/0/5.0
     Hardware Address:             ec:13:db:d8:b3:05
     State:                        BOUND(DHCPV6_CLIENT_STATE_BOUND)
     ClientType:                   STATEFUL
     Lease Expires:                2019-04-19 14:04:10 UTC
     Lease Expires in:             2555595 seconds
     Lease Start:                  2019-03-20 14:04:10 UTC
     Bind Type:                    IA_NA IA_PD
     Preferred prefix length       0
     Sub prefix length             0
     Client DUID:                  LL0x3-ec:13:db:d8:b3:05
     Rapid Commit:                 Off
     Server Identifier:            ::
     Update Server                 Yes
     Client IP Address:            2001:48f8:4029:0:d7b:f865:2051:f208/128
     Client IP Prefix:             2001:48f8:402a:19b1::/64

DHCP options:
    Name: server-identifier, Value: LL_TIME0x1-0x5694c708-00:1a:64:99:79:e4
    Name: dns-recursive-server, Value: 2001:48f8:11::10,2001:48f8:11::11

Update RA interfaces:
     Interface: ge-0/0/0.6
            RA Prefix:      2001:48f8:402a:19b1::/64

Updated with additional output suggested by JTAC...

monitor traffic interface ge-0/0/5.0 matching "icmp6 or (udp port 546 or 547)" no-resolve extensive 
Address resolution is OFF.
Listening on ge-0/0/5.0, capture size 1514 bytes

01:03:01.746789  In 
        Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 36096
          Logical Interface Index Extension TLV #4, length 4, value: 76
        -----original packet-----
        PFE proto 6 (ipv6): (class 0xe0, hlim 255, next-header: ICMPv6 (58), length: 32) fe80::242:5aff:fe1d:b019 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 32
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 3600000ms, retrans time 0ms
          source link-address option (1), length 8 (1): 00:42:5a:1d:b0:19
            0x0000: 0042 5a1d b019 
          mtu option (5), length 8 (1):  1500
            0x0000: 0000 0000 05dc 

show ipv6 neighbors 
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface 
fe80::242:5aff:fe1d:b019     00:42:5a:1d:b0:19  stale       792 yes no      ge-0/0/5.0  
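1 Answer

From JTAC...

The issue you are facing is described in an internal PR.

Workaround

  • Manually configure the IPv6 default route.

  • Add prefix information to the RA being sent

The known issue will be fixed in: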

  • Junos: 15.1X49-D180

  • Junos: 17.4R3

  • Junos: 18.1R4

  • Junos: 18.2R3

  • Junos: 18.3R2

  • Junos: 18.4R2

  • Junos: 19.1R2

  • Junos: 19.2R1

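The tentative release date for 15.1x49-D180 is the end of May.

I had to manually configure the default route as a workaround, since I have no control over the ISP's CMTS. This was done by retrieving the neighbor's LLA by listening to the RAs via show ipv6 router-advertisements and using it as the qualified next-hop for the default route with the following command...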

set routing-options rib inet6.0 static route ::/0 qualified-next-hop fe80::242:5aff:fe1d:b019 interface ge-0/0/5.0
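
The workaround above can be derived mechanically from the two outputs shown in the question. The following is an added example, not part of the original answer or of any Juniper tooling: it parses saved `show ipv6 router-advertisement` text, confirms that `::/0` is missing from the route list, and emits the static-route command only for a link-local router that advertises a non-zero default lifetime. The function names are hypothetical, and the sample input is trimmed from the output in the question.

```python
import ipaddress
import re

# Trimmed from the question's "show ipv6 router-advertisement" output.
RA_OUTPUT = """\
Interface: ge-0/0/5.0
  Advertisements sent: 429, last sent 00:00:08 ago
  Advertisement from fe80::242:5aff:fe1d:b019, heard 00:00:01 ago
    Managed: 1
    Other configuration: 1
    Default lifetime: 1800 sec
"""
# Global prefixes from the question's "show route" output; ::/0 is absent.
ROUTE_PREFIXES = ["2001:48f8:4029:0:d7b:f865:2051:f208/128",
                  "2001:48f8:402a:19b1::/64",
                  "2001:48f8:402a:19b1::1/128"]

def parse_ra_routers(text):
    """Return [(interface, router_lla, default_lifetime_sec)] per RA heard."""
    routers, iface, lla = [], None, None
    for line in text.splitlines():
        if m := re.match(r"Interface:\s+(\S+)", line):
            iface, lla = m.group(1), None
        elif m := re.match(r"\s+Advertisement from (\S+),", line):
            lla = m.group(1)
        elif (m := re.match(r"\s+Default lifetime:\s+(\d+) sec", line)) and lla:
            routers.append((iface, lla, int(m.group(1))))
            lla = None
    return routers

def has_default_route(prefixes):
    """True if any prefix in the list is a default route (prefix length 0)."""
    return any(ipaddress.ip_network(p, strict=False).prefixlen == 0
               for p in prefixes)

def workaround_commands(ra_text, prefixes):
    """Emit the static-route workaround only when ::/0 is missing."""
    if has_default_route(prefixes):
        return []
    cmds = []
    for iface, lla, lifetime in parse_ra_routers(ra_text):
        addr = ipaddress.IPv6Address(lla)
        # A router lifetime of 0 means "not a default router" (RFC 4861).
        if lifetime == 0 or not addr.is_link_local:
            continue
        cmds.append("set routing-options rib inet6.0 static route ::/0 "
                    f"qualified-next-hop {addr} interface {iface}")
    return cmds

if __name__ == "__main__":
    print("\n".join(workaround_commands(RA_OUTPUT, ROUTE_PREFIXES)))
```
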