Re: [j-nsp] SRX IPv6 VRRP
On 12/08/2014 23:03, Eugeniu Patrascu wrote:
> On Tue, Aug 12, 2014 at 11:21 PM, Laurent CARON lca...@unix-scripts.info wrote:
>> On 12/08/2014 22:15, Darren O'Connor wrote:
>>> You mean to say you're not using /64 on your subnet?
>>
>> Is it a crime ? ;)
>
> Is this fixed in any release? I'm planning on using a pair of SRX240 to do just that - IPv6 VRRP.

Tried with latest release to no avail.

Should you want to use it, you'd have to use promisc mode for the affected interfaces...

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX IPv6 VRRP
On 12/08/2014 23:36, ashish verma wrote:
> I don't have any details on the ETA. /64 is not bad if it solves your problem and I guess most of the people use /64 as minimum.

Still, using VRRP is way quicker than using RA.
Re: [j-nsp] SRX IPv6 VRRP
Hi,

On 12.08.2014 at 23:36, ashish verma wrote:
> /64 is not bad if it solves your problem and I guess most of the people use /64 as minimum.

It might be really bad using /64 everywhere, for example have a look at http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

When talking about a security platform where everything is firewalled in the first place hopefully it will not come to any NDP actions at all (because the firewall killed all the inbound traffic before that), /64s might be a viable solution.

But at least IPv6 VRRP (which also uses RAs, at least on Juniper) can work with prefixes /64 and will happily send RAs with smaller prefixes, so in theory you should be able to spread your default GW via RAs even with smaller prefixes. You will use the SLAAC capabilities, but depending on the deployment scenario it might be OK.

That being said, I have no idea whether one can configure RAs on Juniper gear (besides from VRRPv6) which uses/announces smaller prefixes than /64.

--
Kind Regards
Tobias Heister
[j-nsp] SRX IPv6 VRRP
Hi,

I'm currently deploying SRX110/210/240.

After having configured the IPv4 part, I'm willing to configure IPv6 VRRP.

It however seems the functionality is severely broken in many points:

[1] states:
- VRRP for IPv6 will not work if the Branch SRX platform is processing IPv6 in flow mode.
- If the SRX is processing IPv6 in packet mode...However, even in this state, the SRX will not be able to process any packets, which are forwarded to the VIP address.

This is quite not useful.

The 'solution' offered on [1] is to set the interface in promisc mode...which:
1/ is not really a good advice since all packets will hit the PFE
2/ is not possible if you are using aggregated (ae) interfaces

How did you guys solve this issue ?

Thanks

[1]: http://kb.juniper.net/InfoCenter/index?page=contentid=KB23988actp=searchviewlocale=en_USsearchid=1258894870731
Re: [j-nsp] SRX IPv6 VRRP
There is an ER 057607 for this issue. Another option is to use IPv6 router advertisements instead of VRRP.

On Tue, Aug 12, 2014 at 7:57 PM, Laurent CARON lca...@unix-scripts.info wrote:
> Hi,
>
> I'm currently deploying SRX110/210/240.
>
> After having configured the IPv4 part, I'm willing to configure IPv6 VRRP.
>
> It however seems the functionality is severely broken in many points:
>
> [1] states:
> - VRRP for IPv6 will not work if the Branch SRX platform is processing IPv6 in flow mode.
> - If the SRX is processing IPv6 in packet mode...However, even in this state, the SRX will not be able to process any packets, which are forwarded to the VIP address.
>
> This is quite not useful.
>
> The 'solution' offered on [1] is to set the interface in promisc mode...which:
> 1/ is not really a good advice since all packets will hit the PFE
> 2/ is not possible if you are using aggregated (ae) interfaces
>
> How did you guys solve this issue ?
>
> Thanks
>
> [1]: http://kb.juniper.net/InfoCenter/index?page=content; id=KB23988actp=searchviewlocale=en_USsearchid=1258894870731
Re: [j-nsp] SRX IPv6 VRRP
You mean to say you're not using /64 on your subnet?

Thanks
Darren
http://www.mellowd.co.uk/ccie

> Date: Tue, 12 Aug 2014 21:45:03 +0200
> From: lca...@unix-scripts.info
> To: ashish.s...@gmail.com
> CC: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] SRX IPv6 VRRP
>
> On 12/08/2014 14:49, ashish verma wrote:
>> There is an ER 057607 for this issue. Another option is to use IPv6 router advertisements instead of VRRP.
>
> Hi,
>
> Thanks
>
> Do you have an ETA for this ?
>
> RA is a viable option only with a /64 netmask though.
Re: [j-nsp] SRX IPv6 VRRP
On 12/08/2014 22:15, Darren O'Connor wrote:
> You mean to say you're not using /64 on your subnet?

Is it a crime ? ;)
Re: [j-nsp] SRX IPv6 VRRP
On Tue, Aug 12, 2014 at 11:21 PM, Laurent CARON lca...@unix-scripts.info wrote:
> On 12/08/2014 22:15, Darren O'Connor wrote:
>> You mean to say you're not using /64 on your subnet?
>
> Is it a crime ? ;)

Is this fixed in any release? I'm planning on using a pair of SRX240 to do just that - IPv6 VRRP.

Thanks.
Re: [j-nsp] SRX IPv6 VRRP
I don't have any details on the ETA. /64 is not bad if it solves your problem and I guess most of the people use /64 as minimum.

On Wed, Aug 13, 2014 at 7:03 AM, Eugeniu Patrascu eu...@imacandi.net wrote:
> On Tue, Aug 12, 2014 at 11:21 PM, Laurent CARON lca...@unix-scripts.info wrote:
>> On 12/08/2014 22:15, Darren O'Connor wrote:
>>> You mean to say you're not using /64 on your subnet?
>>
>> Is it a crime ? ;)
>
> Is this fixed in any release? I'm planning on using a pair of SRX240 to do just that - IPv6 VRRP.
>
> Thanks.