IPv6 for Logical Systems

IPv6 builds upon the functionality of IPv4, providing improvements to IP addressing, configuration and maintenance, and security. IPv6 supports extensions for authentication and data integrity, which enhance privacy and security. IPv6 uses 128-bit addresses and supports a virtually unlimited number of devices—2 to the 128th power. For more information, see the following topics:

IPv6 Addresses in Logical Systems Overview

IP version 6 (IPv6) increases the size of an IP address from the 32 bits that compose an IPv4 address to 128 bits. Each extra bit given to an address doubles the size of its address space. IPv6 has a much larger address space than the soon-to-be exhausted IPv4 address space.

IPv6 addresses can be configured in logical systems for the following features:

  • Interfaces

  • Firewall authentication

  • Flows

  • Routing (BGP only)

  • Zones and security policies

  • Screen options

  • Network Address Translation (except for interface NAT)

  • Administrative operations such as SSH, HTTPS, and other utilities

  • Chassis clusters

Note:

An IPv6 session consumes twice the memory of an IPv4 session. Therefore the number of sessions available for IPv6 is half the reserved and maximum quotas configured for the flow session resource in a security profile. Use the vty command show usp flow resource usage cp-session to check flow session usage.

Understanding IPv6 Dual-Stack Lite in Logical Systems

IPv6 dual-stack lite (DS-Lite) allows migration to an IPv6 access network without changing end-user software. IPv4 users can continue to access IPv4 internet content using their current hardware, while IPv6 users are able to access IPv6 content. A DS-Lite softwire initiator at the customer edge encapsulates IPv4 packets into IPv6 packets while a softwire concentrator decapsulates the IPv4-in-IPv6 packets and also performs IPv4 NAT translations.

A specific softwire concentrator and the set of softwire initiators that connect with that softwire concentrator can belong to only one logical system. The primary administrator configures the maximum and reserved numbers of softwire initiators that can be connected to a softwire concentrator in a logical system using the dslite-softwire-initiator configuration statement at the [edit system security-profile resources] hierarchy level. The default maximum value is the system maximum; the default reserved value is 0.

Note:

The primary administrator can configure a security profile for the primary logical system that specifies the maximum and reserved numbers of softwire initiators that can connect to a softwire concentrator configured for the primary logical system. The number of softwire initiators configured in the primary logical system counts toward the maximum number of softwire initiators available on the device.

The user logical system administrator can configure softwire concentrators for their user logical system and the primary administrator can configure softwire concentrators for the primary logical system at the [edit security softwires] hierarchy level. The primary administrator can also configure softwire concentrators for a user logical system at the [edit logical-systems logical-system security softwires] hierarchy level.

Note:

The softwire concentrator IPv6 address can match an IPv6 address configured on either a physical interface or a loopback interface.

Example: Configuring IPv6 for the Primary, Interconnect, and User Logical Systems (Primary Administrators Only)

This topic covers configuration of IPv6 interfaces, static routes, and routing instances for the primary and interconnect logical systems. It also covers configuration of IPv6 logical tunnel interfaces for user logical systems.

Overview

This scenario shows how to configure interfaces for the logical systems on the device, including an interconnect logical system.

  • For the interconnect logical system, the example configures logical tunnel interfaces lt-0/0/0.0, lt-0/0/0.2, and lt-0/0/0.4. The example configures a routing instance called vr and assigns the interfaces to it.

    Because the interconnect logical system acts as a virtual switch, it is configured as a VPLS routing instance type. The interconnect logical system’s lt-0/0/0 interfaces are configured with ethernet-vpls as the encapsulation type. The corresponding peer lt-0/0/0 interfaces in the primary and user logical systems are configured with Ethernet as the encapsulation type.

    • lt-0/0/0.0 connects to lt-0/0/0.1 on the root logical system.

    • lt-0/0/0.2 connects to lt-0/0/0.3 on the LSYS1 logical system.

    • lt-0/0/0.4 connects to lt-0/0/0.5 on the LSYS2 logical system.

  • For the primary logical system, called root-logical-system, the example configures ge-5/0/0 and assigns it to the vr0 routing instance. The example configures lt-0/0/0.1 to connect to lt-0/0/0.0 on the interconnect logical system and assigns it to the vr0 routing instance. The example configures static routes to allow for communication with other logical systems and assigns them to the vr0 routing instance.

  • For the LSYS1 logical system, the example configures lt-0/0/0.3 to connect to lt-0/0/0.2 on the interconnect logical system.

  • For the LSYS2 logical system, the example configures lt-0/0/0.5 to connect to lt-0/0/0.4 on the interconnect logical system.

Figure 1 shows the topology for this deployment including virtual routers and their interfaces for all IPv6 logical systems.

Topology

Figure 1: Configuring IPv6 Logical Tunnel Interfaces, Logical Interfaces, and Virtual Routers

Configuration

This topic explains how to configure interfaces for logical systems.

Configuring Logical Tunnel Interfaces and a Routing Instance for the Interconnect Logical System

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the interconnect system lt-0/0/0 interfaces and routing instances:

  1. Enable flow-based forwarding for IPv6 traffic.

  2. Configure the lt-0/0/0 interfaces.

  3. Configure the routing instance for the interconnect logical system and add its lt-0/0/0 interfaces to it.

Results

From configuration mode, confirm your configuration by entering the show logical-systems interconnect-logical-system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring Interfaces, a Routing Instance, and Static Routes for the Primary Logical System

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the primary logical system interfaces:

  1. Configure the primary (root) logical system and lt-0/0/0.1 interfaces.

  2. Configure a routing instance for the primary logical system, assign its interfaces to it, and configure static routes for it.

Results

From configuration mode, confirm your configuration by entering the show interfaces and show routing-instances commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring Logical Tunnel Interfaces for the User Logical Systems

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

  1. Configure the lt-0/0/0 interface for the first user logical system:

  2. Configure the lt-0/0/0 interface for the second user logical system.
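
The logical tunnel pairing described in the overview, written out as Junos set commands. This is an added example, not the configuration from the original page: the unit numbers, peer units, encapsulation types, and the vr routing instance come from the overview above, while the 2001:db8:0:ff::/64 addresses are constructed placeholders.

```junos
# Enable flow-based forwarding for IPv6 traffic (interconnect procedure, step 1).
set security forwarding-options family inet6 mode flow-based

# Interconnect logical system: the switch side of each tunnel.
# Each unit uses ethernet-vpls encapsulation and names the unit it peers with.
set logical-systems interconnect-logical-system interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems interconnect-logical-system interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems interconnect-logical-system interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
set logical-systems interconnect-logical-system interfaces lt-0/0/0 unit 2 peer-unit 3
set logical-systems interconnect-logical-system interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
set logical-systems interconnect-logical-system interfaces lt-0/0/0 unit 4 peer-unit 5

# VPLS routing instance vr holding the three interconnect interfaces.
set logical-systems interconnect-logical-system routing-instances vr instance-type vpls
set logical-systems interconnect-logical-system routing-instances vr interface lt-0/0/0.0
set logical-systems interconnect-logical-system routing-instances vr interface lt-0/0/0.2
set logical-systems interconnect-logical-system routing-instances vr interface lt-0/0/0.4

# Primary (root) logical system: lt-0/0/0.1 peers with lt-0/0/0.0.
# The peer side uses plain ethernet encapsulation. Address is a constructed placeholder.
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet6 address 2001:db8:0:ff::1/64

# LSYS1: lt-0/0/0.3 peers with lt-0/0/0.2. Address is a constructed placeholder.
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 encapsulation ethernet
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 peer-unit 2
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 family inet6 address 2001:db8:0:ff::2/64

# LSYS2: lt-0/0/0.5 peers with lt-0/0/0.4. Address is a constructed placeholder.
set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 encapsulation ethernet
set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 peer-unit 4
set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 family inet6 address 2001:db8:0:ff::3/64
```

Every peer-unit value must be mirrored on the other end of the tunnel (0 and 1, 2 and 3, 4 and 5); the ge-5/0/0 interface, the vr0 routing instance, and the static routes of the primary logical system are left out because the page does not give their values.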

Results

From configuration mode, confirm your configuration by entering the show logical-systems LSYS1 interfaces lt-0/0/0 and show logical-systems LSYS2 interfaces lt-0/0/0 commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying That the Static Routes Configured for the Primary Administrator Are Correct

Purpose

Confirm that the configuration is working properly. Verify that you can send data from the primary logical system to the other logical systems.

Action

From operational mode, use the ping command.

Example: Configuring IPv6 Zones for a User Logical System

This example shows how to configure IPv6 zones for a user logical system.

Requirements

Before you begin:

  • Log in to the user logical system as the user logical system administrator.

    See User Logical Systems Configuration Overview.

  • Ensure that the forwarding option for inet6 is flow-based. Otherwise, you must configure it and reset the device.

    Use the show security forwarding-options command to check the configuration.

    Note:

    Only the user logical system administrator can configure the forwarding options.

Overview

This example configures the ls-product-design user logical system described in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

This example creates the IPv6 zones and address books described in Table 1.

Table 1: User Logical System Zone and Address Book Configuration

| Feature | Name | Configuration Parameters |
|---|---|---|
| Zones | ls-product-design-trust | Bind to interface ge-0/0/5.1. TCP reset enabled. |
| Zones | ls-product-design-untrust | Bind to interface lt-0/0/0.3. |
| Address books | product-design-internal | Address product-designers: 3002::1/96. Attach to zone ls-product-design-trust. |
| Address books | product-design-external | Address marketing: 3003::1/24. Address accounting: 3004::1/24. Address others: 3002::2/24. Address set otherlsys: marketing, accounting. Attach to zone ls-product-design-untrust. |

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure IPv6 zones in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

  2. Configure a security zone and assign it to an interface.

  3. Configure the TCP-Reset parameter for the zone.

  4. Configure a security zone and assign it to an interface.

  5. Create global address book entries.

  6. Attach address books to zones.
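
The zones and address books of Table 1 as Junos set commands, entered at the [edit] level inside the ls-product-design user logical system. This is an added example, not the configuration from the original page; all names, interfaces, and prefixes are taken from Table 1.

```junos
# Steps 2-3: trust zone bound to ge-0/0/5.1, with TCP reset enabled.
set security zones security-zone ls-product-design-trust interfaces ge-0/0/5.1
set security zones security-zone ls-product-design-trust tcp-rst

# Step 4: untrust zone bound to the logical tunnel toward the interconnect.
set security zones security-zone ls-product-design-untrust interfaces lt-0/0/0.3

# Step 5: address book entries and the otherlsys address set.
set security address-book product-design-internal address product-designers 3002::1/96
set security address-book product-design-external address marketing 3003::1/24
set security address-book product-design-external address accounting 3004::1/24
set security address-book product-design-external address others 3002::2/24
set security address-book product-design-external address-set otherlsys address marketing
set security address-book product-design-external address-set otherlsys address accounting

# Step 6: attach each address book to its zone.
set security address-book product-design-internal attach zone ls-product-design-trust
set security address-book product-design-external attach zone ls-product-design-untrust
```

Policies in this logical system can only reference an address through a zone that its address book is attached to, so the attach statements in step 6 are what make product-designers and otherlsys usable in the policy example.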

Results

From configuration mode, confirm your configuration by entering the show security zones command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Example: Configuring IPv6 Security Policies for a User Logical System

This example shows how to configure IPv6 security policies for a user logical system.

Requirements

Before you begin:

Overview

This example shows how to configure the security policies described in Table 2.

Table 2: User Logical System Security Policies Configuration

| Policy Name | Configuration Parameters |
|---|---|
| permit-all-to-otherlsys | Permit the following traffic: From zone: ls-product-design-trust. To zone: ls-product-design-untrust. Source address: product-designers. Destination address: otherlsys. Application: any. |
| permit-all-from-otherlsys | Permit the following traffic: From zone: ls-product-design-untrust. To zone: ls-product-design-trust. Source address: otherlsys. Destination address: product-designers. Application: any. |

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure IPv6 security policies for a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

  2. Configure a security policy that permits traffic from the ls-product-design-trust zone to the ls-product-design-untrust zone.

  3. Configure a security policy that permits traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone.
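
The two policies of Table 2 as Junos set commands, entered at the [edit] level inside the ls-product-design user logical system. This is an added example, not the configuration from the original page; it assumes the zones, addresses, and the otherlsys address set of Table 1 already exist.

```junos
# Step 2: trust -> untrust, product-designers may reach the otherlsys address set.
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys match source-address product-designers
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys match destination-address otherlsys
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys match application any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy permit-all-to-otherlsys then permit

# Step 3: untrust -> trust, the otherlsys address set may reach product-designers.
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match source-address otherlsys
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match destination-address product-designers
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match application any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys then permit
```

Both policies match application any, as Table 2 specifies, and the address named others is not a member of otherlsys, so traffic to or from it matches neither policy.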

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration

Purpose

Verify information about policies and rules.

Action

From operational mode, enter the show security policies detail command to display a summary of all policies configured on the logical system.

Example: Configuring IPv6 Dual-Stack Lite for a User Logical System

This example shows how to configure a softwire concentrator for a user logical system.

Requirements

Before you begin:

  • Log in to the user logical system as the user logical system administrator. See User Logical Systems Configuration Overview.

  • Use the show system security-profile dslite-softwire-initiator command to see the number of softwire initiators that can be connected to a softwire concentrator in the logical system.

Overview

This example shows how to configure a softwire concentrator to decapsulate IPv4-in-IPv6 packets in the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. The IPv6 address of the softwire concentrator is 3000::1 and the name of the softwire configuration is sc_1.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IPv6 DS-Lite softwire concentrator:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

  2. Specify the address of the softwire concentrator and the softwire type.

Results

From configuration mode, confirm your configuration by entering the show security softwires command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the DS-Lite Configuration

Purpose

Verify that the softwire initiators can connect to the softwire concentrator configured in the user logical system.

Action

From operational mode, enter the show security softwires command.

If a softwire initiator is not connected, the operational output looks like this:

If a softwire initiator is connected, the operational output looks like this: