Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX] When CGNAT and Dual Stack are in the same VRF, Dual Stack does not work

0

0

Article ID: KB32911 KB Last Updated: 02 Feb 2019Version: 1.0
Summary:

Unable to connect Dual Stack subscriber when using BNG CGNAT and Dual stack in the same VRF.

Symptoms:

Dual Stack subscribers under a VRF with CGNAT will not connect.

Cause:

The RPF-check for IPv6 does not allow dual subscribers to connect.

Solution:
  1. Configure a firewall filter for IPv6 allowing destination IPv6 address ff02::1:2/128 and port 547.

    [MASTER]
    lab@MXtest1> show configuration firewall family inet6 filter rpf-pass-dhcpv6                  
    term allow-dhcp {
        from {
            destination-address {
                ff02::1:2/128;
            }
            destination-port 547;
        }
        then {
            count rpf-dhcp-traffic;
            accept;
        }
    }
    term default {
        then discard;
    }
  2. Then apply this IPv6 firewall filter to the rpf-check under the corresponding dynamic-profile.

    [MASTER]
    lab@MXtest1> show configuration dynamic-profiles CGNAT_DS interfaces 
    pp0 {
        unit "$junos-interface-unit" {
            no-traps;
            ppp-options {
                pap;
            }
            pppoe-options {
                underlying-interface "$junos-underlying-interface";
                server;
            }
            keepalives interval 30;
            family inet {
                rpf-check;
                unnumbered-address lo0.1;
            }
            family inet6 {
                rpf-check fail-filter rpf-pass-dhcpv6;   
                address $junos-ipv6-address;
            }
        }
    }
  3. Subscribers will now connect on a VRF with CGNAT and Dual-stack.

    [MASTER]
    lab@MXtest1> show subscribers    
    Interface           IP Address/VLAN ID          User Name             LS:RI
    pp0.3221225479      10.100.100.6                CGN-DS           default:NAT-44D      
    *                   2001:1208:ffff:5::/64
    *                   fdff:ffff:0:3::/64
    pp0.3221225479      2001:1208:ffff:5::/64                        default:NAT-44D    
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search