[j-nsp] blocking IPv6 RAs on EX2200/3200/4200

Chuck Anderson cra at WPI.EDU
Thu Apr 28 09:20:47 EDT 2011


On Wed, Apr 27, 2011 at 10:21:31PM +0200, martin papik wrote:
> Can I block (drop) router advertisement (RA) only on specific ports in
> EX2400 (EX2200) configuration?
> The problem is in security, because when any station (PC, notebook)
> connected to the LAN starts its own (but not official!!!) RA, I think that this unofficial RA
> will pass through the switch. RA is using icmpv6 port 134. For example some PCs with
> Windows OS should generate their own unofficial RA. Maybe I can use a firewall filter, but this
> will generate higher CPU load :-(. Is it possible to use another specific conf. command?
> Did anyone solve this type of problem in the past?

No, not today.  There is no firewall filter match condition for ICMPv6
types on EX2200/3200/4200, but I've asked for this feature to be
added.  Firewall filters on EX will not cause higher CPU load as far
as I know since they are processed in hardware.

The best I've been able to do so far is block all native IPv6 ethernet
frames based on ethertype, which only works until we start to deploy
IPv6 officially.  Here is an example that blocks IPv6 on a specific
list of ports:

[edit firewall]
family ethernet-switching {
    filter DROP-IPv6 {
        term DROP-IPv6 {
            from {
                ether-type 0x86dd;
            }
            then {
                discard;
                inactive: log;
                count DROP-IPv6;
            }
        }
        term ACCEPT {
            then accept;
        }
    }
}

[edit interfaces]
interface-range EDGE {
    member "ge-0/0/[14-46]";
    member "ge-1/0/[0-6]";
    member "ge-1/0/[8-12]";
    member "ge-1/0/[14-47]";
    member "ge-2/0/[0-1]";
    member "ge-2/0/[3-7]";
    member "ge-2/0/[9-47]";
    member "ge-0/0/[0-7]";
    member "ge-0/0/[9-12]";
    unit 0 {
        family ethernet-switching {
            filter {
                input DROP-IPv6;
                output DROP-IPv6;
            }
        }
    }
}
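The following is an added example, not code from the post above or from Juniper: it builds a few constructed Ethernet frames in Python and classifies them two ways, first with the ether-type 0x86dd match that the DROP-IPv6 filter uses, then with the ICMPv6-type-134 match the post says is not available as a filter condition on EX2200/3200/4200. Running it shows concretely why the ether-type approach only works until IPv6 is deployed: it discards Neighbor Solicitation and ordinary IPv6 TCP traffic along with the rogue RA, whereas a type-aware match would drop only the RA. The MAC and IPv6 addresses, the frame contents, and the function names are assumptions for the demonstration; ICMPv6 checksums are left at zero because neither match looks at them.

```python
"""Added example (not from the j-nsp post): ether-type filter vs. ICMPv6-type filter."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD                 # the only thing the DROP-IPv6 filter can match
NEXT_HEADER_ICMPV6 = 58
NEXT_HEADER_TCP = 6
ICMPV6_ROUTER_ADVERTISEMENT = 134       # RFC 4861 RA type (an ICMPv6 type, not a port)
ICMPV6_NEIGHBOR_SOLICITATION = 135

# Constructed sample addresses (assumptions, not captured traffic).
MAC_HOST = bytes.fromhex("001122334455")
MAC_ALL_NODES = bytes.fromhex("333300000001")              # multicast MAC for ff02::1
IP6_LINK_LOCAL = bytes.fromhex("fe80" + "00" * 13 + "01")  # fe80::1
IP6_ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1


def ethernet(ethertype, payload, dst=MAC_ALL_NODES, src=MAC_HOST):
    """14-byte Ethernet II header: dst MAC, src MAC, ether-type."""
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv6(next_header, payload, hop_limit=255, src=IP6_LINK_LOCAL, dst=IP6_ALL_NODES):
    """Fixed 40-byte IPv6 header: version 6, payload length, next header, hop limit, addresses."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit) + src + dst + payload


def icmpv6(msg_type, body):
    """ICMPv6 header: type, code 0, checksum left at zero (not needed for classification)."""
    return struct.pack("!BBH", msg_type, 0, 0) + body


# Constructed frames: a rogue RA from a host, plus IPv6 traffic that is NOT an RA.
ROGUE_RA = ethernet(ETHERTYPE_IPV6, ipv6(NEXT_HEADER_ICMPV6, icmpv6(
    ICMPV6_ROUTER_ADVERTISEMENT,
    struct.pack("!BBHII", 64, 0, 1800, 0, 0))))  # cur hop limit, flags, lifetime, reachable, retrans
NEIGHBOR_SOL = ethernet(ETHERTYPE_IPV6, ipv6(NEXT_HEADER_ICMPV6, icmpv6(
    ICMPV6_NEIGHBOR_SOLICITATION, bytes(4) + IP6_LINK_LOCAL)))  # reserved + target address
IPV6_TCP = ethernet(ETHERTYPE_IPV6, ipv6(NEXT_HEADER_TCP, bytes(20), hop_limit=64))  # dummy TCP header
IPV4_FRAME = ethernet(ETHERTYPE_IPV4, bytes(20))  # dummy IPv4 header, untouched by either filter

SAMPLES = {
    "rogue_ra": ROGUE_RA,
    "neighbor_sol": NEIGHBOR_SOL,
    "ipv6_tcp": IPV6_TCP,
    "ipv4": IPV4_FRAME,
}


def ethertype_is_ipv6(frame):
    """Match used by the DROP-IPv6 filter in the post: any frame with ether-type 0x86dd."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV6


def is_router_advertisement(frame):
    """The match the post wants: IPv6 + next header ICMPv6 + ICMPv6 type 134.

    Assumption: no IPv6 extension headers sit between the IPv6 header and ICMPv6
    (an RFC 4861 RA carries none, so this is the common case).
    """
    if not ethertype_is_ipv6(frame):
        return False
    ip6 = frame[14:]
    if len(ip6) < 41 or ip6[6] != NEXT_HEADER_ICMPV6:
        return False
    return ip6[40] == ICMPV6_ROUTER_ADVERTISEMENT


def compare_filters(frames):
    """Return {name: (dropped by ether-type filter, dropped by RA-only filter)}."""
    return {name: (ethertype_is_ipv6(f), is_router_advertisement(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (by_ethertype, by_ra) in compare_filters(SAMPLES).items():
        print(f"{name:13s} ether-type filter drops: {str(by_ethertype):5s} RA-only filter drops: {by_ra}")
```

The ether-type column comes back True for every IPv6 frame, including the Neighbor Solicitation that hosts need for address resolution, which is exactly the collateral damage the post accepts as a stopgap; the RA-only column is True for the rogue RA alone. Whether a given switch can do the second match in hardware is a platform question, and for these EX models the post says the answer at the time was no.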


More information about the juniper-nsp mailing list