[j-nsp] IPv6 Router Guard
Chuck Anderson
cra at WPI.EDU
Fri Jul 29 09:16:28 EDT 2011
On Thu, Jul 28, 2011 at 09:40:21PM -0500, Chris Adams wrote:
> Once upon a time, Chris Evans <chrisccnpspam2 at gmail.com> said:
> > I'm trying to implement a firewall filter to implement IPv6 RA guard on an
> > EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
> > However it appears that the EX4200 only supports IPv4 at this time for
> > PACLs? I have applied the filter ingress to my interfaces and RA
> > advertisements are still passing.
> >
> > This is on 11.1 code. Anyone else tried this??
> >
> > EX4200-1> show configuration firewall
> > family ethernet-switching {
> >     term RA-GUARD-ICMP-RA {
> >         from {
> >             protocol icmp;
> >             icmp-type router-advertisement;
>
> You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
> can match protocol icmpv6, but I don't think there is a corresponding
> icmpv6-type, so I don't think you can do this right now.
Right. As a workaround, if you don't want any IPv6 packets to pass at
all, you can block by Ethertype:
firewall {
    family ethernet-switching {
        filter DROP-IPv6 {
            term DROP-IPv6 {
                from {
                    ether-type 0x86dd;
                }
                then {
                    discard;
                    count DROP-IPv6;
                }
            }
            term ACCEPT {
                then accept;
            }
        }
    }
}
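Added illustration, not part of the thread: a small Python frame classifier that shows why the quoted `protocol icmp; icmp-type router-advertisement` term matches only IPv4 ICMP type 9 and never an ICMPv6 type 134 RA, and that the `ether-type 0x86dd` workaround matches every IPv6 frame, RA or not. The sample frames are constructed inline (zeroed addresses, no checksums) and the function names are my own.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMP = 1
IPPROTO_ICMPV6 = 58
ICMP_ROUTER_ADVERTISEMENT = 9      # IPv4 ICMP (RFC 1256): what the quoted term matches
ICMPV6_ROUTER_ADVERTISEMENT = 134  # ICMPv6 (RFC 4861): what RA guard actually needs

def parse_frame(frame):
    """Return (ethertype, l4_protocol, l4_type) for a raw Ethernet frame; None if absent."""
    if len(frame) < 14:
        return None, None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes
        l4 = payload[ihl:]
        return ethertype, payload[9], (l4[0] if l4 else None)
    if ethertype == ETHERTYPE_IPV6 and len(payload) >= 40:
        l4 = payload[40:]                      # fixed 40-byte IPv6 header, no extension headers
        return ethertype, payload[6], (l4[0] if l4 else None)
    return ethertype, None, None

def matches_icmp_ra_term(frame):
    """Quoted term 'protocol icmp; icmp-type router-advertisement': IPv4 ICMP type 9 only."""
    ethertype, proto, l4_type = parse_frame(frame)
    return ethertype == ETHERTYPE_IPV4 and proto == IPPROTO_ICMP and l4_type == ICMP_ROUTER_ADVERTISEMENT

def matches_drop_ipv6_term(frame):
    """Workaround term 'ether-type 0x86dd': any IPv6 frame, whatever it carries."""
    return parse_frame(frame)[0] == ETHERTYPE_IPV6

def is_ipv6_ra(frame):
    """What an IPv6 RA guard would need to match: ICMPv6 type 134 inside IPv6."""
    ethertype, proto, l4_type = parse_frame(frame)
    return ethertype == ETHERTYPE_IPV6 and proto == IPPROTO_ICMPV6 and l4_type == ICMPV6_ROUTER_ADVERTISEMENT

def build_frame(ethertype, l3_header, l4_payload):
    # constructed sample frame: zeroed MACs; checksums are irrelevant to classification
    return b"\x00" * 12 + struct.pack("!H", ethertype) + l3_header + l4_payload

# Constructed sample frames (minimal headers, zeroed addresses)
IPV6_RA_FRAME = build_frame(ETHERTYPE_IPV6,
    bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", 16, IPPROTO_ICMPV6, 255) + b"\x00" * 32,
    bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0]) + b"\x00" * 14)
IPV6_TCP_FRAME = build_frame(ETHERTYPE_IPV6,
    bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", 20, 6, 64) + b"\x00" * 32,
    b"\x00" * 20)
IPV4_ICMP_RA_FRAME = build_frame(ETHERTYPE_IPV4,
    bytes([0x45, 0]) + struct.pack("!H", 28) + b"\x00" * 5 + bytes([IPPROTO_ICMP]) + b"\x00" * 10,
    bytes([ICMP_ROUTER_ADVERTISEMENT, 0]) + b"\x00" * 6)
```

Running the three frames through the two terms shows the IPv6 RA slipping past the quoted term while the ether-type term drops it together with unrelated IPv6 traffic such as the TCP frame.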