[j-nsp] IPv6 Router Guard

Chris Evans chrisccnpspam2 at gmail.com
Fri Jul 29 09:35:41 EDT 2011


I definitely want IPv6 but am researching how to implement RA guard on
Juniper devices.
On Jul 29, 2011 9:19 AM, "Chuck Anderson" <cra at wpi.edu> wrote:
> On Thu, Jul 28, 2011 at 09:40:21PM -0500, Chris Adams wrote:
>> Once upon a time, Chris Evans <chrisccnpspam2 at gmail.com> said:
>> > I'm trying to implement a firewall filter to implement IPv6 RA guard on an
>> > EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
>> > However it appears that the EX4200 only supports IPv4 at this time for
>> > PACLs? I have applied the filter ingress to my interfaces and RA
>> > advertisements are still passing.
>> >
>> > This is on 11.1 code. Anyone else tried this??
>> >
>> > EX4200-1> show configuration firewall
>> > family ethernet-switching {
>> > term RA-GUARD-ICMP-RA {
>> > from {
>> > protocol icmp;
>> > icmp-type router-advertisement;
>>
>> You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
>> can match protocol icmpv6, but I don't think there is a corresponding
>> icmpv6-type, so I don't think you can do this right now.
>
> Right. As a workaround if you don't want any IPv6 packets to pass at
> all, you can block by Ethertype:
>
> firewall {
>     family ethernet-switching {
>         filter DROP-IPv6 {
>             term DROP-IPv6 {
>                 from {
>                     ether-type 0x86dd;
>                 }
>                 then {
>                     discard;
>                     count DROP-IPv6;
>                 }
>             }
>             term ACCEPT {
>                 then accept;
>             }
>         }
>     }
> }
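The mismatch discussed in this thread, as an added example that is not from any poster or from Juniper: a small frame classifier showing that an IPv6 router advertisement is ICMPv6 type 134 inside EtherType 0x86dd, so a term matching IPv4 `protocol icmp` / `icmp-type router-advertisement` (type 9) never sees it, while the EtherType term matches all IPv6. The function names and sample frames are constructed for illustration; it goes slightly beyond the thread by stepping over 802.1Q tags and IPv6 extension headers.

```python
import struct
ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
ICMP, ICMPV6 = 1, 58
RA_V4, RA_V6 = 9, 134          # router-advertisement type: ICMP vs ICMPv6
EXT_HDRS = {0, 43, 60}         # hop-by-hop, routing, destination options

def classify(frame: bytes) -> str:
    """Label an Ethernet frame by what a layer-2 RA filter must match on."""
    if len(frame) < 14:
        return "short"
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype == ETH_VLAN and len(frame) >= off + 6:   # step over 802.1Q tags
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if etype == ETH_IPV4 and len(frame) >= off + 20:
        l4 = off + (frame[off] & 0x0F) * 4                # IHL gives header length
        is_ra = frame[off + 9] == ICMP and len(frame) > l4 and frame[l4] == RA_V4
        return "ipv4-icmp-ra" if is_ra else "ipv4-other"
    if etype == ETH_IPV6 and len(frame) >= off + 40:
        nxt, off = frame[off + 6], off + 40
        while nxt in EXT_HDRS and len(frame) >= off + 8:  # fragments are not followed
            nxt, off = frame[off], off + (frame[off + 1] + 1) * 8
        is_ra = nxt == ICMPV6 and len(frame) > off and frame[off] == RA_V6
        return "ipv6-icmpv6-ra" if is_ra else "ipv6-other"
    return "other"

def verdicts(frame: bytes) -> dict:
    """Which of the two terms discussed in the thread would match this frame."""
    label = classify(frame)
    return {"label": label, "icmp_ra_term_matches": label == "ipv4-icmp-ra",
            "ethertype_term_matches": label.startswith("ipv6")}

# Constructed sample frames (zeroed addresses and checksums, not captured traffic).
def eth(etype, payload, vlan=None):
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return bytes(12) + tag + struct.pack("!H", etype) + payload
def ipv6(nxt, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 255) + bytes(32) + payload
RA6 = bytes([RA_V6, 0]) + bytes(14)
SAMPLES = {
    "ra": eth(ETH_IPV6, ipv6(ICMPV6, RA6)),
    "ra_vlan": eth(ETH_IPV6, ipv6(ICMPV6, RA6), vlan=10),
    "ra_hbh": eth(ETH_IPV6, ipv6(0, bytes([ICMPV6, 0]) + bytes(6) + RA6)),
    "ns": eth(ETH_IPV6, ipv6(ICMPV6, bytes([135, 0]) + bytes(22))),
}

if __name__ == "__main__": print({k: verdicts(v) for k, v in SAMPLES.items()})
```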