[j-nsp] ICMPv6 over GRE

Mohammad Khalil eng.mssk at gmail.com
Mon Dec 17 09:40:33 EST 2012


Hi all
I have configured a gre interface on m10i like the below

safezone at IGR02# show interfaces gre
unit 0 {
    tunnel {
        source 109.107.129.253;
        destination 217.69.21.156;
        path-mtu-discovery;
    }
    family inet6 {
        address 2001:4830:d4:6::2/64;
    }
}

safezone at IGR02# run show interfaces gre
Physical interface: gre, Enabled, Physical link is Up
  Interface index: 10, SNMP ifIndex: 8
  Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: Unlimited
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps
    Input packets : 0
    Output packets: 0

  Logical interface gre.0 (Index 77) (SNMP ifIndex 260)
    Description: OCCAID_GRE_TUNNEL
    Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header
217.69.21.156:109.107.129.253:47:df:64:0000000000000000
Encapsulation: GRE-NULL
    Copy-tos-to-outer-ip-header: Off
    Input packets : 27
    Output packets: 48
    Protocol inet6, MTU: 1476
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2001:4830:d4:6::/64, Local: 2001:4830:d4:6::2
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::2a0:a5ff:fe64:4e03

My loopback interface has a filter
safezone at IGR02# show interfaces lo0
description IGR02_lo0_109.107.129.253;
unit 0 {
    family inet {
        filter {
            input RE-PROTECT;

When i remove my filter , the ping is working

The filter

safezone at IGR02# show firewall family inet filter RE-PROTECT | display
set
set firewall family inet filter RE-PROTECT term IP-OPTIONS_FILTER from
ip-options any
set firewall family inet filter RE-PROTECT term IP-OPTIONS_FILTER then
discard
set firewall family inet filter RE-PROTECT term ESTABLISHED from protocol
tcp
set firewall family inet filter RE-PROTECT term ESTABLISHED from protocol
gre
set firewall family inet filter RE-PROTECT term ESTABLISHED from protocol
ipv6
set firewall family inet filter RE-PROTECT term ESTABLISHED from protocol
icmpv6
set firewall family inet filter RE-PROTECT term ESTABLISHED from
tcp-established
set firewall family inet filter RE-PROTECT term ESTABLISHED then accept
set firewall family inet filter RE-PROTECT term BGP_FILTER from
source-prefix-list BGP_LIST
set firewall family inet filter RE-PROTECT term BGP_FILTER from
fragment-offset 0
set firewall family inet filter RE-PROTECT term BGP_FILTER from protocol tcp
set firewall family inet filter RE-PROTECT term BGP_FILTER from port bgp
set firewall family inet filter RE-PROTECT term BGP_FILTER then accept
set firewall family inet filter RE-PROTECT term MGMT_FILTER from
source-prefix-list MGMT_LIST
set firewall family inet filter RE-PROTECT term MGMT_FILTER from protocol
tcp
set firewall family inet filter RE-PROTECT term MGMT_FILTER from port ssh
set firewall family inet filter RE-PROTECT term MGMT_FILTER from port ftp
set firewall family inet filter RE-PROTECT term MGMT_FILTER from port
ftp-data
set firewall family inet filter RE-PROTECT term MGMT_FILTER then accept
set firewall family inet filter RE-PROTECT term SNMP_FILTER from
source-prefix-list SNMP_LIST
set firewall family inet filter RE-PROTECT term SNMP_FILTER from
fragment-offset 0
set firewall family inet filter RE-PROTECT term SNMP_FILTER from protocol
udp
set firewall family inet filter RE-PROTECT term SNMP_FILTER from
destination-port snmp
set firewall family inet filter RE-PROTECT term SNMP_FILTER then accept
set firewall family inet filter RE-PROTECT term DNS_FILTER from
source-prefix-list DNS_LIST
set firewall family inet filter RE-PROTECT term DNS_FILTER from
fragment-offset 0
set firewall family inet filter RE-PROTECT term DNS_FILTER from protocol udp
set firewall family inet filter RE-PROTECT term DNS_FILTER from source-port
domain
set firewall family inet filter RE-PROTECT term DNS_FILTER then accept
set firewall family inet filter RE-PROTECT term ICMP_FILTER from protocol
icmp
set firewall family inet filter RE-PROTECT term ICMP_FILTER from icmp-type
echo-request
set firewall family inet filter RE-PROTECT term ICMP_FILTER from icmp-type
echo-reply
set firewall family inet filter RE-PROTECT term ICMP_FILTER from icmp-type
time-exceeded
set firewall family inet filter RE-PROTECT term ICMP_FILTER from icmp-type
unreachable
set firewall family inet filter RE-PROTECT term ICMP_FILTER then policer
ICMP_POLICER

I added the gre and ipv6 protocol to the filter , but it did not work

Any ideas

BR,
Mohammad


More information about the juniper-nsp mailing list