[j-nsp] IPv6 firewall filter for Route-Engine protection

Harry Reynolds harry at juniper.net
Mon Jan 23 17:26:03 EST 2012


You want to use next-header keyword matches for v6. Note, you can only match on one/the first next-header.

From:
http://tools.ietf.org/html/rfc6192#appendix-A.2


    family inet6 {
           filter protect-router-control-plane-v6 {
               term fragv6 {
                   from {
                       next-header fragment;
                   }
                   then {
                       count frag-v6-discards;
                       log;
                       discard;
                   }
               }
               term icmpv6 {
                   from {
                       next-header icmpv6;
                   }
                   then {
                       policer 500kbps;
                       accept;
                   }
               }
               term ospfv3 {
                   from {
                       source-address {
                           FE80::/10;
                       }
                       next-header ospf;
                   }
                   then accept;
               }
               term ibgpv6-connect {
                   from {
                       source-prefix-list {
                           IBGPv6-NEIGHBORS;
                       }
                       next-header tcp;
                       destination-port bgp;
                   }
                   then accept;
               }
               term ibgpv6-reply {
                   from {
                       source-prefix-list {
                           IBGPv6-NEIGHBORS;
                       }
                       next-header tcp;
                       port bgp;
                   }
                   then accept;
               }
               term ebgpv6-connect {
                   from {
                       source-prefix-list {
                           EBGPv6-NEIGHBORS;
                       }
                       next-header tcp;
                       destination-port bgp;
                   }
                   then accept;
               }


HTHs




-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Alex D.
Sent: Monday, January 23, 2012 2:22 PM
To: Juniper-Nsp
Subject: [j-nsp] IPv6 firewall filter for Route-Engine protection

Hello guys,

I try to build a basic inet6 firewall filter for Route-Engine protection 
on Juniper MX80 running JUNOS 10.4R8.5.
It seems that there is no support for protocol match in "from" statement.
Is there actually no possibility for protocol match (e.g. tcp, udp, 
ospf3) or do I forget something?

Can someone give me a hint for a basic filter?

Regards,
Alex
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
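To make the quoted RFC excerpt committable, the following added example (not from the thread, the RFC, or Juniper) supplies the pieces the excerpt references but does not show: the two prefix lists, the 500kbps policer, a closing default-discard term, and the application of the filter to lo0 so that only Routing Engine bound traffic is filtered. The prefix-list addresses are constructed placeholders from the 2001:db8::/32 documentation range, and the policer rate and burst size are assumed values to be tuned per platform.

```junos
/* Added example, not from the thread or RFC 6192. */
policy-options {
    prefix-list IBGPv6-NEIGHBORS {
        /* constructed placeholder address */
        2001:db8:0:1::1/128;
    }
    prefix-list EBGPv6-NEIGHBORS {
        /* constructed placeholder address */
        2001:db8:ffff::2/128;
    }
}
firewall {
    /* policer referenced by the icmpv6 term; rate and burst are assumptions */
    policer 500kbps {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet6 {
        filter protect-router-control-plane-v6 {
            /* the terms fragv6, icmpv6, ospfv3, ibgpv6-connect, ibgpv6-reply */
            /* and ebgpv6-connect quoted above go here, in that order */
            /* last term: anything not explicitly accepted is counted, logged and dropped */
            term default-discard {
                then {
                    count re-v6-default-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                /* input filter on lo0 sees only traffic destined to the RE */
                filter {
                    input protect-router-control-plane-v6;
                }
            }
        }
    }
}
```

After commit, `show firewall filter protect-router-control-plane-v6` shows the per-term counters, which is the quickest way to confirm that BGP and OSPFv3 sessions land in their accept terms rather than in default-discard.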
