[j-nsp] IPv6 firewall filter for Route-Engine protection
Alex D.
listensammler at gmx.de
Mon Jan 23 17:48:42 EST 2012
Many thanks.
I will take this as a starting point.
> You want to use next-header keyword matches for v6. Note, you can only match on one/the first next-header.
>
> From:
> http://tools.ietf.org/html/rfc6192#appendix-A.2
>
>
> family inet6 {
>     filter protect-router-control-plane-v6 {
>         term fragv6 {
>             from {
>                 next-header fragment;
>             }
>             then {
>                 count frag-v6-discards;
>                 log;
>                 discard;
>             }
>         }
>         term icmpv6 {
>             from {
>                 next-header icmpv6;
>             }
>             then {
>                 policer 500kbps;
>                 accept;
>             }
>         }
>         term ospfv3 {
>             from {
>                 source-address {
>                     FE80::/10;
>                 }
>                 next-header ospf;
>             }
>             then accept;
>         }
>         term ibgpv6-connect {
>             from {
>                 source-prefix-list {
>                     IBGPv6-NEIGHBORS;
>                 }
>                 next-header tcp;
>                 destination-port bgp;
>             }
>             then accept;
>         }
>         term ibgpv6-reply {
>             from {
>                 source-prefix-list {
>                     IBGPv6-NEIGHBORS;
>                 }
>                 next-header tcp;
>                 port bgp;
>             }
>             then accept;
>         }
>         term ebgpv6-connect {
>             from {
>                 source-prefix-list {
>                     EBGPv6-NEIGHBORS;
>                 }
>                 next-header tcp;
>                 destination-port bgp;
>             }
>             then accept;
>         }
>
>
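The following is an added example, not part of the quoted post or of RFC 6192: a small Python model of the quoted Junos terms, run over constructed IPv6 packets, so the term-by-term behaviour of the filter can be checked offline. It follows the note in the post that `next-header` matches only the first next-header, applies the terms in order with first match winning, and falls through to the implicit discard that Junos applies to traffic no term matches. The contents of the `IBGPv6-NEIGHBORS` and `EBGPv6-NEIGHBORS` prefix lists, the addresses, and the ports are assumptions chosen for the example; the filter excerpt itself carries no values for them. The last case shows the operational consequence of the first-next-header limitation: an ICMPv6 message carried behind a Hop-by-Hop Options header (as MLD is, with its Router Alert option) is not matched by the `icmpv6` term and ends up in the implicit discard.

```python
import ipaddress
import struct

# IANA protocol / next-header numbers behind the keywords used in the quoted terms
NEXT_HEADER = {"hop-by-hop": 0, "tcp": 6, "fragment": 44, "icmpv6": 58, "ospf": 89}
BGP_PORT = 179  # the "bgp" port keyword in the Junos terms

# Assumed contents of the two prefix lists the filter references (constructed, not from the RFC)
PREFIX_LISTS = {
    "IBGPv6-NEIGHBORS": [ipaddress.ip_network("2001:db8:1::/64")],
    "EBGPv6-NEIGHBORS": [ipaddress.ip_network("2001:db8:ffff::/48")],
}

# The quoted terms in configuration order: (name, match conditions, action).
# "port" matches either the source or the destination port, as in Junos.
TERMS = [
    ("fragv6", {"next-header": "fragment"}, "discard"),
    ("icmpv6", {"next-header": "icmpv6"}, "accept"),  # policer 500kbps not modelled
    ("ospfv3", {"source-address": "fe80::/10", "next-header": "ospf"}, "accept"),
    ("ibgpv6-connect", {"source-prefix-list": "IBGPv6-NEIGHBORS", "next-header": "tcp",
                        "destination-port": BGP_PORT}, "accept"),
    ("ibgpv6-reply", {"source-prefix-list": "IBGPv6-NEIGHBORS", "next-header": "tcp",
                      "port": BGP_PORT}, "accept"),
    ("ebgpv6-connect", {"source-prefix-list": "EBGPv6-NEIGHBORS", "next-header": "tcp",
                        "destination-port": BGP_PORT}, "accept"),
]


def build_packet(src, dst, next_header, payload=b""):
    """Constructed IPv6 fixed header (RFC 8200, 40 bytes) followed by the given payload."""
    header = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return header + payload


def build_tcp(sport, dport):
    """Minimal 20-byte TCP header; only the two ports matter to the filter."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)


def build_hop_by_hop(inner_next_header):
    """8-byte Hop-by-Hop Options header carrying a Router Alert (type 5, value 0 = MLD) plus PadN."""
    return struct.pack("!BBBBHBB", inner_next_header, 0, 5, 2, 0, 1, 0)


def parse_packet(pkt):
    """Extract the fields the filter can match: source, first next-header, TCP ports if TCP comes first."""
    _, _, nh, _, src, _ = struct.unpack("!IHBB16s16s", pkt[:40])
    fields = {"src": ipaddress.IPv6Address(src), "next_header": nh, "sport": None, "dport": None}
    if nh == NEXT_HEADER["tcp"] and len(pkt) >= 44:
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[40:44])
    return fields


def term_matches(match, f):
    """All conditions of a term must hold for it to match (Junos ANDs the from-clauses)."""
    for key, want in match.items():
        if key == "next-header" and f["next_header"] != NEXT_HEADER[want]:
            return False
        if key == "source-address" and f["src"] not in ipaddress.ip_network(want):
            return False
        if key == "source-prefix-list" and not any(f["src"] in n for n in PREFIX_LISTS[want]):
            return False
        if key == "destination-port" and f["dport"] != want:
            return False
        if key == "port" and want not in (f["sport"], f["dport"]):
            return False
    return True


def apply_filter(pkt, counters=None):
    """Return (term, action) for the first matching term; unmatched traffic hits the implicit discard."""
    f = parse_packet(pkt)
    for name, match, action in TERMS:
        if term_matches(match, f):
            if counters is not None and name == "fragv6":  # the term's "count frag-v6-discards"
                counters["frag-v6-discards"] = counters.get("frag-v6-discards", 0) + 1
            return name, action
    return "implicit", "discard"


if __name__ == "__main__":
    samples = {
        "fragment from iBGP peer": build_packet("2001:db8:1::5", "2001:db8::1", NEXT_HEADER["fragment"]),
        "plain ICMPv6": build_packet("2001:db8:1::5", "2001:db8::1", NEXT_HEADER["icmpv6"]),
        "OSPFv3 hello, link-local source": build_packet("fe80::1", "ff02::5", NEXT_HEADER["ospf"]),
        "OSPFv3 from a global source": build_packet("2001:db8:1::5", "ff02::5", NEXT_HEADER["ospf"]),
        "iBGP connect": build_packet("2001:db8:1::5", "2001:db8::1", NEXT_HEADER["tcp"], build_tcp(40000, BGP_PORT)),
        "iBGP reply": build_packet("2001:db8:1::5", "2001:db8::1", NEXT_HEADER["tcp"], build_tcp(BGP_PORT, 40000)),
        "eBGP reply (no term in the excerpt)": build_packet("2001:db8:ffff::9", "2001:db8::1", NEXT_HEADER["tcp"], build_tcp(BGP_PORT, 40000)),
        "MLD report: Hop-by-Hop then ICMPv6": build_packet("fe80::1", "ff02::16", NEXT_HEADER["hop-by-hop"], build_hop_by_hop(NEXT_HEADER["icmpv6"])),
    }
    counters = {}
    for label, pkt in samples.items():
        print(f"{label:40s} -> {apply_filter(pkt, counters)}")
    print("counters:", counters)
```

The model deliberately does not look past the first extension header, because that is what the quoted post says the `next-header` match does; anyone adapting the filter should therefore check which of their control-plane protocols arrive behind Hop-by-Hop or other extension headers before relying on the implicit discard.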