[j-nsp] EX3300 family ethernet-switching IPv6 matches?
Chuck Anderson
cra at WPI.EDU
Wed Jan 8 14:33:43 EST 2014
On Wed, Jan 08, 2014 at 06:07:39PM +0000, Phil Mayers wrote:
> All,
>
> The release notes for the EX3300 are a little vague on this, but
> strongly imply that as of Junos 12.3, IPv6 firewall filters are
> supported. However:
>
> [edit firewall family ethernet-switching filter FPP term deny-ra]
> admin at sh-299y# set from ip-version ?
> Possible completions:
> + apply-groups Groups from which to inherit configuration data
> + apply-groups-except Don't inherit configuration data from these groups
> > ipv4 Define L3/L4 match items to match IPv4 packets
>
> Note: no IPv6.
>
> I can match on the IPv6 ether-type, but not any L3/L4 items:
>
> [edit firewall family ethernet-switching filter FPP term deny-ra from]
> 'protocol'
> ipv4 match item not allowed when ether-type is ipv6
> [edit firewall family ethernet-switching filter FPP term deny-ra from]
> 'icmp-type'
> ipv4 match item not allowed when ether-type is ipv6
>
> Is this expected to work? Or is the "ipv6 support" for routed
> packets only, and not for ethernet-switching?
See:
http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/general/firewall-filter-ex-series-match-conditions-description.html
and:
http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/general/firewall-filter-ex-series-match-conditions-support.html
and likewise for 13.2, and you'll notice that your last statement is
correct.

Platform Support for Match Conditions for IPv6 Traffic

icmp-type number
  EX2200             Layer 3 interfaces  Layer 3 interfaces
  EX3200 and EX4200  Layer 3 interfaces  Layer 3 interfaces
  EX3300             Layer 3 interfaces  Layer 3 interfaces
  EX4500             Layer 3 interfaces  Layer 3 interfaces

ip-version version match_condition(s)
  EX2200             Not supported       Not supported
  EX3200 and EX4200  Not supported       Not supported
  EX3300             Not supported       Not supported
  EX4500             Not supported       Not supported

If Juniper is listening, please prioritize at least these two match
conditions on Ports (and less importantly, VLANs) for the EX platforms
so your customers can block Rogue RAs. Cisco has this support
already, and you said you would support this here:
http://www.juniper.net/us/en/local/pdf/whitepapers/2000418-en.pdf
Thanks.
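
Added example, not part of the original post or of any Juniper code: a Python sketch of the classification a port-level rogue-RA filter has to perform, i.e. ether-type IPv6, then next header ICMPv6, then ICMPv6 type 134. It goes beyond the thread by also skipping VLAN tags and walking IPv6 extension headers; the function names and the sample frames are constructed for illustration.

```python
import struct

ETH_IPV6, ICMPV6, RA_TYPE = 0x86DD, 58, 134
VLAN_TPIDS = {0x8100, 0x88A8}      # 802.1Q and 802.1ad tags
EXT_HDRS = {0, 43, 60}             # hop-by-hop, routing, destination options
FRAGMENT = 44

def is_router_advertisement(frame: bytes) -> bool:
    """True if the Ethernet frame carries an ICMPv6 Router Advertisement."""
    if len(frame) < 14:
        return False
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    while etype in VLAN_TPIDS:                 # skip stacked VLAN tags
        if len(frame) < off + 4:
            return False
        (etype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    # The ethernet-switching filter in the thread can match ether-type,
    # but none of the fields inspected below this point.
    if etype != ETH_IPV6 or len(frame) < off + 40 or frame[off] >> 4 != 6:
        return False
    nxt, off = frame[off + 6], off + 40        # IPv6 Next Header field
    while nxt in EXT_HDRS or nxt == FRAGMENT:  # walk the extension header chain
        if len(frame) < off + 8:
            return False
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", frame, off + 2)[0] >> 3:
                return False                   # non-first fragment: no ICMPv6 header
            hdr_len = 8
        else:
            hdr_len = (frame[off + 1] + 1) * 8
        nxt, off = frame[off], off + hdr_len
    return nxt == ICMPV6 and len(frame) > off and frame[off] == RA_TYPE

def sample_frame(icmp_type, vlan=False, dest_opts=False) -> bytes:
    """Constructed test frame (not captured traffic)."""
    icmp = bytes([icmp_type, 0]) + bytes(14)
    ext = bytes([ICMPV6, 0]) + bytes(6) if dest_opts else b""
    ip6 = struct.pack("!IHBB", 0x60000000, len(ext + icmp),
                      60 if dest_opts else ICMPV6, 255) + bytes(32)
    tag = struct.pack("!HH", 0x8100, 10) if vlan else b""
    macs = bytes.fromhex("333300000001020000000001")
    return macs + tag + struct.pack("!H", ETH_IPV6) + ip6 + ext + icmp

if __name__ == "__main__":
    for label, f in [("RA", sample_frame(134)), ("RA, VLAN 10", sample_frame(134, vlan=True)),
                     ("RA behind dest-opts", sample_frame(134, dest_opts=True)),
                     ("NS (type 135)", sample_frame(135))]:
        print(f"{label:22} -> {'drop' if is_router_advertisement(f) else 'forward'}")
```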