[j-nsp] EX3300 IPv6 filtering

Phil Mayers p.mayers at imperial.ac.uk
Mon Jun 23 07:08:57 EDT 2014


All,

tl;dr - don't be misled by the release notes item for 12.3R6, EX 3300 
*still* cannot match IPv6 fields in ethernet-switching filters.

Some of you may have spotted the following:

http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/firewall-filter-ex-series-overview.html

"""
You can apply port, VLAN, or router firewall filters to both IPv4 and 
IPv6 traffic on these switches:
...
EX3300 switch
"""

...and also the 12.3R6 release notes which mention PR954496 and say:

"""
Starting with Junos OS Release 12.3R6, you can configure new match 
conditions, actions, and action modifiers for IPv6 firewall filters on 
EX2200 and EX3300 switches
"""

For the avoidance of doubt, it is NOT possible to write an 
ethernet-switching firewall filter which matches IPv6 header fields on 
12.3R6.6, and this is confirmed as expected behaviour by JTAC.

The above release notes item (according to JTAC) refers to loopback 
firewall filters, and the aforementioned URL apparently means "filters 
you write will apply to IPv6 packets", not "you can write filters 
matching on IPv6 fields".

So you can block IPv6 packets by MAC address... w00t...

JTAC were not forthcoming on whether this is a current or "forever" 
limitation, and our account team have not yet been able to give us an 
answer.

2014 and it can't match an IPv6 address. Great going Juniper! </sarcasm>

