[j-nsp] Helo Juniper, your docs need work..
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 13 05:15:47 EST 2015
On 13/02/2015 00:08, Olivier Benghozi wrote:
> By the way in current JunOS 12.3 it looks there's at least one fix; in:
> http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/firewall-filter-ex-series-overview.html <http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/firewall-filter-ex-series-overview.html>
>
> they write that "You can apply port, VLAN, or router firewall filters to both IPv4 and IPv6 traffic on these switches:"
> [...]
> • EX3300 switch
> • EX6200 switch
> [...]
That's an extremely misleading bit of text that I had a very grumpy
conversation with Juniper about.
You can indeed apply the firewall filters to IPv6 traffic. But you can't
specify any IPv6 protocols fields as matches.
So w00t a default deny or ethertype deny will apply to IPv6 as opposed
to skipping it entirely.
EX3300 apparently has no IPv6 field matching capability in hardware.
Which is almost unbelievable for a current-gen switch, but that's what
Juniper told us, repeatedly.
Cheers,
Phil
More information about the juniper-nsp
mailing list