[j-nsp] Helo Juniper, your docs need work..

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 13 05:15:47 EST 2015


On 13/02/2015 00:08, Olivier Benghozi wrote:
> By the way in current JunOS 12.3 it looks there's at least one fix; in:
> http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/firewall-filter-ex-series-overview.html
>
> they write that "You can apply port, VLAN, or router firewall filters to both IPv4 and IPv6 traffic on these switches:"
> [...]
> 	• EX3300 switch
> 	• EX6200 switch
> [...]

That's an extremely misleading bit of text that I had a very grumpy 
conversation with Juniper about.

You can indeed apply the firewall filters to IPv6 traffic. But you can't 
specify any IPv6 protocol fields as matches.

So w00t a default deny or ethertype deny will apply to IPv6 as opposed 
to skipping it entirely.

EX3300 apparently has no IPv6 field matching capability in hardware. 
Which is almost unbelievable for a current-gen switch, but that's what 
Juniper told us, repeatedly.

Cheers,
Phil

