[j-nsp] Helo Juniper, your docs need work..
Olivier Benghozi
olivier.benghozi at wifirst.fr
Fri Feb 13 09:14:48 EST 2015
Well, they write in http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/general/firewall-filter-ex-series-match-conditions-support.html#jd0e2022 that you could use next-header on EX including 3300, but only on layer3 interfaces, not port or vlan...
By the way next-header is crappy, payload-protocol on MX Trio platform is the only proper way to go, if only it wasn't so buggy (like logs "match on payload protocol is not supported on ae0").
> On 13/02/2015 at 11:15, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> That's an extremely misleading bit of text that I had a very grumpy conversation with Juniper about.
>
> You can indeed apply the firewall filters to IPv6 traffic. But you can't specify any IPv6 protocol fields as matches.
>
> So w00t a default deny or ethertype deny will apply to IPv6 as opposed to skipping it entirely.
>
> EX3300 apparently has no IPv6 field matching capability in hardware. Which is almost unbelievable for a current-gen switch, but that's what Juniper told us, repeatedly.