[j-nsp] Helo Juniper, your docs need work..

Olivier Benghozi olivier.benghozi at wifirst.fr
Fri Feb 13 09:14:48 EST 2015

Well, they write in http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/general/firewall-filter-ex-series-match-conditions-support.html#jd0e2022 <http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/general/firewall-filter-ex-series-match-conditions-support.html#jd0e2022> that you could use next-header on EX including 3300, but only on layer3 interfaces, not port or vlan...

By the way next-header is crappy, payload-protocol on MX Trio platform is the only proper way to go, if only it wasn't so buggy (like logs "match on payload protocol is not supported on ae0").

> On 13/02/2015  at 11:15, Phil Mayers <p.mayers at imperial.ac.uk> wrote :
> That's an extremely misleading bit of text that I had a very grumpy conversation with Juniper about.
> You can indeed apply the firewall filters to IPv6 traffic. But you can't specify any IPv6 protocols fields as matches.
> So w00t a default deny or ethertype deny will apply to IPv6 as opposed to skipping it entirely.
> EX3300 apparently has no IPv6 field matching capability in hardware. Which is almost unbelievable for a current-gen switch, but that's what Juniper told us, repeatedly.

More information about the juniper-nsp mailing list