[j-nsp] EX3200/4200 ipv6 match conditions in family ethernet-switching

Jason Healy jhealy at logn.net
Sun Apr 9 21:10:25 EDT 2017


I've been burned plenty of times by the (lack of) IPv6 feature parity, so I'm hoping the list's collective wisdom can save me from a lot of extra testing and phone calls with JTAC...

TL;DR: are ANY layer 3 match conditions supported for IPv6 in family ethernet-switching on the EX3200/4200?  The documentation says no, but the config says yes (at least for certain special cases).

More info:

We're trying to do some multifield classification on inbound traffic, and while we're at it, drop some junk (unwanted multicast) at the edge.  We're a flat L2 network, so our edge devices don't do any routing.  For the most part, it's EX3200 and 4200 switches that our users connect to.

So, we're crufting up some 'family ethernet-switching' filter terms, and so far so good.  There are match terms like "protocol icmp6" and "destination-address" which seem to be accepting IPv6 addresses without complaint.

A little further in, I tried to match on "proto ipv6" and "source-port" and that wouldn't commit, claiming "source-port" is IPv4-only.  A little digging (including this list's archives) turned up:

http://www.juniper.net/techpubs/en_US/junos/topics/reference/general/firewall-filter-ex-series-match-conditions-support.html

Which says:

"On EX2200, EX2300/EX3400, EX3200/EX4200, EX3300, EX4500, and EX6200 switches port and VLAN filters on IPv6 traffic can match only layer 2 header fields."

Which is a funny way of saying "we basically can't match IPv6 at all".

And further down under "Platform Support for Match Conditions for IPv6 Traffic" only "layer 3" interfaces are listed as supporting IPv6 match conditions.

However, the documentation is in conflict with the configuration interface and with other documentation on Juniper's site.  For example, IPv6 filter-based forwarding is listed as supported in the Feature Explorer, but not on the page above.  Also, the "protocol icmp6" statement that I'm using isn't listed on the official docs, and it would be weird to go to all the trouble to add it as a new feature and not have it work (though Juniper has failed me before on this one).

So... is this a bug in the switch (it's accepting a config that will silently ignore IPv6 match conditions), or a bug in the documentation (match conditions that commit are supported)?

I plan to test as best I can, but if someone has first-hand experience or a KB/PR to share, that would save me a lot of time...

Thanks,

Jason
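One way to answer the question empirically, as an added example that is not part of the post above: a probe filter whose terms only count during the test, so a match condition that the switch silently ignores cannot take the port down. The filter, counter and interface names and the ff05::/16 sample prefix are hypothetical; the two IPv6 layer 3 matches ("destination-address" with an IPv6 prefix and "protocol icmp6") are the ones the post reports as committing on EX3200/4200, and "ether-type ipv6" is the layer 2 match the quoted documentation does say is supported, used here as a control term.

```junos
/* Added example configuration, not from the original post.
   Filter, term, counter and interface names and the ff05::/16
   prefix are hypothetical. Probe terms accept and count only;
   change them to discard after the counters prove they work. */
firewall {
    family ethernet-switching {
        filter ACCESS-IN-V6PROBE {
            /* Probe 1: IPv6 destination-address under ethernet-switching,
               reported in the post as accepted at commit time. */
            term probe-v6-dst {
                from {
                    destination-address ff05::/16;
                }
                then {
                    accept;
                    count probe-v6-dst;
                }
            }
            /* Probe 2: "protocol icmp6", also reported as accepted. */
            term probe-icmp6 {
                from {
                    protocol icmp6;
                }
                then {
                    accept;
                    count probe-icmp6;
                }
            }
            /* Control: a pure layer 2 match. With the probes honoured, only
               IPv6 frames the probes did not match land here; with the
               probes ignored, every IPv6 frame lands here instead. */
            term control-all-v6 {
                from {
                    ether-type ipv6;
                }
                then {
                    accept;
                    count control-all-v6;
                }
            }
            /* Everything else, counted so the totals can be reconciled. */
            term catch-all {
                then {
                    accept;
                    count catch-all;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input ACCESS-IN-V6PROBE;
                }
            }
        }
    }
}
```

After committing, generate traffic from a host on ge-0/0/0 that hits each probe (a ping6 to an ff05:: address and an ordinary ping6 to a unicast neighbour) and read the counters with "show firewall filter ACCESS-IN-V6PROBE". Three outcomes are distinguishable: probe counters that increment only for the intended traffic (the match works), probe counters that stay at zero while control-all-v6 absorbs the traffic (the condition is ignored as never-match), or a probe counter that increments for every IPv6 frame (the condition is ignored as a wildcard, the case that would have blackholed the port had the term been a discard).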


