Contributor
Posts: 19
Registered: ‎06-12-2017
0 Kudos

Firewall Filter IPV6

I have created the following firewall filter to count IPv6 packets that arrive with no next header value, but the commit operation fails. Why?

 

 

user@routers# show firewall
filter count-no-header {
    term 1 {
        from {
            protocol no-next-header;
        }
        then {
            count count-no-header;
            accept;
        }
    }
}

user@routers# show interface ge-0/0/0
unit 0 {
    family inet {
        address 10.10.10.3/24;
    }
    family inet6 {
        filter {
            input count-no-header;
        }
        address 2001::1/64;
    }
}

 

 

What do you think? Firewall family is not correct?

Filter name must be different than the counter name?

Firewall term does not include inet6 in the from statement?

Super Contributor
Posts: 68
Registered: ‎06-21-2017
0 Kudos

Re: Firewall Filter IPV6

Hi,

 

Family inet6 must be defined for an IPv6 filter like below. You can configure any match condition under the below hierarchy:

[edit firewall family inet6 filter filter-name term term-name from] hierarchy level.

 

 

Below is the link for reference:

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-match-con...

 

 

 

Regards,

Rahul

Please mark my solution as accepted if it helped.

 

 

 

Distinguished Expert
Posts: 575
Registered: ‎08-15-2012
0 Kudos

Re: Firewall Filter IPV6

Hi, 

 

If firewall family is not defined, it defaults to family inet.

Also, "protocol no-next-header" is not a valid condition in an inet6 filter. You could change to:

 

[edit firewall family inet6 filter count-no-header]
root@r1# show 
term 1 {
    from {
        next-header no-next-header;
    }
    then {
        count count-no-header;
        accept;
    }
}

Filter-name & counter-name can be anything and are not validated for syntax.

 

Cheers,

Ashvin
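
To show which field the corrected `next-header no-next-header` term compares against, here is an added Python example (not part of any post in this thread) that reads the Next Header byte of the fixed IPv6 header, where no-next-header is value 59, and also walks the extension-header chain. The sample packets, addresses and function names are constructed for illustration.

```python
import struct

NO_NEXT_HEADER = 59  # IPv6 "No Next Header" value (RFC 8200)
# Extension headers whose length byte counts 8-octet units beyond the first 8
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT = 44  # fragment header is always 8 bytes


def first_next_header(packet: bytes) -> int:
    """Next Header byte of the fixed 40-byte IPv6 header (offset 6)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return packet[6]


def final_next_header(packet: bytes) -> int:
    """Walk the extension-header chain and return the last Next Header value."""
    nh, offset = first_next_header(packet), 40
    while nh in EXT_HEADERS or nh == FRAGMENT:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        next_nh, hdr_len = packet[offset], packet[offset + 1]
        offset += 8 if nh == FRAGMENT else (hdr_len + 1) * 8
        nh = next_nh
    return nh


def build_ipv6(next_header: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: 2001::2 -> 2001::1, hop limit 64."""
    src = bytes.fromhex("20010000000000000000000000000002")
    dst = bytes.fromhex("20010000000000000000000000000001")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload


# Constructed samples
PLAIN = build_ipv6(NO_NEXT_HEADER)
# Hop-by-hop header first: Next Header 59, length 0, PadN option filling 6 bytes
HBH = build_ipv6(0, bytes([NO_NEXT_HEADER, 0, 1, 4, 0, 0, 0, 0]))
TCP = build_ipv6(6, b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("hop-by-hop", HBH), ("tcp", TCP)):
        print(name, first_next_header(pkt), final_next_header(pkt))
```

Junos documents `next-header` as matching the first Next Header field in the packet, so the hop-by-hop sample (first value 0, final value 59) would not increment the counter, while the plain sample would.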