Ethernet Switching

loopback filter policy not working in IPv6

12-17-2014 01:58 PM

I have an EX4200 switch with multiple VLAN L3 interfaces and I want to permit management only through one of them, so I have the interfaces:


root# show interfaces vlan 
interfaces {
    vlan {
        unit 0 {
            family inet {
                address 192.168.80.100/24;
            }
            family inet6 {
                address 2001:fefe:abab:8080::2f1b/64;
            }
        }
        unit 1 { ... }
    }
}

I wrote two firewall filters (IPv4 and IPv6):

root# show firewall | no-more 
family inet {
    filter management {
        term ok_to_80 {
            from {
                destination-address {
                    192.168.80.0/24;
                }
            }
            then accept;
        }
        term ok_icmp {
            from {
                protocol icmp;
            }
            then accept;
        }
        term ok_ospf {
            from {
                protocol ospf;
            }
            then accept;
        }
        term deny_other {
            then {
                discard;
            }
        }
    }
}
family inet6 {
    filter management6 {
        term ok_to_80 {
            from {
                destination-address {
                    2001:fefe:abab:8080::/64;
                }
            }
            then accept;
        }
        term ok_icmp {
            from {
                next-header [ icmp icmpv6 icmp6 ];
            }
            then accept;
        }
        term ok_ospf {
            from {
                next-header ospf;
            }
            then accept;
        }
        term deny_other {
            then discard;
        }
    }
}

and added them to the lo0.0 input filter:

root# show interfaces lo0 unit 0 
family inet {
    filter {
        input management;
    }
}
family inet6 {
    filter {
        input management6;
    }
}


This works as I expect for IPv4 (I can manage the router using 192.168.80.100 but not using the other addresses), but I can't manage the router using IPv6; in fact, connecting via SSH to the IPv6 address times out.


Changing the term deny_other in the management6 filter to "then accept" solves the problem (but, of course, it enables management on the other addresses).
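As an added illustration (not part of the original post or of Junos itself), the following Python model applies Junos first-match term semantics to the poster's two lo0 filters, so the expected accept/discard decision for a given packet toward one of the switch's own addresses can be checked before the filter is committed. The sample packets are constructed here; the addresses are the ones shown in the thread.

```python
# Added example: a small model of Junos first-match term evaluation for the
# lo0 input filters quoted above. Not Junos code; constructed for illustration.
import ipaddress

# Terms in order, as in the original post: (name, match conditions, action).
# A term with no conditions matches everything (the trailing deny_other term).
MANAGEMENT4 = [
    ("ok_to_80", {"dst": ["192.168.80.0/24"]}, "accept"),
    ("ok_icmp", {"proto": ["icmp"]}, "accept"),
    ("ok_ospf", {"proto": ["ospf"]}, "accept"),
    ("deny_other", {}, "discard"),
]
MANAGEMENT6 = [
    ("ok_to_80", {"dst": ["2001:fefe:abab:8080::/64"]}, "accept"),
    ("ok_icmp", {"proto": ["icmp", "icmpv6", "icmp6"]}, "accept"),
    ("ok_ospf", {"proto": ["ospf"]}, "accept"),
    ("deny_other", {}, "discard"),
]


def evaluate(filter_terms, dst, proto):
    """Return (term name, action) of the first term whose conditions all match.

    Every condition inside a term is ANDed; the list of prefixes or protocols
    inside one condition is ORed, mirroring how Junos matches a term.
    """
    dst_ip = ipaddress.ip_address(dst)
    for name, match, action in filter_terms:
        if "dst" in match and not any(
            dst_ip in ipaddress.ip_network(p) for p in match["dst"]
        ):
            continue
        if "proto" in match and proto not in match["proto"]:
            continue
        return name, action
    return "implicit", "discard"  # Junos default action when no term matches


def management_decisions():
    """Constructed packets toward the switch, keyed by a short description."""
    return {
        "ssh to mgmt v4": evaluate(MANAGEMENT4, "192.168.80.100", "tcp"),
        "ssh to other v4": evaluate(MANAGEMENT4, "1.1.1.1", "tcp"),
        "ssh to mgmt v6": evaluate(MANAGEMENT6, "2001:fefe:abab:8080::2f1b", "tcp"),
        "nd to link-local v6": evaluate(MANAGEMENT6, "fe80::1", "icmpv6"),
        "ssh to link-local v6": evaluate(MANAGEMENT6, "fe80::1", "tcp"),
    }
```

The model reproduces the intended policy (TCP accepted only toward the management prefix, ICMP/ICMPv6 and OSPF accepted everywhere); the poster reports that the EX4200 does not behave this way for IPv6, which is the observation the replies below try to explain.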


Re: loopback filter policy not working in IPv6

12-18-2014 05:02 PM

The IPv6 addresses are different:
family inet6 {
    filter management6 {
        term ok_to_80 {
            from {
                destination-address {
                    2001:fefe:abab:8080::/64;

interfaces {
    vlan {
        unit 0 {
            family inet {
                address 192.168.80.100/24;
            }
            family inet6 {
                address 2001:fefe:abab:8080::2f1b/64;


Re: loopback filter policy not working in IPv6

12-19-2014 09:29 AM

I double checked my configuration and the networks are the same.


I also modified the configuration with


root# show policy-options 
prefix-list managementIPv4 {
    apply-path "interfaces vlan unit 0 family inet address <*>";
}
prefix-list managementIPv6 {
    apply-path "interfaces vlan unit 0 family inet6 address <*>";
}

root# show firewall 
family inet {
    filter management {
        term ok_to_99 {
            from {
                destination-prefix-list {
                    managementIPv4;
                }
            }
            then accept;
        }
        term ok_icmp {
            from {
                protocol icmp;
            }
            then accept;
        }
        term ok_ospf {
            from {
                protocol ospf;
            }
            then accept;
        }
        term deny_other {
            then {
                discard;
            }
        }
    }
}
family inet6 {
    filter management6 {
        term ok_to_99 {
            from {
                destination-prefix-list {
                    managementIPv6;
                }
            }
            then accept;
        }
        term ok_icmp {
            from {
                next-header [ icmp icmpv6 icmp6 ];
            }
            then accept;
        }
        term ok_ospf {
            from {
                next-header ospf;
            }
            then accept;
        }
        term deny_other {
            then discard;
        }
    }
}


so now I'm 100% sure the networks are the same. But it works only for IPv4 and not for IPv6.


Re: loopback filter policy not working in IPv6

12-30-2014 01:15 AM

I have been pondering this for a few days...I just did a quick mock-up using your config as a template.


I have an EX4200 running 10.4R5.5, with a VLAN configured and a specific port in that VLAN; the VLAN has an IPv6 address. I configured an IPv6-only firewall rule based on your config example.


However, I used 'source-address' instead of your use of 'destination-address', I didn't test for ospfv6, and I don't have the lo0 intf configured. I can only access the EX4200 via its single VLAN interface (on or off net).


Here is what I configured:

firewall {
    family inet6 {
        filter mgmt6 {
            term restict-ssh {
                from {
                    source-address {
                        2001:db8:1234:11::/64;
                        2001:db8:5678:22::/64;
                    }
                }
                then accept;
            }
            term ok-icmp {
                from {
                    next-header [ icmp icmp6 icmpv6 ];
                }
                then accept;
            }
            term deny-other {
                then discard;
            }
        }
    }
}


---


I applied the filter to the VLAN, which is 2001:db8:5678:22::1/64. I was already ssh'd from a client in the 2001:db8:1234:11::/64 network and the ssh session stayed active. Initially I didn't have the 2001:db8:5678:22::/64 address in the config; when I tried to ssh from a client in that network, access failed. When I added the 2001:db8:5678:22::/64 address to the config, ssh from a client in that network succeeded.


It seems to me that when you apply the filter to the lo0 intf, the IPv6 address test should be for "source" and not "destination"...although as you say it works for IPv4...I don't know why.


Perhaps try the IPv6 addr test as 'source-address' and see what happens?


hth...Jeff


Re: loopback filter policy not working in IPv6

01-07-2015 06:01 AM

My intent is to restrict the address that can be used to manage the switch, i.e. if the switch has four interfaces with addresses 1.1.1.1/24, 1.1.2.1/24, 1.1.3.1/24 and 192.168.80.100/24, I would like to manage the switch only through the address 192.168.80.100.


So I'm looking for a "destination" rule, not a "source" rule. In fact the switch can be managed from any IP address.


BTW, thank you for the tip. I've tried the configuration you suggested, but it doesn't work as I would like it to.


Re: loopback filter policy not working in IPv6

01-07-2015 06:41 AM

What happens if you add the 'from payload-protocol tcp' to your first term? 
