
EX IPv6 control plane protection

‎09-15-2015 06:17 AM

Hello,

We are trying to protect the switch's control plane by configuring filters on the lo0 interface.
While it works great with IPv4, the IPv6 traffic just doesn't get impacted by any filters we create.

 

The configuration we have:

> show configuration interfaces lo0 
unit 0 {
    family inet {
        filter {
            input control-plane;
        }
    }
    family inet6 {
        filter {
            input control-plane-v6;
        }
    }
}

> show configuration firewall family inet filter control-plane 
term bgp {
    from {
        source-prefix-list {
            bgp_peers;
        }
        protocol tcp;
        destination-port 179;
    }
    then accept;
}
term established {
    from {
        protocol tcp;
        tcp-established;
    }
    then accept;
}
term whitelist {
    from {
        source-prefix-list {
            whitelist;
        }
    }
    then accept;
}
term DiscardAll {
    then {
        discard;
    }
}

term icmp {
    from {
        icmp-type [ neighbor-advertisement neighbor-solicit ];
    }
    then {
        count icmp_v6;
        accept;
    }
}
term bgp {
    from {
        source-prefix-list {
            bgp_peers_v6;
        }
        next-header tcp;
        payload-protocol tcp;
        destination-port 179;
    }
    then accept;
}
term established {
    from {
        next-header tcp;
        payload-protocol tcp;
        tcp-established;
    }
    then {
        count accept_estab_v6;
        accept;
    }
}
term DiscardAll {
    then {
        count discard_v6;
        discard;
    }
}

None of the counters set in the IPv6 filter have any packets.

Please advise what we are doing wrong and how we can filter the IPv6 traffic to the control plane.

Thank you very much!

 


Re: EX IPv6 control plane protection

‎09-15-2015 07:09 AM

Hello,

 

Family inet is for IPv4.

 

Can you configure the filter under family inet6?

 

http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-overvi...

 

Regards,

 

Rush I

 


Re: EX IPv6 control plane protection

‎09-15-2015 08:13 AM

I am sorry, the inet6 family configuration must have been lost while copy-pasting the config.

 

Of course, the inet6 filter is defined in inet6 family.


Re: EX IPv6 control plane protection

‎04-12-2016 10:35 AM

I came across this post and would like to say thank you so much.

 

It really annoys me when OPs respond by stating "oh I knew that bla bla bla.." and don't have the courtesy of saying thank you - a real shame and ultimately a loss for the OP. Good luck to you, pal, whoever you are.

 

And thank you, rtilak.

Ajaz Nawaz
JNCIE-SEC#254 CCIE#15721
JNCIA-FWV | JNCIS-FWV
JNCIA-JUNOS | JNCIS-SEC
JNCIP-SEC | JNCIE-SEC
CCNP-Collaboration