Routing

  • 1.  IPv6 Firewall Filters

    Posted 02-18-2010 12:31

    Hi all

    We are preparing for a dual stack deployment of IPv4/IPv6 and are in the process of converting some IPv4 firewall filters into their IPv6 equivalent.

    My question is how do I do something like:

    term T1{
      match {
         source-address x/x;
         protocol tcp;
         port 22;
      }
      then{
        permit;
      }
    }

    The protocol keyword doesn't seem to be available in the IPv6 filter?  Yet as far as I am aware TCP and UDP both run as normal on top of IPv6?

    Ideas?


    #IPv6
    #firewall
    #filters


  • 2.  RE: IPv6 Firewall Filters
    Best Answer

    Posted 02-18-2010 13:56

    This is because there isn't a protocol identifier in the IP part of IPv6, just a next-header pointer.  Therefore the firewall filter operates on looking for the appropriate next-header:
    term ssh {
        from {
            source-prefix-list {
                inet6-mgmt-hosts;
            }
            next-header tcp;
            port ssh;
        }
        then accept;
    }
    Hope that helps!
    David
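
An added illustration of the answer above, not part of the original post and not Juniper code: it walks the IPv6 Next Header chain of constructed sample packets and shows that the fixed header's Next Header value is only TCP (6) when no extension header comes first. The function names, addresses and packets are assumptions made up for the example.

```python
import struct

# IANA protocol numbers: the extension headers walked here, plus TCP and UDP.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, TCP, UDP = 0, 43, 44, 60, 6, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def walk_headers(packet: bytes):
    """Return (fixed-header Next Header, upper-layer protocol, dst port or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    first_nh = nh = packet[6]          # Next Header byte of the fixed 40-byte header
    offset = 40
    while nh in EXT_HEADERS:
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        following = packet[offset]     # each extension header names its successor
        if nh == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return first_nh, following, None   # non-first fragment: no L4 header
            length = 8                 # the fragment header has a fixed size
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len: 8-byte units after the first
        nh, offset = following, offset + length
    port = None
    if nh in (TCP, UDP) and len(packet) >= offset + 4:
        port = struct.unpack_from("!H", packet, offset + 2)[0]
    return first_nh, nh, port

def build_sample(ext_chain, dst_port=22):
    """Constructed test packet: fixed header, padded options headers, bare TCP SYN."""
    chain = list(ext_chain) + [TCP]
    tcp = struct.pack("!HHIIHHHH", 40000, dst_port, 0, 0, 0x5002, 65535, 0, 0)
    # Each options header: next header, Hdr Ext Len 0, then a PadN option filling 8 bytes.
    ext = b"".join(bytes([chain[i + 1], 0, 1, 4, 0, 0, 0, 0])
                   for i in range(len(ext_chain)))
    fixed = struct.pack("!IHBB", 0x60000000, len(ext) + len(tcp), chain[0], 64)
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"   # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"   # 2001:db8::2
    return fixed + src + dst + ext + tcp

if __name__ == "__main__":
    for label, chain in (("plain TCP", []), ("dest-opts + TCP", [DEST_OPTS]),
                         ("hop-by-hop + dest-opts + TCP", [HOP_BY_HOP, DEST_OPTS])):
        first, upper, port = walk_headers(build_sample(chain))
        print(f"{label}: fixed next-header={first}, upper-layer={upper}, dst port={port}")
```

A term that compares only the first Next Header value, as `next-header tcp` is described above, will not see the second and third packets as TCP even though they carry SSH; where the platform supports it, the Junos `payload-protocol` match condition looks at the upper-layer protocol instead.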

     

     




  • 3.  RE: IPv6 Firewall Filters

    Posted 02-19-2010 00:48

    Thank you very much.

    That makes perfect sense.