Routing

IPv6 RE filter not working

02.12.18

Hello folks,

Not strictly a routing issue, but it is one I'm having on the MX platform, so...

I have an RE filter built, it is applied to the lo0 interface, but I still seem to be able to ssh from addresses not in the allowed list. The counter shows zero hits, even though MONITOR INTERFACE TRAFFIC shows the packets hitting...

Further, when I create an interface-range of all physical interfaces and apply the filter to the range, the filter comes into effect, including when ssh-ing to the lo0 inet6 address!

Some configuration and CLI output will follow. I'm thinking this is just a firmware issue, but I want to see if anyone else has seen anything similar.

This seems to be the case on the MX104 (Junos 13.3R6.5). On the ACX (Junos 12.3X54-D27.1) I get "Warning: configuration block ignored: unsupported platform (acx2200)", which I expected, as I didn't think IPv6 was supposed to work on this platform/firmware. It turns out it does, but not filtering, although I haven't tried adding it to the front interfaces, so it *may* still work!

Anyway, the filter is configured thus:

show configuration firewall family inet6 filter INBOUND-RE6 
term icmp {
    from {
        payload-protocol icmp6;
    }
    then accept;
}
term TRACEROUTE {
    from {
        payload-protocol udp;
        destination-port 33434-33523;
    }
    then accept;
}
term SSH {
    from {
        source-prefix-list {
            SSH6-MANAGEMENT;
        }
        payload-protocol tcp;
        destination-port 22;
    }
    then {
        count ssh;
        accept;
    }
}
term TCP-established {
    from {
        next-header tcp;
        payload-protocol tcp;
        tcp-established;
    }
    then {
        count tcp-established;
        accept;
    }
}
term dhcp-server-accept {
    from {
        payload-protocol udp;
        source-port [ 67 68 ];
        destination-port [ 67 68 ];
    }
    then {
        count DHCP-Server-Accept;
        accept;
    }
}
term DNS {
    from {
        payload-protocol udp;
        source-port 53;
    }
    then accept;
}
term Allow-NTP {
    from {
        source-prefix-list {
            public6_ntp_servers;
        }
        payload-protocol udp;
        source-port ntp;
    }
    then accept;
}
term Block-NTP {
    from {
        payload-protocol udp;
        port ntp;
    }
    then discard;
}
term snmp {
    from {
        source-prefix-list {
            our_office6;
        }
        payload-protocol udp;
        destination-port [ snmp 161-162 ];
    }
    then accept;
}
term ospf {
    from {
        payload-protocol ospf;
    }
    then accept;
}
term ibgp {
    from {
        source-prefix-list {
            loopbacks6;
        }
    }
    then accept;
}
term Netconf {
    from {
        source-prefix-list {
            our_office6;
        }
        payload-protocol tcp;
        destination-port 830;
    }
    then accept;
}
term reject-all {
    then discard;
}

And the filter is applied to the lo0 interface here:

> show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input Protect-RE;
        }
        address a.b.c.146/32;
    }
    family inet6 {
        filter {
            input INBOUND-RE6;
        }
        address 2001:DB8::146/128 {
            primary;
        }
    }
}

With this config I registered no hits on the counters when attempting to ssh to 2001:DB8::146 from any address (although I was allowed to connect from any addresses...):

EDGEMX# run show firewall filter INBOUND-RE6

Filter: INBOUND-RE6
Counters:
Name                                 Bytes        Packets
DHCP-Server-Accept                       0              0
ssh                                      0              0
tcp-established                          0              0

But when I created the interface range and applied the filter to that, the filter blocked ssh connections from addresses other than SSH6-MANAGEMENT and started registering hits on the counters:

EDGEMX# run show firewall filter INBOUND-RE6

Filter: INBOUND-RE6
Counters:
Name                                 Bytes        Packets
DHCP-Server-Accept                       0              0
ssh                                   4049             17
tcp-established                  317402103         352346

Is this the expected behaviour?

Many thanks in advance!

6 REPLIES

Re: IPv6 RE filter not working

02.12.18

Hi!

The loopback filter should have worked on MX (it's working in my lab on 17.3R1). It could be a bug, but I need to test it. I will test it in your release and check.

For ACX, I am suspicious, as the loopback filter is supported from 15.1 onwards (as far as I know), but I will reconfirm it. Could you please share the output of the command below after applying the filter on lo0 in your ACX?

show pfe tcam usage all-tcam-stages detail

Also, do you see any errors in the log messages related to the firewall filter on your ACX?


Re: IPv6 RE filter not working

02.13.18

Hi!

Thanks for replying!

Results of that on the ACX are as follows:

ar1> show pfe tcam usage all-tcam-stages detail

Slot 0

Tcam Resource Stage: Pre-Ingress
--------------------------------
Free [hw-grps: 3 out of 3]
No dynamic tcam usage

Tcam Resource Stage: Ingress
----------------------------
Free [hw-grps: 7 out of 7]
No dynamic tcam usage

Tcam Resource Stage: Egress
---------------------------
Free [hw-grps: 4 out of 4]
No dynamic tcam usage

Further, I get the same warning on the interface config that the lo0 filter isn't supported in the inet6 stanza:

ar1# show interfaces lo0.0 family inet6
##
## Warning: configuration block ignored: unsupported platform (acx2200)
##
filter {
    input INBOUND-RE6; ## reference 'INBOUND-RE6' not found
}
address 2001:db8::143/128;

When configuring it, it wouldn't auto-complete either, as if (as the warning suggests) the configuration blocks are not available, although it didn't complain of syntax errors when I added it...

Thanks again!

Kind regards,


Re: IPv6 RE filter not working

02.13.18

Yes, so it seems it's not supported in the current release. You need to upgrade the ACX in this case.


Re: IPv6 RE filter not working

02.19.18

Hi Guys,

I could find this public KB article, which clearly states that the loopback filter is not supported on the ACX platform and that the workaround is either to use a forwarding-table filter or to apply the filter to an L3 interface.

Please refer to following article:

https://kb.juniper.net/KB28893

Thanks

Hope this helps

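As an added example, not taken from the original post or from the KB article: the "apply it to the L3 interfaces" workaround that the reply above recommends and that the original poster already tried with an interface-range. It keeps the lo0 application from the post and adds the same filter to every physical port. The range name ALL-PHYSICAL, the prefix-list name OWN-ADDRS6 and the ge-/xe- member patterns are assumptions for illustration. The one thing added to the filter itself is a first term that accepts anything not addressed to the router: a lo0 filter only ever sees packets destined to the RE, but a filter on a physical interface sees every packet entering that port, transit traffic included, so with the posted terms alone the final discard term would drop all transit IPv6 (the 352,346 packets on the tcp-established counter after the range was applied are consistent with transit flows being matched).

```junos
/* Added example, not the thread's own config. OWN-ADDRS6, ALL-PHYSICAL and
   the member patterns are assumptions; 2001:db8::146/128 is the lo0 address
   from the post. */
policy-options {
    prefix-list OWN-ADDRS6 {
        2001:db8::146/128;
    }
}
firewall {
    family inet6 {
        filter INBOUND-RE6 {
            /* Must be the FIRST term once merged (see the insert command
               below). Packets whose destination is not one of the router's
               own addresses are transit traffic: accept them untouched so the
               remaining RE-protection terms, and the final discard, only ever
               evaluate traffic actually aimed at the box. */
            term transit {
                from {
                    destination-prefix-list {
                        OWN-ADDRS6 except;
                    }
                }
                then accept;
            }
            /* The existing terms icmp ... reject-all from the post follow
               here unchanged and in the same order. */
        }
    }
}
interfaces {
    /* One range covering the front ports; the filter is attached once, under
       the range, instead of once per interface. Add member patterns for any
       other port types present on the chassis. */
    interface-range ALL-PHYSICAL {
        member "ge-*/*/*";
        member "xe-*/*/*";
        unit 0 {
            family inet6 {
                filter {
                    input INBOUND-RE6;
                }
            }
        }
    }
    /* Keep the lo0 application as well, for platforms/releases where it does
       work; where it does, RE-bound packets are evaluated on the ingress port
       and then again on lo0, which is harmless for an accept/discard filter
       but does double-count the counters. */
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input INBOUND-RE6;
                }
                address 2001:db8::146/128 {
                    primary;
                }
            }
        }
    }
}
```

Because `load merge` appends a new term to the end of an existing filter, after merging this fragment run `insert firewall family inet6 filter INBOUND-RE6 term transit before term icmp` in configuration mode, and confirm the order with `show firewall family inet6 filter INBOUND-RE6` before committing. Before applying the range in production, check `show firewall filter INBOUND-RE6` against `monitor interface traffic` on a transit port: the tcp-established counter should stop climbing with transit volume once the transit term is first, and ssh attempts from outside SSH6-MANAGEMENT should show up only as discards.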

Re: IPv6 RE filter not working

02.19.18
It is supported in 17.x and in 15.1 as well.

HTH

Re: IPv6 RE filter not working

02.19.18
It was not supported earlier. We need to modify the KB, it seems.