Discussion:
[j-nsp] IPv6 Router Guard
Chris Evans
2011-07-29 01:34:38 UTC
I'm trying to implement a firewall filter to implement IPv6 RA guard on an
EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
However it appears that the EX4200 only supports IPv4 at this time for
PACLs? I have applied the filter ingress to my interfaces and RA
advertisements are still passing.

This is on 11.1 code. Anyone else tried this??

EX4200-1> show configuration firewall
family ethernet-switching {
    filter RA-GUARD {
        interface-specific;
        term RA-GUARD-DHCP {
            from {
                protocol udp;
                source-port 547;
                destination-port 546;
            }
            then {
                discard;
                count DHCP;
            }
        }
        term RA-GUARD-ICMP-RA {
            from {
                protocol icmp;
                icmp-type router-advertisement;
            }
            then {
                discard;
                count ICMP-RA;
            }
        }
        term ALL-ELSE {
            then accept;
        }
    }
}
Chris Adams
2011-07-29 02:40:21 UTC
Post by Chris Evans
I'm trying to implement a firewall filter to implement IPv6 RA guard on an
EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
However it appears that the EX4200 only supports IPv4 at this time for
PACLs? I have applied the filter ingress to my interfaces and RA
advertisements are still passing.
This is on 11.1 code. Anyone else tried this??
EX4200-1> show configuration firewall
family ethernet-switching {
    term RA-GUARD-ICMP-RA {
        from {
            protocol icmp;
            icmp-type router-advertisement;
You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
can match protocol icmpv6, but I don't think there is a corresponding
icmpv6-type, so I don't think you can do this right now.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Chris Evans
2011-07-29 10:53:58 UTC
Yeah I think you are right. IPv6 isn't supported on Ethernet filters at this
point.
Post by Chris Adams
Post by Chris Evans
I'm trying to implement a firewall filter to implement IPv6 RA guard on an
EX4200. I have the ACL written to block DHCP and icmp
router-advertisements.
However it appears that the EX4200 only supports IPv4 at this time for
PACLs? I have applied the filter ingress to my interfaces and RA
advertisements are still passing.
This is on 11.1 code. Anyone else tried this??
EX4200-1> show configuration firewall
family ethernet-switching {
    term RA-GUARD-ICMP-RA {
        from {
            protocol icmp;
            icmp-type router-advertisement;
You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
can match protocol icmpv6, but I don't think there is a corresponding
icmpv6-type, so I don't think you can do this right now.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
OBrien, Will
2011-07-29 14:31:30 UTC
Does anyone have examples of configuring NAT (NAPT) on the outside interface of an MX? I've got a working config with NAT applied to an inside interface, but I need to do it on my gateway interface...

Here's why.
I want to police per user IP at ingress. Policing doesn't play nice with services NAT. I've had a ticket open with TAC for a while now and seen no traction on it. Applying both to the same interface causes strange behavior on the policer.

So my solution is to police at ingress and NAT at egress. I'm building a config now, but I wanted to see if anyone has done anything similar...
Chuck Anderson
2011-07-29 13:16:28 UTC
Post by Chris Adams
Post by Chris Evans
I'm trying to implement a firewall filter to implement IPv6 RA guard on an
EX4200. I have the ACL written to block DHCP and icmp router-advertisements.
However it appears that the EX4200 only supports IPv4 at this time for
PACLs? I have applied the filter ingress to my interfaces and RA
advertisements are still passing.
This is on 11.1 code. Anyone else tried this??
EX4200-1> show configuration firewall
family ethernet-switching {
    term RA-GUARD-ICMP-RA {
        from {
            protocol icmp;
            icmp-type router-advertisement;
You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
can match protocol icmpv6, but I don't think there is a corresponding
icmpv6-type, so I don't think you can do this right now.
Right. As a workaround if you don't want any IPv6 packets to pass at
all, you can block by Ethertype:

firewall {
    family ethernet-switching {
        filter DROP-IPv6 {
            term DROP-IPv6 {
                from {
                    ether-type 0x86dd;
                }
                then {
                    discard;
                    count DROP-IPv6;
                }
            }
            term ACCEPT {
                then accept;
            }
        }
    }
}
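One way to see why the filter as posted lets IPv6 RAs through while Chuck Anderson's ether-type term catches them, as an added example that is not from the thread or from Juniper: a small Python model that parses constructed Ethernet frames and applies the term logic of the three filters discussed (the filter as posted, the ether-type 0x86dd drop, and the ICMPv6 type 134 match a real RA guard would need). The assumption that protocol, port and icmp-type matches under family ethernet-switching apply only to IPv4 is taken from Chris Adams' reply and is modelled, not verified against Junos; the sample frames, addresses and the run_filter/compare helpers are constructed for the example, and checksums are left zero.

```python
import struct

# Constructed example: models how the three filters in this thread would treat
# three kinds of frames. Ethertypes, protocol numbers and ICMP types are the
# real IANA values; the "family ethernet-switching protocol/icmp-type matches
# only IPv4" behaviour is taken from the reply above, not verified here.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ICMPV6 = 1, 17, 58
ICMP_RA = 9        # IPv4 ICMP Router Advertisement (RFC 1256)
ICMPV6_RA = 134    # ICMPv6 Router Advertisement (RFC 4861)
DHCPV6_SERVER, DHCPV6_CLIENT = 547, 546


def parse_frame(frame):
    """Pull ethertype, L4 protocol, ICMP type and UDP ports out of a raw Ethernet frame.
    IPv6 extension headers are not walked here; a real RA guard must handle them too."""
    info = {"ether_type": struct.unpack("!H", frame[12:14])[0],
            "protocol": None, "icmp_type": None, "src_port": None, "dst_port": None}
    payload = frame[14:]
    if info["ether_type"] == ETHERTYPE_IPV4:
        info["protocol"] = payload[9]
        l4 = payload[(payload[0] & 0x0F) * 4:]   # skip IHL*4 header bytes
    elif info["ether_type"] == ETHERTYPE_IPV6:
        info["protocol"] = payload[6]            # Next Header field
        l4 = payload[40:]                        # fixed IPv6 header length
    else:
        return info
    if info["protocol"] in (IPPROTO_ICMP, IPPROTO_ICMPV6):
        info["icmp_type"] = l4[0]
    elif info["protocol"] == IPPROTO_UDP:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


def run_filter(frame, terms):
    """Junos term semantics: the first term whose 'from' conditions match decides the action."""
    f = parse_frame(frame)
    for name, match, action in terms:
        if match(f):
            return name, action
    return "implicit", "discard"   # a Junos filter ends with an implicit discard


# Filter as posted: under family ethernet-switching the protocol / port /
# icmp-type matches are assumed (per the thread) to apply to IPv4 only.
RA_GUARD_AS_POSTED = [
    ("RA-GUARD-DHCP", lambda f: f["ether_type"] == ETHERTYPE_IPV4 and f["protocol"] == IPPROTO_UDP
                                and f["src_port"] == DHCPV6_SERVER and f["dst_port"] == DHCPV6_CLIENT, "discard"),
    ("RA-GUARD-ICMP-RA", lambda f: f["ether_type"] == ETHERTYPE_IPV4 and f["protocol"] == IPPROTO_ICMP
                                   and f["icmp_type"] == ICMP_RA, "discard"),
    ("ALL-ELSE", lambda f: True, "accept"),
]
# The ether-type workaround: match the IPv6 ethertype and drop everything IPv6.
DROP_IPV6 = [
    ("DROP-IPv6", lambda f: f["ether_type"] == ETHERTYPE_IPV6, "discard"),
    ("ACCEPT", lambda f: True, "accept"),
]
# What an RA guard needs: an ICMPv6 type 134 match (hypothetical; the thread says
# no icmpv6-type match existed on this platform at the time).
RA_GUARD_WANTED = [
    ("ICMPV6-RA", lambda f: f["ether_type"] == ETHERTYPE_IPV6 and f["protocol"] == IPPROTO_ICMPV6
                            and f["icmp_type"] == ICMPV6_RA, "discard"),
    ("ALL-ELSE", lambda f: True, "accept"),
]


def eth(ether_type, dst, src):
    return dst + src + struct.pack("!H", ether_type)


def ipv6_frame(next_header, l4):
    """Constructed fe80::1 -> ff02::1 frame; checksums are left zero (not validated here)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(l4), next_header, 255)
    hdr += b"\xfe\x80" + b"\x00" * 13 + b"\x01" + b"\xff\x02" + b"\x00" * 13 + b"\x01"
    return eth(ETHERTYPE_IPV6, b"\x33\x33\x00\x00\x00\x01", b"\x00\x11\x22\x33\x44\x55") + hdr + l4


def ipv4_frame(protocol, l4):
    """Constructed 192.0.2.1 -> 224.0.0.1 frame (documentation address range)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, protocol, 0,
                      bytes([192, 0, 2, 1]), bytes([224, 0, 0, 1]))
    return eth(ETHERTYPE_IPV4, b"\x01\x00\x5e\x00\x00\x01", b"\x00\x11\x22\x33\x44\x55") + hdr + l4


# Sample frames (constructed): an ICMPv6 RA, a DHCPv6 Advertise, and the IPv4 ICMP RA the posted filter does catch.
ICMPV6_RA_FRAME = ipv6_frame(IPPROTO_ICMPV6, struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0))
DHCPV6_ADV_FRAME = ipv6_frame(IPPROTO_UDP, struct.pack("!HHHH", DHCPV6_SERVER, DHCPV6_CLIENT, 12, 0) + b"\x02\x00\x00\x01")
ICMP4_RA_FRAME = ipv4_frame(IPPROTO_ICMP, struct.pack("!BBHBBH", ICMP_RA, 0, 0, 0, 2, 1800))


def compare(frame):
    """Return the action each of the three filters takes on one frame."""
    return {name: run_filter(frame, terms)[1]
            for name, terms in (("as-posted", RA_GUARD_AS_POSTED), ("drop-ipv6", DROP_IPV6), ("wanted", RA_GUARD_WANTED))}


if __name__ == "__main__":
    for label, frame in (("ICMPv6 RA", ICMPV6_RA_FRAME), ("DHCPv6 Advertise", DHCPV6_ADV_FRAME), ("IPv4 ICMP RA", ICMP4_RA_FRAME)):
        print(f"{label:18s} {compare(frame)}")
```

Running it shows the point of the thread in one table: the filter as posted accepts both the ICMPv6 RA and the DHCPv6 Advertise and only discards an IPv4 ICMP type 9 advertisement that no IPv6 host ever sends, while the ether-type term discards all IPv6 (including the DHCPv6 traffic the original poster wanted to keep) and only the ICMPv6 type 134 match drops RAs alone.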
Chris Evans
2011-07-29 13:35:41 UTC
I definitely want IPv6 but am researching how to implement RA guard on
Juniper devices.
Post by Chuck Anderson
Post by Chris Adams
Post by Chris Evans
I'm trying to implement a firewall filter to implement IPv6 RA guard on an
EX4200. I have the ACL written to block DHCP and icmp
router-advertisements.
However it appears that the EX4200 only supports IPv4 at this time for
PACLs? I have applied the filter ingress to my interfaces and RA
advertisements are still passing.
This is on 11.1 code. Anyone else tried this??
EX4200-1> show configuration firewall
family ethernet-switching {
    term RA-GUARD-ICMP-RA {
        from {
            protocol icmp;
            icmp-type router-advertisement;
You are filtering the (unused) IPv4 ICMP RAs, not IPv6 ICMPv6 RAs. You
can match protocol icmpv6, but I don't think there is a corresponding
icmpv6-type, so I don't think you can do this right now.
Right. As a workaround if you don't want any IPv6 packets to pass at
all, you can block by Ethertype:

firewall {
    family ethernet-switching {
        filter DROP-IPv6 {
            term DROP-IPv6 {
                from {
                    ether-type 0x86dd;
                }
                then {
                    discard;
                    count DROP-IPv6;
                }
            }
            term ACCEPT {
                then accept;
            }
        }
    }
}