Mailing List Archive: nsp: juniper

IPv6 firewall filter for Route-Engine protection

listensammler at gmx

Jan 23, 2012, 2:22 PM

Post #1 of 4 (1214 views)
IPv6 firewall filter for Route-Engine protection

Hello guys,

I am trying to build a basic inet6 firewall filter for Route-Engine protection
on a Juniper MX80 running JUNOS 10.4R8.5.
It seems that there is no support for a protocol match in the "from" statement.
Is there actually no possibility for a protocol match (e.g. tcp, udp,
ospf3), or am I forgetting something?

Can someone give me a hint for a basic filter?

Regards,
Alex
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


harry at juniper

Jan 23, 2012, 2:26 PM

Post #2 of 4 (1193 views)
Re: IPv6 firewall filter for Route-Engine protection [In reply to]

You want to use next-header keyword matches for v6. Note, you can only match on one/the first next-header.

From:
http://tools.ietf.org/html/rfc6192#appendix-A.2


family inet6 {
    filter protect-router-control-plane-v6 {
        /* next-header matches only the first header after the fixed IPv6 header */
        term fragv6 {
            from {
                next-header fragment;
            }
            then {
                count frag-v6-discards;
                log;
                discard;
            }
        }
        term icmpv6 {
            from {
                next-header icmpv6;
            }
            then {
                /* policer 500kbps must be defined separately under [edit firewall] */
                policer 500kbps;
                accept;
            }
        }
        term ospfv3 {
            from {
                /* OSPFv3 hellos are sourced from link-local addresses */
                source-address {
                    FE80::/10;
                }
                next-header ospf;
            }
            then accept;
        }
        term ibgpv6-connect {
            from {
                source-prefix-list {
                    IBGPv6-NEIGHBORS;
                }
                next-header tcp;
                destination-port bgp;
            }
            then accept;
        }
        term ibgpv6-reply {
            from {
                source-prefix-list {
                    IBGPv6-NEIGHBORS;
                }
                next-header tcp;
                port bgp;
            }
            then accept;
        }
        term ebgpv6-connect {
            from {
                source-prefix-list {
                    EBGPv6-NEIGHBORS;
                }
                next-header tcp;
                destination-port bgp;
            }
            then accept;
        }
    }
}


HTHs






listensammler at gmx

Jan 23, 2012, 2:48 PM

Post #3 of 4 (1183 views)
Re: IPv6 firewall filter for Route-Engine protection [In reply to]

Many thanks.
I will take this as a starting point.



g.vlachos at kestrel-is

Aug 17, 2012, 3:02 AM

Post #4 of 4 (773 views)
Re: IPv6 firewall filter for Route-Engine protection [In reply to]

Hello Harry and all,

Is there any update on how we can possibly match the second "next-header"?
As far as I know this affects all Junos products: currently only the first
header can be checked, correct?

Thank you,
George




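Harry's note that a `next-header` match sees only the first header, and George's follow-up about the second header, can be made concrete with a small model. The Python below is an added example, not code from the thread, from RFC 6192 or from Junos: it builds constructed IPv6 packets with extension-header chains, compares what a first-header-only match sees with a full walk of the chain, and runs the thread's filter terms (reduced to their next-header value, with an assumed final implicit discard) against them.

```python
import struct

# IANA protocol numbers for the headers named in the thread
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ICMPV6, DST_OPTS, OSPF = 0, 6, 43, 44, 58, 60, 89
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DST_OPTS}

def build_packet(chain, payload=b""):
    """Construct an IPv6 packet (constructed test data) whose header chain is `chain`,
    e.g. [HOP_BY_HOP, FRAGMENT, TCP]: the last entry is the upper-layer protocol,
    every entry before it an extension header."""
    out = payload
    for i in range(len(chain) - 2, -1, -1):          # assemble back to front
        hdr, nxt = chain[i], chain[i + 1]
        if hdr == FRAGMENT:                            # 8 fixed bytes: next, reserved, offset/flags, id
            out = struct.pack("!BBHI", nxt, 0, 0, 0x1234) + out
        else:                                          # next, ext-len 0 (= 8 bytes), one PadN option
            out = struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00" + out
    # version 6, payload length, Next Header = first entry, hop limit 64, zeroed src/dst
    fixed = struct.pack("!IHBB", 0x60000000, len(out), chain[0], 64) + bytes(32)
    return fixed + out

def first_next_header(pkt):
    """What a match on the fixed header's Next Header field sees (first header only)."""
    return pkt[6]

def walk_chain(pkt):
    """Walk every extension header and return the full chain ending in the upper-layer protocol."""
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        chain.append(nxt)
        following = pkt[off]                           # Next Header field of this extension header
        off += 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt = following
    return chain + [nxt]

# The RFC 6192 terms quoted in the thread, reduced to (next-header value, action); order matters.
# The address, prefix-list and port conditions of the real terms are left out of this model.
RFC_TERMS = [(FRAGMENT, "discard"), (ICMPV6, "accept-policed"), (OSPF, "accept"), (TCP, "accept")]

def evaluate(pkt, terms=RFC_TERMS, default="implicit-discard"):
    """Model of the first-header-only match described in the thread: the first term whose
    next-header value equals the fixed header's Next Header wins, else the assumed default."""
    nh = first_next_header(pkt)
    for value, action in terms:
        if value == nh:
            return action
    return default
```

A fragment or TCP segment carried behind a Hop-by-Hop or Destination Options header never reaches the `fragv6` or BGP terms in this model, so a filter built on first-header matching needs its own explicit term for those extension headers rather than relying on the later terms to see them.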
