Technical Documentation

Configuring Filters for inet6 Family Type (NSM Procedure)

You can configure filter and service filters for inet6 using the Firewall option. See the following topics:

Configuring Firewall Filter for inet6 Family Type (NSM Procedure)

You can specify inet6 to filter IP version 6 (IPv6) packets.

To configure the firewall filter in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet6.
  4. Add or modify settings as specified in Table 1.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 1: Inet6 Firewall Filter Configuration Details

Task Your Action

Configure firewall filter to filter IPv6 packets.
  1. Click Filter next to Inet6.
  2. Click Add new entry next to Filter.
  3. Expand Filter.
  4. In the Name box, enter the name that identifies the filter.
  5. In the Comment box, enter the comment.
  6. Select the Interface Specific check box to configure interface-specific names for firewall counters.

Configure accounting for firewall filters.

  1. Click Accounting Profile next to filter.
  2. Click Add new entry next to Accounting Profile.
  3. In the New accounting-profile window, enter the name to be assigned to the accounting profile.

Define firewall filter term.
  1. Click Term next to Accounting Profile.
  2. Click Add new entry next to Term.
  3. Expand Term.
  4. In the Name box, enter the name that identifies the term.
  5. In the Comment box, enter the comment for the term.
  6. From the Filter list, select the name that identifies the filter.
  7. Expand From.
  8. In the Comment box, enter the comment.
  9. Select the Tcp Initial check box if it matches the first TCP packet of a connection.
  10. Select the Tcp established check box if it matches the TCP packets other than the first packet of a connection.
  11. In the Tcp Flags box, enter the TCP flags.
  12. From the listed protocol-independent match conditions, select the filters defined for the inet family type.

    The protocol-independent match conditions are Address, Destination Address, Destination Class, Destination port, Destination prefix List, Dscp, Forwarding Class, Fragment offset, Icmp Code, Icmp Type, Interface, Interface Group, Interface Set, Ip Options, Loss Priority, Packet Length, Port, prefix List, Protocol, Source Address, Source Port, Source Prefix List, and traffic list.

  13. Expand Then.
  14. In the Comment box, enter the comment for then.
  15. In the Count box, enter the number of packets.
  16. Select the Log check box to store the header information of a packet on the Routing Engine.
  17. Select the Syslog check box to log an alert for the packet.
  18. Select the Sample check box to sample the packet traffic.
  19. Select the Port Mirror check box to port-mirror the packets.
  20. From the Loss Priority list, set the packet loss priority (PLP) to low, medium-low, medium-high, or high.
  21. In the Forwarding Class box, enter the packet forwarding class name.
  22. From the Prefix Action list, select the prefix specific action.
  23. Click Accept next to Then.
  24. Select one of the following:
    • Accept—To accept a packet.
    • Discard—To discard a packet silently, without sending an ICMP message.
    • Next—To evaluate the next term in the firewall filter.
  25. Click Policer next to Then.
  26. Select one of the following:
    • policer—To configure a new policer for each filter and select the policer name.
    • three-color-policer—To configure a tricolor marking policer,
      1. Expand Three Color Policer.
      2. Click Single Rate next to Three Color Policer.
      3. Select one of the following:
        • Select single-rate if the named tricolor policer is a single-rate policer.
        • Select two-rate if the named tricolor policer is a two-rate policer.

Configuring Service Filters for inet6 (NSM Procedure)

To configure the service filters for inet6 in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet6.
  4. Add or modify settings as specified in Table 2.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 2: inet6 Service Filter Configuration Details

Task Your Action

Configure service filter.
  1. Click Service Filter next to inet.
  2. Click Add new entry next to Service Filter.
  3. Expand service-filter.
  4. In the Name box, enter the name that identifies the service filter.

Define term.
  1. Click Term next to service-filter.
  2. Click Add new entry next to Term.
  3. Expand Term.
  4. In the Name box, enter the name that identifies the term.
  5. In the Comment box, enter the comment for the term.
  6. Expand From.
  7. In the Comment box, enter the comment.
  8. From the listed protocol-independent match conditions, select the filters defined for the inet6 family type.

    The protocol-independent match conditions are Address, Ah Spi, Destination Address, Destination port, Destination prefix List, interface Group, Next Header, Interface Set, Ip Options, Loss Priority, Port, Prefix List, Protocol, Source Address, Source Port, Source Prefix List, and Esp spi.

  9. Click Then next to From.
  10. In the Comment box, enter the comment for then.
  11. In the Count box, enter the number of packets.
  12. Select the Log check box to store the header information of a packet on the Routing Engine.
  13. Select the Sample check box to sample the packet traffic.
  14. Select the Port Mirror check box to port-mirror the packets.
  15. Select one of the following:
    • service—To direct packets for stateful-firewall service.
    • skip—To let packets bypass stateful-firewall service.

Published: 2009-08-23