
eracl-ip6-match (packet-forwarding-options)

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 19.1 (EX4300 and QFX5100 Series switches only).

Description

Use the options of this statement to allow source and/or destination IPv6 address match conditions in eRACL inet6 filters.

In Junos, firewall filters are classified as ingress or egress depending on where in the forwarding sequence the packet is evaluated and the action taken. Starting in Junos OS Release 19.1R1, inet6 interfaces support both source and destination IPv6 match conditions in both the ingress and egress directions. Filtering IPv6 traffic on an inet6 egress interface can be useful, for example, for safeguarding a third-party device connected to the Juniper switch.

Note

For your updates to take effect, you need to stop and restart the packet forwarding engine (PFE) after committing any changes to this configuration.

Options

eracl-ip6-match Configuring match conditions in a firewall filter for IPv6 source and/or destination IP addresses is allowed only if the srcip6-and-destip6 or the srcip6-only option described below is enabled. The two options cannot both be enabled at the same time. If neither option is configured, the default behavior is to allow match conditions to be created for IPv6 destination addresses on egress interfaces only.

Values:

  • srcip6-and-destip6—Choose this option to allow both source and destination IPv6 address match conditions on inet6 interfaces in the egress direction. Source and destination port match conditions are also allowed only with this option. Note that when this option is enabled, the scale of eRACLv6 is reduced by half.

  • srcip6-only—Choosing this option allows the source IPv6 address match condition in eRACLv6 filters, but not a destination address match condition. Source and destination port match conditions cannot be configured while this option is enabled (you will get a commit error).

Required Privilege Level

flow-tap

Example: Configuring an Egress Filter Based on IPv6 Source or Destination IP Addresses

This example shows how to configure a firewall filter to accept IPv6 packets egressing an inet6 interface.

Requirements

This topic describes a feature supported on EX4300 and QFX5100 that was introduced in Junos OS Release 19.1R1. No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you create a typical firewall filter to accept packets matched on IPv6 source and destination addresses in the egress direction of an inet6 interface. To support filtering in the egress direction, however, you’ll first need to configure the set system packet-forwarding-options eracl-ip6-match statement using either the srcip6-and-destip6 or the srcip6-only option. You'll also need to restart the packet forwarding engine (PFE) after committing the configuration.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Enable the system for IPv6 address filtering

Step-by-Step Procedure

To configure a firewall filter for IPv6 filtering on an inet6 egress interface:

  1. Enable packet-forwarding options for matching on either IPv6 source addresses only, or on both IPv6 source and destination addresses. In this example, we’ll enable both source and destination IP address matching.

  2. Check for, and if appropriate delete, any existing firewall filters that are already bound to the interface you will use for the IPv6 firewall filter:

  3. Commit the changes above, then stop and restart the PFE to accept the packet-forwarding-options and clear the PFE for the IPv6 filter(s).

    • For EX4300, use the following:

    • For EX4300 virtual chassis, use the following:

    • For QFX5100, reboot the system:

  4. Create an IPv6 firewall filter named tcp_filter.

  5. Configure the required filter match condition, here to match packets with an IPv6 source or destination address within the configured range.

  6. Specify that matched packets are counted, logged to the buffer on the PFE, and accepted.

Apply the firewall filter to an egress interface

Step-by-Step Procedure

To apply the firewall filter to an egress inet6 interface, type the following:

  • user@host# set interfaces ge-0/0/0 unit 0 family inet6 filter output tcp_filter
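Because the eracl-ip6-match options are mutually exclusive and restrict which match conditions an egress inet6 filter may use (see the Options section), and because a mistake only surfaces as a commit error after you have already planned a PFE restart, it is worth linting the candidate set-commands first. The following is an added example (not Juniper's code) that encodes the rules from this page over set-style configuration; the filter and interface statements are standard Junos syntax, and the sample configuration, addresses and term name are constructed.

```python
import re

# Rules this page states for eracl-ip6-match, encoded as a pre-commit lint over
# set-style Junos config (added example, not Juniper's code). None = option unset.
ALLOWED = {
    None: {"destination-address"},                      # default: egress dst only
    "srcip6-only": {"source-address"},                  # no dst address, no ports
    "srcip6-and-destip6": {"source-address", "destination-address",
                           "source-port", "destination-port"},
}
MODE_RE = re.compile(r"^set system packet-forwarding-options eracl-ip6-match "
                     r"(srcip6-and-destip6|srcip6-only)$")
TERM_RE = re.compile(r"^set firewall family inet6 filter (\S+) term \S+ from "
                     r"(source-address|destination-address|source-port|destination-port) ")
EGRESS_RE = re.compile(r"^set interfaces \S+ unit \d+ family inet6 filter output (\S+)$")


def lint(config):
    """Return the problems this config would hit at commit time ([] if clean)."""
    modes, matches, egress = set(), {}, set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := MODE_RE.match(line):
            modes.add(m.group(1))
        elif m := TERM_RE.match(line):
            matches.setdefault(m.group(1), set()).add(m.group(2))   # filter -> kinds
        elif m := EGRESS_RE.match(line):
            egress.add(m.group(1))                                  # inet6 output filters
    if len(modes) > 1:
        return ["srcip6-and-destip6 and srcip6-only cannot both be enabled"]
    mode = modes.pop() if modes else None
    problems = []
    for name in sorted(egress):
        for kind in sorted(matches.get(name, set()) - ALLOWED[mode]):
            problems.append(f"filter {name}: {kind} match not allowed on an egress "
                            f"inet6 interface with eracl-ip6-match {mode or 'unset'}")
    return problems


# Constructed sample following the page's procedure: both-address matching,
# tcp_filter applied as output on ge-0/0/0 unit 0 (RFC 3849 documentation prefixes).
GOOD = """
set system packet-forwarding-options eracl-ip6-match srcip6-and-destip6
set firewall family inet6 filter tcp_filter term t1 from source-address 2001:db8:1::/64
set firewall family inet6 filter tcp_filter term t1 from destination-address 2001:db8:2::/64
set firewall family inet6 filter tcp_filter term t1 then count tcp_filter_hits
set firewall family inet6 filter tcp_filter term t1 then log
set firewall family inet6 filter tcp_filter term t1 then accept
set interfaces ge-0/0/0 unit 0 family inet6 filter output tcp_filter
"""
# Same filter with a destination port added but only srcip6-only enabled: two errors.
BAD = GOOD.replace("srcip6-and-destip6", "srcip6-only") + \
    "set firewall family inet6 filter tcp_filter term t1 from destination-port 22\n"
```

Only filters applied with `filter output` under `family inet6` are checked, since the options on this page govern the egress direction.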

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

  1. Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  2. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  3. When you are done configuring the device, commit the candidate configuration.