
IPv6 Wildcard Mask Match Conditions

Overview

Firewall filters are an important component of network security. You (the network administrator) might have many similar IP addresses in your network that you want to allow or disallow. Configuring each address individually can be time-consuming and inefficient. A more efficient option is to use wildcard masks. To dynamically apply firewall filters to similar IPv6 addresses, configure match conditions based on wildcard masks for your firewall filters.

By default, any IPv6 address you configure in a firewall filter has a prefix length of /128, which means a packet's address must match the configured address exactly. To match only part of an address, use a mask in which a group of ffff requires that portion of the address to match and a group of 0000 ignores that portion of the address.

Configuration

Follow these steps to use wildcard masks for IPv6 addresses.

  1. Create an IPv6 stateless firewall filter. In this example, the filter is called f1.
  2. Specify that a packet matches if it is from a source address or going to a destination address that matches the condition after the subnet mask is applied.

    In this example, the firewall filter matches on packets with a source address of the form 2001:db8:0:0:****:1111, where **** stands for any value. The firewall filter also matches on packets with a destination address of 2001:db8:0:0:****:2222, where **** stands for any value.

  3. Specify that matched packets should be counted, logged to the buffer on the Packet Forwarding Engine, and accepted.
  4. Specify that for packets not matching the specified source or destination addresses, the firewall filter should count them separately.
  5. Apply the firewall filter to a particular port. In this example, the interface et-0/0/16:4 has the address 2001:db8:3c4d:3::2222. We apply the firewall filter to packets that enter the port et-0/0/16:4. Any packets destined for that port are evaluated against the f1 filter and are counted and logged accordingly.
  6. Commit the configuration.
  7. Verify that the configuration was successful.
    In the example below, the counter cnt1 shows the number of packets that matched the firewall filter’s match condition. The default-match counter shows the packets that did not match the condition.
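The matching described in the steps above, as an added Python model of the mask semantics (this is illustration code, not Junos configuration and not from the original page). It assumes the text's "****" patterns are written out to all eight 16-bit groups; the function names and the sample packets are constructed for the example.

```python
import ipaddress
from collections import Counter

def pattern_to_address_and_mask(pattern: str):
    """Turn the '****' notation into an address/mask pair, as the text describes:
    a fixed group keeps its value under a mask of ffff, a '****' group becomes 0
    under a mask of 0 so that its bits are ignored. All eight groups must be listed."""
    groups = pattern.split(":")
    if len(groups) != 8:
        raise ValueError("pattern must spell out all eight 16-bit groups")
    address = ":".join("0" if g == "****" else g for g in groups)
    mask = ":".join("0" if g == "****" else "ffff" for g in groups)
    return address, mask

def wildcard_match(match_addr: str, mask: str, packet_addr: str) -> bool:
    """True when packet_addr agrees with match_addr in every bit the mask sets."""
    m = int(ipaddress.IPv6Address(mask))
    packet = int(ipaddress.IPv6Address(packet_addr))
    wanted = int(ipaddress.IPv6Address(match_addr))
    return (packet & m) == (wanted & m)

# Constructed match conditions: the text's two patterns, written out to eight groups (assumption).
SRC_MATCH, SRC_MASK = pattern_to_address_and_mask("2001:db8:0:0:****:****:****:1111")
DST_MATCH, DST_MASK = pattern_to_address_and_mask("2001:db8:0:0:****:****:****:2222")

def run_filter_f1(packets):
    """Evaluate (source, destination) pairs the way the text describes filter f1:
    a packet matching the source or the destination condition is counted in cnt1
    (the term that also logs and accepts it); anything else falls through to the
    final term, which only counts it in default-match."""
    counters = Counter({"cnt1": 0, "default-match": 0})
    for src, dst in packets:
        if wildcard_match(SRC_MATCH, SRC_MASK, src) or wildcard_match(DST_MATCH, DST_MASK, dst):
            counters["cnt1"] += 1
        else:
            counters["default-match"] += 1
    return dict(counters)

# Constructed sample traffic (not captured from any device).
SAMPLE_PACKETS = [
    ("2001:db8:0:0:abcd:1:2:1111", "2001:db8::5"),                 # source matches: the three wildcard groups may hold anything
    ("2001:db8:0:0:1:2:3:9999", "2001:db8:0:0:dead:beef:0:2222"),  # destination matches
    ("2001:db8:0:0:1:2:3:9999", "2001:db8:0:0:1:2:3:4444"),        # last group wrong on both sides: default-match
    ("2001:db8:0:1:abcd:1:2:1111", "2001:db8::3"),                 # fourth group is 1, not 0: default-match
]

if __name__ == "__main__":
    print(run_filter_f1(SAMPLE_PACKETS))  # {'cnt1': 2, 'default-match': 2}
```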

Platform Support

See Feature Explorer for platform and release support.