ON THIS PAGE
Example: Configuring an Egress Filter Based on IPv6 Source or Destination IP Addresses
This example shows how to configure a firewall
filter to accept IPv6 packets egressing an inet6 interface.
Requirements
This topic describes a feature supported on EX4300 and QFX5100 that was introduced in Junos OS Release 19.1R1. No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you create a typical firewall filter to accept
IPv6 source and destination packets in the egress direction of an inet6 interface. To support filtering in the egress direction,
however, you’ll first need to set the set system packet-forwarding-options
eracl-ip6-match using either the srcip6-and-destip6 or srcip6-only option. You'll also need to restart the
packet forwarding engine(PFE) after committing the configuration.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
- CLI Quick Configuration
- Enable the system for IPv6 address filtering
- Apply the firewall filter to an egress interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following
commands into a text file, remove any line breaks, and then paste
the commands into the CLI at the [edit] hierarchy level.
set system packet-forwarding-options eracl-ip6-match srcip6-and-destip6 set firewall family inet6 filter ipv6_filter term t1 from source-address 3001::10/64 set firewall family inet6 filter ipv6_filter term t1 from destination-address 2001::10/64 set interfaces ge-0/0/0 unit 0 family inet6 filter output ipv6_filter
Enable the system for IPv6 address filtering
Step-by-Step Procedure
To configure a firewall filter for IPv6 filtering on
an inet6 egress interface:
Enable packet forwarding options for matching on either IPv6 source, or IPv6 source and destination IP addresses. In this example, we’ll enable both source and destination IP address matching.
[edit] user@host# set system packet-forwarding-options eracl-ip6-match srcip6-and-destip6
Check, and if appropriate, delete any existing firewall filters that are already bound to the interface you will use for the IPv6 firewall filter:
[edit] user@host# delete interfaces ge-0/0/0 unit 0 family inet6 filter output tcp_filter.
Commit the changes above, then stop and restart the PFE to accept the
packet-forwarding-optionsand clear the PFE for the IPv6 filter(s).For EX4300, use the following:
user@host# commit user@host# run request restart pfe-manager
For EX4300 virtual chassis, use the following:
user@host# commit user@host# run request system reboot all-members
For QFX5100, reboot the system:
user@host# commit user@host# run request system reboot
Create a IPv6 firewall filter named tcp_filter.
[edit] user@host# edit firewall family inet6 filter tcp_filter
Configure the required filter action, here to match packets with an IPv6 source or destination address within the configured range.
[edit firewall family inet6 filter tcp_filter] user@host# set term t1 from source-address 3001::10/64 user@host# set term t1 from destination-address 2001::10/64
Specify that matched packets are counted, logged to the buffer on the PFE, and accepted.
[edit firewall family inet6 filter tcp_filter] user@host# set term t1 then count egress_ipv6-packets user@host# set term t1 then log user@host# set term t1 then accept
Apply the firewall filter to an egress interface
Step-by-Step Procedure
To apply the firewall filter to an egress inet6 interface, type the following:
user@host# set interfaces ge-0/0/0 unit 0 family inet6 filter output tcp_filter
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the firewall filter by entering the
show firewallconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet6 { filter tcp_filter { term t1 { from { source-address 3001::10/64; destination-address 2001::10/64; } then { count egress_ipv6-packets; log; accept; } } } }Confirm the configuration of the interface by entering the
show interfacesconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces ge-0/0/0 { unit 0 { family inet6 { filter { output tcp_filter; } source-address 3001::10/64; destination-address 2001::10/64; } } }When you are done configuring the device, commit the candidate configuration.
[edit] user@host# commit