Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


eracl-ip6-match (packet-forwarding-options)


Hierarchy Level


Use the options of this command to allow source and/or destination IPv6 address match conditions for eRACL inet6 filters.

In Junos, firewall filters are classified as ingress or egress depending on where in the sequence the packet is evaluated and action taken. Filtering IPv6 traffic on an inet6 egress interface can be useful, for example, for safeguarding a third-party device connected to the Juniper switch.


After configuring, modifying, or deleting the eracl-ip6-match statement, you must commit the configuration, and the packet forwarding engine (PFE) must be restarted.



Configuring match conditions in a firewall filter for IPv6 source and/or destination IP addresses is only allowed if the srcip6-and-destip6 or the srcip6-only options described below are enabled. The two options cannot both be enabled at the same time. If neither option is configured, the default behavior is to allow match condition to be created for IPv6 destination addresses on egress interfaces only.

  • Values:

    • srcip6-and-destip6—Choose this option to allow both source and destination IPv6 address match conditions on inet6 interfaces in egress direction. The source and destination port match conditions are also allowed only with this option. Note that when this option is enabled, the scale of eRACLv6 is reduced by half.

    • srcip6-only—Choosing this option allows the source IPv6 address match condition in eRACLv6 filters but not a destination address. Both source and destination port match conditions cannot be configured at the same time as this option is enabled (you will get a commit error).

Required Privilege Level


Release Information

Statement introduced in Junos OS Release 19.1 (EX4300 and QFX5100 Series switches only).