Parameterized Filter Match Conditions for IPv6 Traffic
You can configure a parameterized filter with match conditions for Internet Protocol version 6 (IPv6) traffic (family inet6).
For MX Series routers with MPCs, you need to initialize certain new firewall filters by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters and ensures that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with certain terminating actions. See those topics, listed under Related Documentation, for details.
Table 1 describes the match conditions you can configure at the [edit
firewall family inet6 filter filter-name term term-name from]
hierarchy level.
| Match Condition | Description |
|---|---|
| | Match the IPv6 source or destination address field unless the |
| | Match the IPv6 destination address field unless the You cannot specify both the |
| | Match the UDP or TCP destination port field. You cannot specify both the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): |
| | Do not match the UDP or TCP destination port field. For details, see the |
| | Match the IPv6 destination prefix to the specified list unless the The prefix list is defined at the |
| | Match the forwarding class of the packet. Specify For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues. |
| | Do not match the forwarding class of the packet. For details, see the |
| | Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the If you configure this match condition, you must also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: |
| | Do not match the ICMP message code field. For details, see the |
| | Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): For |
| | Do not match the ICMP message type field. For details, see the |
| | Match the packet loss priority (PLP) level. Specify a single level or multiple levels: Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches. For IP traffic on M320, MX Series, T Series routers and EX Series switches with Enhanced II Flexible PIC Concentrators (FPCs), you must include the For information about the |
| | Do not match the PLP level. For details, see the |
| | Match the first 8-bit Next Header field in the packet. Support for the For IPv6, we recommend that you use the Match the first 8-bit Next Header field in the packet. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): Note: |
| | Do not match the 8-bit Next Header field that identifies the type of header between the IPv6 header and payload. For details, see the |
| | Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. |
| | Do not match the length of the received packet, in bytes. For details, see the |
| | Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed under the |
| | Do not match the UDP or TCP source or destination port field. For details, see the |
| | Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the The prefix list is defined at the |
| | Match a packet received from a filter where a |
| | Match the IPv6 address of the source node sending the packet unless the You cannot specify both the |
| | Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes. |
| | Do not match one or more specified source class names. For details, see the |
| | Match the UDP or TCP source port field. You cannot specify the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed with the |
| | Do not match the UDP or TCP source port field. For details, see the |
| | Match the IPv6 address prefix of the packet source field unless the Specify a prefix list name defined at the |
| | Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet. This field was previously used as the type-of-service (ToS) field in IPv4. You can specify a numeric value from In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| | Do not match the 8-bit field that specifies the CoS priority of the packet. For details, see the |
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.
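A pre-commit check for the term-level rules the table describes (conditions that cannot share a term, and conditions that should or must be paired with another), as an added example that is not part of the Juniper documentation. The table above does not show the keyword names, so the ones used here (port, destination-port, source-port, icmp-code, icmp-type, payload-protocol) are an assumption taken from the standard Junos inet6 match conditions, and the filter and term names in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample in "set" format; the filter and term names are made up.
SAMPLE = """\
set firewall family inet6 filter v6-edge term dns from destination-port 53
set firewall family inet6 filter v6-edge term dns then accept
set firewall family inet6 filter v6-edge term web from next-header tcp
set firewall family inet6 filter v6-edge term web from destination-port 443
set firewall family inet6 filter v6-edge term ping from icmp-code 0
set firewall family inet6 filter v6-edge term mgmt from address 2001:db8::/32
set firewall family inet6 filter v6-edge term mgmt from source-address 2001:db8:1::/48
"""

FROM_LINE = re.compile(
    r"^set firewall family inet6 filter (\S+) term (\S+) from (\S+)")

# Assumed keyword names (standard Junos inet6 match conditions).
PORT_CONDS = {"port", "destination-port", "source-port"}
PROTO_CONDS = {"next-header", "payload-protocol"}
EXCLUSIVE = [("address", "destination-address"), ("address", "source-address"),
             ("port", "destination-port"), ("port", "source-port")]


def lint(config):
    """Return (filter/term, finding) pairs for terms that break the rules."""
    terms = defaultdict(set)
    for line in config.splitlines():
        m = FROM_LINE.match(line.strip())
        if m:
            terms[(m.group(1), m.group(2))].add(m.group(3))
    findings = []
    for (flt, term), conds in sorted(terms.items()):
        where = f"{flt}/{term}"
        # Without a protocol match the term does not say whether the
        # port is a TCP port or a UDP port.
        if conds & PORT_CONDS and not conds & PROTO_CONDS:
            findings.append((where, "port match without protocol match"))
        if "icmp-code" in conds and "icmp-type" not in conds:
            findings.append((where, "icmp-code without icmp-type"))
        for a, b in EXCLUSIVE:
            if a in conds and b in conds:
                findings.append((where, f"{a} and {b} in the same term"))
    return findings


if __name__ == "__main__":
    for where, finding in lint(SAMPLE):
        print(f"{where}: {finding}")
```

The check reads only the `from` lines of `family inet6` filters in set format, so a hierarchical configuration would need to be displayed in set format first.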
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
The next-header firewall match condition is available in Junos OS Release 13.3R6 and later.