I want to apply a firewall filter to my loopback interface that would accept ISIS and OSPF packets. What would be the match criteria for ISIS packets?
Since IS-IS packets are not IP (family inet/inet6) packets, you wouldn't need to add a term to your loopback filter for this. You just need to make sure that your interfaces and loopback have "family iso" configured on them and you'll be able to communicate.
Since the packets are not family inet nor inet6, you can't block it with your standard loopback firewall filter (since those are generally applied to those families) and it will work even if you were to install a "discard everything" firewall filter.
I've had a quick look out of academic interest to see if you can apply a filter to family iso instead, but as far as I could see you can't block IS-IS packets (there's probably a way that I missed, but it's not in the standard types of match criteria that I'd use at least), but either adding or removing family iso to the relevant interfaces will do the equivalent trick of allowing or denying IS-IS traffic on particular interfaces.
That makes sense.
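The setup described in the answer above, as an added Junos configuration sketch that is not part of the original thread. The filter name PROTECT-RE, the interface ge-0/0/0, the documentation-range IP addresses and the ISO NET are constructed placeholders.

```junos
# Constructed example: filter name, interface and addresses are placeholders.
firewall {
    family inet {
        filter PROTECT-RE {
            # OSPF runs over IP (protocol 89), so it needs an explicit term.
            term allow-ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            # No IS-IS term: IS-IS PDUs are not IP and never reach this filter.
            # A production filter also needs terms for management traffic
            # (SSH, SNMP, NTP, ...) ahead of the final discard.
            term discard-rest {
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
                address 192.0.2.1/32;
            }
            family iso {
                address 49.0001.1920.0000.2001.00;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.1/30;
            }
            # Removing this statement stops IS-IS on this interface.
            family iso;
        }
    }
}
```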