Block all IPv6 traffic

  • Question
  • Updated 1 year ago
  • Answered
How can I block all IPv6 traffic in XOS?

gbs


Posted 1 year ago


OscarK, ESE

You could write an ACL to block all traffic with ethertype 0x86DD.

Martineau, John, Employee


gbs

Thanks!

Mrxlazuardin

Hi Gerson,

What if you just don't put an IPv6 address on the interface/VLAN? Then no one can do IPv6 gatewaying. It only works for L3 blocking.

Best regards,

OscarK, ESE

EXOS does not work that way; almost every ACL action is done on all packets, no matter whether they are L2 switched or routed.

Mrxlazuardin

Hi Oscar,

If using an ACL, is that kind of ACL processed by the CPU or the ASIC?

Best regards,

OscarK, ESE

ACL is done in hardware (ASIC).

gbs

I work at a very large campus.

A lot of routers are installed every day without our knowledge.

I'm concerned with those routers acting as IPv6 DHCP servers.

We have trusted ports well configured, but I suspect that it doesn't work for IPv6.

Since we don't have IPv6 for users, I think that if we block it, that problem is solved for now.

Mrxlazuardin

Hi Gerson,

Is there any specific reason to do this at the L2 level? Does IPv6 traffic inside a client VLAN matter to you, since it will not be gatewayed if you don't put an IPv6 address on your L3? I think the L2 way only works if all your clients are connected directly to your controllable switch; if not, the L3 way is simpler, since the traffic will only reach your controllable switch for gatewaying or for accessing clients (or client switches) on different connected ports in the same VLAN.

Best regards,
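
An added example, not posted by anyone in the thread and not EXOS configuration: a small Python model of the suggested EtherType 0x86DD match, showing that router advertisements and DHCPv6 server replies from an unmanaged router both fall under that one rule while IPv4 and ARP pass. The function names and sample frames are constructed for illustration, and the model assumes the classifier reads the EtherType behind any 802.1Q tag.

```python
import struct

ETH_IPV6 = 0x86DD                 # EtherType named in the thread
VLAN_TPIDS = {0x8100, 0x88A8}     # 802.1Q / 802.1ad tag identifiers

def parse(frame: bytes):
    """Return (ethertype, payload_offset), skipping any VLAN tags (assumed behaviour)."""
    offset = 12                   # past destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype not in VLAN_TPIDS:
            return etype, offset
        offset += 2               # skip the 2-byte tag control field

def acl_action(frame: bytes) -> str:
    """Model of the suggested rule: deny EtherType 0x86DD, permit the rest."""
    return "deny" if parse(frame)[0] == ETH_IPV6 else "permit"

def ipv6_kind(frame: bytes) -> str:
    """Label what an IPv6 frame carries (extension headers are not walked)."""
    etype, off = parse(frame)
    if etype != ETH_IPV6:
        return "not-ipv6"
    # Slices stay empty on short frames, so no length check is needed.
    nh, body = frame[off + 6:off + 7], frame[off + 40:]
    if nh == bytes([58]) and body[:1] == bytes([134]):            # ICMPv6 type 134
        return "router-advertisement"
    if nh == bytes([17]) and body[:2] == struct.pack("!H", 547):  # UDP source port 547
        return "dhcpv6-server-reply"
    return "other-ipv6"

def _eth(etype, payload, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex("333300000001020000000001") + tag + struct.pack("!H", etype) + payload

def _ipv6(next_header, body):
    return struct.pack("!IHBB", 6 << 28, len(body), next_header, 255) + bytes(32) + body

SAMPLES = {  # constructed frames, not captured traffic
    "rogue RA, untagged": _eth(ETH_IPV6, _ipv6(58, bytes([134]) + bytes(15))),
    "DHCPv6 reply, VLAN 10": _eth(ETH_IPV6, _ipv6(17, struct.pack("!HH", 547, 546) + bytes(8)), vlan=10),
    "IPv4": _eth(0x0800, bytes(20)),
    "ARP": _eth(0x0806, bytes(28)),
}

def evaluate():
    return {name: (acl_action(f), ipv6_kind(f)) for name, f in SAMPLES.items()}
```

The same functions can be pointed at frames exported from a capture on a test port to confirm which traffic the rule would drop.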