drop egress ipv6

  • Question
  • Updated 5 years ago
How can I drop all IPv6 traffic in the egress of a lag?
The switch is a DFE in a E7 chassis.
Thanks
cpsd


Posted 5 years ago

cpsd

I forgot to say that the switches are Enterasys.
James A, Embassador

I know how to drop IPv6 traffic on ingress:
set policy profile 100 name BlockIPV6
set policy rule 100 ether 0x86dd drop
set policy port ge.1.1 100
But I don't know how to set policy on egress packets.
Paul Poyant, Employee

As James has stated, policy acts upon ingress yet you would like it to selectively affect egress. This seemingly insurmountable problem does have a workaround, though I preface the following discussion with the caution that we are now squarely within the realm of "understanding the rules so that they can be creatively broken".

Start with the background in KB 5888, "Filtering Egress Traffic based on Frame Characteristics" (http://bit.ly/1l5lwNg). A review of KB 14443, "Using S/K-Series Policy to identify IPv6 Router Advertisements" (http://bit.ly/IMvR28) might also be helpful.

Let's say that the traffic in question will be ingressing port ge.1.1, and all ports on the system are initially egressing vlan x.
The following variation on the previously suggested policy config would, instead of dropping the IPv6 frames, move them to VLAN x2, which all ports except the LAG should be allowed to egress as well. For this purpose the presence of additional VLAN configurations (VLAN x2 definition, VLAN x2 untagged egress from non-LAG ports), not present here, may be assumed.

set policy profile 100 name selectively-BlockIPV6
set policy rule 100 ether 0x86dd vlan <x2>
set policy port ge.1.1 100

The sequence of events outlined in KB 5888 would take it from there.
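
The workaround described in the post above, as a simplified forwarding model in Python (an added illustration that is not part of the original post and not Enterasys code): ingress policy chooses the VLAN by EtherType, and per-VLAN egress lists decide which ports a frame may leave on. The VLAN IDs 10 and 20 (standing in for x and x2), the port list and the LAG name lag.0.1 are constructed assumptions.

```python
# Simplified model (an assumption, not vendor code) of the workaround:
# ingress policy picks the VLAN, per-VLAN egress lists decide where it may leave.
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_IPV4 = 0x0800

VLAN_X, VLAN_X2 = 10, 20          # constructed IDs standing in for x and x2
PORTS = ["ge.1.1", "ge.1.2", "ge.1.3", "lag.0.1"]   # lag.0.1 is a hypothetical LAG name

# Egress lists: every port egresses VLAN x; every port except the LAG egresses x2.
EGRESS = {
    VLAN_X: set(PORTS),
    VLAN_X2: {p for p in PORTS if p != "lag.0.1"},
}
PVID = {p: VLAN_X for p in PORTS}  # default VLAN for untagged ingress

# Policy profile 100: ether 0x86dd -> vlan x2, applied only to ge.1.1 as in the post.
PROFILE_RULES = {100: {ETHERTYPE_IPV6: VLAN_X2}}
PORT_PROFILE = {"ge.1.1": 100}


def classify(in_port, ethertype):
    """Return the VLAN a frame is assigned on ingress."""
    rules = PROFILE_RULES.get(PORT_PROFILE.get(in_port), {})
    return rules.get(ethertype, PVID[in_port])


def egress_ports(in_port, ethertype):
    """Ports a flooded frame may leave on (never back out the ingress port)."""
    vlan = classify(in_port, ethertype)
    return sorted(EGRESS[vlan] - {in_port})


def leaks_to(port, ethertype):
    """Ingress ports whose frames of this EtherType can still egress `port`."""
    return [p for p in PORTS if p != port and port in egress_ports(p, ethertype)]


if __name__ == "__main__":
    print("IPv6 from ge.1.1:", egress_ports("ge.1.1", ETHERTYPE_IPV6))
    print("IPv4 from ge.1.1:", egress_ports("ge.1.1", ETHERTYPE_IPV4))
    print("IPv6 still reaching the LAG from:", leaks_to("lag.0.1", ETHERTYPE_IPV6))
```

In this model, IPv6 entering on ports that do not carry the profile stays in VLAN x and still egresses the LAG, so the profile has to be applied on every ingress port whose IPv6 traffic should be kept off the LAG.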
cpsd

Thank you for your answers, but on the ports where we need to drop IPv6 traffic there is another policy working, and I think that is not compatible.
Is it possible to add this rule to the policy profile?
I have seen that on these models I can't configure an ACL that denies IPv6 traffic.
Paul Poyant, Employee

Generally it is possible to combine multiple functions into an existing set of policy, perhaps as simply as adding in a rule or two.  However, each case will have unique circumstances, so must be evaluated in detail before one can conclude whether such a multi-purpose policy can be successfully crafted to leave each intended function fully complete and effective.

For that detailed evaluation, it would probably be most helpful to get a GTAC Support case opened. Start it off with what has already been discussed here, and when a conclusion is reached, those results can be added to the end of this Hub topic to close the conversational loop.