Question

IPv6: permit does not stop the packet from passing on through the rules

  • 13 February 2019

I have two servers, IPv6 interfaces: 2a06:6780:0:1: 1 and 2a06:6780:0: 2: 2

Each of the servers is connected to a BD-8810, and each port has the same ingress policy, with approximately the following content:

code:
# To our IPv6
entry 06_to_our_ipv6 {
    if {
        destination-address 2a06:6780::/29;
    }
    then {
        count 06_to_our_ipv6;
        permit;
    }
}

# To world IPv6
entry 07_from_ipv6 {
    if {
        source-address 2a06:6780::/29;
    }
    then {
        count 07_from_ipv6;
        redirect-name uplink6;
    }
}

Connectivity between the servers over IPv6 is present, but the ping between them turned out to be suspiciously high, ~20 ms. By the way, ~10 ms is the first gateway of the uplink.

I started looking into it: the traffic from server to server goes through the uplink (uplink6).

For clarity, changed the policy to this:
code:
# To our IPv6
entry 06_to_our_ipv6 {
    if {
        source-address 0::/0;
    }
    then {
        count 06_to_our_ipv6;
        permit;
    }
}

# To world IPv6
entry 07_from_ipv6 {
    if {
        source-address 0::/0;
    }
    then {
        count 07_from_ipv6;
        redirect-name uplink6;
    }
}

To my surprise, both counters are growing at the same time and equally!
code:
# sho access-list counter ports 1:34
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
from_ipv4_ipv6 * 1:34 ingress
...
06_to_our_ipv6 624
07_from_ipv6 624


How is that even possible? Why does permit not stop the packet from passing on through the rules?
