Using S/K-Series Policy to identify IPv6 Router Advertisements

FAQ_User — Tue, 10 Dec 2013 04:37:00 GMT

Article ID: 14443

Products
S-Series
K-Series

Goals
Identify IPv6 Router Advertisements on user ports, for the purpose of dropping what amounts to "rogue" IPv6 traffic that can either directly misroute IPv6 traffic or cause IPv6/IPv4 users to try to communicate using IPv6 when no actual IPv6 connectivity exists.

Solution
Here is a sample configuration which uses Policy to identify and drop IPv6 RA traffic ingressing the configured user port(s):set policy profile 1 name IPv6-RA-drop
[profile to drop incoming IPv6 Router Advertisements]
set policy rule admin-profile port ge.1.1 mask 16 port-string ge.1.1 admin-pid 1
[assign the profile to this port]
set policy rule 1 icmp6type 134.0 mask 16 drop syslog enable
[cause the profile to drop ingress RAs]
set policy autoclear interval 1 ports ge.1.1
[force a max of one syslog message per second for this port]
set policy syslog extended-format enable every-time enable
[allow detailed syslogging for every rule hit]The intent of the continued syslogging is to allow the network manager to identify any false router nodes and resolve them (via manual intervention), on an ongoing basis.

The Policy supported on other Enterasys products can use ethertype 0x86dd (native IPv6; 12627) or ipproto 41 (IPv6 encapsulated into IPv4) to identify IPv6 in general, but do not have the granularity to determine the type of IPv6 packet.
Also see this HowTo Video which explains how to drop all IPv6 packets on the S/N/K-Series.

topic Using S/K-Series Policy to identify IPv6 Router Advertisements in FAQs

Using S/K-Series Policy to identify IPv6 Router Advertisements