Question

drop egress ipv6


How can I drop all IPv6 traffic in the egress of a lag?
The switch is a DFE in an E7 chassis.
Thanks

5 replies

I forgot to say that the switches are Enterasys.
I know how to drop IPv6 traffic on ingress:
set policy profile 100 name BlockIPV6
set policy rule 100 ether 0x86dd drop
set policy port ge.1.1 100
But I don't know how to set policy on egress packets.
As James has stated, policy acts upon ingress yet you would like it to selectively affect egress. This seemingly insurmountable problem does have a workaround, though I preface the following discussion with the caution that we are now squarely within the realm of "understanding the rules so that they can be creatively broken".

Start with the background in KB 5888, "Filtering Egress Traffic based on Frame Characteristics" (http://bit.ly/1l5lwNg).
A review of KB 14443, "Using S/K-Series Policy to identify IPv6 Router Advertisements" (http://bit.ly/IMvR28) might also be helpful.

Let's say that the traffic in question will be ingressing port ge.1.1, and all ports on the system are initially egressing vlan x.
The following variation on the previously suggested policy config would, instead of dropping the IPv6 frames, move them to VLAN x2, which all ports except the LAG should be allowed to egress as well. For this purpose the presence of additional VLAN configurations (VLAN x2 definition, VLAN x2 untagged egress from non-LAG ports), not present here, may be assumed.

set policy profile 100 name selectively-BlockIPV6
set policy rule 100 ether 0x86dd vlan <x2>
set policy port ge.1.1 100


The sequence of events outlined in KB 5888 would take it from there.
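A check that could be run on frames captured from the LAG after applying the workaround, to confirm that nothing with EtherType 0x86dd still leaves it (an added example, not part of the original thread or of the vendor KB articles). The frame bytes, MAC addresses and VLAN IDs are constructed, the capture source is assumed, and the handling of 802.1Q/802.1ad tags goes beyond the untagged case discussed above:

```python
import struct

ETH_IPV6 = 0x86DD             # EtherType matched by the policy rule in the thread
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers


def ethertype_and_vlans(frame: bytes):
    """Return (payload EtherType, [VLAN IDs, outermost first]) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vlans = 12, []
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:          # skip each tag to reach the real EtherType
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return etype, vlans


def ipv6_leaks(frames):
    """Return (index, VLAN stack) for every captured frame that still carries IPv6."""
    leaks = []
    for i, frame in enumerate(frames):
        etype, vlans = ethertype_and_vlans(frame)
        if etype == ETH_IPV6:
            leaks.append((i, vlans))
    return leaks


def make_frame(etype, vlan_stack=()):
    """Build a constructed test frame: fake MACs, optional tags, zero payload."""
    hdr = bytes.fromhex("3333000000010200000000aa")
    for tpid, vid in vlan_stack:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", etype) + b"\x00" * 46


# Constructed sample capture, standing in for frames seen on the LAG egress.
SAMPLE_CAPTURE = [
    make_frame(0x0800),                                 # IPv4, untagged
    make_frame(0x86DD),                                 # IPv6, untagged
    make_frame(0x0800, [(0x8100, 10)]),                 # IPv4, VLAN 10
    make_frame(0x86DD, [(0x8100, 20)]),                 # IPv6, VLAN 20
    make_frame(0x86DD, [(0x88A8, 100), (0x8100, 20)]),  # IPv6, double-tagged
]

if __name__ == "__main__":
    for index, vlans in ipv6_leaks(SAMPLE_CAPTURE):
        print(f"frame {index}: IPv6 still egressing, VLAN stack {vlans}")
```

An empty result from `ipv6_leaks` on a real capture is the outcome the workaround is meant to produce on the LAG.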
Thank you for your answers, but on the ports where we need to drop IPv6 traffic there is another policy working, and I think that it is not compatible.
Is it possible to add this rule to the policy profile?
I have seen that in these models I can't configure an ACL that denies IPv6 traffic.
Generally it is possible to combine multiple functions into an existing set of policy, perhaps as simply as adding in a rule or two. However, each case will have unique circumstances, so must be evaluated in detail before one can conclude whether such a multi-purpose policy can be successfully crafted to leave each intended function fully complete and effective.

For that detailed evaluation, it would probably be most helpful to get a GTAC Support case opened. Start it off with what has already been discussed here, and when a conclusion is reached, those results can be added to the end of this Hub topic to close the conversational loop.
