I have two servers, IPv6 interfaces: 2a06:6780:0:1: 1 and 2a06:6780:0: 2: 2
Each of the servers is connected to BD-8810, on each port there is the same ingress policy, approximately with the following content:
code:# To our IPv6
entry 06_to_our_ipv6 {
if {
destination-address 2a06:6780::/29;
}
then {
count 06_to_our_ipv6;
permit;
}
}
# To world IPv6
entry 07_from_ipv6 {
if {
source-address 2a06:6780::/29;
}
then {
count 07_from_ipv6;
redirect-name uplink6;
}
}
Connectivity between servers over IPv6 is present, but turned out to be suspiciously high ping between them ~20ms. By the way ~10ms-this is the first gateway uplink.
Began to understand, the traffic from the server to the server goes through uplink (uplink6).
For clarity, changed the policy to this:
code:# To our IPv6
entry 06_to_our_ipv6 {
if {
source-address 0::/0;
}
then {
count 06_to_our_ipv6;
permit;
}
}
# To world IPv6
entry 07_from_ipv6 {
if {
source-address 0::/0;
}
then {
count 07_from_ipv6;
redirect-name uplink6;
}
}
What was my surprise that both counters
are growing at the same time and equally!
code:# sho access-list counter ports 1:34
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
from_ipv4_ipv6 * 1:34 ingress
...
06_to_our_ipv6 624
07_from_ipv6 624
How is that even possible? Why does permit not stop the package from passing by the rules?
