drop egress ipv6
‎02-06-2014 08:54 PM
How can I drop all IPv6 traffic in the egress of a lag?
The switch is a DFE in an E7 chassis.
Thanks
‎02-10-2014 01:10 PM
Generally it is possible to combine multiple functions into an existing set of policy, perhaps as simply as adding in a rule or two. However, each case will have unique circumstances, so must be evaluated in detail before one can conclude whether such a multi-purpose policy can be successfully crafted to leave each intended function fully complete and effective.
For that detailed evaluation, it would probably be most helpful to get a GTAC Support case opened. Start it off with what has already been discussed here, and when a conclusion is reached, those results can be added to the end of this Hub topic to close the conversational loop.
‎02-10-2014 12:45 PM
Thank you for your answers, but on the ports where we need to drop IPv6 traffic there is another policy working, and I think that is not compatible.
Is it possible to add this rule to the policy profile?
I have seen that in these models I can't configure an ACL that denies IPv6 traffic.
‎02-07-2014 12:59 PM
As James has stated, policy acts upon ingress yet you would like it to selectively affect egress. This seemingly insurmountable problem does have a workaround, though I preface the following discussion with the caution that we are now squarely within the realm of "understanding the rules so that they can be creatively broken".
Start with the background in KB 5888, "Filtering Egress Traffic based on Frame Characteristics" (http://bit.ly/1l5lwNg).
A review of KB 14443, "Using S/K-Series Policy to identify IPv6 Router Advertisements" (http://bit.ly/IMvR28) might also be helpful.
Let's say that the traffic in question will be ingressing port ge.1.1, and all ports on the system are initially egressing vlan x.
The following variation on the previously suggested policy config would, instead of dropping the IPv6 frames, move them to VLAN x2, which all ports except the LAG should be allowed to egress as well. For this purpose the presence of additional VLAN configurations (VLAN x2 definition, VLAN x2 untagged egress from non-LAG ports), not present here, may be assumed.
code:
set policy profile 100 name selectively-BlockIPV6
set policy rule 100 ether 0x86dd vlan <x2>
set policy port ge.1.1 100
The sequence of events outlined in KB 5888 would take it from there.
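The reply's workaround, modelled as an added example (not part of the original post and not Enterasys code): frames are classified on ingress by EtherType 0x86dd into VLAN x2, and the LAG never forwards them because it is not on that VLAN's egress list. The VLAN IDs, the LAG port name `lag.0.1`, the egress lists and the handling of 802.1Q-tagged frames are assumptions made for the model.

```python
import struct

ETH_IPV6 = 0x86DD    # EtherType matched by the policy rule in the post
ETH_8021Q = 0x8100   # 802.1Q tag; the payload EtherType follows the 4-byte tag

VLAN_X, VLAN_X2 = 10, 20     # assumed IDs for "vlan x" and "VLAN x2"
LAG = "lag.0.1"              # hypothetical LAG port name
EGRESS = {                   # assumed per-VLAN egress lists
    VLAN_X: {"ge.1.1", "ge.1.2", LAG},
    VLAN_X2: {"ge.1.1", "ge.1.2"},   # every port except the LAG
}

def ethertype(frame: bytes) -> int:
    """Return the payload EtherType, skipping one 802.1Q tag if present
    (assumption: the classifier looks past the tag)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype

def classify(frame: bytes) -> int:
    """Ingress policy: IPv6 frames move to VLAN x2, all others stay in x."""
    return VLAN_X2 if ethertype(frame) == ETH_IPV6 else VLAN_X

def egress_ports(frame: bytes, ingress: str = "ge.1.1") -> set:
    """Ports the frame may leave on when flooded within its assigned VLAN."""
    return EGRESS[classify(frame)] - {ingress}

def make_frame(etype: int, tagged: bool = False) -> bytes:
    """Constructed sample frame: broadcast dst, dummy src, zero payload."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if tagged:
        hdr += struct.pack("!HH", ETH_8021Q, VLAN_X)
    return hdr + struct.pack("!H", etype) + b"\x00" * 46

if __name__ == "__main__":
    samples = [("IPv4", make_frame(0x0800)), ("IPv6", make_frame(ETH_IPV6)),
               ("IPv6 tagged", make_frame(ETH_IPV6, tagged=True))]
    for name, frame in samples:
        print(f"{name:12} -> {sorted(egress_ports(frame))}")
```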
‎02-06-2014 09:10 PM
I forgot to say that the switches are Enterasys.
