Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual

53-1003033-02
IPv6 source routing security enhancements
Selective filtering of IPv6 source-routed packets using ACLs
You can selectively filter IPv6 source-routed packets using ACLs by creating an IPv6 ACL that matches a type 0 routing extension header. The match is specified with the routing-header-type option when configuring the IPv6 ACL. The following example shows an IPv6 ACL that selectively drops IPv6 source-routed packets.
Brocade(config)# ipv6 access-list deny-access1
Brocade(config-ipv6-access-list deny-access1)# deny ipv6 any any routing-header-type 0
As with complete filtering, selective filtering can be done in both hardware and software as described:
• Hardware – Inbound and outbound IPv6 source-routed packets that contain a type 0 routing extension header immediately after the IPv6 header can be selectively dropped in hardware through use of an IPv6 ACL bound to an interface using the ipv6 traffic-filter command.
• Software – Inbound IPv6 source-routed packets that contain a routing extension header anywhere in the packet can be selectively dropped in software using an IPv6 ACL bound to interfaces using the ipv6 access-class command.
Details about how to configure selective hardware and software filtering of IPv6 source-routed
packets are provided in the following.
Selective hardware filtering of IPv6 source-routed packets
Both inbound and outbound IPv6 source-routed packets that contain a type 0 routing extension
header immediately after the IPv6 header can be selectively dropped in hardware using an IPv6
ACL. Source-routed packets dropped in hardware are dropped without an ICMP error message
being sent. To apply an IPv6 ACL with the routing-header-type option for hardware filtering, you
must apply the IPv6 ACL to specific ports using the ipv6 traffic-filter command as shown in the
following example.
Brocade(config)# interface ethernet 3/1
Brocade(config-if-e100-3/1)# ipv6 traffic-filter deny-access1 in
Additionally, you must enable forwarding using the ipv6 forward-source-route command (as
shown in the following) to allow any forwarding of IPv6 source-routed packets.
Brocade(config)# ipv6 forward-source-route
Selective software filtering of IPv6 source-routed packets
Inbound IPv6 source-routed packets that contain a routing extension header anywhere in the packet
can be selectively dropped in software using an IPv6 ACL. Source-routed packets dropped in
software generate ICMP Destination Unreachable error messages.
NOTE
This filtering only applies to packets addressed to one of the IPv6 addresses of the device.
To apply an IPv6 ACL with the routing-header-type option for software filtering, you must apply the
IPv6 ACL system wide using the ipv6 access-class command.
Brocade(config)# ipv6 access-class deny-access1 in
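The hardware and software paths above differ in where the type 0 routing header may sit: the hardware ACL matches it only when it immediately follows the 40-byte IPv6 header, while the software ACL matches it anywhere in the extension header chain. The following Python is an added example, not from the Brocade guide, that walks an IPv6 packet's extension header chain and reports which of the two filtering paths would match; the sample packets and addresses are constructed for illustration.

```python
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_routing_header(pkt):
    """Walk the extension header chain; return (chain_index, routing_type)
    of the first Routing header, or None. chain_index 0 means the Routing
    header sits immediately after the 40-byte IPv6 header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, index = pkt[6], IPV6_HDR_LEN, 0
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        if next_hdr == ROUTING:
            return index, pkt[offset + 2]          # Routing Type is byte 2
        # Fragment header is a fixed 8 bytes; the others carry Hdr Ext Len
        # in 8-octet units, not counting the first 8 octets.
        hdr_len = 8 if next_hdr == FRAGMENT else (pkt[offset + 1] + 1) * 8
        next_hdr, offset, index = pkt[offset], offset + hdr_len, index + 1
    return None

def classify(pkt):
    """'rh0-first'  -> matched by the hardware ACL (ipv6 traffic-filter)
                      and by the software ACL (ipv6 access-class);
       'rh0-nested' -> matched by the software ACL only;
       'none'       -> routing-header-type 0 does not match."""
    found = find_routing_header(pkt)
    if found is None or found[1] != 0:      # only routing type 0 is matched
        return "none"
    return "rh0-first" if found[0] == 0 else "rh0-nested"

# --- constructed sample packets (documentation-prefix addresses, no real traffic) ---
def ipv6(next_hdr, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64, src, dst) + payload

ICMP_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])
# Type 0 Routing header: next=ICMPv6, ext len=2 (one 16-byte hop), type 0, segments left 1
RH0 = bytes([ICMPV6, 2, 0, 1, 0, 0, 0, 0]) + bytes.fromhex("20010db8000000000000000000000003")
# Minimal Hop-by-Hop header (8 bytes): next=Routing, ext len=0, one PadN option
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])

PKT_RH0_FIRST = ipv6(ROUTING, RH0 + ICMP_ECHO)          # hardware or software drop
PKT_RH0_NESTED = ipv6(HOP_BY_HOP, HBH + RH0 + ICMP_ECHO)  # software drop only
PKT_NO_RH = ipv6(ICMPV6, ICMP_ECHO)                      # not matched
```

Position in the chain is the only property checked here; the direction and local-destination conditions stated above for each path still apply on the device.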