Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual

53-1003033-02

IPv6 source routing security enhancements

You must also enable forwarding with the ipv6 forward-source-route and ipv6 source-route
commands, as shown below, to allow any forwarding of IPv6 source-routed packets.

Brocade(config)# ipv6 forward-source-route

Brocade(config)# ipv6 source-route

Complete and selective filtering combination and order of application

If complete filtering of IPv6 source-routed packets is enabled (the default state), selective
filtering cannot be performed. Consequently, when you are selectively allowing some IPv6
source-routed packets, you must use the ipv6 forward-source-route and ipv6 source-route
commands to allow IPv6 source-routed packets.

The following configuration of complete hardware and software filtering can be used with selective
filtering if the commands are configured in the correct order:

• When the ipv6 forward-source-route command is configured, IPv6 source-routed packets that
  contain a type 0 routing extension header immediately after the IPv6 header are not dropped
  by hardware.

• All IPv6 source-routed packets addressed to any IPv6 address on a Brocade device (regardless
  of where the Routing Extension Header is located) are dropped by software. This is the default
  configuration.
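
The two items above distinguish a type 0 routing extension header that sits immediately after the IPv6 header from one located anywhere in the packet. The following Python function is an added example, not taken from the Brocade manual and not a model of the device's filtering logic; it walks the extension-header chain of a raw IPv6 packet and reports where the first type 0 routing header appears, which is useful when checking captured traffic against these rules. The function names and the sample packets are constructed for illustration.

```python
import struct

# IANA protocol numbers for the IPv6 extension headers walked here.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_rh0(packet: bytes):
    """Return the position of the first type 0 Routing header in the
    extension-header chain (0 = immediately after the IPv6 header),
    or None if the visible chain has none."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, position = packet[6], 40, 0
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:
            length = 8  # fixed size; byte 1 is reserved, not a length
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:  # non-first fragment: what follows is payload
                return None
        else:
            length = (packet[offset + 1] + 1) * 8
            if next_hdr == ROUTING and packet[offset + 2] == 0:
                return position
        if offset + length > len(packet):
            raise ValueError("truncated extension header")
        next_hdr = packet[offset]
        offset, position = offset + length, position + 1
    return None

# Constructed sample packets using 2001:db8::/32 documentation addresses.
def addr(n):
    return bytes.fromhex("20010db8" + "00" * 11) + bytes([n])

def ipv6(next_hdr, payload):
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return fixed + addr(1) + addr(2) + payload

def rh0(next_hdr):  # one intermediate address, so Hdr Ext Len = 2
    return bytes([next_hdr, 2, 0, 1]) + bytes(4) + addr(3)

def hop_by_hop(next_hdr):  # 8 bytes: header fields plus one PadN option
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])

RH0_FIRST = ipv6(ROUTING, rh0(NO_NEXT))
RH0_NESTED = ipv6(HOP_BY_HOP, hop_by_hop(ROUTING) + rh0(NO_NEXT))
NO_RH = ipv6(NO_NEXT, b"")
```

A result of 0 corresponds to the "immediately after the IPv6 header" case; any larger value is a type 0 routing header located deeper in the chain.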

When using the ipv6 forward-source-route and ipv6 source-route commands as described, the
filtering is performed in the order described below.

1. Inbound filtering is performed on the receiving interface using an ACL applied using the ipv6
traffic-filter command. This filtering is performed using hardware.

2. Complete filtering for IPv6 source route. This filtering is performed by the CPU.

3. Selective filtering using an IPv6 ACL applied on a system-wide basis using the ipv6
access-class command.

4. Selective filtering by hardware using an IPv6 ACL bound to an interface for outbound traffic
using the ipv6 traffic-filter command.

Configuration examples for complete and selective filtering of source routed packets

The following examples demonstrate how to use this feature for different purposes:

• Dropping all IPv6 Source Routed Packets on all Ports

• Dropping all IPv6 Source Routed Packets on a Specified Port

• Silently Dropping all IPv6 Source Routed Packets Addressed to IPv6 Addresses

• Dropping all IPv6 Source Routed Packets Addressed to IPv6 Addresses from a Specified Source

• Allowing IPv6 Source Routed Packets from a Specified Source on a Specified Interface

Each of these examples is described in detail in the following sections.