Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual


53-1003033-02

IPv6 source routing security enhancements

Dropping all IPv6 source-routed packets on all ports

By default, all IPv6 source-routed packets received on all device ports are dropped.

Dropping all IPv6 source-routed packets on a specified port

The following example shows a configuration that will drop all IPv6 source-routed packets received
on port 1/1 of a device.

In this example, the IPv6 ACL is configured to drop any IPv6 packet with a type 0 routing header
immediately after the IPv6 header.

Brocade(config)# ipv6 access-list deny-access1

Brocade(config-ipv6-access-list deny-access1)# deny ipv6 any any routing-header-type 0

Brocade(config-ipv6-access-list deny-access1)# permit ipv6 any any

Brocade(config-ipv6-access-list deny-access1)# exit

The default is for the device to drop all IPv6 source-routed packets in hardware and software.
Forwarding of these packets must be explicitly enabled using the ipv6 forward-source-route and
ipv6 source-route commands as shown.

Brocade(config)# ipv6 forward-source-route

Brocade(config)# ipv6 source-route

The IPv6 ACL must then be bound to the interface it is intended to filter as shown in the following
example for the Ethernet 1/1 interface.

Brocade(config)# interface ethernet 1/1

Brocade(config-if-e100-1/1)# ipv6 traffic-filter deny-access1 in
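
Added example (not from the Brocade guide): a Python check for packets taken from a capture that walks the IPv6 extension header chain and reports whether a type 0 routing header sits immediately after the IPv6 header, which is the case the ACL above is described as matching, or later in the chain. The function name, result labels and sample packets are constructed for illustration.

```python
import struct

ROUTING, FRAGMENT = 43, 44          # IPv6 Next Header values
CHAINABLE = {0, ROUTING, 60}        # Hop-by-Hop, Routing, Destination Options

def classify_rh0(packet: bytes) -> str:
    """Return 'rh0-first', 'rh0-later', 'none' or 'malformed'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    next_hdr, offset, first = packet[6], 40, True
    while next_hdr in CHAINABLE or next_hdr == FRAGMENT:
        if offset + 8 > len(packet):
            return "malformed"
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            # Routing Type is the third byte of the routing header
            return "rh0-first" if first else "rh0-later"
        if next_hdr == FRAGMENT:
            # Only the first fragment carries the rest of the header chain
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "none"
            size = 8
        else:
            size = (packet[offset + 1] + 1) * 8   # Hdr Ext Len, 8-byte units
        next_hdr, offset, first = packet[offset], offset + size, False
    return "none"

# Constructed sample packets (documentation prefix 2001:db8::/32)
ADDR1 = bytes.fromhex("20010db8000000000000000000000001")
ADDR2 = bytes.fromhex("20010db8000000000000000000000002")

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return fixed + ADDR1 + ADDR2 + payload

RH0 = bytes([59, 2, 0, 1]) + bytes(4) + ADDR2      # type 0, one address
RH2 = bytes([59, 2, 2, 1]) + bytes(4) + ADDR2      # type 2, not type 0
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])        # Hop-by-Hop with PadN
SAMPLES = {
    "rh0_first": ipv6(ROUTING, RH0),
    "rh0_after_hbh": ipv6(0, HBH + RH0),
    "rh2_only": ipv6(ROUTING, RH2),
    "no_ext": ipv6(59, b""),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_rh0(pkt))
```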

Silently dropping all IPv6 source-routed packets sent to IPv6 addresses

The following configuration drops all IPv6 source-routed packets addressed to the IPv6 addresses
on a device without sending an ICMP error message.

ICMPv6 parameter problem error messages are sent for dropped IPv6 source-routed packets
addressed to the IPv6 addresses on the device. To disable these messages, use the no option with
the ipv6 icmp source-route command.

Brocade(config)# no ipv6 icmp source-route

By default, the device drops all IPv6 source-routed packets in hardware and software. Use the ipv6
forward-source-route command to enable the forwarding of IPv6 source-routed packets with a type
0 routing extension header immediately after the IPv6 header, as shown in this example.

Brocade(config)# ipv6 forward-source-route

Dropping all IPv6 source-routed packets to IPv6 addresses from a specified source

This configuration demonstrates how to drop all IPv6 source-routed packets sent from a specified
IPv6 address.

In this example, an IPv6 ACL is configured to deny IPv6 source-routed packets with a destination
address of 2001:DB8:1, and permit any other IPv6 packets.
