Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Routing Configuration Guide

455

53-1003033-02

IPv6 source routing security enhancements

Brocade(config)# ipv6 access-list deny-access2
Brocade(config-ipv6-access-list deny-access2)# deny host 2001:DB8:1 any routing-header-type 0
Brocade(config-ipv6-access-list deny-access2)# permit ipv6 any any
Brocade(config-ipv6-access-list deny-access2)# exit

The IPv6 ACL is then applied globally to the device for inbound traffic using the ipv6 access-class
command as shown.

Brocade(config)# ipv6 access-class deny-access2 in

By default, the device drops all IPv6 source-routed packets in hardware and software. Use the ipv6
forward-source-route and ipv6 source-route commands to enable forwarding of IPv6 source-routed
packets, as shown.

Brocade(config)# ipv6 forward-source-route

Brocade(config)# ipv6 source-route

Allowing IPv6 source-routed packets from a specified source on a specified interface

The following configuration allows IPv6 source-routed packets sent from a specified source and
addressed to the IPv6 address on the device to be received on port 1/1. Source-routed packets
received on all other ports are denied.

NOTE

This configuration only works when the routing header type 0 appears immediately after the IPv6
header.

The following IPv6 ACL is configured to permit IPv6 source route packets that have a source
address of 2001:DB8:1, deny any IPv6 source route packets with any other source address, and
permit all other IPv6 packets.

Brocade(config)# ipv6 access-list allow-access
Brocade(config-ipv6-access-list allow-access)# permit ipv6 host 2001:DB8:1 any routing-header-type 0
Brocade(config-ipv6-access-list allow-access)# deny any any routing-header-type 0
Brocade(config-ipv6-access-list allow-access)# permit ipv6 any any
Brocade(config-ipv6-access-list allow-access)# exit
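To see why the NOTE above matters, here is an added Python example (not Brocade code and not from this guide) that walks an IPv6 extension-header chain, reports whether routing header type 0 sits immediately after the base header, and models the three rules of the allow-access ACL against constructed packets. It uses 2001:db8::1 as a stand-in for the guide's 2001:DB8:1 because the ipaddress module requires a complete address.

```python
import ipaddress
import struct

IPV6_HDR_LEN, ROUTING, FRAGMENT = 40, 43, 44
EXT_HEADERS = {0, ROUTING, FRAGMENT, 60}  # hop-by-hop, routing, fragment, destination options

def parse_ipv6(pkt: bytes):
    """Return (src, chain); chain lists (proto, routing type or None) in wire order, upper layer last."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    nxt, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nxt in EXT_HEADERS and off + 8 <= len(pkt):
        chain.append((nxt, pkt[off + 2] if nxt == ROUTING else None))  # routing type is byte 2
        hdr_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8     # fragment header is fixed size
        nxt, off = pkt[off], off + hdr_len
    chain.append((nxt, None))
    return src, chain

def rh0_position(pkt: bytes) -> str:
    """'immediate' if RH0 directly follows the base header, 'nested' if behind another ext header, else 'none'."""
    _, chain = parse_ipv6(pkt)
    for i, (proto, rtype) in enumerate(chain):
        if proto == ROUTING and rtype == 0:
            return "immediate" if i == 0 else "nested"
    return "none"

def allow_access_acl(pkt: bytes, permitted_src: str) -> str:
    """Model of the allow-access ACL: permit RH0 from one host, deny any other RH0, permit the rest."""
    src, _ = parse_ipv6(pkt)
    rh0_match = rh0_position(pkt) == "immediate"  # per the NOTE, only this position matches
    if rh0_match and src == ipaddress.IPv6Address(permitted_src):
        return "permit (host rule)"
    if rh0_match:
        return "deny (routing-header-type 0)"
    return "permit (catch-all)"

def build_packet(src: str, dst: str, exts, final_proto: int = 17) -> bytes:
    """Constructed sample packets, not captured traffic. exts: [(proto, routing type), ...]."""
    body = b""
    for i, (proto, rtype) in enumerate(exts):
        nxt = exts[i + 1][0] if i + 1 < len(exts) else final_proto
        if proto == ROUTING:  # 24-byte routing header carrying one address, segments left = 1
            body += struct.pack("!BBBB", nxt, 2, rtype, 1) + b"\x00" * 4 + ipaddress.IPv6Address(dst).packed
        else:                 # minimal 8-byte header filled with a PadN option
            body += struct.pack("!BB", nxt, 0) + b"\x01\x04" + b"\x00" * 4
    first = exts[0][0] if exts else final_proto
    hdr = struct.pack("!IHBB", 0x60000000, len(body), first, 64)  # version 6, payload len, next hdr, hop limit
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body
```

A packet whose RH0 is preceded by a hop-by-hop header reaches the catch-all permit in this model, which is exactly the case the NOTE says the ACL does not cover.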

Because this example permits IPv6 source-routed packets on a single specified interface, they
must be explicitly dropped on all other interfaces on the Brocade device. The following IPv6 ACL is
configured to drop all source-routed packets.

Brocade(config)# ipv6 access-list drop-access

Brocade(config-ipv6-access-list drop-access)# deny any any routing-header-type 0

Brocade(config-ipv6-access-list drop-access)# permit ipv6 any any

Brocade(config-ipv6-access-list drop-access)# exit

The IPv6 ACL “allow-access” is bound to interface 1/1 where the IPv6 source-routed packets are
permitted.

Brocade(config)# interface ethernet 1/1

Brocade(config-if-e100-1/1)# ipv6 traffic-filter allow-access

Brocade(config-if-e100-1/1)# exit

The IPv6 ACL “drop-access” is bound to all other interfaces on the device to drop IPv6 source-routed
packets. The next example shows the “drop-access” ACL being bound to interface 1/2.