ARRIS 2247-N8-10NA (v9.1.x) Admin Handbook User Manual


Administrator’s Handbook


Reflexive ACL

set security spi ip6 allow-inbound [ on | off ]

Turns reflexive ACL on or off for IPv6.

Reflexive Access Control Lists (ACLs) use layer 4 session information to decide which packets to route.
Reflexive ACL reduces exposure to spoofing and denial-of-service attacks, because
desired inbound packet flows are usually in response to outbound traffic.

Motorola 9.x DSL Gateways use the relevant session information about whether the packet flow was initiated
from the LAN side (upstream) or WAN side (downstream). If the parameter security.spi.ip6.allow-inbound is
set to off, then sessions which are initiated from the WAN side are disallowed. Upstream sessions are never
precluded because of reflexive ACL. (Of course there may be other reasons that particular packets are
dropped.)

For IPv4, NAT is generally enabled, so reflexive ACL is usually not an issue.
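
The decision described above can be modelled with a small session table. This is an added illustration, not the gateway's firmware or code from the handbook. The class, field and function names are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and session timeouts and TCP state tracking are left out.

```python
# Added illustration: a simplified model of reflexive ACL, not the gateway's code.
from typing import NamedTuple

class Packet(NamedTuple):
    ingress: str   # "lan" or "wan": the side the packet arrived on
    proto: str     # layer 4 protocol, e.g. "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveAcl:
    def __init__(self, allow_inbound: bool = False):
        # Models security.spi.ip6.allow-inbound (on = True, off = False).
        self.allow_inbound = allow_inbound
        self.sessions = set()   # flows keyed as seen from the LAN side

    def permit(self, pkt: Packet) -> bool:
        if pkt.ingress == "lan":
            # Upstream: never precluded by reflexive ACL; record the session.
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Downstream: reverse the tuple to look up the matching session.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return True
        if self.allow_inbound:
            # WAN-initiated session is allowed; track it so replies match.
            self.sessions.add(key)
            return True
        return False

def demo():
    # Constructed sample hosts and flows.
    host, server, stranger = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:dead::1"
    acl = ReflexiveAcl(allow_inbound=False)
    results = [
        acl.permit(Packet("lan", "tcp", host, 50000, server, 443)),  # outbound
        acl.permit(Packet("wan", "tcp", server, 443, host, 50000)),  # its reply
        acl.permit(Packet("wan", "tcp", stranger, 4444, host, 22)),  # unsolicited
        acl.permit(Packet("wan", "tcp", server, 443, host, 50001)),  # port mismatch
    ]
    permissive = ReflexiveAcl(allow_inbound=True)
    results.append(permissive.permit(Packet("wan", "tcp", stranger, 4444, host, 22)))
    return results

if __name__ == "__main__":
    print(demo())
```

With allow-inbound off, only the reply that exactly reverses a LAN-initiated flow is permitted. The same unsolicited packet is accepted once allow-inbound is on.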

set security spi ip6 src-mcast-drop [ off | on ]

Drop IPv6 packets with a multicast source address. The default is off.

set security spi ip6 invalid-mcast-scope-drop [ off | on ]

Drop IPv6 packets with invalid multicast scope. Default is on.

set security spi ip6 forbidden-addr-drop [ off | on ]

Drop IPv6 packets with forbidden addresses. Default is on.

set security spi ip6 deprecated-ext-hdr-drop [ off | on ]

Drop IPv6 packets with deprecated extension headers. Default is on.

set security spi ip6 src-addr-from-lan-unassigned-drop [ off | on ]

Drop IPv6 packets from LAN with source address not derived from WAN. Default is on.

set security spi ip6 lan-assigned-src-addr-from-wan-drop [ off | on ]

Drop IPv6 packets from WAN with source address derived from LAN. Default is on.

set security spi ip6 ula-drop [ off | on ]

Drop IPv6 packets with unique local address (ULA). Default is on.

set security spi ip6 ignore-dns-from-wan [ off | on ]

Drop IPv6 packets from WAN to DNS proxy. Default is on.

set security spi ip6 ignore-dhcp-from-wan [ off | on ]

Drop IPv6 packets from WAN to local DHCPv6 server. Default is on.
