Quick question regarding: Problematic IPv6 Multicast traffic within an IX.
Is it true that managed Layer2 switches used by IXs cannot block IPv6 multicast ingress port traffic from broadcasting to all ports?
___Yes, seen many IXs with IPv6 multicast continuing yet IPv4 multicast is blocked.
___No, all should be able to block IPv6 multicast.
___Only a few specific managed switch manufacturers have this issue with IPv6 multicast broadcasting.
Your knowledge on this problem would be helpful.
Thank you in advance.
Bob Evans CTO
IPv6 NDP is multicast, so you cannot block multicast with a layer 2 ACL. You need an L3 ACL to block all multicast except NDP packets. Of course any switch in use at a major transition point in the internet should have that capability.
Regards, Baldur
On 24 June 2016 at 18:27, Bob Evans <bob@fiberinternetcenter.com> wrote:
> Is it true that managed Layer2 switches used by IXs cannot block IPv6 multicast ingress port traffic from broadcasting to all ports?
> ___Yes, seen many IXs with IPv6 multicast continuing yet IPv4 multicast is blocked.
> ___No, all should be able to block IPv6 multicast.
> ___Only a few specific managed switch manufacturers have this issue with IPv6 multicast broadcasting.
> Your knowledge on this problem would be helpful.
> Thank you in advance.
> Bob Evans CTO
On 6/24/16 9:27 AM, Bob Evans wrote:
> Is it true that managed Layer2 switches used by IXs cannot block IPv6 multicast ingress port traffic from broadcasting to all ports?
you can filter multicast destination addresses by acl.
NDP you kinda need since it replaces ARP
RA's you can and should filter (icmp6 type 134)
> ___Yes, seen many IXs with IPv6 multicast continuing yet IPv4 multicast is blocked.
> ___No, all should be able to block IPv6 multicast.
> ___Only a few specific managed switch manufacturers have this issue with IPv6 multicast broadcasting.
> Your knowledge on this problem would be helpful.
> Thank you in advance.
> Bob Evans CTO
On 24/06/16 18:31, joel jaeggli wrote:
> you can filter multicast destination addresses by acl.
> NDP you kinda need since it replaces ARP
> RA's you can and should filter (icmp6 type 134)
Data point, although the chances of you using this kit in an IX are slim to none: The HPE-badged H3C workgroup switches are problematic to configure this for.
1) The web GUI is woefully unable to do it right, and HP do not officially sanction the use of the CLI.
2) IPv6 packet ACLs only appear to be supported per-port on *ingress*.
On Sat, Jun 25, 2016 at 6:29 AM, Bruce Simpson <bms@fastmail.net> wrote:
> On 24/06/16 18:31, joel jaeggli wrote:
>> you can filter multicast destination addresses by acl.
>> NDP you kinda need since it replaces ARP
>> RA's you can and should filter (icmp6 type 134)
> Data point, although the chances of you using this kit in an IX are slim to none: The HPE-badged H3C workgroup switches are problematic to configure this for.
> 1) The web GUI is woefully unable to do it right, and HP do not officially sanction the use of the CLI.
haha! you said gui and switch configuration... Errm, 'do not officially sanction the use of the CLI'? Did you promptly 'not officially sanction their use in your network'? If not, I think I see your problem...
> 2) IPv6 packet ACLs only appear to be supported per-port on *ingress*.
I think this might actually be the case for quite a few devices/manufacturers actually. It's nice that for mcast on v6 you actually mostly care about that on ingress though :)
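The ingress policy the replies above describe (keep the NDP that replaces ARP, filter RAs as icmp6 type 134, block other multicast), written out as an added Python example that is not part of the thread and is not any vendor's ACL syntax. It assumes untagged Ethernet II frames and treats only neighbor solicitation and advertisement as the NDP to keep; the function names and sample frames are constructed for illustration.

```python
import ipaddress
import struct

ETH_IPV6, ICMPV6 = 0x86DD, 58
RA, NS, NA = 134, 135, 136  # ICMPv6 types: router advert, neighbor solicit/advert

def ix_ingress_verdict(frame: bytes) -> str:
    """Return 'permit' or 'drop' for one untagged Ethernet II frame."""
    if len(frame) < 14:
        return "drop"  # runt frame
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_IPV6:
        return "permit"  # not IPv6: outside this policy
    ip = frame[14:]
    if len(ip) < 40 or ip[0] >> 4 != 6:
        return "drop"  # truncated or malformed IPv6 header
    next_header, dst = ip[6], ip[24:40]
    # Assumption: extension headers are not walked, so ICMPv6 is only
    # recognised when it directly follows the fixed 40-byte header.
    icmp_type = ip[40] if next_header == ICMPV6 and len(ip) > 40 else None
    if icmp_type == RA:
        return "drop"  # RAs are filtered whatever the destination
    if dst[0] != 0xFF:
        return "permit"  # unicast
    if icmp_type in (NS, NA):
        return "permit"  # the part of NDP that replaces ARP
    return "drop"  # every other multicast packet

def build_frame(dst_ip: str, next_header: int, payload: bytes) -> bytes:
    """Constructed sample frame; MACs and addresses are made-up values."""
    eth = bytes.fromhex("333300000001020000000001") + struct.pack("!H", ETH_IPV6)
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address(dst_ip).packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return eth + fixed + src + dst + payload

SAMPLES = {  # constructed test traffic, not captured from a real exchange
    "RA to all-nodes": build_frame("ff02::1", ICMPV6, bytes([RA, 0, 0, 0])),
    "NS to solicited-node": build_frame("ff02::1:ff00:2", ICMPV6, bytes([NS, 0, 0, 0])),
    "UDP to multicast group": build_frame("ff0e::123", 17, bytes(8)),
    "TCP to unicast peer": build_frame("2001:db8::2", 6, bytes(20)),
}

def verdicts() -> dict:
    return {name: ix_ingress_verdict(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:24} {verdict}")
```

Because extension headers are not parsed, multicast packets that carry one (MLD with its hop-by-hop header, for instance) fall through to the final drop, while a unicast RA placed behind an extension header would not be recognised.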
participants (5)
- Baldur Norddahl
- Bob Evans
- Bruce Simpson
- Christopher Morrow
- joel jaeggli