Cat6500 ipv6 nd raguard feature
Nick Hilliard
nick at foobar.org
Fri Nov 19 23:54:01 CET 2010
On 19/11/2010 08:39, Daniel Verlouw wrote:
> Cisco suggests disabling it altogether as a workaround, however, we
> found that IPv6 PACLs (also introduced in SXI4) do work fine in our
> limited testing so far, e.g.:
>
> ipv6 access-list block-rogue-ipv6
>  remark Block DHCPv6 server messages
>  deny udp any eq 547 any eq 546
>  remark Block Router Advertisements
>  deny icmp any any router-advertisement
>  permit ipv6 any any

Would it not be better to use instead:

 deny udp fe80::/16 eq 547 host ff02::1 eq 546

... just in case.

Nick
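
Added example, not part of either poster's message: a small first-match evaluator that runs the quoted ACL and a variant using the suggested narrower DHCPv6 entry over constructed packets, to show which entries each packet hits. It assumes the suggested line replaces the first deny entry of the quoted list; the class names, sample names and addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:                      # constructed test packets, not captured traffic
    proto: str                     # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0

@dataclass
class Rule:
    action: str                    # "deny" or "permit"
    proto: str                     # "udp", "icmp", or "ipv6" for any protocol
    src: str = "::/0"
    dst: str = "::/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        in_net = lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(n)
        return (self.proto in ("ipv6", p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))

def evaluate(acl, packet):
    """First matching entry wins; fall through to deny if nothing matches."""
    return next((r.action for r in acl if r.matches(packet)), "deny")

RA = 134                           # ICMPv6 type for router-advertisement
QUOTED = [Rule("deny", "udp", sport=547, dport=546),
          Rule("deny", "icmp", icmp_type=RA),
          Rule("permit", "ipv6")]
# Assumption: the suggested line replaces the first entry of the quoted list.
NARROWED = [Rule("deny", "udp", "fe80::/16", "ff02::1/128", 547, 546)] + QUOTED[1:]

SAMPLES = {                        # constructed addresses and ports
    "ra_multicast":       Packet("icmp", "fe80::1", "ff02::1", icmp_type=RA),
    "dhcp6_to_allnodes":  Packet("udp", "fe80::1", "ff02::1", 547, 546),
    "dhcp6_to_linklocal": Packet("udp", "fe80::1", "fe80::abcd", 547, 546),
    "dhcp6_global_src":   Packet("udp", "2001:db8::1", "fe80::abcd", 547, 546),
    "client_solicit":     Packet("udp", "fe80::abcd", "ff02::1:2", 546, 547),
}

def compare():
    return {n: (evaluate(QUOTED, p), evaluate(NARROWED, p)) for n, p in SAMPLES.items()}
```

Each value returned by `compare()` is the pair (verdict under the quoted list, verdict under the narrowed list) for that sample packet.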