Wired Intelligent Edge


IPv6 uRPF on vlan interfaces

  • 1.  IPv6 uRPF on vlan interfaces

    Posted Aug 15, 2021 08:06 AM

    I'm currently planning to move the SVIs for student dormitory access VLANs from a Juniper (in the datacenter) to a CX 6300M switch (in the dorm).
    When building the config templates and verifying, I failed to activate uRPF for IPv6 (for IPv4 it works).
    There is the command
      ip urpf-check strict
    but not
      ipv6 urpf-check strict

    Verifying with show [ip,ipv6] interface, I see that something about uRPF on IPv6 is present in the OS:

    #show ipv6 interface
    Interface vlan23 is up
    Admin state is up
    IPv6 address:
    2001:db8:23::1/64 [VALID]
    IPv6 link-local address: fe80::1/64 [VALID]
    IPv6 virtual address configured: none
    IPv6 multicast routing: disable
    IPv6 Forwarding feature: enabled
    IPv6 multicast groups locally joined:
    ff02::1 ff02::1:ff00:1 ff02::1:ff00:0 ff02::2
    IPv6 multicast (S,G) entries joined: none
    IPv6 MTU 1500
    IPv6 unicast reverse path forwarding: none
    IPv6 load sharing: none
    L3 Counters: Rx Enabled, Tx Enabled

    The config for the above SVI is:
    interface vlan 23
      description test-a101
      ip address 100.84.167.129/27
      ipv6 address link-local fe80::1/64
      ipv6 address 2001:db8:23::1/64
      ip urpf-check strict
      ipv6 nd ra other-config-flag
      no ipv6 nd suppress-ra
      ipv6 nd ra dns search-list dorm.example.com
      ipv6 nd ra dns server 2001:db8::1
      ipv6 nd ra dns server 2001:db8::2
      ipv6 helper-address unicast 2001:db8:102:6896:5aff:fe57:74db
      l3-counters

    ip urpf-check only handles IPv4; I verified that by sending spoofed IPv6 packets. I would really like to avoid creating ~650 ACLs as a workaround.
    While I have an outgoing ACL on the uplink, I would rather protect each VLAN by itself.

    ------------------------------
    Stephan Westphal

    Running IPv6-only in production
    ------------------------------


  • 2.  RE: IPv6 uRPF on vlan interfaces
    Best Answer

    Posted Aug 23, 2021 09:28 AM
    It is not supported on IPv6.
    Please contact your local SE to raise the concern and get it prioritized.

    ------------------------------
    Vincent Giles
    ------------------------------
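
The strict uRPF decision discussed in this thread, and the gap the first post reports when only IPv4 is checked, modelled as an added example (not code from either poster or from Aruba). The vlan23 prefixes come from the posted SVI config; the default routes, the interface name "uplink", the link-local exemption and the test packets are assumptions.

```python
import ipaddress

# Constructed routing table: (prefix, interface). The vlan23 prefixes are taken
# from the SVI config in the thread; the default routes and the interface name
# "uplink" are assumptions for illustration.
ROUTES = [
    ("100.84.167.128/27", "vlan23"),
    ("2001:db8:23::/64", "vlan23"),
    ("0.0.0.0/0", "uplink"),
    ("::/0", "uplink"),
]

def best_route(src, routes=ROUTES):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best

def strict_urpf(src, ingress, routes=ROUTES):
    """Strict mode: pass only if the best route back to src uses the ingress interface."""
    addr = ipaddress.ip_address(src)
    # Modelling assumption: link-local and unspecified sources are exempt,
    # since neighbor discovery and DAD on the VLAN depend on them.
    if addr.version == 6 and (addr.is_link_local or addr.is_unspecified):
        return True
    hit = best_route(src, routes)
    return hit is not None and hit[1] == ingress

def forwarded(src, ingress, v6_checked):
    """Behaviour reported in the thread when v6_checked is False: only IPv4 is checked."""
    if ipaddress.ip_address(src).version == 6 and not v6_checked:
        return True
    return strict_urpf(src, ingress)

def allowed_sources(ingress, routes=ROUTES):
    """Source prefixes a per-VLAN ingress filter would have to permit instead."""
    return [prefix for prefix, ifname in routes if ifname == ingress]

if __name__ == "__main__":
    # Constructed test packets, all arriving on vlan23.
    for src in ("100.84.167.140", "198.51.100.7", "2001:db8:23::abcd", "2001:db8:99::1"):
        print(src, forwarded(src, "vlan23", v6_checked=False), strict_urpf(src, "vlan23"))
```

The output columns are the source address, whether it is forwarded with the IPv4-only check, and whether it would pass a strict check on both address families; `allowed_sources("vlan23")` lists the prefixes a per-VLAN ACL would need to permit as the workaround.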