Quick question regarding: Problematic IPv6 Multicast traffic within an IX.

Is it true that managed Layer2 switches used by IX's can not block IPv6
multicast ingress port traffic from broadcasting to all ports ?

___Yes, seen many IXs with IPv6 multicast continuing yet IPv4 multicast
is blocked.

___No, all should be able to block IPv6 multicast.

___Only a few specific managed switch manufacturers have this issue with
IPv6 multicast broadcasting.

Your knowledge on this problem would be helpful.

Thank You in advance.

Bob Evans
CTO

IPv6 NDP is multicast so you can not block multicast with a layer 2 ACL.
You need L3 ACL to block all multicast except NDP packets.

Of course any switch in use at a major transition point in the internet
should have that capability.

Regards,

Baldur

Is it true that managed Layer2 switches used by IX's can not block IPv6
multicast ingress port traffic from broadcasting to all ports ?

you can filter multicast destination addresses by acl.

NDP you kinda need since it replaces ARP

RA's you can and should filter (icmp6 type 134)

Data point, although the chances of you using this kit in an IX are slim to none: The HPE-badged H3C workgroup switches are problematic to configure this for.

1) The web GUI is woefully unable to do it right, and HP do not officially sanction the use of the CLI.

2) IPv6 packet ACLs only appear to be supported per-port on *ingress*.

you can filter multicast destination addresses by acl.

NDP you kinda need since it replaces ARP

RA's you can and should filter (icmp6 type 134)

Data point, although the chances of you using this kit in an IX are slim
to none: The HPE-badged H3C workgroup switches are problematic to configure
this for.

1) The web GUI is woefully unable to do it right, and HP do not officially
sanction the use of the CLI.

haha! you said gui and switch configuration...

Errm, 'do not officially sanction the use of the CLI'? Did you promptly
'not officially sanction their use in your network?' If not, I think I see
your problem...

2) IPv6 packet ACLs only appear to be supported per-port on *ingress*.

I think this might actually be the case for quite a few
devices/manufacturers actually. It's nice that for mcast on v6 you actually
mostly care about that on ingress though :)
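
The ingress policy discussed across this thread (keep NDP, drop RAs as ICMPv6 type 134, drop other IPv6 multicast), written out as a packet classifier. This is an added example, not code from any poster; the function names, the sample packets, and the choice to permit only neighbor solicitation/advertisement (types 135/136) are assumptions.

```python
import ipaddress
import struct

ICMPV6 = 58
RA, NS, NA = 134, 135, 136  # router advertisement, neighbor solicitation/advertisement
# Extension headers laid out as (next header, length in 8-octet units); fragments not handled.
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options


def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type of a raw IPv6 packet, or None if it is not ICMPv6."""
    next_header, offset = packet[6], 40
    while next_header in EXT_HEADERS:
        if offset + 2 > len(packet):
            return None
        next_header, hdr_len = packet[offset], packet[offset + 1]
        offset += (hdr_len + 1) * 8
    if next_header != ICMPV6 or offset >= len(packet):
        return None
    return packet[offset]


def ingress_verdict(packet: bytes) -> str:
    """Apply the per-port ingress policy to one raw IPv6 packet (assumed policy)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop"  # not a well-formed IPv6 header
    kind = icmpv6_type(packet)
    if kind == RA:
        return "drop"  # RAs are filtered whatever the destination
    if ipaddress.IPv6Address(packet[24:40]).is_multicast:
        return "permit" if kind in (NS, NA) else "drop"
    return "permit"


def build(dst: str, next_header: int, payload: bytes) -> bytes:
    """Construct a minimal IPv6 packet (sample input only, checksums not computed)."""
    src = ipaddress.IPv6Address("fe80::1").packed
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return header + src + ipaddress.IPv6Address(dst).packed + payload

# Constructed sample packets, not captured traffic.
SAMPLES = {
    "ns_multicast": build("ff02::1:ff00:2", ICMPV6, bytes([NS]) + bytes(23)),
    "ra_multicast": build("ff02::1", ICMPV6, bytes([RA]) + bytes(15)),
    "mld_hop_by_hop": build("ff02::16", 0, bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0, 143]) + bytes(27)),
    "unicast_tcp": build("2001:db8::2", 6, bytes(20)),
}
```

The MLD sample shows why a filter that only looks at the fixed header's next-header field misses ICMPv6 carried behind a hop-by-hop option.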