Does undetermined-transport as IPv6 ACL exist in A-series?

Apachez-
Trusted Contributor

I failed to locate such in 5120 or 5820, I guess this simply doesn't exist?


From Troopers14 - How to Securely Operate an IPv6 Network:


"

undetermined-transport keyword does not match if
– TCP/UDP/SCTP and ports are in the fragment
– ICMP and type and code are in the fragment
– Everything else matches (including OSPFv3, …)  
– Only for deny ACE

"


As a side note, it also seems that one cannot filter IPv6 fragments or IPv6 routing headers (incl. RH0) in ACLs applied to interfaces; only software ACLs can do this (ACLs used to protect the switch's/router's own management interfaces such as SSH, SNMP, etc.).
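As an added illustration of the matching rules quoted from the Troopers14 slides above (this is not code from the thread, from HPE or from any vendor), the following Python parser walks an IPv6 header chain and returns True exactly when a deny ACE with the undetermined-transport keyword would match: the transport header's ports (TCP/UDP/SCTP) or type and code (ICMPv6) are not present in this packet, or the upper layer is something else entirely (OSPFv3, No Next Header). The sample packets are constructed inline; treating AH/ESP and any other unrecognised next-header as "undetermined" is my own simplification, not something the slides state.

```python
"""Emulate the matching semantics of an IPv6 ACL 'undetermined-transport'
deny entry, as described on the Troopers14 slide: the entry matches when
the upper-layer header (with its ports or ICMPv6 type/code) cannot be found
in this packet, e.g. a non-initial fragment or a first fragment cut short."""
import struct

# IANA next-header / protocol numbers
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
TCP, UDP, SCTP, ICMPV6, OSPF = 6, 17, 132, 58, 89
VARIABLE_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}  # 'next hdr, hdr ext len (8-octet units)' layout


def transport_undetermined(pkt: bytes) -> bool:
    """True if an undetermined-transport deny ACE would match this packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return True  # not a parseable IPv6 packet: nothing can be determined
    nh, off = pkt[6], 40
    while True:
        if nh in VARIABLE_EXT:
            if off + 2 > len(pkt):
                return True  # chain truncated before the next header field
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return True
            nh = pkt[off]
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return True  # non-initial fragment: payload is data, not a transport header
            off += 8
        elif nh in (TCP, UDP, SCTP):
            return off + 4 > len(pkt)  # both ports present -> determined, no match
        elif nh == ICMPV6:
            return off + 2 > len(pkt)  # type and code present -> determined, no match
        else:
            # "Everything else matches": OSPFv3, No Next Header, and (my
            # simplification) AH/ESP or anything this parser does not know.
            return True


# ---- constructed sample packets (not captures) --------------------------
def ipv6(nh: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src + dst + payload


def frag_hdr(nh: int, offset: int, more: bool, ident: int = 1) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), ident)


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN
DEST_OPTS_PADN = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # 8-byte Dest Opts hdr, PadN only
ICMPV6_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])          # echo request, id 1, seq 1

SAMPLES = {
    "tcp_syn": ipv6(TCP, TCP_SYN),
    "first_fragment_with_ports": ipv6(FRAGMENT, frag_hdr(TCP, 0, True) + TCP_SYN),
    "first_fragment_no_transport": ipv6(FRAGMENT, frag_hdr(TCP, 0, True)),
    "non_initial_fragment": ipv6(FRAGMENT, frag_hdr(TCP, 100, False) + b"\x00" * 64),
    "icmpv6_echo_after_dest_opts": ipv6(DEST_OPTS, DEST_OPTS_PADN + ICMPV6_ECHO),
    "ospfv3_hello": ipv6(OSPF, b"\x03\x01" + b"\x00" * 14),
}


def classify(samples=None) -> dict:
    """Map each sample name to whether the undetermined-transport ACE matches."""
    return {name: transport_undetermined(p) for name, p in (samples or SAMPLES).items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:30s} undetermined-transport {'matches' if hit else 'does not match'}")
```

The two fragment cases are the interesting ones for a defender: a first fragment that carries the fragment header but no transport header, and any non-initial fragment, both match the deny entry, while a first fragment that does include the ports is judged on its ports like an unfragmented packet.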