[f-nsp] Enabling ipv6 on J-BxGMR4

Thu Feb 16 22:52:05 EST 2012

I see that you can configure IPv6 acl's with the latest version with a caveat...only on routed/L3 interfaces. I have a need to apply filters on access/host ports to filter rogue dhcp and rogue ra's. It would appear that this is not supported as v6 has to be enabled on the interface per the config guide before you can apply a v6 ACL...and you can't enable v6 on a L2 port. So you can apply a v4 ACL on a L2 port, just not a v6 ACL. Unless...of course I'm missing something?

__________
Josh Baity 
Network & Computer Services
Black Hills State University

|-----Original Message-----
|From: Matt Kassawara [mailto:mkassawara at gmail.com]
|Sent: Thursday, February 16, 2012 4:09 PM
|To: Diederik Schouten
|Cc: Baity, Josh; foundry-nsp at puck.nether.net
|Subject: Re: [f-nsp] Enabling ipv6 on J-BxGMR4
|
|I can configure IPv6 access lists on a FCX running the 7.3.0a routing image
|without an advanced license.  Are you running the switching image?
|
|  Copyright (c) 1996-2011 Brocade Communications Systems, Inc.
|    UNIT 1: compiled on Dec 02 2011 at 11:46:03 labeled as FCXR07300a
|                (6803305 bytes) from Primary FCXR07300a.bin
|        SW: Version 07.3.00aT7f3
|  Boot-Monitor Image size = 369491, Version:07.3.01T7f5 (grz07301)
|
|SSH at i2-net-acc-1(config)#ipv6 access-list test SSH at i2-net-acc-1(config-ipv6-
|access-list test)#permit ipv6 any any SSH at i2-net-acc-1(config-ipv6-access-
|list test)#exit SSH at i2-net-acc-1(config)#int e 1/1/20
|SSH at i2-net-acc-1(config-if-e1000-1/1/20)#ipv6 traffic-filter test in SSH at i2-
|net-acc-1(config-if-e1000-1/1/20)#exit
|SSH at i2-net-acc-1(config)#show run int e 1/1/20 interface ethernet 1/1/20
| ipv6 enable
| ipv6 traffic-filter test in
|!
|
|
|On Thu, Feb 16, 2012 at 3:34 PM, Diederik Schouten <dschout at high5.net>
|wrote:
|>
|> This is not really a licensing issue... Brocade can tell you what is and what is
|not supported when.
|>
|>
|> I'm quite sure that hardware/software related limitations are know to
|Brocade System and Support Engineers.
|> Have you opened a case with support to get this confirmed?
|>
|> Or did you check the manual?
|>
|>
|> FastIron 7.3 Configuration Guide
|> Chapter 19
|> "Configuring IPv6 Access Control Lists (ACLs)"
|>
|> Table 134 "Supported IPv6 ACL features"
|>
|> FCX
|> there's a note:
|> "1. IPv6 ACLs are not supported on base Layer 3 software images on the FSX
|and FCX platforms"
|>
|>
|> I have to agree that the manuals seem a bit chaotic at times, but when in
|doubt get it checked by a Brocade SE or by Brocade Support.
|>
|> Greetings,
|>
|>   Diederik
|>
|>
|>
|>
|> On 16 Feb 2012, at 10:48 , Baity, Josh wrote:
|>
|>> We've recently discovered that there seems to be a glaring issue with IPv6
|and licensing on the FCX platform....and that is IPv6 ACL's. It appears that you
|can enable IPv6, route IPv6, and run IPv6...but you can't apply sanity
|filters/acl's w/the base L3 image. I've tried creating a simple v6 acl to mimic
|ra-guard and found that v6 ACL's aren't supported on the L3 base image. I'm
|running 7.3...have you found differently?
|>>
|>> __________
|>> Josh Baity
|>> Network & Computer Services
|>> Black Hills State University
|>>
|>>
|>> |-----Original Message-----
|>> |From: foundry-nsp-bounces at puck.nether.net [mailto:foundry-nsp-
|>> |bounces at puck.nether.net] On Behalf Of Matt Kassawara
|>> |Sent: Thursday, February 16, 2012 2:26 PM
|>> |To: Jethro R Binks
|>> |Cc: foundry-nsp at puck.nether.net
|>> |Subject: Re: [f-nsp] Enabling ipv6 on J-BxGMR4
|>> |
|>> |I'm not aware of any special licenses to enable IPv6 on the FCX and
|>> |most other Brocade IP products, at least in recent history.  Please
|>> |elaborate on your issue with the FCX.
|>> |
|>> |On Thu, Feb 16, 2012 at 1:50 PM, Jethro R Binks
|>> |<jethro.binks at strath.ac.uk>
|>> |wrote:
|>> |> On Thu, 16 Feb 2012, Nick Gray wrote:
|>> |>
|>> |>> That is indeed unfortunate as all of our equipment is purchased
|>> |>> from third parties. Seems that is the way they get you with those
|contracts.
|>> |>> Its surprising ipv6 isn't supported by default. Alas, I will wait
|>> |>> for a kind soul to provide personal help.
|>> |>
|>> |> Foundry/Brocade's attitude to ipv6 has never been good over all
|>> |> the years in my experience.
|>> |>
|>> |> Even now, if I want "advanced features" like IPv6 on modern kit
|>> |> like the F-CX, I have to pay an additional premium which on the
|>> |> last quote I had nearly doubled the cost of the switch.  I sent a
|>> |> very long ranty email to my Brocade contact about how disgraceful
|>> |> it was and so on and so forth, and said he was free to pass on my
|>> |> comments to whoever.  I didn't really expect a response, and I wasn't
|disappointed.
|>> |>
|>> |> Even these days I'm not quite sure what the situation is with
|>> |> various models we were told were "ready for IPv6" years ago, but
|>> |> turns out they need upgrades/premium code, did it in software not
|>> |> hardware, blah
|>> |blah.
|>> |>
|>> |> Jethro.
|>> |>
|>> |> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
|>> |> Jethro R Binks, Network Manager,
|>> |> Information Services Directorate, University Of Strathclyde,
|>> |> Glasgow, UK
|>> |>
|>> |> The University of Strathclyde is a charitable body, registered in
|>> |> Scotland, number SC015263.
|>> |> _______________________________________________
|>> |> foundry-nsp mailing list
|>> |> foundry-nsp at puck.nether.net
|>> |> http://puck.nether.net/mailman/listinfo/foundry-nsp
|>> |
|>> |_______________________________________________
|>> |foundry-nsp mailing list
|>> |foundry-nsp at puck.nether.net
|>> |http://puck.nether.net/mailman/listinfo/foundry-nsp
|>>
|>> _______________________________________________
|>> foundry-nsp mailing list
|>> foundry-nsp at puck.nether.net
|>> http://puck.nether.net/mailman/listinfo/foundry-nsp
|>
|>
|> _______________________________________________
|> foundry-nsp mailing list
|> foundry-nsp at puck.nether.net
|> http://puck.nether.net/mailman/listinfo/foundry-nsp