Re: JUNOS forwards IPv6 link-local packets

[Phil Bedard <bedard.phil () gmail com>]

On 4/30/12 2:36 PM, "Justin M. Streiner" <streiner () cluebyfour org> wrote:


> On Fri, 27 Apr 2012, Chris Adams wrote:
>
> > I don't think that will work, because there's an automatic direct route
> > for fe80::/64 to all interfaces with family inet6 configured.  The only
> > way I see around it is to apply a firewall filter to all IPv6 interfaces
> > that blocks anything with a source in fe80::/64 and destination _not_ in
> > fe80::/64.
>
> I've verified this between two M7is in my lab, running Junos 10.3.  I
> tried to verify similar behavior between a 6509 running 12.2(33)SXJ2 and
> my target M7i, but either the Cisco box doesn't appear to allow the
> traffic, or the command parser in that version of IOS is smart enough
> not to allow a ping sourced from a link-local address, but destined to a
> non-link-local address.
>
> Jms


When I tried this on IOS-XR I first tried a local ping and it did not
allow a ping sourced from a link-local address to ping any global address
except for one assigned to the same interface.  However that didn't stop
it from forwarding frames coming into an interface from another device.

Phil