I'm currently planning to move the SVIs for the student dormitory access VLANs from a Juniper (in the datacenter) to a CX 6300M switch (in the dorm).
When building the config templates and verifying them, I failed to activate uRPF for IPv6 (for IPv4 it works).
There is the command
ip urpf-check strict
but not
ipv6 urpf-check strict
Verifying with show [ip,ipv6] interface, I see that something about uRPF on IPv6 is present in the OS:
#show ipv6 interface
Interface vlan23 is up
Admin state is up
IPv6 address:
2001:db8:23::1/64 [VALID]
IPv6 link-local address: fe80::1/64 [VALID]
IPv6 virtual address configured: none
IPv6 multicast routing: disable
IPv6 Forwarding feature: enabled
IPv6 multicast groups locally joined:
ff02::1 ff02::1:ff00:1 ff02::1:ff00:0 ff02::2
IPv6 multicast (S,G) entries joined: none
IPv6 MTU 1500
IPv6 unicast reverse path forwarding: none
IPv6 load sharing: none
L3 Counters: Rx Enabled, Tx Enabled
The config for the above SVI is:
interface vlan 23
description test-a101
ip address 100.84.167.129/27
ipv6 address link-local fe80::1/64
ipv6 address 2001:db8:23::1/64
ip urpf-check strict
ipv6 nd ra other-config-flag
no ipv6 nd suppress-ra
ipv6 nd ra dns search-list dorm.example.com
ipv6 nd ra dns server 2001:db8::1
ipv6 nd ra dns server 2001:db8::2
ipv6 helper-address unicast 2001:db8:102:6896:5aff:fe57:74db
l3-counters
ip urpf-check only handles IPv4; I verified that by sending spoofed IPv6 packets. I would really like to avoid creating ~650 ACLs as a workaround.
While I have an outgoing ACL on the uplink, I'd rather protect each VLAN by itself.
------------------------------
Stephan Westphal
Running IPv6-only in production
------------------------------
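When a template is rolled out to several hundred dormitory SVIs, the fastest way to see which ones are still unprotected is to parse "show ipv6 interface" and flag every interface whose "IPv6 unicast reverse path forwarding" line still reads "none". The script below is an added example, not part of the post above and not AOS-CX tooling; it assumes the block layout quoted in the post (one "Interface <name> is <state>" header per SVI), and the sample text it parses is constructed to mirror that format, with vlan24 being an invented second SVI.

```python
"""Audit IPv6 uRPF state per SVI from 'show ipv6 interface' output.

Added example (not from the original post). It assumes each interface block
starts with 'Interface <name> is <state>' and contains a line of the form
'IPv6 unicast reverse path forwarding: <mode>', as in the output quoted in
the post. Paste real CLI output into parse_ipv6_urpf() to audit a switch.
"""
import re

# Constructed sample output in the post's format (vlan24 is invented).
SAMPLE_SHOW_IPV6_INTERFACE = """\
Interface vlan23 is up
Admin state is up
IPv6 address:
2001:db8:23::1/64 [VALID]
IPv6 link-local address: fe80::1/64 [VALID]
IPv6 MTU 1500
IPv6 unicast reverse path forwarding: none
IPv6 load sharing: none
L3 Counters: Rx Enabled, Tx Enabled
Interface vlan24 is up
Admin state is up
IPv6 address:
2001:db8:24::1/64 [VALID]
IPv6 unicast reverse path forwarding: strict
L3 Counters: Rx Enabled, Tx Enabled
"""

# Header line of each interface block and the uRPF status line inside it.
INTERFACE_RE = re.compile(r"^Interface (\S+) is (\S+)")
URPF_RE = re.compile(r"^IPv6 unicast reverse path forwarding: (\S+)")


def parse_ipv6_urpf(show_output):
    """Return {interface_name: urpf_mode} parsed from 'show ipv6 interface'.

    An interface whose block has no uRPF line is reported as 'unknown' so it
    is not silently treated as protected.
    """
    result = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        header = INTERFACE_RE.match(line)
        if header:
            current = header.group(1)
            result[current] = "unknown"
            continue
        urpf = URPF_RE.match(line)
        if urpf and current is not None:
            result[current] = urpf.group(1)
    return result


def svis_without_ipv6_urpf(show_output, prefix="vlan"):
    """Sorted list of SVIs (names starting with prefix) whose IPv6 uRPF is
    'none' or could not be determined; these are the ones still accepting
    spoofed IPv6 sources on the access side."""
    return sorted(
        name
        for name, mode in parse_ipv6_urpf(show_output).items()
        if name.startswith(prefix) and mode in ("none", "unknown")
    )


if __name__ == "__main__":
    for svi in svis_without_ipv6_urpf(SAMPLE_SHOW_IPV6_INTERFACE):
        print(f"{svi}: IPv6 uRPF not active")
```

Run against the real output of the 650 SVIs, the list it prints is exactly the set of VLANs that still need either a working IPv6 uRPF knob or the per-VLAN ACL workaround the post wants to avoid, which makes it a useful regression check after each firmware or template change.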