Extend L2 firewalling to allow filtering based on EtherType

  • Idea
  • Updated 4 years ago
  • Planned

Nick Lowe, Official Rep


Posted 5 years ago


Adam Conway

That is a clever idea... I like it.

Mike Kouri, Official Rep

Good idea, Nick. Don't be too terribly surprised if this shows up in a future release of our software.

Nick Lowe, Official Rep

As this was a year ago, I am gently prodding.

Were there any thoughts on enhancing HiveOS/HiveManager to offer filtering by ether type?

In lieu of full IPv6 support in an access point or switch, it is highly desirable from a security perspective to be able to prohibit all IPv6 traffic from passing at the edge of the network between clients in the same broadcast domain.

(In many scenarios, it is not desirable or possible to prohibit all client to client communications.)

Thanks! :)
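
What an EtherType filter at the edge has to decide for the IPv6-blocking case in the post above, as an added example that is not part of the original thread and is not HiveOS code. It also covers VLAN-tagged frames, where a check at a fixed offset would see the tag instead of 0x86DD; the function names, sample frames and the fail-closed choice are assumptions of this sketch.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad (QinQ) tag protocol IDs

def effective_ethertype(frame: bytes):
    """Return the EtherType of the payload, skipping up to two VLAN tags.

    Returns None for runt frames, for 802.3 length-encoded frames
    (type/length field < 0x0600) and for frames with more than two tags.
    """
    offset = 12                      # after destination + source MAC
    for _ in range(3):               # outer tag, inner tag, then the real type
        if len(frame) < offset + 2:
            return None
        (value,) = struct.unpack_from("!H", frame, offset)
        if value not in VLAN_TPIDS:
            return value if value >= 0x0600 else None
        offset += 4                  # skip TPID (2 bytes) + TCI (2 bytes)
    return None

def allow_frame(frame: bytes, denied=frozenset({ETHERTYPE_IPV6})) -> bool:
    """L2 policy: drop denied EtherTypes.

    Failing closed on frames with no parseable EtherType is this
    example's assumption; a real policy may need to pass LLC frames.
    """
    ethertype = effective_ethertype(frame)
    if ethertype is None:
        return False
    return ethertype not in denied

# Constructed sample frames (MAC addresses and payloads are made up).
DST, SRC = bytes.fromhex("3333000000fb"), bytes.fromhex("020000000001")
SAMPLES = {
    "ipv4": DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + bytes(19),
    "ipv6": DST + SRC + struct.pack("!H", ETHERTYPE_IPV6) + b"\x60" + bytes(39),
    "ipv6_in_vlan": DST + SRC + struct.pack("!HHH", 0x8100, 10, ETHERTYPE_IPV6)
                    + b"\x60" + bytes(39),
    "arp": DST + SRC + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),
    "runt": DST + SRC,
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:14} {'pass' if allow_frame(frame) else 'drop'}")
```
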

Mike Kouri, Official Rep

Hi Nick,
My apologies for the delay in responding; I saw when you posted this but got distracted by other things. Yes, this is planned. Give me another day or two to make sure my ducks are all in a row, and I hope to post more here with a small amount of detail about our plans regarding IPv6 support.

Roberto Casula, Champ

Nick, you may have missed this (I did at first) but you can now block IPv6 using an application firewall policy as there is an application definition for IPv6, but you still can't selectively block IPv6 traffic at layer-3 or 4. Not brilliant, but at least there is some option in the current code.

Nick Lowe, Official Rep

Roberto,

Thank you! I had missed that. Somebody else suggested that I look at the L7 features yesterday to see if it could be achieved there, which I was about to do, but you have preempted that. :)

It would be nice to see filtering by ether type, something I used to have in a previous 802.11g Trapeze system, but it is certainly not as pertinent if I can do it with an L7 classifier.

Thanks,

Nick