The ipv6 with-options drop command enables the switch to discard IPv6 packets destined for the switch and containing specified extension headers.
The undo ipv6 with-options drop command disables the switch from discarding IPv6 packets destined for the switch and containing specified extension headers.
By default, the switch does not discard IPv6 packets destined for the switch and containing specified extension headers.
IPv6 packets may contain the following extension headers:
Routing header: An IPv6 source node uses this header to specify the intermediate nodes that a packet must pass through on the way to its destination.
Fragment header: The length of IPv6 packets to be forwarded cannot exceed the maximum transmission unit (MTU) specified on interfaces of devices along the forwarding path. When the packet length exceeds the MTU, the packet needs to be fragmented. In IPv6, the fragment header is used by an IPv6 source node to send a packet larger than the MTU. Fragmentation in IPv6 is performed only by source nodes, not by intermediate nodes along the path a packet traverses.
Destination options header: This header carries information that only the destination node of a packet processes.
Malicious attacks can be initiated using these IPv6 extension headers. For example, the routing header can be used to specify a node that packets must pass through. The fragment header can be used to set the MTU to a small value on the source node, leading to a large number of data fragments. The destination options header can specify destination devices to process IPv6 packets. If attackers send a large number of such IPv6 packets to the switch, the switch becomes busy handling these packets, which degrades forwarding performance. To prevent malicious network attacks and reduce the impact on forwarding performance, you can enable the switch to discard IPv6 packets destined for the switch and containing specified extension headers.
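The match condition described above (packet addressed to the device itself and carrying one of the listed extension headers) can be modelled offline for testing captures or filter logic. The following is an added example, not the switch's implementation or CLI: the function names, the `drop_types` labels and the sample addresses are assumptions, and only the header type numbers (43, 44, 60) are the standard IANA values.

```python
import ipaddress
import struct

# IANA protocol numbers for the three extension headers named above.
EXT_NAMES = {43: "routing", 44: "fragment", 60: "destination-options"}
HOP_BY_HOP = 0  # also walked so headers placed behind it are still found


def extension_headers(packet: bytes):
    """Return (destination address, names of listed extension headers)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = packet[6]
    dst = ipaddress.IPv6Address(packet[24:40])
    offset, found = 40, []
    while next_hdr in EXT_NAMES or next_hdr == HOP_BY_HOP:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr in EXT_NAMES:
            found.append(EXT_NAMES[next_hdr])
        # The fragment header is always 8 bytes; the others carry a length
        # field counted in 8-byte units beyond the first 8 bytes.
        size = 8 if next_hdr == 44 else (packet[offset + 1] + 1) * 8
        next_hdr = packet[offset]
        offset += size
    return dst, found


def would_drop(packet: bytes, local_addrs, drop_types) -> bool:
    """True if the packet is addressed to the device and has a listed header.

    local_addrs and drop_types are hypothetical parameters for this model.
    """
    dst, found = extension_headers(packet)
    local = {ipaddress.IPv6Address(a) for a in local_addrs}
    return dst in local and any(h in drop_types for h in found)


def build(dst: str, chain, payload=b"\x00" * 8) -> bytes:
    """Constructed sample: IPv6 packet with minimal 8-byte extension headers."""
    body, nxt = payload, 59  # 59 = No Next Header
    for proto in reversed(chain):
        body = bytes([nxt, 0]) + b"\x00" * 6 + body
        nxt = proto
    src = ipaddress.IPv6Address("2001:db8::1").packed
    hdr = struct.pack("!IHBB", 6 << 28, len(body), nxt, 64)
    return hdr + src + ipaddress.IPv6Address(dst).packed + body
```

Transit packets (destination not in `local_addrs`) are never matched, which mirrors the command's scope of packets destined for the switch.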