Use ACLs to remove router from LAN, such that ipv6 return packets can reach hosts via R2 (ECMP)

jbemmel · jbemmel · commit 5655cfa2c529 · 2025-01-12T22:15:28.000-06:00
diff --git a/tests/integration/gateway/03-vrrp-ipv6.yml b/tests/integration/gateway/03-vrrp-ipv6.yml
@@ -42,11 +42,11 @@ links:
 
 validate:
   r2_eth1_down:
-    description: Remove R2 from the VRRP LAN
+    description: Put ACL to remove R2 from the VRRP LAN
     nodes: [ r2 ]
     config:
-      template: ifdown
-      variable.ifstate: 'down'
+      template: acl
+      variable.acl: 'drop'
     pass: R2 has been disconnected from the VRRP LAN
     stop_on_error: True
   ra:
@@ -65,8 +65,8 @@ validate:
     description: Add R2 to the VRRP LAN
     nodes: [ r2 ]
     config:
-      template: ifdown
-      variable.ifstate: 'up'
+      template: acl
+      variable.acl: 'allow'
     pass: R2 has been reconnected to the VRRP LAN
     stop_on_error: True
   r2_vrrp_backup:
diff --git a/tests/integration/gateway/acl/eos.j2 b/tests/integration/gateway/acl/eos.j2
@@ -0,0 +1,11 @@
+ipv6 access-list drop-ipv6
+   10 deny ipv6 any any
+!
+
+ipv6 access-list drop-vrrp
+   10 deny 112 any any
+!
+
+interface {{ interfaces[0].ifname }}
+  {{ 'no ' if acl|default('allow') == 'allow' else '' }}ipv6 access-group drop-ipv6 in
+  {{ 'no ' if acl|default('allow') == 'allow' else '' }}ipv6 access-group drop-vrrp out
