
ACLv6

beef410's version from 2018-04-11 15:22

Section

Question | Answer
Implicit Deny | Still here
Applied | Inbound and outbound must still be specified at the interface level
Overlogging | v6 is more efficient, but beware of logging too much
Per Interface | Each interface can have a v4 and a v6 ACL.
Named only | No number ranges, named only
(config)#ipv6 access-list <word> | Create a v6 ACL
(config-ipv6-acl)#deny <protocol/ipv6> <dest> | Deny a protocol or source IPv6 address; the permit any any is still needed after it. Standard ACL.
Standard ACL v6 | Requires source and destination
(config-if)#ipv6 traffic-filter <word> <in/out> | Apply the ACL to an interface
ping | Does not require v6 to be specified; the 'A' v6 response code indicates an administratively blocked packet.
(config-if)#no ipv6 unreachables | Turns off "A" codes and only sends "." codes. Prevents recon attacks. Unreachables are on by default.
Extended ACL v6 | Using any additional feature besides a source and destination address
(config-ipv6-acl)#sequence # | Must be used at the start of the line to specify a specific sequence number.
NDP | Neighbor Discovery Protocol: Neighbor Solicitation and Neighbor Advertisement messages
SNMA | Solicited Node Multicast Address. Neighbor Solicitations are destined for the SNMA of the requested host (a multicast address for the group of hosts whose MACs resemble what is being requested).
Implicit Permits | Permits NS and NA messages before the implicit deny.

Troubleshoot

Question | Answer
Routing Proto | Not always an ACL at fault; with OSPF, an area can be missing a link to the backbone
Extended Ping | Either 'ping', which drops into the line-by-line setup where you select ipv6, or 'ping ipv6', which skips a step in the prompts
Permit any any | Don't forget to add this line to the end of the list, unless you're doing an inclusive list.
deny any any | Because the implicit permits (NS/NA) come before the implicit deny, an explicit deny any any line will kill IPv6.