Other IPv6 ACL Topics
Misc info IPv6
NS ICMPv6 messages are sent to the solicited-node multicast address (FF02::1:FF00:0/104, i.e. FF02:0:0:0:0:1:FF00::/104 with the low 24 bits of the target unicast address appended). Solicited NAs are sent back to the unicast address of the soliciting node. R1# show ipv6 routers (check the RA lifetime/timers to confirm the neighbor router is still reachable).
Implicit filtering IPv6 ACL
Basic IPv6 ACLs filter on source/destination: specific IPv6 hosts and IPv6 address prefixes. Extended IPv6 ACLs can additionally match ICMPv6 types, TCP, UDP and other IPv6 header fields and extension headers. On the WAN, don't block ICMPv6 too aggressively (path MTU discovery and error reporting depend on it). On the LAN, don't block NDP messages toward access nodes or between directly connected routers.
More avoid filtering ICMP NDP IPv6
*IOS XE has no default permit for NS/NA. *NX-OS has default permits for NS/NA and RS/RA. If logging is needed, add at the end: R1(config-ipv6-acl)# deny ipv6 any any log. Caveat: an explicit deny replaces the implicit rules, so the NS/NA (and, if wanted, RS/RA) permits must then be written explicitly above it. An outbound ACL won't block RA/RS originated by the router itself, because router-generated traffic is not subject to outbound ACLs; an inbound ACL will block received RA/RS unless they are permitted.
IPv6 Management Control ACL's
IPv6 ACLs can be used to restrict SNMP, RADIUS, TACACS+, HTTP/HTTPS, NTP and Telnet/SSH CLI access. For the CLI, use the access-class command under line configuration: R2(config-line)# ipv6 access-class V6ACCESS in. To check for matches: R1# show ipv6 access-list.
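Added example (not from the original notes) of a management ACL applied with ipv6 access-class on the VTY lines and reused for SNMP; the ACL name V6ACCESS comes from the notes, while the management prefix 2001:db8:ffff::/64, the VTY range and the community string are assumed:

```cisco
! Added example: restrict CLI (SSH) and SNMP to one management prefix.
! 2001:db8:ffff::/64 and the community string are assumed values.
ipv6 access-list V6ACCESS
 remark --- only the management prefix may open SSH sessions or poll SNMP
 permit tcp 2001:db8:ffff::/64 any eq 22
 permit udp 2001:db8:ffff::/64 any eq snmp
 remark --- explicit logged deny so rejected attempts show up in syslog
 deny ipv6 any any log
!
line vty 0 4
 transport input ssh
 ipv6 access-class V6ACCESS in
!
snmp-server community MgmtRO RO ipv6 V6ACCESS
```

Verify with show ipv6 access-list V6ACCESS: the match counters on the permit line should increase with each SSH login from the management prefix, and the deny line with each rejected attempt. Because the deny is explicit, the implicit NS/NA permits are gone from this ACL; that is acceptable here because access-class only evaluates connections to the VTYs, not transit or neighbor traffic.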
Implicit IPv6 ACL Rules
IPv6 requires ICMPv6 and multicast to function. NDP is part of ICMPv6 and uses the NS, NA, RS and RA message types.
Avoid Filtering ICMPv6 NDP Messages
Three implicit rules are appended to every IPv6 ACL:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
You can add explicit permits for router discovery as well:
permit icmp any any router-solicitation
permit icmp any any router-advertisement
*Always allow NDP. If you write your own deny ipv6 any any (for example with log), the implicit nd-na/nd-ns permits no longer apply and must be added explicitly above it.
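Added example (not from the original notes) that puts together the points above and in "More avoid filtering ICMP NDP IPv6": an inbound LAN ACL that keeps NDP working while still ending in a logged deny. The ACL name V6-LAN-IN, the interface and the prefixes 2001:db8:10::/64 and 2001:db8:20::/64 are assumed:

```cisco
! Added example: LAN-facing inbound IPv6 ACL with a logged deny.
! Because "deny ipv6 any any log" is explicit, the implicit nd-na/nd-ns
! permits are lost, so all four NDP types are permitted explicitly first.
! Names and prefixes are assumed values.
ipv6 access-list V6-LAN-IN
 remark --- NDP: address resolution (NS/NA) and router discovery (RS/RA)
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-solicitation
 permit icmp any any router-advertisement
 remark --- ICMPv6 error messages needed for PMTUD and traceroute
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark --- hosts on the LAN prefix may reach the server prefix on HTTPS
 permit tcp 2001:db8:10::/64 2001:db8:20::/64 eq 443
 remark --- everything else is dropped and logged
 deny ipv6 any any log
!
interface GigabitEthernet0/1
 ipv6 traffic-filter V6-LAN-IN in
```

Applied inbound, this ACL still lets hosts send RS toward the router (so it can answer with RA) and lets a directly connected router's RAs in. The router's own outbound RAs on Gi0/1 are unaffected, since outbound ACLs never filter router-originated traffic. Check with show ipv6 access-list V6-LAN-IN that the nd-ns/nd-na counters increment as neighbors are resolved; if they stay at zero while the deny counter climbs, NDP is being filtered.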
Verifying IPv6 working
To check that IPv6 is working: R1# show ipv6 neighbors Gi0/1 (lists the IPv6 addresses learned by receiving ICMPv6 NDP NA messages). R1# show ipv6 routers (confirms R2's information was learned by receiving ICMPv6 NDP RA messages). *Routers send RA messages every 200 seconds by default (IOS). *A node sends RS messages when its interface comes up or it joins a network, to learn how to acquire an IPv6 address.