ACL configuration and attention points of IPV6

Source: Internet
Author: User

The IPv6 ACL rules are as follows:

1 Only named ACLs are used.

2 ACL entries are matched in sequence-number order, from smallest to largest.

3 By default there is an implicit permit icmp any any nd-na and permit icmp any any nd-ns, for the Neighbor Advertisement and Neighbor Solicitation messages of the Neighbor Discovery protocol, so that the interface can still send and receive IPv6 Neighbor Discovery packets.

4 At the end there is an implicit deny ipv6 any any.

5 The command ipv6 traffic-filter applies the ACL to an interface in the in or out direction.


Requirements: configure an ACL on R1 that prohibits the R1 loopback interface from accessing the loopback interface address of R4.

The ACL is configured as follows; the remaining configuration is omitted:

R1(config)#ipv6 access-list Mao
R1(config-ipv6-acl)#deny ipv6 2011::1/128 2044::4/128
R1(config-ipv6-acl)#permit ipv6 any any
R1(config)#int fa0/0
R1(config-if)#ipv6 traffic-filter Mao out

R1#show ipv6 access-list
IPv6 access list Mao
    deny ipv6 host 2011::1 host 2044::4 sequence 10
    permit ipv6 any any sequence 20

R1#ping 2044::4 source 2011::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2044::4, timeout is 2 seconds:
Packet sent with a source address of 2011::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/52 ms

Why does the ping succeed? Because the command ipv6 traffic-filter filters traffic that the router forwards; it does not filter traffic that originates from the router itself.

Now modify the ACL so that it instead denies the packets coming back from the R4 loopback interface, and apply the ACL in the inbound direction of the fa0/0 interface:

R1(config)#ipv6 access-list Mao
R1(config-ipv6-acl)#no deny ipv6 host 2011::1 host 2044::4
R1(config-ipv6-acl)#deny ipv6 2044::4/128 2011::1/128
R1(config-ipv6-acl)#permit ipv6 any any
R1(config-ipv6-acl)#int fa0/0
R1(config-if)#no ipv6 traffic-filter Mao out
R1(config-if)#ipv6 traffic-filter Mao in

R1#ping 2044::4 source 2011::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2044::4, timeout is 2 seconds:
Packet sent with a source address of 2011::1
.....
Success rate is 0 percent (0/5)

R1#show access-lists
IPv6 access list Mao
    deny ipv6 host 2044::4 host 2011::1 (5 matches) sequence 5
    permit ipv6 any any (4 matches) sequence 40

Summary: the command ipv6 traffic-filter does not filter traffic originated by the router itself, so when configuring an IPv6 ACL you need to consider whether the traffic originates from the router or is forwarded through it.

The above example can also be implemented by configuring R3 instead, as follows:

R3(config)#ipv6 access-list Mao
R3(config-ipv6-acl)#deny ipv6 2011::1/128 2044::4/128
R3(config-ipv6-acl)#permit ipv6 any any
R3(config)#int fa0/1
R3(config-if)#ipv6 traffic-filter Mao out

R1#ping 2044::4 source 2011::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2044::4, timeout is 2 seconds:
Packet sent with a source address of 2011::1
Sssss
Success rate is 0 percent (0/5)

The ping does not pass this time. Capturing packets between R1 and R3 shows the following:

[Figure 2: packet capture between R1 and R3] The ICMPv6 type is 1, which indicates that the destination is unreachable; the Code field is 5, meaning the source address was blocked by the inbound/outbound policy.
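To make the behaviour above concrete, here is an added model in Python (not the article's own code and not Cisco software) of the ACL semantics the article describes: sequence-ordered first match, the implicit ND permits and implicit deny, and the outbound traffic-filter exemption for router-originated packets. It replays the R1 outbound, R1 inbound and R3 outbound cases; the packet field names, the ICMPv6 type labels and the locally_originated flag are assumptions of the model.

```python
from ipaddress import ip_network, ip_address

# Constructed model of the IOS IPv6 ACL rules on this page: entries are tried
# top-down by sequence number, then the implicit ND permits, then implicit deny.
ANY = "::/0"
IMPLICIT = [("permit", "icmp", ANY, ANY, "nd-na"),
            ("permit", "icmp", ANY, ANY, "nd-ns"),
            ("deny", "ipv6", ANY, ANY, None)]

class IPv6ACL:
    def __init__(self, name):
        self.name, self.entries = name, []  # (seq, action, proto, src, dst, icmp_type)

    def add(self, action, proto, src, dst, icmp_type=None, seq=None):
        if seq is None:  # IOS auto-assigns the next multiple of 10
            seq = max((e[0] for e in self.entries), default=0) + 10
        self.entries.append((seq, action, proto, src, dst, icmp_type))
        self.entries.sort(key=lambda e: e[0])

    def evaluate(self, proto, src, dst, icmp_type=None):
        """Verdict of the first matching entry; implicit entries are checked last."""
        for _, action, p, s, d, t in self.entries + [(None, *e) for e in IMPLICIT]:
            if p not in ("ipv6", proto):
                continue
            if ip_address(src) not in ip_network(s) or ip_address(dst) not in ip_network(d):
                continue
            if t is not None and t != icmp_type:
                continue
            return action
        return "deny"  # not reached: the implicit deny matches everything

def traffic_filter(acl, direction, pkt, locally_originated=False):
    """ipv6 traffic-filter: 'out' filters transit traffic only, never router-originated packets."""
    if direction == "out" and locally_originated:
        return "permit"
    return acl.evaluate(**pkt)

def page_scenarios():
    """Replay the article's cases; returns {case: verdict}."""
    req = dict(proto="icmp", src="2011::1", dst="2044::4", icmp_type="echo-request")
    rep = dict(proto="icmp", src="2044::4", dst="2011::1", icmp_type="echo-reply")
    ns = dict(proto="icmp", src="fe80::1", dst="ff02::1:ff00:4", icmp_type="nd-ns")
    v1, v2 = IPv6ACL("Mao"), IPv6ACL("Mao")
    v1.add("deny", "ipv6", "2011::1/128", "2044::4/128"); v1.add("permit", "ipv6", ANY, ANY)
    v2.add("deny", "ipv6", "2044::4/128", "2011::1/128"); v2.add("permit", "ipv6", ANY, ANY)
    return {"r1_out_self_originated": traffic_filter(v1, "out", req, locally_originated=True),
            "r3_out_forwarded": traffic_filter(v1, "out", req),
            "r1_in_reply": traffic_filter(v2, "in", rep),
            "nd_ns_implicit": traffic_filter(IPv6ACL("empty"), "in", ns)}
```

The first case is permitted even though an explicit deny matches, which is exactly why the article's first ping succeeded; the inbound variant and the R3 placement both block the traffic.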


This article is from the "Twilight Cloud Wind Xiao" blog; please keep this source: http://muyun.blog.51cto.com/952166/1605876
