IPv6 ACL rules are as follows:
1. Only named ACLs are used.
2. ACL entries are matched in order of sequence number, from smallest to largest.
3. By default, the implied rules permit icmp any any nd-na and permit icmp any any nd-ns allow the neighbor advertisements and neighbor solicitations of the Neighbor Discovery protocol, so the interface can send and receive IPv6 Neighbor Discovery packets. The ACL ends with the default implied deny ipv6 any any.
4. Use the command ipv6 traffic-filter to apply the ACL to an interface in the in or out direction.
Requirement: configure an ACL on R1 that prohibits R1's loopback interface from accessing R4's loopback interface address.
The ACL is configured as follows; the rest of the configuration is omitted:
R1(config)#ipv6 access-list Mao
R1(config-ipv6-acl)#deny ipv6 2011::1/128 2044::4/128
R1(config-ipv6-acl)#permit ipv6 any any
R1(config)#int fa0/0
R1(config-if)#ipv6 traffic-filter Mao out
R1#show ipv6 access-list
IPv6 access list Mao
    deny ipv6 host 2011::1 host 2044::4 sequence 10
    permit ipv6 any any sequence 20
R1#ping 2044::4 source 2011::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2044::4, timeout is 2 seconds:
Packet sent with a source address of 2011::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/52 ms
Why does the ping succeed? Because the command ipv6 traffic-filter filters traffic forwarded by the router, but does not filter traffic originating from the router itself.
Now modify the ACL as follows, so that it rejects the packets sent back from R4's loopback interface, and apply it to the inbound direction of interface fa0/0:
R1(config)#ipv6 access-list Mao
R1(config-ipv6-acl)#no deny ipv6 host 2011::1 host 2044::4
R1(config-ipv6-acl)#deny ipv6 2044::4/128 2011::1/128
R1(config-ipv6-acl)#permit ipv6 any any
R1(config-if)#no ipv6 traffic-filter Mao out
R1(config-if)#ipv6 traffic-filter Mao in
R1#ping 2044::4 source 2011::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2044::4, timeout is 2 seconds:
Packet sent with a source address of 2011::1
.....
Success rate is 0 percent (0/5)
R1#show access-lists
IPv6 access list Mao
    deny ipv6 host 2044::4 host 2011::1 (5 matches) sequence 5 packets matched
    permit ipv6 any any (4 matches) sequence 40
Summary: the command ipv6 traffic-filter does not filter traffic originating from the router itself, so when configuring an IPv6 ACL you need to check whether the traffic you want to filter originates from the router where the ACL is applied.
The same restriction can also be configured on R3, as follows:
R3(config)#ipv6 access-list Mao
R3(config-ipv6-acl)#deny ipv6 2011::1/128 2044::4/128
R3(config-ipv6-acl)#permit ipv6 any any
R3(config)#int fa0/1
R3(config-if)#ipv6 traffic-filter Mao out
R1#ping 2044::4 source 2011::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2044::4, timeout is 2 seconds:
Packet sent with a source address of 2011::1
SSSSS
Success rate is 0 percent (0/5)
The ping fails. A packet capture taken between R1 and R3 shows the following:
The ICMPv6 Type is 1, which indicates that the destination is unreachable; the Code field is 5, which means the source address is blocked by the ingress/egress policy.
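The three experiments above can be reproduced with a small model of how an interface ACL is evaluated. This is an added example, not code from the original article or from Cisco; treating "source address is one of the router's own addresses" as the test for locally originated traffic, and the empty address set used for R3, are simplifying assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src: str      # IPv6 prefix, or "any"
    dst: str

def _match(prefix, addr):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def evaluate(acl, src, dst, icmp_type=None):
    """First matching entry (in sequence order) wins, then the implied rules."""
    for e in acl:
        if _match(e.src, src) and _match(e.dst, dst):
            return e.action
    if icmp_type in (135, 136):   # implied permit icmp any any nd-ns / nd-na
        return "permit"
    return "deny"                 # implied deny ipv6 any any

def traffic_filter(acl, direction, src, dst, local_addrs, icmp_type=None):
    """Model of 'ipv6 traffic-filter <acl> in|out' on one interface.
    An 'out' filter only sees forwarded packets, so a packet sourced from
    one of the router's own addresses (assumption, see lead-in) bypasses it."""
    if direction == "out" and src in local_addrs:
        return "permit"
    return evaluate(acl, src, dst, icmp_type)

R1_LO, R4_LO = "2011::1", "2044::4"   # loopback addresses from the article
ACL_FWD = [Entry("deny", "2011::1/128", "2044::4/128"), Entry("permit", "any", "any")]
ACL_REV = [Entry("deny", "2044::4/128", "2011::1/128"), Entry("permit", "any", "any")]

def run_cases():
    return {
        # Case 1: R1 fa0/0 out. The echo request is generated by R1 itself.
        "r1_out": traffic_filter(ACL_FWD, "out", R1_LO, R4_LO, {R1_LO}),
        # Case 2: R1 fa0/0 in. The echo reply from R4 arrives and is filtered.
        "r1_in": traffic_filter(ACL_REV, "in", R4_LO, R1_LO, {R1_LO}),
        # Case 3: R3 fa0/1 out. R3 forwards R1's echo request, so it is filtered.
        "r3_out": traffic_filter(ACL_FWD, "out", R1_LO, R4_LO, set()),
    }

if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(case, verdict)
```

The results line up with the pings in the article: case 1 succeeds, cases 2 and 3 fail.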
This article is from the "Twilight Cloud Wind Xiao" blog; please keep this source link: http://muyun.blog.51cto.com/952166/1605876
IPv6 ACL configuration and points to note