IPv6 ACL details/similarities and differences with IPv4 ACL


Technorati labels: IPv6, IPv6 ACL

IPv6 ACLs (access lists) are in fact very similar to IPv4 ACLs. Treat what follows as an exercise that confirms the principle rather than as something new.

1. Standard access list

[Figure: standard IPv6 ACL configuration applied to f0/0 (original image: http://img1.51cto.com/attachment/201108/19/351531_1313748782VeSb.jpg)]

The configuration looks like this, and there is no big difference from IPv4. The one difference is how the list is applied to an interface: IPv4 uses ip access-group <name> in|out under the interface, IPv6 uses ipv6 traffic-filter <name> in|out. (Strictly speaking, IOS has no separate standard and extended IPv6 ACL types: every ipv6 access-list is named and accepts the full extended syntax. "Standard" here simply means an entry that matches on the source prefix only.)
That is all there is to it.
As shown in the figure above, interface f0/0 is configured with the IPv6 address 2012::1/64. With this ACL applied, a ping to 2012::2 sourced from 2012::1 produces the result below. It is not as intuitive as the IPv4 output.
In this case, turn on the access-list debug, debug ipv6 packet access-list <name> detail.

[Figure: debug output for the denied ping (original image: http://www.bkjia.com/uploads/allimg/131227/024623B01-1.jpg)]

The debug output reads: source 2012::1, destination 2012::2, output interface FE0/0,
sent from physical interface FE0/0,
encapsulation failed. The message blames encapsulation, but the real reason is that the ACL denied the packet.
I hope IOS becomes more user-friendly about this in the future.
Otherwise, troubleshooting a problem like this purely from the configuration of a Cisco 7200, 7600 or GSR would be hopeless: how many megabytes of configuration would you have to read? :)

2. Extended access list
First, a comparison with IPv4.
Similarities between IPv6 ACLs and IPv4 ACLs:
Both match on the IP 5-tuple,
that is: 1 source IP address, 2 destination IP address, 3 transport-layer protocol, 4 source port number, 5 destination port number.

Differences between IPv6 ACLs and IPv4 ACLs:
The IPv6 ACL adds the following:
■ Matching on IPv6 header fields, namely the traffic class and the flow label. The new optional keywords are dscp, flow-label, fragments, routing and undetermined-transport (the last one matches packets whose upper-layer header cannot be found behind the extension-header chain). Where DSCP or IP precedence classification used to be done through the QoS mechanism, defining a class-map, nesting it in a policy-map and attaching that to the interface, the IPv6 ACL can filter on it directly.
■ ICMPv6 message-type filtering. ICMPv6 is so central to IPv6 that almost every mechanism relies on some ICMPv6 message. If IPv6 is the operating system, ICMPv6 is its assembly language, and no operating system runs without something to compile down to. New keywords: nd-na, nd-ns, router-advertisement and router-solicitation.
■ New implicit IPv6 rules for NDP.

In IPv4 everyone knows that the hidden last entry is:
deny ip any any
IPv6 has the same, deny ipv6 any any, but two hidden entries have been added in front of it. The order is:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
None of these are displayed in the IPv6 ACL. One practical consequence: if you add your own deny ipv6 any any at the end (for example with log, to count denied traffic), the implicit ND permits above it are never reached and neighbor discovery through that interface breaks. In that case add explicit permit icmp any any nd-ns and permit icmp any any nd-na entries before your deny.
As a reminder (NA and NS were explained earlier in this series):

nd-na: Neighbor Advertisement, ICMPv6 type 136
nd-ns: Neighbor Solicitation, ICMPv6 type 135
router-advertisement: Router Advertisement, ICMPv6 type 134
router-solicitation: Router Solicitation, ICMPv6 type 133

PS:
There is no implicit rule in an IPv6 ACL for PMTUD. The source node relies on PMTUD to learn the smallest MTU along the path to the destination, and since IPv6 routers never fragment in transit, dropping that feedback leaves the node sending oversized packets that are silently discarded. Make sure the extended IPv6 ACL contains an entry that permits ICMPv6 type 2 (Packet Too Big) from any to any, so that large packets do not cause fragmentation problems.
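To make the implicit-rule ordering concrete, here is an added example in Python (it is not code from the original post): a toy first-match evaluator for IOS-style IPv6 ACL entries that appends the three hidden entries the way the router does and reports which entry a constructed packet hits. It runs the source-only "standard" list against the ping from 2012::1, then shows an ACL that ends with an explicit deny ipv6 any any log (which shadows the hidden ND permits) next to a corrected list that also permits Packet Too Big. The supported syntax subset, the message-name table and the sample packets are this example's own assumptions; ports, dscp, flow-label and the other extended keywords are deliberately not modeled.

```python
"""Toy first-match evaluator for Cisco IOS-style IPv6 ACL entries.

Added example, not code from the original post. Supports: optional sequence number,
permit/deny, protocol keyword (ipv6, icmp, tcp, udp), source and destination as a
prefix or 'any', an optional ICMPv6 message name or type number, and a trailing 'log'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 message keywords the evaluator understands (values are the IANA type numbers).
ICMPV6_TYPES = {"packet-too-big": 2, "router-solicitation": 133,
                "router-advertisement": 134, "nd-ns": 135, "nd-na": 136}

# Entries IOS appends, in this order, to every IPv6 ACL without displaying them.
IMPLICIT_RULES = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                              # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str                             # "permit" or "deny"
    proto: str                              # "ipv6" matches any upper-layer protocol
    src: Optional[ipaddress.IPv6Network]    # None means 'any'
    dst: Optional[ipaddress.IPv6Network]
    icmp_type: Optional[int]                # None means any ICMPv6 type
    text: str                               # the entry as written, for reporting
    implicit: bool = False


def parse_prefix(tok: str) -> Optional[ipaddress.IPv6Network]:
    return None if tok == "any" else ipaddress.IPv6Network(tok, strict=False)


def parse_rule(line: str, implicit: bool = False) -> Rule:
    toks = line.split()
    if toks[0].isdigit():                   # optional sequence number
        toks = toks[1:]
    if toks[-1] == "log":                   # logging does not change what matches
        toks = toks[:-1]
    action, proto, src, dst, *rest = toks
    if action not in ("permit", "deny") or proto not in ("ipv6", "icmp", "tcp", "udp"):
        raise ValueError(f"unsupported entry: {line!r}")
    icmp_type = None
    if rest:                                # message name or numeric type, icmp only
        if proto != "icmp" or len(rest) != 1:
            raise ValueError(f"unsupported entry: {line!r}")
        icmp_type = ICMPV6_TYPES.get(rest[0])
        if icmp_type is None:
            icmp_type = int(rest[0])
    return Rule(action, proto, parse_prefix(src), parse_prefix(dst), icmp_type, line, implicit)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.IPv6Address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.IPv6Address(pkt.dst) not in rule.dst:
        return False
    return rule.icmp_type is None or pkt.icmp_type == rule.icmp_type


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, matched entry text, entry was implicit) for the first hit."""
    rules = [parse_rule(e) for e in acl] + [parse_rule(e, implicit=True) for e in IMPLICIT_RULES]
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text, rule.implicit
    raise AssertionError("unreachable: the implicit deny matches everything")


# Constructed sample traffic; addresses follow the post's 2012::/64 example.
PING = Packet("2012::1", "2012::2", "icmp", icmp_type=128)        # echo request
NS = Packet("fe80::1", "ff02::1:ff00:2", "icmp", icmp_type=135)    # neighbor solicitation
PTB = Packet("2001:db8::1", "2012::1", "icmp", icmp_type=2)        # Packet Too Big

# The post's "standard" list: source-prefix match only, the rest left to the implicit entries.
STANDARD_ACL = ["deny ipv6 2012::/64 any"]
# Common mistake: an explicit deny ... log at the end shadows the implicit ND permits.
LOGGING_ACL = ["permit tcp any any", "deny ipv6 any any log"]
# Corrected list: ND and Packet Too Big permitted explicitly before the logged deny.
FIXED_ACL = ["permit icmp any any nd-ns", "permit icmp any any nd-na",
             "permit icmp any any packet-too-big", "permit tcp any any", "deny ipv6 any any log"]

if __name__ == "__main__":
    for name, acl in (("standard", STANDARD_ACL), ("logging", LOGGING_ACL), ("fixed", FIXED_ACL)):
        for label, pkt in (("ping", PING), ("NS", NS), ("PTB", PTB)):
            action, entry, implicit = evaluate(acl, pkt)
            print(f"{name:8} {label:4} -> {action:6} by {'implicit ' if implicit else ''}{entry!r}")
```

Running it shows the ping from 2012::1 hitting the explicit deny in the "standard" list while the neighbor solicitation still passes on the hidden nd-ns entry; with the logging list the same solicitation is dropped by the explicit deny ipv6 any any log, and only the corrected list lets both ND and Packet Too Big through before logging everything else.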

Below are some IPv6 ACL entry formats and some of the new keywords.
[Figure: IPv6 ACL entry syntax and new keywords (original image: http://www.bkjia.com/uploads/allimg/131227/0246234b2-2.jpg)]

The last step is managing the ACL.
■ Display IPv6 ACLs:
show ipv6 access-list

[Figure: show ipv6 access-list output for the ACLs blocksitelocal and maipu (original image: http://www.bkjia.com/uploads/allimg/131227/0246234308-3.jpg)]

This is the same as in IPv4. The difference between the two ACLs in the figure is obvious: blocksitelocal is actually applied to an interface, so its entries show how many packets each one has matched, while maipu exists only in the global configuration and was never applied to an interface, so it is inactive and has no match counters.

This is a real troubleshooting point. Many end users report that an ACL they configured has no effect; with this command you can see which entries traffic is matching, and an ACL with no matches at all is usually one that was never applied with ipv6 traffic-filter.
■ To clear the match counters shown above, use clear ipv6 access-list.
■ Use debug ipv6 packet for troubleshooting,
optionally with sub-parameters:
R1# debug ipv6 packet access-list maipu detail

This article is from the "thank-me, only focus on the principle" blog; please keep this source: http://361531.blog.51cto.com/351531/643345
