The difference between IPv6 ACL and IPv4 ACL

Source: Internet
Author: User
Tags: filter, port number

IPv6 ACLs (access lists) are in fact very similar to IPv4 ACLs. What follows is a practical exercise to verify how they work.

1. About the standard access list.

The configuration is not much different from IPv4. The difference is that in IPv4 an ACL is applied on an interface with ip access-group, while in IPv6, to apply an access list, you use the command ipv6 traffic-filter xxxx in/out.

That's all.

As you can see from the configuration above, the IPv6 address configured on interface f0/0 is 2012::1/64. If you ping 2012::2 with this configuration, the source is the interface address 2012::1/64, and the following results are obtained. The output is not as intuitive as in IPv4.

This time, turn on debug ipv6 access-list xxxxx detail.

The debug output shows the source 2012::1, the destination 2012::2, and the outgoing interface fe0/0.

The packet is sent out from the physical interface fe0/0.

In the end, encapsulation failed. But nothing states specifically that this is because of the deny in the outbound ACL.

Let's hope future versions of IOS will be more user-friendly.

Otherwise, if you have to troubleshoot by reading the configuration on something like a Cisco 7200, 7600, or GSR, you're dead. How many MB do those configurations run to? It's scary. :)

2. About the extended access list.

First, a comparison with IPv4.

What IPv6 ACLs and IPv4 ACLs have in common:

Both match on the IP five-tuple.

That is: (1) source IP address, (2) destination IP address, (3) transport-layer protocol, (4) source port number, (5) destination port number.

Differences between IPv6 and IPv4 ACLs:

IPv6 ACLs add the following:

Matching on the traffic class and flow label in the IPv6 header. The new optional keywords are dscp, flow-label, fragments, routing, and undetermined-transport. In IPv4, filtering on DSCP and IP precedence requires nesting, and it is done not with ACLs but with the QoS mechanism: define a class-map, nest the class map in a policy, and finally apply it under the interface. In IPv6 this can now be filtered directly.

Support for filtering on ICMPv6 message type. ICMPv6 is so important in IPv6 that almost every working mechanism relies on one ICMPv6 message type or another. ICMPv6 is like assembly language, while IPv6 is more like an operating system: without the underlying platform to build on, no matter how good the operating system is, it cannot work. The new keywords are nd-na, nd-ns, router-advertisement, and router-solicitation.

New implicit IPv6 rules for NDP.

In IPv4, as we all know, the last, hidden default rule is:

deny ip any any

The same is true in IPv6: deny ipv6 any any. However, some hidden rules were added before it. The overall order is:

permit icmp any any nd-ns

permit icmp any any nd-na

deny ipv6 any any

Of course, these are not displayed in an IPv6 ACL.

As a review (what NA and NS are has already been explained earlier):

nd-na: Neighbor Advertisement message, ICMPv6 type=136.

nd-ns: Neighbor Solicitation message, ICMPv6 type=135.

router-advertisement: Router Advertisement message, ICMPv6 type=134.

router-solicitation: Router Solicitation message, ICMPv6 type=133.
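
The implicit rules above matter as soon as an ACL ends in an explicit deny: the hidden nd-ns/nd-na permits come after it and are never reached, so neighbor discovery stops working. The following Python model is an added example, not part of the original article; it assumes every entry is "any any" (addresses and ports are ignored), and the three sample ACLs are constructed for illustration.

```python
"""Added example: first-match evaluation of an IPv6 ACL including its implicit
tail. Simplified model: every entry is treated as 'any any', so only the
protocol and the ICMPv6 type keyword are compared (ports are ignored)."""

# ICMPv6 type keywords and numbers as listed in the article.
ICMP_TYPES = {"router-solicitation": 133, "router-advertisement": 134,
              "nd-ns": 135, "nd-na": 136}

# Implicit entries that follow every IPv6 ACL, in the article's order.
IMPLICIT = ["permit icmp any any nd-ns",
            "permit icmp any any nd-na",
            "deny ipv6 any any"]

def parse(line):
    """Turn 'permit icmp any any nd-ns' into (action, proto, icmp_type)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    icmp_type = next((ICMP_TYPES[t] for t in tokens[2:] if t in ICMP_TYPES), None)
    return action, proto, icmp_type

def evaluate(acl_lines, proto, icmp_type=None):
    """Return (action, 'explicit' or 'implicit') for the first matching entry."""
    for origin, lines in (("explicit", acl_lines), ("implicit", IMPLICIT)):
        for action, r_proto, r_type in map(parse, lines):
            if r_proto not in ("ipv6", proto):
                continue  # protocol does not match this packet
            if r_type is not None and r_type != icmp_type:
                continue  # entry is for a different ICMPv6 type
            return action, origin
    raise RuntimeError("unreachable: the implicit deny matches everything")

def nd_blocked(acl_lines):
    """List the neighbor-discovery keywords this ACL ends up denying."""
    return [kw for kw in ("nd-ns", "nd-na")
            if evaluate(acl_lines, "icmp", ICMP_TYPES[kw])[0] == "deny"]

# Constructed sample ACLs (not from the article).
ONLY_SSH = ["permit tcp any any eq 22"]
LOGGED_DENY = ["permit tcp any any eq 22", "deny ipv6 any any log"]
FIXED = ["permit tcp any any eq 22", "permit icmp any any nd-ns",
         "permit icmp any any nd-na", "deny ipv6 any any log"]

if __name__ == "__main__":
    for name, acl in (("ONLY_SSH", ONLY_SSH), ("LOGGED_DENY", LOGGED_DENY),
                      ("FIXED", FIXED)):
        print(name, "blocks:", nd_blocked(acl) or "nothing ND-related")
```

Note that the implicit permits cover only nd-ns and nd-na: in this model a Router Advertisement (type 134) still falls through to the implicit deny unless the ACL permits it explicitly.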
