As explained in my first lesson that introduces access-lists, we can use access-lists for filtering (blocking packets) or selecting traffic (for VPNs, NAT, etc).
This also applies to IPv6 access-lists which are very similar to IPv4 access-lists. There are two important differences however:
- IPv4 access-lists can be standard or extended, numbered or named. IPv6 only has named extended access-lists.
- IPv4 access-lists have an invisible implicit deny any at the bottom of every access-list. IPv6 access-lists have three invisible statements at the bottom:
  - permit icmp any any nd-na
  - permit icmp any any nd-ns
  - deny ipv6 any any
The two permit statements are required for neighbor discovery, an important IPv6 protocol that replaces ARP.
Having said that, let’s take a look at the configuration.
Configuration
For this demonstration we only need two routers:
I’ll use subnet 2001:DB8:0:12::/64 in between R1 and R2. To demonstrate the access-list, I’ll create one inbound on R2 and we will try to filter some packets from R1. Let’s take a look at the access-list:
R2(config)#ipv6 access-list ?
WORD User selected string identifying this access list
log-update Control access list log updates
As you can see above, the only option is a named access-list; there is no option for a standard or extended access-list. Let’s create that access-list:
R2(config)#ipv6 access-list R1_TRAFFIC
I’ll call it “R1_TRAFFIC”. Here are our options when we create a statement:
R2(config-ipv6-acl)#permit ?
<0-255> An IPv6 protocol number
X:X:X:X::X/<0-128> IPv6 source prefix x:x::y/<z>
ahp Authentication Header Protocol
any Any source prefix
esp Encapsulation Security Payload
host A single source host
icmp Internet Control Message Protocol
ipv6 Any IPv6
pcp Payload Compression Protocol
sctp Streams Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
This is similar to IPv4 access-lists. You can pick any protocol you like. Let’s see if we can permit telnet traffic from R1 and deny everything else:
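To make the evaluation order concrete, here is a small added example, Python written for this page rather than Cisco code or the lesson’s own configuration, that models how IOS walks an IPv6 access-list: the configured entries first, then the three implicit entries from the list above. It assumes R1 is 2001:DB8:0:12::1 and R2 is 2001:DB8:0:12::2 on the lesson’s subnet; the supported ACL syntax subset, the Packet type and the sample packets are all constructed for the example. It also goes one step beyond the lesson by showing what happens when you append an explicit deny ipv6 any any log to get log messages: that entry is evaluated before the implicit neighbor discovery permits, so neighbor solicitations are dropped as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of IOS IPv6 ACL evaluation for this lesson (not IOS code).
# Supported entry syntax, a subset of the real one:
#   <permit|deny> <ipv6|tcp|udp|icmp> <src> <dst> [eq <port>] [<icmpv6-type>] [log]
# where <src>/<dst> is "any", "host X:X::X" or "X:X::X/len".

# The three entries IOS silently appends to every IPv6 access-list.
IMPLICIT_ENTRIES = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]
ICMPV6_TYPE_NAMES = {"nd-ns": 135, "nd-na": 136}  # neighbor solicitation / advertisement
PORT_NAMES = {"telnet": 23}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMPv6 type


@dataclass
class Entry:
    action: str
    proto: str
    src: Optional[ipaddress.IPv6Network]  # None means "any"
    dst: Optional[ipaddress.IPv6Network]
    dport: Optional[int]
    icmp_type: Optional[int]


def _take_prefix(tokens: list) -> Optional[ipaddress.IPv6Network]:
    """Consume one address specification from the front of tokens."""
    head = tokens.pop(0)
    if head == "any":
        return None
    if head == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(head, strict=False)


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _take_prefix(rest), _take_prefix(rest)
    dport = icmp_type = None
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            port = rest.pop(0)
            dport = PORT_NAMES.get(port) or int(port)
        elif tok in ICMPV6_TYPE_NAMES:
            icmp_type = ICMPV6_TYPE_NAMES[tok]
        elif tok.isdigit() and proto == "icmp":
            icmp_type = int(tok)
        elif tok == "log":
            pass  # logging does not change the match decision
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return Entry(action, proto, src, dst, dport, icmp_type)


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ipv6" and entry.proto != pkt.proto:
        return False
    if entry.src is not None and ipaddress.IPv6Address(pkt.src) not in entry.src:
        return False
    if entry.dst is not None and ipaddress.IPv6Address(pkt.dst) not in entry.dst:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl_lines, pkt: Packet):
    """Return (action, entry text) of the first matching entry: configured
    entries first, then the implicit ones, as IOS does."""
    for line in list(acl_lines) + IMPLICIT_ENTRIES:
        entry = parse_entry(line)
        if matches(entry, pkt):
            return entry.action, line
    raise AssertionError("unreachable: the implicit deny matches everything")


# Constructed sample data; the R1/R2 host addresses are assumed, the lesson gives only the /64.
R1_TRAFFIC = ["permit tcp host 2001:DB8:0:12::1 any eq telnet"]
R1_TRAFFIC_WITH_LOGGED_DENY = R1_TRAFFIC + ["deny ipv6 any any log"]
TELNET_FROM_R1 = Packet("tcp", "2001:db8:0:12::1", "2001:db8:0:12::2", dport=23)
PING_FROM_R1 = Packet("icmp", "2001:db8:0:12::1", "2001:db8:0:12::2", icmp_type=128)
# Neighbor solicitation from R1's link-local address to R2's solicited-node multicast group.
NS_FROM_R1 = Packet("icmp", "fe80::1", "ff02::1:ff00:2", icmp_type=135)

if __name__ == "__main__":
    for acl_name, acl in (("R1_TRAFFIC", R1_TRAFFIC), ("with deny log", R1_TRAFFIC_WITH_LOGGED_DENY)):
        for pkt_name, pkt in (("telnet", TELNET_FROM_R1), ("ping", PING_FROM_R1), ("nd-ns", NS_FROM_R1)):
            print(f"{acl_name:14} {pkt_name:7} -> {evaluate(acl, pkt)}")
```

With only the telnet entry configured, telnet from R1 is permitted, the neighbor solicitation is permitted by the implicit nd-ns entry, and the ping is dropped by the implicit deny. As soon as an explicit deny ipv6 any any log is added, the same neighbor solicitation is dropped by that line, which on a real router shows up as neighbor cache entries that never complete; if you want the logging, put explicit permit icmp any any nd-ns and nd-na entries before the deny.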
Hi @hussien.samer,
It’s working fine here:
This blocks telnet traffic and permits everything else:
I tested this on Cisco VIRL. You might also want to try it on some real hardware…could be an IOL quirk
Rene,
Having trouble understanding how an IPv6 ACL is used to permit & block EIGRP (88) Traffic…so I have two directly connected routers (IOSv) that have EIGRP Adjacency…when the following line is used:
EIGRP Control-Plane Traffic isn’t allowed but when I change it to:
Adjacency comes back up…it has me confused due to the fact that I understand the rule is working vice-versa, whereas deny = permit & permit = deny…have you seen this before?
Laz,
Sure…I think CoPP is my issue, doing a lab out of a Tshoot WB…I just need to understand why EIGRP Neighborship works when the deny is in place…attaching configs for both routers and the topology.
Hello Boris
The question as it is stated is not very clear. After doing a search, I found that the question you stated is used as a summary. The specific question that is being asked is:
The question is specifically asking you to show how you would distinguish an IPv6 header from an IPv4 header. The answers are: Tra