Link-local and ACLs

Gert Doering gert at
Tue Jul 25 09:07:54 CEST 2017


On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
> Why would you ever do it for normal traffic? 

I'm not sure that was a question asked in this thread :-)

> And why would ACLs be relevant for on-link traffic?

Interface ACLs are relevant for all packets leaving or entering an
interface, generally...

So, to stay with Tore's example, if you want to make NDP work on an IXP,
you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
up needing quite a number of lines to cover all cases

#sh access-lists ipv6 internet-ipv6-in | inc icmp
 20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
 30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
 40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
 50 permit icmpv6 any ff02::/64 135 0
 60 permit icmpv6 fe80::/64 fe80::/64 135 0
 70 permit icmpv6 any fe80::/64 135 0
 80 permit icmpv6 any fe80::/64 136 0
 90 permit icmpv6 any host ff02::1 136 0
 100 deny icmpv6 any any 135 log
 110 deny icmpv6 any any 136 log

(Example for DECIX which uses 2001:7f8::/64 on-link)

Gert Doering
        -- NetMaster
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279

More information about the ipv6-ops mailing list