Link-local and ACLs
Gert Doering
gert at space.net
Tue Jul 25 09:07:54 CEST 2017
Hi,
On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
> Why would you ever do it for normal traffic?
I'm not sure that was a question asked in this thread :-)
> And why would ACLs be relevant for on-link traffic?
Interface ACLs are relevant for all packets leaving or entering an
interface, generally...
So, to stay with Tore's example, if you want to make NDP work on an IXP,
you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
up needing quite a number of lines to cover all cases
#sh access-lists ipv6 internet-ipv6-in | inc icmp
20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
50 permit icmpv6 any ff02::/64 135 0
60 permit icmpv6 fe80::/64 fe80::/64 135 0
70 permit icmpv6 any fe80::/64 135 0
80 permit icmpv6 any fe80::/64 136 0
90 permit icmpv6 any host ff02::1 136 0
100 deny icmpv6 any any 135 log
110 deny icmpv6 any any 136 log
(Example for DECIX which uses 2001:7f8::/64 on-link)
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
More information about the ipv6-ops
mailing list