ACCESS-LIST

Unanswered Question
royalblues Sun, 12/23/2007 - 11:17

Ali,


Can you post your configuration?


Here is a sample example of how you would configure an IPv6 access-list and verify it:


R1

ipv6 unicast-routing

interface Serial2/0
 ipv6 address 2001::1/128 eui-64
 ! apply access-list
 ipv6 traffic-filter test in
 clock rate 64000

ipv6 route 2001::2/128 Serial2/0

! define access-list
ipv6 access-list test
 deny icmp any any
 sequence 20 permit ipv6 any any


R2

ipv6 unicast-routing

interface Serial2/0
 ipv6 address 2001::2/128 eui-64

ipv6 route 2001::1/128 Serial2/0


R2#ping ipv6 2001::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
R2#


R1#sh ipv6 access-list
IPv6 access list test
    deny icmp any any (5 matches) sequence 10 ----------> you see hits for the access-list
    permit ipv6 any any sequence 20
R1#



HTH

Narayan
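
An added example (not part of the original post and not Cisco code): a small Python model of first-match evaluation for the `test` access-list above, including the three implicit entries IOS appends to every IPv6 ACL. It shows why the counter reads 5 after the ping, and that `deny icmp any any` also matches neighbor solicitations before the implicit `permit icmp any any nd-ns` is reached. The packet dictionaries and the narrowed `echo-request` variant are constructed for illustration, and only `any any` entries are modelled.

```python
import re

# Implicit entries IOS appends to every IPv6 ACL (they carry no sequence number).
IMPLICIT = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]
ENTRY = re.compile(r"(?:sequence (\d+) )?(permit|deny) (ipv6|icmp|tcp|udp) any any(?: (\S+))?$")

def parse(lines):
    """Parse 'any any' entries only; unnumbered entries get last sequence + 10."""
    entries, last = [], 0
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unsupported entry: {line!r}")
        last = int(m.group(1)) if m.group(1) else last + 10
        entries.append({"seq": last, "action": m.group(2), "proto": m.group(3),
                        "icmp_type": m.group(4), "hits": 0})
    return sorted(entries, key=lambda e: e["seq"])

def build_acl(lines):
    implicit = parse(IMPLICIT)
    for e in implicit:
        e["seq"] = None  # implicit entries are not numbered
    return parse(lines) + implicit

def evaluate(acl, packet):
    """First match wins; the matching entry's hit counter is incremented."""
    for e in acl:
        proto_ok = e["proto"] in ("ipv6", packet["proto"])
        type_ok = e["icmp_type"] in (None, packet.get("icmp_type"))
        if proto_ok and type_ok:
            e["hits"] += 1
            return e["action"], e["seq"]
    raise RuntimeError("unreachable: implicit deny matches everything")

# Constructed sample packets (ICMPv6 types named with IOS keywords).
ECHO = {"proto": "icmp", "icmp_type": "echo-request"}
NS = {"proto": "icmp", "icmp_type": "nd-ns"}
TCP = {"proto": "tcp"}

def demo():
    page_acl = build_acl(["deny icmp any any", "sequence 20 permit ipv6 any any"])
    results = [evaluate(page_acl, ECHO) for _ in range(5)]  # the five pings
    results.append(evaluate(page_acl, NS))   # neighbor solicitation hits seq 10 too
    results.append(evaluate(page_acl, TCP))  # everything else falls to seq 20
    # Constructed variant: deny only echo-request so ND is not caught by the deny.
    narrow = build_acl(["deny icmp any any echo-request", "permit ipv6 any any"])
    return results, page_acl, evaluate(narrow, ECHO), evaluate(narrow, NS)

if __name__ == "__main__":
    for item in demo():
        print(item)
```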




royalblues Sun, 12/23/2007 - 23:48

Yes


An IPv6 access-list can be created and applied even when you have not enabled IPv6 routing.


HTH

Narayan

royalblues Mon, 12/24/2007 - 01:25

Can you post the config...


It will be easier to find the exact reason for not having the matches :-)


Narayan

royalblues Mon, 12/24/2007 - 01:48

You actually have multicast receiver access control enabled on the interface, which restricts hosts on this subnet to joining multicast groups, and this may be the reason for not seeing any hits.


http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_r/ipv6_06g.htm#wp2016579


I haven't worked much on this and hence am not sure whether the implicit deny rule at the end of the list would block other IPv6 traffic as well or just multicast.


A normal access-list uses the ipv6 traffic-filter command, as I had shown previously.


Narayan

