ACCESS-LIST

royalblues Sun, 12/23/2007 - 11:17

Ali,

Can you post your configuration?

Here is a sample example of how you would configure an IPv6 access-list and verify it:

R1

ipv6 unicast-routing

interface Serial2/0
 ipv6 address 2001::1/128 eui-64
 ipv6 traffic-filter test in <--- apply access-list
 clock rate 64000

ipv6 route 2001::2/128 Serial2/0

ipv6 access-list test
 deny icmp any any <---- define access-list
 sequence 20 permit ipv6 any any

R2

ipv6 unicast-routing

interface Serial2/0
 ipv6 address 2001::2/128 eui-64

ipv6 route 2001::1/128 Serial2/0

R2#ping ipv6 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
R2#

R1#sh ipv6 access-list
IPv6 access list test
    deny icmp any any (5 matches) sequence 10 ----------> you see hits for the access-list
    permit ipv6 any any sequence 20
R1#

HTH

Narayan
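
The verification step in the post above, reading hit counters from `sh ipv6 access-list`, as an added example that is not part of the original post: a small Python parser that extracts per-entry match counts and compares two snapshots, for instance before and after a test ping. The sample text is constructed from the output shown above, and the function names are this example's own.

```python
import re

# Constructed sample, modelled on the "sh ipv6 access-list" output in the post above.
SAMPLE = """\
R1#sh ipv6 access-list
IPv6 access list test
    deny icmp any any (5 matches) sequence 10
    permit ipv6 any any sequence 20
R1#
"""

HEADER = re.compile(r"^IPv6 access list (\S+)")
# action, rule text, optional "(N matches)" counter, sequence number
ENTRY = re.compile(
    r"^(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s+sequence\s+(\d+)$"
)

def parse_acl_output(text):
    """Return {acl_name: [entry, ...]}, entries sorted by sequence number."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            action, rule, hits, seq = m.groups()
            # No counter is printed for an entry without hits (sequence 20 in the sample).
            current.append({"seq": int(seq), "action": action,
                            "rule": rule, "matches": int(hits or 0)})
    for entries in acls.values():
        entries.sort(key=lambda e: e["seq"])
    return acls

def unmatched_entries(acls):
    """(acl, seq) pairs for entries whose counter is still zero."""
    return [(name, e["seq"]) for name, es in acls.items()
            for e in es if e["matches"] == 0]

def hit_delta(before, after):
    """Counter increase per (acl, seq) between two parsed snapshots."""
    old = {(n, e["seq"]): e["matches"] for n, es in before.items() for e in es}
    return {(n, e["seq"]): e["matches"] - old.get((n, e["seq"]), 0)
            for n, es in after.items() for e in es}

if __name__ == "__main__":
    print(parse_acl_output(SAMPLE), unmatched_entries(parse_acl_output(SAMPLE)))
```

If every entry stays at a delta of zero after test traffic, the list is not being evaluated for that traffic, which is the situation discussed later in this thread.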

royalblues Sun, 12/23/2007 - 23:48

Yes

An IPv6 access-list can be created and applied even when you have not enabled IPv6 routing.

HTH

Narayan

royalblues Mon, 12/24/2007 - 01:25

Can you post the config...

It will be easier to find the exact reason for not having the matches :-)

Narayan

royalblues Mon, 12/24/2007 - 01:48

You actually have multicast receiver access control enabled on the interface, which restricts hosts on this subnet to joining multicast groups, and this may be the reason for not seeing any hits.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_r/ipv6_06g.htm#wp2016579

I haven't worked much on this and hence am not sure whether the implicit deny rule at the end of the list would block other IPv6 traffic as well or just multicast.

A normal access-list uses the ipv6 traffic-filter command, as I had shown previously.

Narayan
