
ACCESS-LIST

alsayed
Level 1

HELLO

HOW CAN I VERIFY WHETHER AN IPV6 ACCESS-LIST WORKS OR NOT? I HAVE NOT SEEN ANY MATCHES WHEN I ISSUE SH ACCESS-LIST

10XS


royalblues
Level 10

Ali,

Can you post your configuration?

Here is a sample example of how you would configure an IPv6 access-list and verify

R1

ipv6 unicast-routing
interface Serial2/0
 ipv6 address 2001::1/128 eui-64
 ipv6 traffic-filter test in <--- apply access-list
 clock rate 64000
ipv6 route 2001::2/128 Serial2/0
ipv6 access-list test
 deny icmp any any <---- define access-list
 sequence 20 permit ipv6 any any

R2

IPv6 unicast-routing
interface Serial2/0
 ipv6 address 2001::2/128 eui-64
ipv6 route 2001::1/128 Serial2/0

R2#ping ipv6 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
R2#

R1#sh ipv6 access-list
IPv6 access list test
    deny icmp any any (5 matches) sequence 10 ----------> you see hits for the access-list
    permit ipv6 any any sequence 20
R1#

HTH

Narayan

Hello, I didn't see any matches. Mmm, maybe because I have IPv6 turned off?

10xs

Yes

IPv6 access-list can be created and applied even when you have not enabled ipv6 routing

HTH

Narayan

Hello Narayan; thanks for your reply, but I do not see any matches.

Thanks

Can you post the config...

It will be easier to find the exact reason for not having the matches :-)

Narayan

HELLO

IPv6 access list IPV6-IPV6
    deny ipv6 any host FF04::10 sequence 10
    deny ipv6 any host FF02::16 sequence 20
    deny ipv6 any host FF02::1 sequence 30
    deny ipv6 any host FF02::3 sequence 40

INT VLAN X
 ipv6 mld access-group IPV6-IPV6

10XS

You actually have multicast receiver access control enabled on the interface, which restricts hosts on this subnet to joining multicast groups, and this may be the reason for not seeing any hits.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_r/ipv6_06g.htm#wp2016579

I haven't worked much on this and hence am not sure whether the implicit deny rule at the end of the list would block other IPv6 traffic as well or just multicast.

A normal access-list uses the ipv6 traffic-filter command, as I had shown previously.

Narayan
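
The check discussed in the replies above (is the ACL applied with ipv6 traffic-filter or with ipv6 mld access-group, and does sh ipv6 access-list show hits) can be scripted over saved router output. This is an added example, not part of the original thread; the function names, the sample text and the interface name Vlan10 are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the config and output quoted in this thread.
SAMPLE_CONFIG = """\
interface Serial2/0
 ipv6 traffic-filter test in
interface Vlan10
 ipv6 mld access-group IPV6-IPV6
"""
SAMPLE_SHOW = """\
IPv6 access list test
    deny icmp any any (5 matches) sequence 10
    permit ipv6 any any sequence 20
IPv6 access list IPV6-IPV6
    deny ipv6 any host FF04::10 sequence 10
"""

def acl_bindings(config):
    """ACL name -> [(interface, binding command)] from running-config text."""
    bindings, iface = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line, re.I):
            iface = m.group(1)
        elif m := re.match(r"\s*ipv6 (traffic-filter|mld access-group)\s+(\S+)", line, re.I):
            bindings.setdefault(m.group(2), []).append((iface, m.group(1).lower()))
    return bindings

def acl_hits(show_output):
    """ACL name -> [(sequence, rule, matches)] from 'show ipv6 access-list' text."""
    hits, name = {}, None
    entry = re.compile(r"\s+(.*?)(?: \((\d+) match(?:es)?\))? sequence (\d+)\s*$")
    for line in show_output.splitlines():
        if m := re.match(r"IPv6 access list (\S+)", line):
            name = m.group(1)
            hits[name] = []
        elif name and (m := entry.match(line)):
            hits[name].append((int(m.group(3)), m.group(1), int(m.group(2) or 0)))
    return hits

def report(config, show_output):
    """ACL name -> (total matches, how the ACL is applied)."""
    bindings, result = acl_bindings(config), {}
    for name, entries in acl_hits(show_output).items():
        cmds = sorted({cmd for _, cmd in bindings.get(name, [])})
        applied = ", ".join(cmds) if cmds else "not applied to any interface"
        result[name] = (sum(n for _, _, n in entries), applied)
    return result

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG, SAMPLE_SHOW))
```

An ACL that reports zero matches and is applied only via mld access-group, or not applied at all, is the case to look at first when counters stay empty.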

Hello, my goal is to stop this flood: check the screenshot.

Sorry, here is the file.

If you do not need to run IPv6, you can go ahead and disable the protocol on the machines.

On the cmd prompt, ipv6 uninstall will do the trick.

Narayan

10xs
