12-23-2007 07:27 AM - edited 03-05-2019 08:08 PM
Hello,
How can I verify whether an IPv6 access-list works or not? I have not seen any matches when I issue sh access-list.
10xs
12-23-2007 11:17 AM
Ali,
Can you post your configuration?
Here is a sample of how you would configure an IPv6 access-list and verify it:
R1

ipv6 unicast-routing
interface Serial2/0
 ipv6 address 2001::1/128 eui-64
 ipv6 traffic-filter test in   <--- apply access-list
 clock rate 64000
ipv6 route 2001::2/128 Serial2/0
ipv6 access-list test
 deny icmp any any   <---- define access-list
 sequence 20 permit ipv6 any any

R2

ipv6 unicast-routing
interface Serial2/0
 ipv6 address 2001::2/128 eui-64
ipv6 route 2001::1/128 Serial2/0

R2#ping ipv6 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
R2#

R1#sh ipv6 access-list
IPv6 access list test
    deny icmp any any (5 matches) sequence 10   ----------> you see hits for the access-list
    permit ipv6 any any sequence 20
R1#
HTH
Narayan
12-23-2007 11:44 AM
Hello, I didn't see any matches. Mmm, maybe because I have IPv6 turned off?
10xs
12-23-2007 11:48 PM
Yes.
An IPv6 access-list can be created and applied even when you have not enabled IPv6 routing.
HTH
Narayan
12-24-2007 01:06 AM
Hello Narayan, thanks for your reply, but I do not see any matches.
Thanks
12-24-2007 01:25 AM
Can you post the config...
It will be easier to find the exact reason for not having the matches :-)
Narayan
12-24-2007 01:35 AM
Hello,

IPv6 access list IPV6-IPV6
    deny ipv6 any host FF04::10 sequence 10
    deny ipv6 any host FF02::16 sequence 20
    deny ipv6 any host FF02::1 sequence 30
    deny ipv6 any host FF02::3 sequence 40

INT VLAN X
 ipv6 mld access-group IPV6-IPV6

10xs
12-24-2007 01:48 AM
You actually have multicast receiver access control enabled on the interface, which restricts hosts on this subnet to joining multicast groups, and this may be the reason for not seeing any hits.
I haven't worked much on this and hence am not sure whether the implicit deny rule at the end of the list would block other IPv6 traffic as well or just multicast.
A normal access-list uses the ipv6 traffic-filter command, as I had shown previously.
Narayan
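An added example, not part of Narayan's reply or of the original poster's configuration: the list from the thread applied as a packet filter with ipv6 traffic-filter instead of ipv6 mld access-group, so that its entries are evaluated against packets arriving on the interface. The ACL name IPV6-FILTER is hypothetical, Vlan X is the poster's own placeholder, and support for ipv6 traffic-filter on a VLAN interface is assumed for the platform.

```cisco
! Added example. IPV6-FILTER is a hypothetical name; "Vlan X" is the
! placeholder used in the thread and must be replaced with the real interface.
!
! Every IOS IPv6 ACL ends with three implicit entries:
!   permit icmp any any nd-na
!   permit icmp any any nd-ns
!   deny ipv6 any any
! Without the explicit permit on the last line, all other IPv6 traffic
! entering the interface would be dropped along with the listed groups.
ipv6 access-list IPV6-FILTER
 deny ipv6 any host FF04::10
 deny ipv6 any host FF02::16
 deny ipv6 any host FF02::1
 deny ipv6 any host FF02::3
 permit ipv6 any any
!
interface Vlan X
 ! Before (from the thread): receiver access control, checked against
 ! MLD group membership only.
 no ipv6 mld access-group IPV6-IPV6
 ! After: the list is checked against each inbound IPv6 packet.
 ipv6 traffic-filter IPV6-FILTER in
!
! Verification from exec mode:
!   clear ipv6 access-list IPV6-FILTER   (reset the match counters)
!   show ipv6 access-list IPV6-FILTER    (look for "(n matches)" per entry)
```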
12-24-2007 02:15 AM
Hello, my goal is to stop this flood: check the screenshot.
12-24-2007 03:36 AM
If you do not need to run IPv6, you can go ahead and disable the protocol on the machines.
On the cmd prompt, ipv6 uninstall will do the trick.
Narayan
12-24-2007 03:54 AM
10xs