02-22-2010 02:43 PM - edited 03-04-2019 07:35 AM
Hi,
We have a new policy to block IPv6 routing header extension type 0, 1 and 3-255. This is what I have come up with:
ipv6 access-list inbound
deny ipv6 any any routing-type 0 log
deny ipv6 any any routing-type 1 log
However, I don't want to type every single ACL entry from 3 to 255. From the CLI, I don't see a way to do 3 - 255. Does anyone know?
So it would look like this:
ipv6 access-list inbound
deny ipv6 any any routing-type 0 log
deny ipv6 any any routing-type 1 log
deny ipv6 any any routing-type 3-255 log
Thanks.
02-22-2010 03:18 PM
You only want to permit routing-type 2? You can do the following:
ipv6 access-list inbound
permit ipv6 any any routing-type 2 log
The ipv6 ACL will have an implicit deny ipv6 any any at the end.
Regards,
jerry
02-23-2010 09:57 AM
Thanks Jerry. But I would still like to know of some kind of "range" command within an IPv6 ACL. Does anyone else know?
02-23-2010 10:07 AM
Hello Kevin,
The current command reference does not provide a range option for routing-type; a specific value is expected.
See
http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_10.html#wp2268514
This is also because only the first values have been defined for real use:
integer in the range from 0 to 255 representing an IPv6 routing header type. Possible routing header types and their corresponding routing-number value are as follows:
•0—Standard IPv6 routing header
•2—Mobile IPv6 routing header
By the way, Jerry's solution should work well and shows how to deal with this limitation.
If you want to add a third line to use the log option, you could use an explicit deny without any routing-type option.
Permitted routing type values are matched by previous lines.
Edit:
In a previous line you can permit routing-type 2 (I see it is the only one you are interested in permitting).
A second line can deny all the rest with the log option.
Hope to help
Giuseppe
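To check captured packets against the policy discussed in this thread (drop routing header types 0, 1 and 3-255, pass type 2 and packets with no routing header), the Python code below walks the IPv6 extension-header chain and reports each Routing Type it finds. It is an added example, not code from any poster or from Cisco; the function names and the sample packets are constructed for illustration, and the walk stops at the first header that is not Hop-by-Hop, Routing, Fragment or Destination Options.

```python
import struct

# Extension headers that share the (Next Header, Hdr Ext Len) layout of RFC 8200.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ALLOWED_ROUTING_TYPES = {2}  # the thread's policy: only type 2 (Mobile IPv6) may pass

def routing_types(packet: bytes) -> list:
    """Walk the extension-header chain and return every Routing Type found."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment headers are a fixed 8 bytes; the others carry their length.
        length = 8 if next_header == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING:
            found.append(packet[offset + 2])  # Routing Type is the third byte
        if next_header == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            break  # non-first fragment: what follows is payload, not headers
        next_header, offset = packet[offset], offset + length
    return found

def verdict(packet: bytes) -> str:
    """'deny' if any routing header has a type outside the allowed set."""
    return "deny" if set(routing_types(packet)) - ALLOWED_ROUTING_TYPES else "permit"

def routing_header(rtype: int) -> bytes:
    """Constructed header body (after Next Header): one 16-byte address slot."""
    return bytes([2, rtype, 1]) + bytes(4) + bytes(16)

def sample_packet(ext_headers, upper=59) -> bytes:
    """Constructed test packet from (protocol, body) pairs; 59 = No Next Header."""
    protos = [p for p, _ in ext_headers] + [upper]
    payload = b"".join(bytes([protos[i + 1]]) + body
                       for i, (_, body) in enumerate(ext_headers))
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), protos[0], 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload

PAD8 = bytes([0, 1, 4, 0, 0, 0, 0])  # options header body holding one PadN option

if __name__ == "__main__":
    for name, chain in [("no routing header", []),
                        ("type 2", [(ROUTING, routing_header(2))]),
                        ("hop-by-hop then type 0", [(HOP_BY_HOP, PAD8), (ROUTING, routing_header(0))]),
                        ("dest-opts then type 200", [(DEST_OPTS, PAD8), (ROUTING, routing_header(200))])]:
        print(f"{name:26} -> {verdict(sample_packet(chain))}")
```

The routing header can sit behind other extension headers, which is why the check follows the whole chain instead of looking only at the Next Header field of the fixed IPv6 header.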