IOS Inspect IPv6 router-generated traffic

I'm trying to configure IPv6 packet inspection on a 2911 router (IOS 15.1(2)T5) but I'm unable to inspect router-generated traffic. There isn't an option "ipv6 inspect name xxxx udp router-traffic" as in IPv4. Thus I'm unable to ping from the router to a remote host.

I could solve the ping problem by simply adding a "permit icmp any any echo-reply" on my ACL, but I'm still unable to access TCP or UDP-based services (DNS, HTTP...).

Does anyone know if it is possible to enable IPv6 router-generated traffic, or is there any other solution for this problem? If so, how can I do that?

Partial configuration:

ipv6 unicast-routing

ipv6 inspect name SPI_DIALER1_OUT tcp
ipv6 inspect name SPI_DIALER1_OUT udp
ipv6 inspect name SPI_DIALER1_OUT icmp
ipv6 inspect name SPI_DIALER1_OUT ftp
interface Dialer1
 ipv6 inspect SPI_DIALER1_OUT out
 ipv6 traffic-filter acl6_dialer1_in in
ipv6 access-list acl6_dialer1_in
 sequence 10 permit icmp any any nd-ns
 sequence 20 permit icmp any any nd-na
 sequence 30 permit icmp any any router-advertisement
 sequence 40 permit icmp any any echo-reply
 deny ipv6 any any log

Accepted Solutions
The old Cisco IOS "inspect" system has effectively been deprecated. You should be using zone-based firewalling now.

Here is the guide for IPv6 zone based firewall support.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zbf-ipv6.html

If you want to get up to speed more quickly for IPv4 zone-based firewall, try using my Config Wizard and copying the bits you need.

http://www.ifm.net.nz/cookbooks/890-isr-wizard.html
