IPv6 design, deployment, standards, and best practices.
ristau5741
Post Whore
Posts:
10618
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Neighbor Discovery

Fri Sep 27, 2013 1:16 pm

Learned this today, thought I'd share...

Cisco IPv6 ACLs have implicit allow statements for Neighbor Discovery that do not show up in the configuration. If you need deny statements that match link-local address space or the global address configured on the interface, you should place these commands prior to them:
permit icmp any any nd-na
permit icmp any any nd-ns

By adding these lines at the top you should be able to safely re-insert the FE80::/10 deny later in the ACL.
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store
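
The ordering problem from the post above, as an added example that is not part of the original thread or Cisco's tooling: a small Python check that flags deny entries able to match Neighbor Discovery before an explicit nd-na / nd-ns permit covers it. The ACL name EXAMPLE-IN and both sample ACLs are constructed, and the parser assumes only `any`, `host X` and prefix address fields on `ipv6` and `icmp` entries, covering the link-local case only.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ND_TYPES = {"nd-na", "nd-ns"}

def _take_addr(tokens):
    """Pop one ACL address field (any | host X | X/len) off the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("::/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/128")
    return ipaddress.ip_network(tok, strict=False)

def audit_acl(config):
    """Return [(ace, [ND types at risk])] for denies that precede the ND permits."""
    permitted, findings = set(), []
    for line in config.splitlines():
        tokens = line.split()
        if (len(tokens) < 4 or tokens[0] not in ("permit", "deny")
                or tokens[1] not in ("ipv6", "icmp")):
            continue  # header lines, remarks, other protocols
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _take_addr(rest), _take_addr(rest)
        rest = [t for t in rest if not t.startswith("log")]
        # No ICMP type on the entry means it matches both ND message types.
        matched = ND_TYPES & set(rest) if (proto == "icmp" and rest) else set(ND_TYPES)
        if action == "permit":
            # Only "any any" permits are counted as covering ND (conservative).
            if src.prefixlen == 0 and dst.prefixlen == 0:
                permitted |= matched
        elif src.overlaps(LINK_LOCAL) or dst.overlaps(LINK_LOCAL):
            at_risk = sorted(matched - permitted)
            if at_risk:
                findings.append((line.strip(), at_risk))
    return findings

# Constructed sample ACLs (hypothetical name EXAMPLE-IN).
BROKEN = """ipv6 access-list EXAMPLE-IN
 deny ipv6 FE80::/10 any
 permit ipv6 any any"""
FIXED = """ipv6 access-list EXAMPLE-IN
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 FE80::/10 any
 permit ipv6 any any"""

if __name__ == "__main__":
    print(audit_acl(BROKEN), audit_acl(FIXED))
```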

that1guy15
Post Whore
Posts:
3224
Joined:
Thu Apr 29, 2010 6:12 pm
Certs:
CCNP, CCDP, CCIP

Re: Neighbor Discovery

Fri Sep 27, 2013 1:29 pm

Makes sense but that's evil to not have them show up :|
http://blog.movingonesandzeros.net/

Reggle
Post Whore
Posts:
1956
Joined:
Sun May 15, 2011 4:16 pm
Certs:
CCNA Security, CCNP, CCDP

Re: Neighbor Discovery

Sat Sep 28, 2013 8:24 am

So people kept messing up and this should make it easier? Not sure, I'd rather have them show up.
http://reggle.wordpress.com

eaadams
Post Whore
Posts:
2619
Joined:
Fri Mar 11, 2005 10:26 pm

Re: Neighbor Discovery

Sun Sep 29, 2013 12:05 am

Yeah, I was setting up to teach IPv6 ACLs recently and ... whoa!

The new IOS's make it all too easy, they now won't accept, and will give an error message, if you add an ACE to an ACL that already has a previous ACE with a wider address scope than the new one that you are adding. Where's the troubleshooting fun in that?
:-(

Aubrey
The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. Alvin Toffler, "Future Shock" 1970

