Internet Interface ACL - LLA ND-NA and ND-NS

02-08-2014 10:48 AM - edited 03-01-2019 05:43 PM
I'm studying IPv6 security (the IPv6 security book from Cisco by Scott Hogg and Eric Vyncke) and at the moment I'm trying to build an ACL to apply on an interface that is connected to an ISP.
In their recommendations they say that we need to allow ICMP nd-na and nd-ns to any from link-local addresses:
permit icmp fe80::/10 any nd-ns
permit icmp fe80::/10 any nd-na
I can't see this permit as mandatory, and in a laboratory I made an ACL blocking it. It is a simple lab, but I didn't see problems after blocking it.
I'm not using the LLA as the BGP neighbor address.
Does anyone know something about permitting or denying LLA ICMP on production networks?
Thanks.
Labels: IPv6 Configuration
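As an added illustration (not from the original post) of where the two recommended entries sit in a Cisco IOS IPv6 ACL on an ISP-facing interface: the ACL name, interface and description are placeholders. The relevant caveat is that IOS IPv6 ACLs end with implicit permit entries for nd-na and nd-ns ahead of the implicit deny, so a list that merely omits the explicit permits still passes Neighbor Discovery; an explicit final deny ipv6 any any sits before those implicit entries and does block it, which is why the book adds the permits explicitly.

```cisco
! Placeholder ACL name; adjust to local naming convention
ipv6 access-list INTERNET-IN
 remark Neighbor Discovery from link-local sources: keeps the neighbor
 remark cache for the ISP next hop populated after a reboot or cache timeout
 permit icmp fe80::/10 any nd-ns
 permit icmp fe80::/10 any nd-na
 remark (other entries for this link, e.g. BGP to the peer's global
 remark  address and the ICMPv6 types you need, go here)
 remark Explicit final deny; this takes precedence over the implicit
 remark nd-na/nd-ns permits, so the two entries above must stay
 deny ipv6 any any log
!
! Placeholder interface; apply the list inbound on the ISP-facing port
interface GigabitEthernet0/0
 description Link to ISP (placeholder)
 ipv6 traffic-filter INTERNET-IN in
```

With the list applied, a clear-and-reboot test with a sniffer on the link should show the NS/NA exchange for the ISP next hop completing; hits on the logged deny line are the quickest indicator that something the link needs has been filtered.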
02-10-2014 01:49 AM
Save the configs on your lab boxes, reboot them both and see what happens, preferably with a sniffer on the wire between the two boxes :-)
P.S. Unless you statically hardcoded the neighbor entries, of course.
