Internet Interface ACL - LLA ND-NA and ND-NS

imfvieira · ‎02-08-2014

I´m studying about IPv6 security (IPv6 security book from Cisco- Scott Hogg and Eric Vyncke) and at this momment I´m trying to build an ACL to apply on a interface that is connected to a ISP.

At recomendations they say that we need to allow icmp nd-na and nd-ns to any from link local address:

permit icmp fe80::/10 any nd-ns

permit icmp fe80::/10 any nd-na

I can´t see this permit as mandatory and in a laboratory I made a ACL blocking it. It is a simple LAB, but I didn´t see problems after blocked it.

I´m not using LLA as BGP neighbor address.

Does anyone know something about permit or deny LLA icmp on production networks?

Thanks.

Andrew Yourtchenko · ‎02-10-2014

Save the configs on your lab boxes, reboot them both and see what happens, preferrably with a sniffer on the wire between the two boxes :-)

p.s. unless you statically hardcoded the neighbor entries of course.

Internet Interface ACL - LLA ND-NA and ND-NS

ASA5500-X: Internet Firewall 設定例 (冗長構成)

Re: Access Control Lists (ACL) Explained

Configuring Interface ACLs for VPNs

Interface 監視用 OID について

WLC 9800 ACL only internet