Internet Interface ACL - LLA ND-NA and ND-NS

imfvieira
Level 1

I'm studying IPv6 security (the IPv6 Security book from Cisco, by Scott Hogg and Eric Vyncke) and at the moment I'm trying to build an ACL to apply on an interface that is connected to an ISP.

In the recommendations they say that we need to allow ICMP nd-na and nd-ns to any from link-local addresses:

permit icmp fe80::/10 any nd-ns

permit icmp fe80::/10 any nd-na

I can't see this permit as mandatory, and in a lab I made an ACL blocking it. It is a simple lab, but I didn't see problems after blocking it.

I'm not using the LLA as the BGP neighbor address.

Does anyone know something about permitting or denying LLA ICMP on production networks?

Thanks.

Andrew Yourtchenko
Cisco Employee

Save the configs on your lab boxes, reboot them both and see what happens, preferably with a sniffer on the wire between the two boxes :-)

p.s. unless you statically hardcoded the neighbor entries of course.
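As an added example (not code from the thread, the book or Cisco), a small Python first-match evaluator for IOS-style IPv6 ACL lines that shows whether a Neighbor Solicitation from a link-local source, the first packet you would see once a reboot empties the neighbor cache, gets through. It models the implicit `permit icmp any any nd-na` / `nd-ns` tail that IOS appends to IPv6 ACLs and the documented behaviour that an explicit `deny ipv6 any any` suppresses that tail; the sample packet and the `ACL_EXPLICIT_DENY` list are constructed.

```python
import ipaddress

# ICMPv6 type numbers behind the IOS ACL keywords used in the thread (RFC 4861).
ICMP_KEYWORDS = {"nd-ns": 135, "nd-na": 136}

# Implicit tail IOS appends to every IPv6 ACL; it is suppressed when the
# configured ACL already ends with an explicit 'deny ipv6 any any'.
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns",
                 "deny ipv6 any any"]

def _net(token):
    """'any' matches everything; anything else is an IPv6 prefix."""
    return None if token == "any" else ipaddress.IPv6Network(token, strict=False)

def parse_rule(line):
    """Parse a simplified rule: <permit|deny> <proto> <src> <dst> [icmp-keyword]."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    icmp_type = ICMP_KEYWORDS[parts[4]] if len(parts) > 4 else None
    return {"action": action, "proto": proto, "src": _net(src),
            "dst": _net(dst), "icmp_type": icmp_type}

def matches(rule, pkt):
    """True if the packet falls under the rule ('ipv6' covers every protocol)."""
    if rule["proto"] not in ("ipv6", pkt["proto"]):
        return False
    if rule["src"] is not None and pkt["src"] not in rule["src"]:
        return False
    if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
        return False
    return rule["icmp_type"] in (None, pkt.get("icmp_type"))

def evaluate(acl_lines, pkt):
    """First-match evaluation; returns (action, text of the matching rule)."""
    lines = list(acl_lines)
    explicit_deny = bool(lines) and lines[-1].split() == ["deny", "ipv6", "any", "any"]
    for text in (lines if explicit_deny else lines + IMPLICIT_TAIL):
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["action"], text
    return "deny", "(no match)"

# Constructed sample: a Neighbor Solicitation from a peer's link-local address to a
# solicited-node multicast group, the first thing seen once a reboot empties the ND cache.
NS_FROM_LLA = {"proto": "icmp", "src": ipaddress.IPv6Address("fe80::1"),
               "dst": ipaddress.IPv6Address("ff02::1:ff00:1"), "icmp_type": 135}

ACL_FROM_THREAD = ["permit icmp fe80::/10 any nd-ns", "permit icmp fe80::/10 any nd-na"]
ACL_EXPLICIT_DENY = ["permit tcp 2001:db8::/32 any", "deny ipv6 any any"]  # constructed
```

Running `evaluate(ACL_EXPLICIT_DENY, NS_FROM_LLA)` returns a deny, which is the case where a lab that "blocked ND" keeps working only as long as the neighbor cache is already populated.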
