

IPv6 ACL implicit rules



I was thinking about the three implicit rules that are added to all IPv6 ACLs. I understand their intention is to enable Neighbor Advertisement/Solicitation; however, I was thinking about the impact of these rules on the device (outside of allowing NDP to function).


For example,

1) I have set up a lab where I have tested writing a simple QoS classifier for IPv6. To my surprise, it did not match against NDP NA/NS traffic unless I added the implicit permit rules explicitly to the ACL. Hence, the IPv6 ACL for QoS behaves like an IPv4 ACL, with the only implicit rule being "deny ipv6 any any".


2) I have set up a lab where I have been able to use the implicit "permit icmp any any nd-na" rule to forward Neighbor Advertisements from one subnet to another (using global unicast addresses instead of link-local). This also included adding custom options, with payloads, to the end of the NA, so it's theoretically possible this could allow someone to create a tunnel through a router that uses the implicit rules. However, this is not as surprising as it might sound. It's the expected behaviour from, where it states that rules need to be configured on routers/firewalls to prevent non-link-local NA/NS being forwarded.


Does anyone know if Cisco has produced a document/some form of guidance that details the impact of these rules?
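As an added illustration of point 2 above (this is not code from the original post, and not anything Cisco publishes): a small Python script that builds an unsolicited Neighbor Advertisement carrying an extra ND option with an arbitrary payload, then inspects a raw NA for the properties a "permit icmp any any nd-na" entry never looks at: hop limit, source scope, and option types. Assumptions: the payload rides in the RFC 4727 experimental option type 253, the addresses and link-layer address are made up, and the finding tags returned by inspect_na are my own naming.

```python
"""Build and inspect ICMPv6 Neighbor Advertisements (constructed packets, no network I/O)."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ND_NEIGHBOR_ADVERT = 136
ND_OPT_TARGET_LLADDR = 2          # RFC 4861 section 4.6.1
ND_OPT_EXPERIMENTAL = 253         # RFC 4727 experimental type; assumed here as the payload carrier
NA_FLAG_OVERRIDE = 0x20000000     # R=0x80000000, S=0x40000000, O=0x20000000
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
KNOWN_NA_OPTIONS = {ND_OPT_TARGET_LLADDR}


def icmpv6_checksum(src, dst, icmp):
    """RFC 8200 upper-layer checksum: pseudo-header (src, dst, length, next header) + ICMPv6 body."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6_NEXT_HEADER)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nd_option(opt_type, body):
    """Encode an ND TLV option; length is in 8-octet units and covers the type and length bytes."""
    raw = bytes([opt_type, 0]) + body
    raw += b"\x00" * ((-len(raw)) % 8)
    return bytes([opt_type, len(raw) // 8]) + raw[2:]


def build_na(src, dst, target, lladdr=b"\x00\x11\x22\x33\x44\xaa", hop_limit=255, extra_options=()):
    """Return a raw IPv6+ICMPv6 unsolicited NA. extra_options is a list of (type, body) TLVs appended
    after the Target Link-Layer Address option; that is where a payload can ride inside an NA."""
    src, dst, target = (ipaddress.IPv6Address(a) for a in (src, dst, target))
    icmp = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, NA_FLAG_OVERRIDE) + target.packed
    icmp += nd_option(ND_OPT_TARGET_LLADDR, lladdr)
    for opt_type, body in extra_options:
        icmp += nd_option(opt_type, body)
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, hop_limit)
    return ip6 + src.packed + dst.packed + icmp


def parse_na(packet):
    """Decode the fixed IPv6 header, the NA header and every option TLV (unknown types kept raw)."""
    _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:40 + payload_len]
    msg_type, code, csum, flags = struct.unpack("!BBHI", icmp[:8])
    target = ipaddress.IPv6Address(icmp[8:24])
    options, pos = [], 24
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:          # RFC 4861: a zero-length option means discard the packet
            raise ValueError("zero-length ND option")
        options.append((opt_type, icmp[pos + 2:pos + opt_len * 8]))
        pos += opt_len * 8
    checksum_ok = icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) == csum
    return {"src": src, "dst": dst, "hop_limit": hop_limit, "next_header": next_header,
            "type": msg_type, "code": code, "flags": flags, "target": target,
            "options": options, "checksum_ok": checksum_ok}


def inspect_na(packet):
    """Return finding tags for an NA; an empty list means it looks like an ordinary on-link NA."""
    na = parse_na(packet)
    findings = []
    if na["next_header"] != ICMPV6_NEXT_HEADER or na["type"] != ND_NEIGHBOR_ADVERT:
        findings.append("not-an-na")
    if not na["checksum_ok"]:
        findings.append("bad-checksum")
    if na["hop_limit"] != 255:
        # RFC 4861 7.1.2: hosts silently discard NAs whose hop limit is not 255, which is exactly
        # what a router-forwarded (decremented) NA looks like on arrival.
        findings.append("hop-limit-not-255")
    if na["src"] not in LINK_LOCAL:
        # A global unicast source is legal on-link, but it is the only kind a router can forward,
        # so it is the thing to look for on a transit interface.
        findings.append("non-link-local-source")
    for opt_type, _ in na["options"]:
        if opt_type not in KNOWN_NA_OPTIONS:
            findings.append("unknown-option-%d" % opt_type)
    return findings


if __name__ == "__main__":
    benign = build_na("fe80::1", "ff02::1", "fe80::1")
    forwarded = build_na("2001:db8:1::10", "2001:db8:2::20", "2001:db8:1::10",
                         hop_limit=254, extra_options=[(ND_OPT_EXPERIMENTAL, b"tunnelled data")])
    print("benign   :", inspect_na(benign))
    print("forwarded:", inspect_na(forwarded))
```

The point of the checker is that an ACL entry keyed only on message type cannot tell the two packets apart; hop limit, source scope and option contents are what distinguish a forwarded NA with a payload from a normal one, and a host that follows RFC 4861 drops the forwarded copy on the hop-limit check alone.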
