2835 Views | 5 Helpful | 3 Replies

IPv6 ACL oddity

brianhill88
Level 1

Hello,

We are testing in our IPv6 lab and ran across an issue with deny any any added to the bottom of an IPv6 access-list.  Even though deny any any is implicit at the bottom of an ACL, we usually include it at the bottom anyway.  When we did this with an IPv6 ACL it converted the "deny any any" line to "deny ipv6 any any", and even though there were allows before the deny, the ACL blocks all traffic.  If I remove the explicit deny ipv6 any any from the bottom, the ACL works correctly (verified by "debug ipv6 packet detail").   Is this normal or is this a bug in the IOS?

This is on a 3845 router running IOS 15.1 3(T).

3 Replies

Marcin Latosiewicz
Cisco Employee

Brian,

I don't have a box to test right now, but if you double-checked the behavior I would say open up a TAC case and let the guys investigate.

Behavior for IPv4 and IPv6 should be the same: top-to-bottom processing until the first match, with the not-interesting traffic at the very end.

If adding a deny any any at the end of an IPv6 ACL is causing some sort of corruption, there might be a problem with interaction with other features.

Marcin

So I opened a TAC case and this was their response:

"It is expected behavior because every ipv6 acl contains the following implicit rules to allow neighbor discovery (the equivalent is not required by ipv4 acls, since ARP is not blocked by an ip acl):

  permit icmp any any nd-ns

  permit icmp any any nd-na

  deny ipv6 any any

This is by design. The implicit rules must be present for neighbor discovery to function; it was deemed the best approach, rather than having to specify the rules in each acl. There was a great deal of confusion before the implicit rules were added.

The implicit permit rules can be overruled by a user specifying an earlier acl entry, e.g. adding 'deny ipv6 any any' in the acl means nothing would ever match the implicit rules. However, this will in turn disable certain implicit permits, which will block neighbor discovery packets, which means no ARP in IPv4 terms.

Please don't use an explicit deny ipv6 any any, or configure explicit permits for ND packets."

Interesting that the permit for ND is implicit as well.
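To make the TAC explanation concrete, here is a small first-match simulator for the ordering effect described above. This is an added example, not code from the thread or from Cisco: the ACE and packet models are constructed for illustration, the implicit tail is taken from the TAC response, and IOS details such as sequence numbers, source/destination matching and port matching are deliberately ignored. The helper `blocked_nd` is the check a practitioner would want before pushing an ACL: it reports which neighbor-discovery message types an explicit entry would deny before the implicit permits are ever reached.

```python
"""First-match simulation of an IOS IPv6 ACL with its implicit trailing entries.

Added example (not from the page or from Cisco). An ACE is modelled as a tuple
(action, protocol, icmp_type): protocol "ipv6" matches every packet, "icmp"
matches ICMPv6 and an icmp_type such as "nd-ns" narrows the match further.
Addresses and ports are ignored; every ACE is treated as "any any".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACE = Tuple[str, str, Optional[str]]

# Implicit entries IOS appends to every IPv6 ACL, as quoted in the TAC reply.
IMPLICIT_TAIL: List[ACE] = [
    ("permit", "icmp", "nd-ns"),
    ("permit", "icmp", "nd-na"),
    ("deny", "ipv6", None),
]

# Neighbor-discovery message types protected by the implicit permits.
ND_TYPES = ["nd-ns", "nd-na"]


@dataclass
class Packet:
    """Minimal packet model: layer-4 protocol plus ICMPv6 message type."""
    proto: str                     # "icmp", "tcp", "udp", ...
    icmp_type: Optional[str] = None  # e.g. "nd-ns", "nd-na", "echo-request"


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """Return True if the ACE matches the packet (addresses are 'any any')."""
    _, proto, icmp_type = ace
    if proto == "ipv6":
        return True
    if proto != pkt.proto:
        return False
    return icmp_type is None or icmp_type == pkt.icmp_type


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, int]:
    """Walk the user ACL followed by the implicit tail, top to bottom.

    Returns (action, index) of the first matching entry. Indices >= len(acl)
    refer to the implicit tail, so callers can tell which entry won.
    """
    for i, ace in enumerate(acl + IMPLICIT_TAIL):
        if ace_matches(ace, pkt):
            return ace[0], i
    raise AssertionError("unreachable: implicit deny ipv6 any any matches all")


def blocked_nd(acl: List[ACE]) -> List[str]:
    """ND message types that an explicit ACE denies before the implicit permits."""
    blocked = []
    for nd in ND_TYPES:
        action, idx = evaluate(acl, Packet("icmp", nd))
        if action == "deny" and idx < len(acl):
            blocked.append(nd)
    return blocked


def render_ios(acl: List[ACE]) -> List[str]:
    """Render ACEs in IOS-like syntax (constructed format, 'any any' only)."""
    lines = []
    for action, proto, icmp_type in acl:
        line = f"{action} {proto} any any"
        if icmp_type:
            line += f" {icmp_type}"
        lines.append(line)
    return lines


# Constructed scenarios mirroring the thread.
ACL_PLAIN: List[ACE] = [("permit", "tcp", None)]
ACL_EXPLICIT_DENY: List[ACE] = ACL_PLAIN + [("deny", "ipv6", None)]
ACL_DENY_WITH_ND: List[ACE] = ACL_PLAIN + [
    ("permit", "icmp", "nd-ns"),
    ("permit", "icmp", "nd-na"),
    ("deny", "ipv6", None),
]

if __name__ == "__main__":
    for name, acl in [("plain", ACL_PLAIN), ("explicit deny", ACL_EXPLICIT_DENY),
                      ("explicit deny + ND permits", ACL_DENY_WITH_ND)]:
        print(f"--- {name} ---")
        for line in render_ios(acl):
            print("  " + line)
        print("  ND blocked before implicit permits:", blocked_nd(acl) or "none")
```

With only `permit tcp any any` the neighbor solicitation falls through to the implicit permit; appending `deny ipv6 any any` matches it first and ND is lost, which is exactly the "blocks all traffic" symptom in the original post. Adding explicit `permit icmp any any nd-ns` / `nd-na` entries ahead of the explicit deny restores ND.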

Great, thanks for the follow-up!

Earl Carter also did a nice blog post on IPv6 security, which is a quick, useful read.

http://blogs.cisco.com/security/securing-ipv6/