cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1664
Views
0
Helpful
4
Replies
Highlighted
Beginner

IPv6 ACLS for LAN traffic

I'm making outbound Ipv6 ACLs for LAN traffic on L3 SVIs and am trying to determined what is actually needed. I have several source/destination combos that I am not sure if i need to permit.

  • seeing drops on outbound V6 ACL with source and destination IP in same subnet. Any ideas why this might be happening?
  • FE80::/10 for link local-does this source need to be allow to my destination LAN subnet?
  • FF00::/8 blockmulticast-does this need to be allowed as both a source and destination network on a given interface? I'm getting a ton of matches on it as a destination with source any.
4 REPLIES 4
Highlighted
VIP Advisor

Hi Jessica,

You shouldn't need to have and ACL for any FE80::/10 traffic, as it has a TTL of 1 and cannot be forwarded beyond the local segment.

Regarding your other questions, it may be easier if you shared the ACL.

 

cheers,

Seb.

Highlighted

Right, but this FE80 traffic is TO the local segment. That's what I find perplexing. You are saying it shouldn't be talking to my local segment at all?
Highlighted

Traffic from the router to an FE80 address would be expected. Due to the TTL of 1 traffic can never be routed beyond the local segment, therefore there is no need for an ACL to police FE80 traffic.

Highlighted

I need the access-list list to police other traffic. I understand what you're saying, but traffic sourced FE80://10 is coming out this network anyway. It is probably sourced from the local subnet. I am also seeing traffic hit this ACL with the source of the local subnet and the destination of the local subnet; this also doesn't make sense to me. With v4, it wasn't necessary to permit the subnet to talk to itself.

 

Sorry, I can't share the ACL as it has my IP's in it.

Content for Community-Ad
This widget could not be displayed.