IPv6 ACLS for LAN traffic

JESSICA Walsh
Level 1

I'm making outbound IPv6 ACLs for LAN traffic on L3 SVIs and am trying to determine what is actually needed. I have several source/destination combos that I am not sure if I need to permit.

  • Seeing drops on the outbound v6 ACL with source and destination IP in the same subnet. Any ideas why this might be happening?
  • FE80::/10 for link-local: does this source need to be allowed to my destination LAN subnet?
  • FF00::/8 multicast block: does this need to be allowed as both a source and destination network on a given interface? I'm getting a ton of matches on it as a destination with source any.
4 Replies

Seb Rupik
VIP Alumni

Hi Jessica,

You shouldn't need to have an ACL for any FE80::/10 traffic, as it has a TTL of 1 and cannot be forwarded beyond the local segment.

Regarding your other questions, it may be easier if you shared the ACL.

cheers,

Seb.

Right, but this FE80 traffic is TO the local segment. That's what I find perplexing. You are saying it shouldn't be talking to my local segment at all?

Traffic from the router to an FE80 address would be expected. Due to the TTL of 1, traffic can never be routed beyond the local segment; therefore there is no need for an ACL to police FE80 traffic.

I need the access-list to police other traffic. I understand what you're saying, but traffic sourced from FE80::/10 is coming out of this network anyway. It is probably sourced from the local subnet. I am also seeing traffic hit this ACL with the source of the local subnet and the destination of the local subnet; this also doesn't make sense to me. With v4, it wasn't necessary to permit the subnet to talk to itself.

Sorry, I can't share the ACL as it has my IPs in it.
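The three flow types the thread argues about (link-local sources, multicast destinations, and same-subnet traffic hitting an outbound SVI ACL) can be sorted out mechanically before deciding which entries the ACL actually needs. The following is an added example, not code from the thread or any vendor tool; it uses a constructed LAN prefix and constructed ACL-hit samples, and tags each src/dst pair with the properties that matter for an outbound ACL on an SVI.

```python
import ipaddress
from collections import Counter

# Constructed sample LAN prefix for the SVI (not from the thread).
LAN_PREFIX = ipaddress.ip_network("2001:db8:10::/64")
# Solicited-node multicast range used by Neighbor Discovery (RFC 4291).
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")
# Multicast scope = low nibble of the second address byte (RFC 4291).
SCOPE_NAMES = {1: "interface-local", 2: "link-local", 4: "admin-local",
               5: "site-local", 8: "organization-local", 14: "global"}

def classify_flow(src, dst, lan=LAN_PREFIX):
    """Tag one src/dst pair: link-local source, multicast destination
    (with its scope), solicited-node ND target, intra-subnet, or routed."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    tags = []
    if s.is_link_local:
        tags.append("src-link-local")
    if d.is_multicast:
        scope = d.packed[1] & 0x0F
        tags.append(f"dst-multicast/{SCOPE_NAMES.get(scope, scope)}")
        if d in SOLICITED_NODE:
            tags.append("solicited-node(ND)")
    elif s in lan and d in lan:
        tags.append("intra-subnet")
    elif d in lan:
        tags.append("inbound-to-lan")
    else:
        tags.append("off-subnet")   # the routed traffic the ACL is really for
    return tags

# Constructed ACL-hit samples shaped like the flows described in the thread.
SAMPLE_HITS = [
    ("fe80::1", "ff02::1"),                   # router advertisement to all-nodes
    ("2001:db8:10::20", "ff02::1:ff00:30"),   # neighbor solicitation
    ("2001:db8:10::20", "2001:db8:10::30"),   # host to host, same subnet
    ("2001:db8:10::20", "2001:db8:99::1"),    # genuinely routed traffic
    ("fe80::a", "ff02::2"),                   # router solicitation to all-routers
]

def summarize(hits=SAMPLE_HITS, lan=LAN_PREFIX):
    """Count hits per tag so each ACL entry can be justified, or shown
    unnecessary, from the traffic actually observed on the interface."""
    counts = Counter()
    for src, dst in hits:
        counts.update(classify_flow(src, dst, lan))
    return counts

if __name__ == "__main__":
    for tag, n in summarize().most_common():
        print(f"{n:3d}  {tag}")
```

Feeding real ACL-hit logs (after anonymising the prefix) into `summarize` shows how many of the "source any, destination FF00::/8" matches are link-local-scope ND and RA traffic versus anything that leaves the subnet.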
