08-31-2017 02:05 PM - edited 03-01-2019 05:54 PM
I'm making outbound IPv6 ACLs for LAN traffic on L3 SVIs and am trying to determine what is actually needed. I have several source/destination combos that I am not sure if I need to permit.
09-01-2017 01:40 AM
Hi Jessica,
You shouldn't need to have an ACL for any FE80::/10 traffic, as it has a TTL of 1 and cannot be forwarded beyond the local segment.
Regarding your other questions, it may be easier if you shared the ACL.
cheers,
Seb.
09-01-2017 07:44 AM
09-01-2017 08:43 AM
Traffic from the router to an FE80 address would be expected. Due to the TTL of 1 traffic can never be routed beyond the local segment, therefore there is no need for an ACL to police FE80 traffic.
09-13-2017 09:40 AM
I need the access-list to police other traffic. I understand what you're saying, but traffic sourced from FE80::/10 is coming out of this network anyway. It is probably sourced from the local subnet. I am also seeing traffic hit this ACL with the source of the local subnet and the destination of the local subnet; this also doesn't make sense to me. With v4, it wasn't necessary to permit the subnet to talk to itself.
Sorry, I can't share the ACL as it has my IP's in it.
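As an added illustration (not code from the thread or from any poster), a small stdlib-only triage script that groups observed IPv6 src/dst pairs by address scope: link-local (FE80::/10 sources, ND/RA multicast), same-subnet, egress, ingress and transit. The SVI prefix and the sample flows are constructed from documentation addresses; grouping flows this way shows which of the combos in the question are segment-confined and which actually cross the L3 boundary the ACL is policing.

```python
# Added example (not from the thread): group observed IPv6 src/dst pairs by address
# scope, so flows such as FE80::/10 sources or same-subnet pairs can be compared
# against what an outbound SVI ACL is meant to cover. Uses only the stdlib.
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
LINK_LOCAL_MCAST = ipaddress.IPv6Network("ff02::/16")   # multicast scope 2 (link)

def classify_flow(src: str, dst: str, svi_prefix: str) -> str:
    """Label one src/dst pair seen on an SVI whose connected prefix is svi_prefix."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    net = ipaddress.IPv6Network(svi_prefix, strict=False)
    if s in LINK_LOCAL or d in LINK_LOCAL or d in LINK_LOCAL_MCAST:
        return "link-local"      # ND, RS/RA, DAD, MLD: confined to the segment
    if d.is_multicast:
        return "multicast"       # wider-scope group; may be forwarded by PIM/MLD
    if s in net and d in net:
        return "intra-subnet"    # both ends on the SVI's own prefix
    if s in net:
        return "egress"          # local host talking off-subnet
    if d in net:
        return "ingress"         # off-subnet host talking to a local host
    return "transit"             # neither end local: routed through this box

def summarize(flows: List[Tuple[str, str]], svi_prefix: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group flows by label; the label is what an ACL review reasons about."""
    groups: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst in flows:
        groups[classify_flow(src, dst, svi_prefix)].append((src, dst))
    return dict(groups)

# Constructed sample flows using documentation prefixes (RFC 3849), not real traffic.
SVI_PREFIX = "2001:db8:10::/64"
SAMPLE_FLOWS = [
    ("fe80::1", "ff02::1"),                 # router advertisement
    ("2001:db8:10::5", "ff02::1:ff00:6"),   # neighbour solicitation (solicited-node group)
    ("2001:db8:10::5", "2001:db8:10::6"),   # host to host on the same VLAN
    ("2001:db8:10::5", "2001:db8:20::7"),   # host leaving the subnet
    ("2001:db8:20::7", "2001:db8:10::5"),   # reply coming back in
    ("2001:db8:10::5", "ff05::1:3"),        # site-scope multicast (All_DHCP_Servers)
]

if __name__ == "__main__":
    for label, pairs in summarize(SAMPLE_FLOWS, SVI_PREFIX).items():
        print(f"{label:13s} {len(pairs)} flow(s): {pairs}")
```

Feed it the src/dst pairs from the ACL hit counters or a packet capture instead of SAMPLE_FLOWS; the "link-local" and "intra-subnet" buckets are the ones the question is asking about.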