
IPv6 Bogon ACL

cardosocristian
Level 1

I am configuring an IPv6 ACL for my transit link interface, where I run a BGP session with the ISP that provides me with the link, and I am configuring the ACL this way:

ipv6 access-list BOGON-IPv6
deny ipv6 ::/128 any
deny ipv6 ::1/128 any
deny ipv6 ::ffff:0:0/96 any
deny ipv6 100::/64 any
deny ipv6 2001:db8::/32 any
deny ipv6 fc00::/7 any
deny ipv6 fe80::/10 any
permit ipv6 any any
end

I noticed that in many examples fe80::/10 is blocked, but the interface carries out neighbor discovery through the fe80:: address. On Cisco equipment, is it correct to deny this traffic?

Because it could have implications for NDP, in my understanding.

2 Accepted Solutions

Harold Ritter
Cisco Employee

Hi @cardosocristian ,

This would definitely block the NDP traffic and prevent the connection to the service provider from working properly. You should remove this line.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México


Harold Ritter
Cisco Employee

Hi @cardosocristian ,

On second thought, to make sure someone doesn't use spoofed source link-local addresses from remote networks, you could modify the ACL to allow link-local address (LLA) to LLA and LLA to solicited-node multicast addresses (SNMA) and deny anything else. This would look something like this:

ipv6 access-list BOGON-IPv6
deny ipv6 ::/128 any
deny ipv6 ::1/128 any
deny ipv6 ::ffff:0:0/96 any
deny ipv6 100::/64 any
deny ipv6 2001:db8::/32 any
deny ipv6 fc00::/7 any
remark required for NDP (NA from LLA to LLA)
permit ipv6 fe80::/10 fe80::/10
remark required for NDP (NS to solicited node multicast address)
permit ipv6 fe80::/10 FF02::1:FF00:0/104
deny ipv6 fe80::/10 any
permit ipv6 any any

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
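To make the difference between the two ACLs in this thread concrete, here is a small first-match ACL simulator. It is an added example written for this page, not code from the thread or from Cisco; it embeds constructed copies of the original ACL from the question and of the revised ACL from the answer above (with the inline comments turned into `remark` lines, which is the IOS syntax for comments inside an access list), plus a few constructed sample flows: a neighbor solicitation to a solicited-node multicast address, the neighbor advertisement back, a DAD solicitation from the unspecified source, a spoofed link-local source aimed at a global address, and ordinary global-to-global transit traffic. The `3fff::/20` addresses are stand-ins from the RFC 9637 documentation block, not real allocations. One point the simulator does not model, because it does not change the outcome here: a Cisco IOS IPv6 ACL ends with implicit `permit icmp any any nd-ns` and `permit icmp any any nd-na` entries ahead of the implicit deny, but an explicit `deny ipv6 fe80::/10 any` is evaluated first and still drops the NDP traffic, which is exactly the problem the question describes.

```python
import ipaddress

# Constructed copies of the two ACLs discussed in the thread. Header and "end"
# lines are kept to show how IOS-style lines are skipped. Matching is
# first-match, top-down, as in a Cisco IOS IPv6 ACL.
ORIGINAL_ACL = """\
ipv6 access-list BOGON-IPv6
deny ipv6 ::/128 any
deny ipv6 ::1/128 any
deny ipv6 ::ffff:0:0/96 any
deny ipv6 100::/64 any
deny ipv6 2001:db8::/32 any
deny ipv6 fc00::/7 any
deny ipv6 fe80::/10 any
permit ipv6 any any
end
"""

REVISED_ACL = """\
ipv6 access-list BOGON-IPv6
deny ipv6 ::/128 any
deny ipv6 ::1/128 any
deny ipv6 ::ffff:0:0/96 any
deny ipv6 100::/64 any
deny ipv6 2001:db8::/32 any
deny ipv6 fc00::/7 any
remark NDP: neighbor advertisements, link-local to link-local
permit ipv6 fe80::/10 fe80::/10
remark NDP: neighbor solicitations to the solicited-node multicast range
permit ipv6 fe80::/10 ff02::1:ff00:0/104
deny ipv6 fe80::/10 any
permit ipv6 any any
"""


def _to_net(token):
    """Translate an ACL address token into an ipaddress network ('any' is ::/0)."""
    if token == "any":
        return ipaddress.ip_network("::/0")
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] for 'deny|permit ipv6 SRC DST' lines.

    The access-list header, 'remark' lines and 'end' are skipped, as is any
    trailing '#' comment (tolerated so pasted forum snippets still parse).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("ipv6 access-list", "remark", "end")):
            continue
        action, proto, src, dst = line.split()
        if action not in ("permit", "deny") or proto != "ipv6":
            raise ValueError(f"unsupported ACL line: {raw!r}")
        entries.append((action, _to_net(src), _to_net(dst)))
    return entries


def evaluate(entries, src, dst):
    """First matching entry wins; an exhausted list is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


# Constructed sample flows on the transit link (3fff::/20 is the RFC 9637
# documentation block, used as a stand-in for real global addresses).
SAMPLE_FLOWS = {
    "ns_to_solicited_node":  ("fe80::1", "ff02::1:ff00:2"),  # NS from an LLA
    "na_lla_to_lla":         ("fe80::2", "fe80::1"),         # NA reply
    "dad_ns_unspecified":    ("::", "ff02::1:ff00:1"),       # DAD NS, source ::
    "spoofed_lla_to_global": ("fe80::bad", "3fff::1"),       # LLA source, global dst
    "bgp_transit":           ("3fff::2", "3fff::1"),         # ordinary global traffic
}


def verdicts(acl_text):
    """Map each sample flow name to the ACL's verdict for that flow."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, s, d) for name, (s, d) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {name:24s} {verdict}")
```

Running it shows the original ACL denying both the solicitation and the advertisement, while the revised ACL permits them and still denies the spoofed link-local source bound for a global address. The DAD solicitation is denied by both lists because its source is `::`, which the `deny ipv6 ::/128 any` line catches; on a point-to-point transit link that only stops the neighbor's duplicate-address check from being seen, not the NS/NA exchange the BGP session depends on.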
