07-11-2024 07:12 AM
I am configuring an IPv6 ACL for my transit link interface, where I run a BGP session with the ISP that provides me with the link, and I am configuring the ACL this way:
ipv6 access-list BOGON-IPv6
 remark bogon / non-routable sources
 deny ipv6 ::/128 any
 deny ipv6 ::1/128 any
 deny ipv6 ::ffff:0:0/96 any
 deny ipv6 100::/64 any
 deny ipv6 2001:db8::/32 any
 deny ipv6 fc00::/7 any
 remark link-local sources (this is the line in question)
 deny ipv6 fe80::/10 any
 permit ipv6 any any
end
I noticed that in many examples fe80::/10 is blocked, but the interface carries out neighbor discovery through the fe80:: address. On Cisco equipment, is it correct to deny this traffic?
Because it could have implications for NDP, in my understanding.
07-11-2024 07:23 AM
Hi @cardosocristian ,
This would definitely block the NDP traffic and prevent the connection to the service provider from working properly. You should remove this line.
Regards,
07-11-2024 01:48 PM - edited 07-11-2024 02:49 PM
Hi @cardosocristian ,
On second thought, to make sure someone doesn't use spoofed link-local source addresses from remote networks, you could modify the ACL to allow link-local address (LLA) to LLA and LLA to solicited-node multicast addresses (SNMA) and deny anything else. This would look something like this:
ipv6 access-list BOGON-IPv6
 deny ipv6 ::/128 any
 deny ipv6 ::1/128 any
 deny ipv6 ::ffff:0:0/96 any
 deny ipv6 100::/64 any
 deny ipv6 2001:db8::/32 any
 deny ipv6 fc00::/7 any
 remark required for NDP (NA from LLA to LLA)
 permit ipv6 fe80::/10 fe80::/10
 remark required for NDP (NS to solicited-node multicast address)
 permit ipv6 fe80::/10 ff02::1:ff00:0/104
 deny ipv6 fe80::/10 any
 permit ipv6 any any
Regards,
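Added example (not the poster's own configuration): the revised BOGON-IPv6 filter above, written out as it would be applied to the transit interface, with remarks and with the entries widened to the other NDP messages a transit link can carry (router solicitation to ff02::2, router advertisement and unsolicited neighbor advertisement to ff02::1). The two link-local permits are kept as plain ipv6 entries rather than narrowed to ICMPv6 types, because unicast NS for neighbor unreachability detection and a BGP session peered on link-local addresses would otherwise be dropped too. The interface name GigabitEthernet0/0/0 is an assumption. On IOS, an IPv6 ACL ends with implicit permit entries for nd-ns and nd-na before the implicit deny, but the list is evaluated top down, so an explicit deny of fe80::/10 placed before them still drops NDP; that is why the original list broke neighbor discovery.

```cisco
! Added example, not from the original thread. Interface name is assumed.
ipv6 access-list BOGON-IPv6
 remark --- sources that must never appear on a transit link ---
 deny ipv6 ::/128 any
 deny ipv6 ::1/128 any
 deny ipv6 ::ffff:0:0/96 any
 deny ipv6 100::/64 any
 deny ipv6 2001:db8::/32 any
 deny ipv6 fc00::/7 any
 remark --- NDP from the peer's link-local address (must precede the fe80::/10 deny) ---
 remark LLA to LLA: NA, unicast NS for NUD, link-local BGP peering if used
 permit ipv6 fe80::/10 fe80::/10
 remark LLA to solicited-node multicast: NS for address resolution
 permit icmp fe80::/10 ff02::1:ff00:0/104 nd-ns
 remark LLA to all-routers: router solicitation
 permit icmp fe80::/10 ff02::2 router-solicitation
 remark LLA to all-nodes: router advertisement, unsolicited NA, MLD query
 permit icmp fe80::/10 ff02::1
 remark --- any other link-local source is spoofed or unwanted ---
 deny ipv6 fe80::/10 any
 permit ipv6 any any
!
interface GigabitEthernet0/0/0
 description Transit link to ISP (assumed interface name)
 ipv6 traffic-filter BOGON-IPv6 in
!
! Verification after applying the filter:
!   show ipv6 access-list BOGON-IPv6   -> per-entry match counters; the two
!                                          permit entries for fe80::/10 should
!                                          increment, the fe80::/10 deny should not
!   show ipv6 neighbors GigabitEthernet0/0/0 -> the ISP's LLA should be REACH/STALE,
!                                               not INCMP
!   show bgp ipv6 unicast summary      -> session stays Established
```

One caveat that applies to both the original and the revised list: `deny ipv6 ::/128 any` also drops neighbor solicitations sent from the unspecified address, which is what the peer uses for duplicate address detection on its side of the link. That is usually harmless on a point-to-point transit link, but if the fe80::/10 deny counter keeps incrementing after the change, check the source addresses of the dropped packets before assuming they are spoofed.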