Solved: Need help configuring an IPv6 ACL

nigelblake24 · ‎09-25-2021

I want to configure an ipv6 ACL called PORT80 that:

Permits an IPv6 LAN (2001:10:1:1::/64) to browse port 80 to a server (2001:202:1:1::254)
Deny any IPv6 TCP packets with source port 80 from entering a LAN 179.1.1.0

This ACL also must not prevent other ipv6 traffic.

Is this right?

   10 permit ipv6 2001:10:1:1::/64 2001:202:1:1::254

   40 deny tcp any eq 23 any

Seb Rupik · ‎09-25-2021

Hi there,

To acheive your first and third reqirments the ACL would look like:

!
ipv6 access-list PORT80
 permit tcp 2001:10:1:1::/64 host 2001:202:1:1::254 eq 80
 deny ipv6 any any
!

However your second requirement is mixing IPv6 and IPv4 which is not possible. The two protocols *could* communicate via network translation, and the translated traffic could then be blocked, but for now, it is safe to say that source IPv6 packets will not be able to reach IPV4 hosts in the 179.1.1.0/24 (?) subnet.

cheers,

Seb.

View solution in original post

Seb Rupik · ‎09-25-2021

Hi there,

To acheive your first and third reqirments the ACL would look like:

!
ipv6 access-list PORT80
 permit tcp 2001:10:1:1::/64 host 2001:202:1:1::254 eq 80
 deny ipv6 any any
!

However your second requirement is mixing IPv6 and IPv4 which is not possible. The two protocols *could* communicate via network translation, and the translated traffic could then be blocked, but for now, it is safe to say that source IPv6 packets will not be able to reach IPV4 hosts in the 179.1.1.0/24 (?) subnet.

cheers,

Seb.