How to deny ipv6 echo-reply to directly adjacent router?

mmanthe
Level 1

Scenario: 2 routers (R1 & R2) connected directly (point-to-point) via serial interfaces. Dual stack (IPv4 & IPv6). R1 is mine - I control it. R2 is not mine - I cannot control it or make any configurations on it.

 

I want to be able to block IPv6 ICMP echo replies from *MY* (R1's) serial interface back to R2's serial interface (i.e. not reply to pings sourced from R2's serial interface). Creating and applying an IPv6 ACL on R1's serial interface does not work - I guess because it only filters/blocks traffic going *through* the interface, not *to* the interface.

 

How else would I accomplish this?

 

Thanks!

 

PS - please ignore the 'logic' of this endeavor - it is purely academic. 

1 Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

Take a look at CoPP. You should be able to take the ACL you have configured and use it to define a class-map. Then create a new policy-map referencing your class map with the action drop, something like:

!
class-map match-all DROP-R2-ICMP
  match access-group <YOUR_ACL>
!
policy-map RTR_COPP
  class DROP-R2-ICMP
    drop
!
control-plane
  service-policy input RTR_COPP
!

cheers,

Seb.

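A complete version of the CoPP approach from the accepted answer, added here as an example (not configuration posted in the thread). It fills in the <YOUR_ACL> placeholder with an IPv6 ACL that selects only ICMPv6 echo-requests from R2's link address; the addresses (2001:DB8:12::1 for R1's serial interface, 2001:DB8:12::2 for R2) are assumed documentation-prefix values. The point worth remembering is that in a CoPP class the ACL's permit entries are what gets selected for the drop action, and that class-default is left without an action so neighbor discovery, routing adjacencies and management traffic still reach the CPU.

```cisco
! Added example, not from the thread. Link addresses are assumed
! (2001:DB8:12::1 = R1's serial interface, 2001:DB8:12::2 = R2's).
!
! 1. Select only the echo-requests R2 sends to R1's own address. The request
!    is what arrives at the control plane; the reply is generated locally and
!    never passes an outbound interface ACL, which is why that did not work.
ipv6 access-list DROP-R2-ECHO-REQ
 remark echo-requests from R2 to our serial address (assumed addresses)
 permit icmp host 2001:DB8:12::2 host 2001:DB8:12::1 echo-request
!
! 2. Class the selected traffic. "match access-group name" accepts an IPv6
!    named ACL; "permit" here means "match", not "allow".
class-map match-all DROP-R2-ICMP
 match access-group name DROP-R2-ECHO-REQ
!
! 3. Drop the matched requests before the CPU processes them. class-default
!    carries no action, so everything else punted to the control plane
!    (ND, routing protocols, SSH) is still delivered.
policy-map RTR_COPP
 class DROP-R2-ICMP
  drop
 class class-default
!
! 4. Attach the policy to the aggregate control-plane interface, inbound.
control-plane
 service-policy input RTR_COPP
!
! 5. Verify: the drop counter for the class should increment while R2 pings R1,
!    and R2 should stop receiving replies.
! show policy-map control-plane input class DROP-R2-ICMP
```

Keep the ACL as narrow as shown: a broader `permit icmp any any` in the same class would also drop neighbor discovery and any other ICMPv6 the router needs to hear, and CoPP drops are silent, so check the class counters rather than assuming the policy is inert.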

4 Replies


Seb,

This worked like a charm - thanks! It's a bit of a 'long-way-round', but I can see a lot of ways to utilize this. Thanks so much for your help!

Harold Ritter
Cisco Employee

Hi,

 

Interface ACLs in general do not normally block locally originated traffic. Have you tried blocking ICMPv6 echo requests coming from R2 in an inbound ACL, rather than ICMPv6 echo replies to R2 in an outbound ACL?

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Harold - thanks for the reply. I tried blocking requests and replies (i.e. ingress and egress) - unfortunately, due to the nature of ACLs in general, there never was really any hope for it to work for what I wanted it to do. Fortunately, Seb's solution was able to accomplish this. Given its operation at the control-plane level - it 'sees' the packets before the interface does and can filter on my criteria (albeit 3 layers deep ;-) ).

 

Thanks!
