
IPV6 access-list to allow the OSPFv3 and EIGRP traffic and hello packets

Mehdi.a.majid1
Level 1

Hello,

 

How can I configure IPV6 access-list to allow the OSPFv3 and EIGRP traffic and hello packets so that the neighbor relationship can be established without any problem?

 

Thank you.

3 Replies

Seb Rupik
VIP Alumni

Hi there,

You will want to permit any link-local address (fe80::/10) (or a specific subset of known routers), to the reserved multicast group addresses:

ff02::5     (OSPF All routers)
ff02::6     (OSPF All DRs)

ff02::a     (EIGRP Routers)

 

If you have configured neighbour statements then the IGP control packets will be unicast, so tweak the ACLs to suit.

 

Cheers,

Seb.

Hi,

Thanks for replying,

Actually, I was hoping to get an answer that would let me input just 1 permit line in the IPv6 ACL to do so,

like what we can do to allow the RIPng hello packets to freely establish the neighbor relationship,

like the line "permit udp any any eq 521 sequence 21"

but for OSPFv3 I had to use

 permit ipv6 any host FF02::5 (191 matches) sequence 31

and

 permit ipv6 host FE80::E95:D9FF:FEC5:F601 host FE80::E95:D9FF:FE4E:F500 (4 matches) sequence 71

 

So the question is: is there just 1 single permit line which could do the job of both lines, for OSPFv3 and for EIGRP each?!

 

R1(config-ipv6-acl)#do show ipv6 access-list
IPv6 access list from_HQ
    permit ipv6 host FEC0:DB8::11 any sequence 10
    permit udp any any eq 521 sequence 21
    permit ipv6 any host FF02::5 (191 matches) sequence 31
    permit ipv6 any host FF02::6 sequence 41
    permit ipv6 host FF02::5 any sequence 51
    permit ipv6 host FF02::6 any sequence 61
    permit ipv6 host FE80::E95:D9FF:FEC5:F601 host FE80::E95:D9FF:FE4E:F500 (4 matches) sequence 71

 

thanks.

If I'm understanding you correctly, you could use the following multicast range:

 

ff02::/124

 

Which covers the addresses ff02::0 – ff02::f, so not totally specific and a bit ugly!

 

Arguably you could forget about using an ACL and use the inbuilt authentication provided by both OSPF and EIGRP.

 

Cheers,

Seb.
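
An added example, not part of the thread: a small Python model that shows what the ff02::/124 range suggested above also admits, compared with entries pinned to the OSPFv3 and EIGRP groups. The ACL syntax is a simplified "action protocol source destination" form, and the protocol numbers (89 for OSPF, 88 for EIGRP), the fe80::1 and fe80::2 addresses and the sample packets are assumptions constructed for the illustration.

```python
import ipaddress

# Link-local multicast groups (IANA registry) that sit inside ff02::0 - ff02::f.
WELL_KNOWN = {
    "ff02::1": "all nodes", "ff02::2": "all routers",
    "ff02::5": "OSPFv3 all routers", "ff02::6": "OSPFv3 all DRs",
    "ff02::9": "RIPng routers", "ff02::a": "EIGRP routers",
    "ff02::d": "PIM routers",
}

def groups_covered(prefix):
    """Return the well-known groups that fall inside a destination prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    return {a: n for a, n in WELL_KNOWN.items() if ipaddress.ip_address(a) in net}

def parse_entry(line):
    """Parse 'action proto src dst' (simplified model, not an IOS parser)."""
    action, proto, *rest = line.split()
    def take():
        tok = rest.pop(0)
        if tok == "any":
            return ipaddress.ip_network("::/0")
        if tok == "host":
            return ipaddress.ip_network(rest.pop(0) + "/128")
        return ipaddress.ip_network(tok, strict=False)
    src, dst = take(), take()
    return action, (None if proto == "ipv6" else int(proto)), src, dst

def evaluate(acl_lines, proto, src, dst):
    """First match wins; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn in map(parse_entry, acl_lines):
        if p in (None, proto) and s in sn and d in dn:
            return action
    return "deny"

# Constructed ACLs: BROAD uses the /124 range from the thread, SPECIFIC pins
# protocol numbers (assumption of this model: 89 = OSPF, 88 = EIGRP).
BROAD = ["permit ipv6 fe80::/10 ff02::/124"]
SPECIFIC = ["permit 89 fe80::/10 host ff02::5", "permit 89 fe80::/10 host ff02::6",
            "permit 88 fe80::/10 host ff02::a"]

if __name__ == "__main__":
    print(groups_covered("ff02::/124"))
    # Constructed packets: (protocol, source, destination)
    for pkt in [(89, "fe80::1", "ff02::5"), (88, "fe80::1", "ff02::a"),
                (17, "fe80::1", "ff02::9"), (89, "fe80::1", "fe80::2")]:
        print(pkt, "BROAD:", evaluate(BROAD, *pkt), "SPECIFIC:", evaluate(SPECIFIC, *pkt))
```

The last sample packet, unicast between two link-local addresses, is denied by both lists, which matches the thread's ACL needing a separate host-to-host line in addition to the multicast entries.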
