IPV6 ACL

libra_ali786
Level 1

ipv6 access-list net
 permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64
 permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet
 permit tcp 2001:DB8:AD59:BA21::/64 any eq http
 permit ipv6 2001:DB8:AD59::/48 any
 deny ipv6 any any log

Which statement is true and why?

  1. A packet with a source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80 will be permitted.
  2. A packet with a source address of 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied.
  3. The denied entries will be logged because of the explicit deny ipv6 any any log line.
  4. HTTPS traffic from the 2001:DB8:AD59:BA21::/64 subnet will automatically be permitted along with HTTP traffic.


4 Replies

Seb Rupik
VIP Alumni

Hi there,

Statement 3 is the only correct one. Although every ACL ends with an implicit deny, the final ACE is an explicit deny which also stipulates that every denied packet is also logged.

cheers,

Seb.

I should probably explain the others too.
Statements:
1) False. The network address for this host is 2001:DB80:AD59:BA21::/64. Note the position of the 0 in the second hextet. The ACL shows a compressed IPv6 address which, when expanded, equals: 2001:0DB8:AD59:BA21::/64

2) False. This host is permitted by the last permit ACE.

3) True.

4) False (~True): For the purpose of this ACL I assumed that 'HTTP traffic' actually means traffic destined to an HTTP port. The destination port in the third ACE is TCP/80, therefore it does not permit TCP/443. However, such traffic would be permitted by the fourth ACE.
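The reasoning in the accepted answer can be checked mechanically. What follows is an added example, not code from this thread or from Cisco: a small Python model of first-match ACL evaluation that parses the five ACEs as posted (reading the third ACE's source as 2001:DB8:AD59:BA21::/64, as the accepted answer does) and then runs the packets from the four statements through it. The `parse_ace`/`evaluate` functions, the port-name table and the destination addresses are constructed for illustration and are assumptions; only the ACL text and the two source addresses come from the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL from the question. The third ACE is taken as
# 2001:DB8:AD59:BA21::/64, the reading the accepted answer uses (assumption).
ACL_TEXT = """\
permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet
permit tcp 2001:DB8:AD59:BA21::/64 any eq http
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log
"""

# Port keywords used in the posted ACL plus https for statement 4
# (assumption: a small table, not the full IOS keyword list).
PORT_NAMES = {"telnet": 23, "http": 80, "www": 80, "https": 443}

ANY = ipaddress.IPv6Network("::/0")


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" matches every upper-layer protocol
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None  # None means any destination port
    log: bool = False


def parse_net(tok: str) -> ipaddress.IPv6Network:
    return ANY if tok.lower() == "any" else ipaddress.IPv6Network(tok, strict=False)


def parse_ace(line: str) -> ACE:
    """Parse one IOS-style ACE: <action> <proto> <src> <dst> [eq <port>] [log]."""
    tok = line.split()
    action, proto = tok[0].lower(), tok[1].lower()
    src, dst = parse_net(tok[2]), parse_net(tok[3])
    rest = [t.lower() for t in tok[4:]]
    dport = None
    if len(rest) >= 2 and rest[0] == "eq":
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rest = rest[2:]
    return ACE(action, proto, src, dst, dport, "log" in rest)


ACL: List[ACE] = [parse_ace(l) for l in ACL_TEXT.splitlines() if l.strip()]


def evaluate(acl: List[ACE], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> Tuple[str, Optional[int], bool]:
    """First-match evaluation. Returns (action, index of the matching ACE or
    None for the implicit deny, whether the match logs)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ipv6" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i, ace.log
    return "deny", None, False  # implicit deny: drops the packet, never logs


def check_statements() -> dict:
    """The packets behind the four statements, plus the same ACL with the
    explicit deny removed to show that the implicit deny does not log.
    Destination addresses are constructed for the example."""
    s1 = evaluate(ACL, "2001:DB80:AD59:BA21:101:CAB:64:38", "2001:DB8:C0AB:BA14::1", "tcp", 80)
    s2 = evaluate(ACL, "2001:DB8:AD59:ACC0:2020:882:DB8:1125", "2001:DB8:1::1", "tcp", 22)
    http = evaluate(ACL, "2001:DB8:AD59:BA21::10", "2001:DB8:1::1", "tcp", 80)
    https = evaluate(ACL, "2001:DB8:AD59:BA21::10", "2001:DB8:1::1", "tcp", 443)
    implicit = evaluate(ACL[:-1], "2001:DB80:AD59:BA21:101:CAB:64:38", "2001:DB8:C0AB:BA14::1", "tcp", 80)
    return {"statement_1": s1, "statement_2": s2, "http_from_ba21": http,
            "https_from_ba21": https, "implicit_deny_only": implicit}


def hextet_mismatch() -> Tuple[str, str]:
    """Why statement 1 fails: the expanded second hextet of the packet's
    source is db80, while the ACL's prefix expands to 0db8."""
    pkt = ipaddress.IPv6Address("2001:DB80:AD59:BA21:101:CAB:64:38").exploded
    acl = ACL[0].src.network_address.exploded
    return pkt.split(":")[1], acl.split(":")[1]


if __name__ == "__main__":
    for name, (action, idx, logged) in check_statements().items():
        where = "implicit deny" if idx is None else f"ACE {idx + 1}"
        print(f"{name:20s} {action:6s} by {where}{' (logged)' if logged else ''}")
    print("second hextet, packet vs ACL:", hextet_mismatch())
```

Running it reproduces the accepted answer: the statement 1 source falls through to the explicit deny and is logged, the statement 2 source is permitted by the /48 ACE, HTTPS from the /64 is permitted by the /48 ACE rather than by the `eq http` one, and with the explicit deny removed the implicit deny still drops the packet but logs nothing. One IOS-specific point the model deliberately leaves out: Cisco IOS IPv6 ACLs carry implicit `permit icmp any any nd-na` and `permit icmp any any nd-ns` entries ahead of the implicit deny, and an explicit `deny ipv6 any any` at the end matches before them, so neighbor discovery through an interface with this ACL applied must be permitted explicitly if it is to keep working.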

Sorry, but why is answer 1 not correct?

IP address: 2001:db8:ad59:ba21::/64
Type: GLOBAL-UNICAST (reserved for documentation purposes, 2001:db8::/32 [RFC 3849][IANA])
Network: 2001:db8:ad59:ba21::
Prefix length: 64
Network range: 2001:0db8:ad59:ba21:0000:0000:0000:0000 - 2001:0db8:ad59:ba21:ffff:ffff:ffff:ffff
Total IP addresses: 18446744073709551616

Giuseppe P

Hi Giuseppe,

The question mentioned a source IP of 2001:DB80:AD59:BA21:101:CAB:64:38 /64, which gives a subnet of:

2001:DB80:AD59:BA21::/64

This is different from the subnet you mention, due to the position of the zero in the second hextet:

The question:                    :DB80:
Your example and also the ACL:   :0DB8:

These are totally different addresses.

cheers,

Seb.
