09-17-2012 07:51 AM - edited 03-04-2019 05:35 PM
I am encountering an issue where IPv6 trace route, both from within the LAN and on the Cisco router itself, is unable to function beyond the WAN interface of my Cisco 1941 router with IOS v15.x.
Below is the IPv6 Access List:
[code]
sequence 410 remark Allow Specific Inbound ICMP Types
permit icmp any 2001:D98:XXXX::/64 1 3
permit icmp any 2001:D98:XXXX::/64 packet-too-big
permit icmp any 2001:D98:XXXX::/64 parameter-problem
permit icmp any 2001:D98:XXXX::/64 echo-reply
permit icmp 2001:D98:XXXX::/64 any echo-request
sequence 510 remark Allow Inbound Connections to WAN Interface for Specific Services
permit icmp any host 2001:D98:XXX::XXX 1 3
permit icmp any host 2001:D98:XXX::XXX packet-too-big
permit icmp any host 2001:D98:XXX::XXX parameter-problem
permit icmp any host 2001:D98:XXX::XXX echo-reply
permit icmp host 2001:D98:XXX::XXX any echo-request
sequence 810 remark Block Specific ICMP Types
deny icmp any any echo-request log
sequence 910 remark Block IPv6 *
deny ipv6 any any log
[/code]
Below are the logs that indicate IPv6 trace route being blocked:
[code]
081439: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:0:4::17 -> 2001:D98:XXX::XXX (3/0), 4 packets
081440: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:A:1::7C9B:DF2B -> 2001:D98:XXX::XXX (1/4), 110 packets
[/code]
Is there any specific permit that I need to add in order for IPv6 Trace Route to work?
09-17-2012 10:06 AM
No, but I believe that your line in the acl is incorrect:
Change:
permit icmp host 2001:D98:XXX::XXX any echo-request
to:
permit icmp any host 2001:d98:xxx::xxx echo-request
** Edit ** Actually, how are these applied and in what direction?
HTH,
John
09-17-2012 06:22 PM
The ACL posted is applied on the WAN interface which has been provisioned for a dual-stack IPv4 and IPv6 FTTH connection. This particular ACL is for inbound IPv6 traffic only. There is another separate ACL for inbound IPv4 traffic which is working fine.
The logs I have posted seem to indicate the blocking is due to ACL rule sequence 920. I realized the post I made didn't indicate which line is sequence 920, so I have included it below:
deny ipv6 any any log
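The `(type/code)` pair in each `%IPV6_ACL-6-ACCESSLOGDP` line identifies the ICMPv6 message that reached the final deny. The script below is an added example, not part of the original posts: it decodes the two posted log lines using RFC 4443 names and compares them with the inbound ICMPv6 permits for the WAN host transcribed from the ACL above. The function names and the `PERMITTED_INBOUND` table are assumptions made for illustration.

```python
import re

# ICMPv6 (type, code) names per RFC 4443; only the pairs seen in this thread.
ICMPV6_NAMES = {
    (1, 3): "destination-unreachable / address unreachable",
    (1, 4): "destination-unreachable / port unreachable",
    (3, 0): "time-exceeded / hop limit exceeded in transit",
}

# Inbound permits towards the WAN host, transcribed from the posted ACL:
# "1 3", packet-too-big (2), parameter-problem (4), echo-reply (129).
# A code of None means any code of that type.
PERMITTED_INBOUND = [(1, 3), (2, None), (4, None), (129, None)]

LOG_RE = re.compile(
    r"%IPV6_ACL-6-ACCESSLOGDP: list (?P<acl>\S+)/(?P<seq>\d+) "
    r"(?P<action>permitted|denied) icmpv6 (?P<src>\S+) -> (?P<dst>\S+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def is_permitted(icmp_type, icmp_code):
    """True if the transcribed permit list matches this type/code."""
    return any(t == icmp_type and c in (None, icmp_code)
               for t, c in PERMITTED_INBOUND)

def analyse(lines):
    """Decode each ACL log line and report whether a permit covers it."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an IPv6 ACL ICMPv6 log line
        key = (int(m["type"]), int(m["code"]))
        findings.append({
            "seq": int(m["seq"]), "action": m["action"], "src": m["src"],
            "type_code": key, "name": ICMPV6_NAMES.get(key, "unknown"),
            "packets": int(m["count"]), "permitted": is_permitted(*key),
        })
    return findings

# The two log lines from the post, copied as posted (addresses redacted there).
SAMPLE_LOG = [
    "081439: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:0:4::17 -> 2001:D98:XXX::XXX (3/0), 4 packets",
    "081440: Sep 17 21:22:18.168 GMT: %IPV6_ACL-6-ACCESSLOGDP: list ViewQwest-IPv6-WAN-Inbound/920 denied icmpv6 2406:3000:A:1::7C9B:DF2B -> 2001:D98:XXX::XXX (1/4), 110 packets",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["seq"], f["action"], f["type_code"], f["name"],
              "permitted" if f["permitted"] else "no matching permit")
```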