SixXS::Sunset 2017-06-06

IPv6 ACL issues on Cisco Router
[de] Shadow Hawkins on Sunday, 16 March 2008 02:46:11
Hello, I have a problem regarding an IPv6 ACL on a Cisco 2801. I run IOS Version 12.4(15)T3 Advanced IP Services. You will find below what I put in my configuration. My problem is that the outbound ACL never matches anything. For example, SixXS pings the tunnel endpoint every 30 minutes; I can see the echo request in TU0-INBOUND. If I ping something I see the replies in TU0-INBOUND. But the match counters of TU0-OUTBOUND remain zero. If I make a telnet like this 'telnet ipv6.google.com 80' I get '% Connection timed out; remote host not responding'. I would expect a match in line 3 of TU0-OUTBOUND and the router should create the temporary ACL REFLECTOUT. But all that matches is the implicit deny of TU0-INBOUND, causing the above timeout. :-( What am I missing here? Is it a bug or is there an error in my configuration? Carsten
interface Tunnel0
 description IPv6 uplink to SixXS
 no ip address
 ipv6 address 2A01:aaa:bbb:cc::d/64
 ipv6 enable
 ipv6 traffic-filter TU0-INBOUND in
 ipv6 traffic-filter TU0-OUTBOUND out
 tunnel source Dialer0
 tunnel destination a.b.c.d
 tunnel mode ipv6ip
!
ipv6 access-list TU0-INBOUND
 permit icmp any host 2A01:aaa:bbb:cc::d echo-request
 permit icmp any host 2A01:aaa:bbb:cc::d echo-reply
 evaluate REFLECTOUT
 deny ipv6 any any log-input
!
ipv6 access-list TU0-OUTBOUND
 permit icmp host 2A01:aaa:bbb:cc::d any echo-reply
 permit icmp host 2A01:aaa:bbb:cc::d any echo-request
 permit tcp any any reflect REFLECTOUT
 permit udp any any reflect REFLECTOUT
 deny ipv6 any any log-input
IPv6 ACL issues on Cisco Router
[de] Shadow Hawkins on Wednesday, 19 March 2008 22:17:08
Hi, the 'bug' I described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet on the inside. Even though I had no end-to-end connectivity, I could see packets matching the outbound ACL which were created from a host on that subnet. Carsten
IPv6 ACL issues on Cisco Router
[de] Shadow Hawkins on Monday, 16 June 2008 14:17:02
I tried to use "ipv6 inspect" rules for this purpose (Cisco 877 12.4(15)T3 with advanced IP services feature set). I think the problem is that packets generated by the router itself never pass an access-list on the same router; the traffic generated by the router itself will bypass the access-list, so you will never get a match on the reflexive access-list for traffic generated from your router ... This is not a bug, it is a feature (which I used with IPv4 for an interface which should provide NTP service for the connected network, but I wouldn't want the router to forward traffic between that interface and other interfaces). With my tries with "ipv6 inspect", I see a similar effect (I think because "ip inspection" and "ipv6 inspection" are internally realized via temporary access-lists, but I'm not really sure ...).
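The following is an added illustration, not part of the thread and not Cisco's implementation: a toy Python model of how interface ACLs with `reflect`/`evaluate` entries behave, loaded with the two access-lists from the first post. It reproduces the effect both posters describe: a TCP connection opened by the router itself skips the outbound ACL, so no REFLECTOUT entry is created and the SYN/ACK coming back hits the final deny on TU0-INBOUND, whereas the same connection from an inside host does create the entry and its return traffic is permitted. The router's own ICMP still works because TU0-INBOUND permits echo-reply to the tunnel address explicitly. The inside-host address `2a01:aaa:bbb:dd::10`, the remote `2001:db8::80`, the port numbers and the simplified matching semantics are all constructed for this example.

```python
"""Toy model of IOS-style IPv6 interface ACLs with reflexive entries.

Constructed example: it mimics the behaviour reported in the thread
(router-originated packets bypass the outbound interface ACL), not the
real IOS code path.
"""
from dataclasses import dataclass

ROUTER = "2a01:aaa:bbb:cc::d"        # tunnel endpoint from the post, lower-cased
INSIDE_HOST = "2a01:aaa:bbb:dd::10"  # constructed inside host
REMOTE = "2001:db8::80"              # constructed remote web server


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo-request" / "echo-reply" for icmp
    local: bool = False   # True when the router itself generated the packet


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ipv6" matches any protocol
    src: str              # "any" or an address
    dst: str
    icmp_type: str = ""
    reflect: str = ""     # reflexive list to populate when this entry matches
    evaluate: str = ""    # reflexive list to consult instead of matching fields
    hits: int = 0         # match counter, like "show ipv6 access-list"


def build_acls():
    """Fresh copies of TU0-INBOUND and TU0-OUTBOUND as posted (counters zeroed)."""
    inbound = [
        Entry("permit", "icmp", "any", ROUTER, icmp_type="echo-request"),
        Entry("permit", "icmp", "any", ROUTER, icmp_type="echo-reply"),
        Entry("permit", "ipv6", "any", "any", evaluate="REFLECTOUT"),
        Entry("deny", "ipv6", "any", "any"),   # the "deny ipv6 any any log-input"
    ]
    outbound = [
        Entry("permit", "icmp", ROUTER, "any", icmp_type="echo-reply"),
        Entry("permit", "icmp", ROUTER, "any", icmp_type="echo-request"),
        Entry("permit", "tcp", "any", "any", reflect="REFLECTOUT"),
        Entry("permit", "udp", "any", "any", reflect="REFLECTOUT"),
        Entry("deny", "ipv6", "any", "any"),
    ]
    return inbound, outbound


def _addr_ok(pattern, addr):
    return pattern == "any" or pattern == addr


class Router:
    def __init__(self):
        self.inbound, self.outbound = build_acls()
        self.reflexive = {}   # list name -> set of 5-tuples expected back
        self.log = []         # what "log-input" would have written

    def _mirror(self, name, pkt):
        # Reflexive entry keyed on the reversed 5-tuple of the outgoing packet.
        self.reflexive.setdefault(name, set()).add(
            (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def apply(self, direction, pkt):
        """Evaluate pkt against the ACL for direction; True means permitted."""
        if direction == "out" and pkt.local:
            # The point made in the thread: locally generated traffic never
            # consults the outbound ACL, so no reflect entry is ever built.
            return True
        acl = self.outbound if direction == "out" else self.inbound
        for e in acl:
            if e.evaluate:
                key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                if key in self.reflexive.get(e.evaluate, set()):
                    e.hits += 1
                    return True
                continue
            if e.proto not in ("ipv6", pkt.proto):
                continue
            if not (_addr_ok(e.src, pkt.src) and _addr_ok(e.dst, pkt.dst)):
                continue
            if e.icmp_type and e.icmp_type != pkt.icmp_type:
                continue
            e.hits += 1
            if e.action == "deny":
                self.log.append(f"denied {direction} {pkt.proto} {pkt.src} -> {pkt.dst}")
                return False
            if e.reflect:
                self._mirror(e.reflect, pkt)
            return True
        self.log.append(f"implicit deny {direction} {pkt.proto} {pkt.src} -> {pkt.dst}")
        return False


def tcp_from(origin_is_router):
    """Open TCP/80 to REMOTE from the router or from INSIDE_HOST.

    Returns (reflexive entries created, SYN/ACK permitted, log lines)."""
    r = Router()
    src = ROUTER if origin_is_router else INSIDE_HOST
    syn = Packet("tcp", src, REMOTE, sport=40000, dport=80, local=origin_is_router)
    r.apply("out", syn)
    synack = Packet("tcp", REMOTE, src, sport=80, dport=40000)
    replied = r.apply("in", synack)
    return len(r.reflexive.get("REFLECTOUT", set())), replied, list(r.log)


def ping_from_router():
    """Router pings REMOTE; the reply is permitted by the explicit echo-reply line."""
    r = Router()
    req = Packet("icmp", ROUTER, REMOTE, icmp_type="echo-request", local=True)
    rep = Packet("icmp", REMOTE, ROUTER, icmp_type="echo-reply")
    return r.apply("out", req) and r.apply("in", rep) and r.inbound[1].hits == 1


if __name__ == "__main__":
    print("router-originated TCP:", tcp_from(True))
    print("host-originated TCP:  ", tcp_from(False))
    print("router ping works:    ", ping_from_router())
```

Running it shows zero REFLECTOUT entries and a logged deny for the router-originated connection, one entry and a permitted reply for the inside host, matching the counters the first poster saw. The practical defender-side reading is the one the third post gives: reflexive and inspection ACLs built on the outbound interface cannot protect or permit sessions the router itself initiates, so return traffic for the router's own management sessions has to be allowed by explicit inbound entries rather than by the reflexive list.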


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker