IPv6 ACL issues on Cisco Router
Shadow Hawkins on Sunday, 16 March 2008 02:46:11
Hello,
i have a problem regarding an IPv6 ACL on a Cisco 2801. I run IOS Version 12.4(15)T3 Advanced IP Services. You will find below, what I put in my configuration.
My problem is that the outbound acl never matches anything. For example Sixxs pings the tunnel endpoint every 30 minutes i can see the echo request in TU0-INBOUND. If i ping something i see the replies in TU0-INBOUND. But the match counters of TU0-OUTBOUND remain zero.
If i make a telnet like this 'telnet ipv6.google.com 80' i get '% Connection timed out; remote host not responding'. I would expect a match in line 3 of TU0-OUTBOUND and the router should create the temporary acl REFLECTOUT. But all what matches is the implicit deny of TU0-INBOUND causing the above time out. :-(
What am i missing here is it a bug or is there an error in my configuration?
Carsten
interface Tunnel0
description IPv6 uplink to SixXS
no ip address
ipv6 address 2A01:aaa:bbb:cc::d/64
ipv6 enable
ipv6 traffic-filter TU0-INBOUND in
ipv6 traffic-filter TU0-OUTBOUND out
tunnel source Dialer0
tunnel destination a.b.c.d
tunnel mode ipv6ip
!
ipv6 access-list TU0-INBOUND
permit icmp any host 2A01:aaa:bbb:cc::d echo-request
permit icmp any host 2A01:aaa:bbb:cc::d echo-reply
evaluate REFLECTOUT
deny ipv6 any any log-input
!
ipv6 access-list TU0-OUTBOUND
permit icmp host 2A01:aaa:bbb:cc::d any echo-reply
permit icmp host 2A01:aaa:bbb:cc::d any echo-request
permit tcp any any reflect REFLECTOUT
permit udp any any reflect REFLECTOUT
deny ipv6 any any log-input
IPv6 ACL issues on Cisco Router
Shadow Hawkins on Wednesday, 19 March 2008 22:17:08
Hi,
The 'bug' i described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet on the inside. Even though i had no end-to-end connectivity i could see packets matching the outbound acl which were created from a host on that subnet.
Carsten
IPv6 ACL issues on Cisco Router
Shadow Hawkins on Monday, 16 June 2008 14:17:02
I tried to use "ipv6 inspect" rules for this purpose (Cisco 877 12.4(15)T3
with advanced ip services feature set).
I think, the problem ist, that packets generated by the router itself
never passes an acess-list on the same router, the traffic generated
by the router itself will bypass the access-list, so you will never get
a match on the reflective access-list for traffic generated from your
router ...
This is not a bug, it is a feature (which i used with ipv4 for an interface,
which should provide ntp service for the connected network, but i wouldn't
the router to forward traffic between that interface and other interfaces).
With my tries with "ipv6 inspect", i see a similar effect (i think, because
"ip inspection" and "ipv6 inspection" is internally realized via temporary
access-lists, but i'm not really shure ...).
Posting is only allowed when you are logged in. |