Answers: IPv6 Standard ACL 1

certskills
By certskills September 9, 2016 09:10

The previous lab exercise requires you to configure a standard IPv6 ACL. The address range matching should be pretty straightforward. You also need to choose where to put the ACL, and for which direction of flow for the packets. As usual, check the requirements from the previous lab exercise and make your own answer first – it’s an exercise for you. Enjoy!

Answers

Figure 1: Two Router ROAS Topology for IPv6 Standard ACLs

Example 5: R2 Config

interface GigabitEthernet0/2.1
 ipv6 traffic-filter StdACL01 out
!
interface GigabitEthernet0/2.2
 ipv6 traffic-filter StdACL01 out
!
ipv6 access-list StdACL01
 deny ipv6 2001:0:0:10::/64 2001:0:0:30::/64
 deny ipv6 2001:0:0:10::/64 2001:0:0:40::/64
 deny ipv6 host 2001:0:0:20::100 2001:0:0:30::/64
 deny ipv6 host 2001:0:0:20::100 2001:0:0:40::/64
 permit ipv6 any any

Commentary

With this lab you were tasked with configuring a standard IPv6 ACL. The requirement to create a standard IPv6 ACL versus an extended IPv6 ACL is actually pretty subtle, because the difference in commands is not as obvious as it is with IPv4 standard and extended ACLs. In short, IPv6 ACLs that match only the source and destination IPv6 address fields are standard IPv6 ACLs. If your ACL matched only on the source and destination IPv6 addresses, then you met the first requirement.

Next, before choosing whether to place a particular address range as the source or destination address, you must choose both the location and direction for the ACL. The lab requirement wording listed source addresses from the IPv6 prefixes at the top of the figure, with destination prefixes at the bottom of the figure. You could have placed the ACL on either R1 or R2 in this case, and for either direction, and still met the lab’s requirements. For the purposes of this lab, the answer shows the ACL on router R2, for the direction from the upper subnets to the lower subnets. Also, the solution enables the ACL in the outbound direction on the ROAS subinterfaces (the subinterfaces of R2’s G0/2 physical interface).

The matching is relatively straightforward. The first requirement lists a source subnet of 2001:0:0:10::/64 and two destination subnets. To match for this requirement, you need two statements, one for each destination subnet. The second requirement is similar, with a source host address of 2001:0:0:20::100 and the same two destination subnets. In this case, the source address field can be matched with the host keyword before the host IPv6 address.

The ACL closes with a permit ipv6 any any command, which meets the requirement to permit all other traffic.
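To check the matching logic described above against sample packets, here is an added Python model of the ACL (not part of the original post, and not IOS code): it parses the Example 5 statements, accepts only source/destination-only statements (the standard IPv6 ACL form), and evaluates packets first-match, top to bottom.

```python
import ipaddress

# The ACL from Example 5, pasted as it would appear in a running config (constructed copy).
STD_ACL01 = """
ipv6 access-list StdACL01
 deny ipv6 2001:0:0:10::/64 2001:0:0:30::/64
 deny ipv6 2001:0:0:10::/64 2001:0:0:40::/64
 deny ipv6 host 2001:0:0:20::100 2001:0:0:30::/64
 deny ipv6 host 2001:0:0:20::100 2001:0:0:40::/64
 permit ipv6 any any
"""

def parse_operand(tokens):
    """Consume one address operand: 'any', 'host X', or 'prefix/len'. Returns (network, remaining tokens)."""
    tok = tokens[0]
    if tok == "any":
        return ipaddress.IPv6Network("::/0"), tokens[1:]
    if tok == "host":
        return ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.IPv6Network(tok, strict=False), tokens[1:]

def parse_acl(text):
    """Return a list of (action, src_net, dst_net) tuples in configured order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ipv6":
            continue  # header line, blank line, or a protocol other than plain 'ipv6'
        src, rest = parse_operand(tokens[2:])
        dst, rest = parse_operand(rest)
        if rest:
            # Extra fields (ports, flags, ...) mean this is an extended statement, not a standard one.
            raise ValueError("not a standard IPv6 ACL statement: " + line.strip())
        entries.append((tokens[0], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First-match lookup on source and destination address only, as a standard IPv6 ACL does."""
    s, d = ipaddress.IPv6Address(src_ip), ipaddress.IPv6Address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    # Implicit deny at the end of every IOS ACL; never reached here because of 'permit ipv6 any any'.
    # (IOS also implicitly permits IPv6 neighbor discovery before that deny; not modelled here.)
    return "deny"
```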

This lab also might have made you wonder if the ACL could have been applied to the G0/2 physical interface in this case, filtering all IPv6 traffic exiting the interface, and the answer is no. An ACL applied under physical interface G0/2 – not one of its subinterfaces – would be considered for packets routed out G0/2, but not for packets routed out its subinterfaces. So, as shown in the answer, the ipv6 traffic-filter StdACL01 out command is used as a subcommand on both subinterfaces.

7 Comments
Erjol
October 8, 2016 12:55 pm

Hi Wendell, if the ACL is applied instead on the R2 g0/1 interface in the inbound direction, would it be wrong?

thanks.

Kram
December 20, 2016 1:34 pm

Example 5 shows
interface GigabitEthernet0/2.2
ip traffic-filter StdACL01 out

should it not be
interface GigabitEthernet0/2.2
ipv6 traffic-filter StdACL01 out

Sunny
December 25, 2017 8:15 am

Can we apply the ACL on R1 g0/1 or on R2 g0/1?

Vadim
August 23, 2018 8:24 am

Dear Mr. Odom,

Unlike an IPv4 standard ACL, an IPv6 standard ACL has a destination part in its statements. Therefore it breaks the rule for standard ACLs of locating them close to the destination, in order to avoid filtering packets which are flowing to other destinations. As far as the destination is known in the statement, the matched packets can be filtered earlier. This will reduce unnecessary packets flowing through the network and processing by the routers. So, I would apply StdACL01 to R1’s Gi0/2.1 and Gi0/2.2 subinterfaces inbound.
What do you think?
Thank you in advance. Your labs are very interesting and useful. Much appreciated.

Best regards,
Vadim.
