From: marvin greenlee (marvin@ccbootcamp.com)
Date: Wed Mar 09 2005 - 21:14:24 GMT-3
The link local address is specific to the link. If you want to filter local
traffic from hosts on that link, you can use the link local address for
filtering.
********
R3(config)#ipv6 access-list nor4
R3(config-ipv6-acl)#deny FE80::250:54FF:FE7F:5EC1/128 any
R3(config-ipv6-acl)#permit any any
R3(config)#int eth0/0
R3(config-if)#ipv6 traffic-filter nor4 in
R3(config-if)#end
R3#ping FE80::250:54FF:FE7F:5EC1
Output Interface: Ethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::250:54FF:FE7F:5EC1, timeout is 2 seconds:
Packet sent with a source address of FE80::203:E3FF:FE89:1C81
.....
Success rate is 0 percent (0/5)
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int eth0/0
R3(config-if)#no ipv6 traffic-filter nor4 in
R3(config-if)#end
R3#ping FE80::250:54FF:FE7F:5EC1
Output Interface: Ethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::250:54FF:FE7F:5EC1, timeout is 2 seconds:
Packet sent with a source address of FE80::203:E3FF:FE89:1C81
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R3#
Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Wednesday, March 09, 2005 3:42 PM
To: marvin greenlee; Group Study
Subject: RE: ipv6 acl's [bcc][faked-from][bayes]
Thanks Marvin,
That makes sense.
So, would there ever be a good reason to use a link-local address in an ipv6
acl?
Based on what you just said, it doesn't sound like there would be, but maybe
that's just my inexperience with ipv6.
More generally, the only time I would need to use the link-local address to
configure something, as far as I know, is when I'm configuring layer 3 to
layer 2 mapping on p2m interfaces like with frame-relay or atm or bri.
Otherwise, the link-local address is there doing its thing in the background
and from a configuration point of view, I don't need to be concerned with
it.
Would you agree with that statement?
If not, where else do I need to be concerned with link-local addresses?
Thanks again,
Tim
-----Original Message-----
From: marvin greenlee [mailto:marvin@ccbootcamp.com]
Sent: Wednesday, March 09, 2005 6:27 PM
To: 'ccie2be'; Group Study
Subject: RE: ipv6 acl's [bcc][faked-from][bayes]
Link local addressing is per link. The link local address of R3 means
nothing to R1, because R1 is on a different link. Whether you need site
local or global depends on what addressing you have configured on R3. Does
R3 have a site-local address?
Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Wednesday, March 09, 2005 3:16 PM
To: Group Study
Subject: ipv6 acl's [bcc][faked-from][bayes]
Importance: Low
Hi guys,
When an ipv6 acl is being configured, which type of ipv6 address should be
used: global, link-local, site-local?
I'm sure the answer depends but can someone explain how I should think about
this so I know how to go about this.
Assume this topology:
         /-> r3
r1 --> r2
         \--> r4
For example, suppose I need to block all ipv6 traffic at r2 coming from r1
and going to r3.
r2 is connected to r3 and r4 via a p2m f/r interface. I want to place the
acl on r2's interface connected to r1.
So, the acl will filter based on destination ipv6 address. Which type of ipv6
address should be in the acl?
Does it matter?
Note that r3 interface has 2 types of ipv6 address: a link-local and a
global.
Thanks, Tim
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:44 GMT-3
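Added example, not part of the original thread or of any Cisco tooling: a small Python audit that reads ACL entries in the simple "action source destination" form shown above, flags every link-local term (which can only match traffic on the link where the ACL is applied), and recovers the MAC address behind a modified EUI-64 interface ID, since an entry pinned to such an address stops matching if the host's NIC changes. The function names and the 2001:DB8 entry are assumptions made for illustration.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SITE_LOCAL = ipaddress.ip_network("fec0::/10")  # deprecated by RFC 3879
ENTRY = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(\S+)\s*$", re.I)

def scope(addr):
    """Classify an IPv6 address by the scopes the thread discusses."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in SITE_LOCAL:
        return "site-local"
    return "multicast" if addr.is_multicast else "global"

def eui64_mac(addr):
    """Return the MAC behind a modified EUI-64 interface ID, or None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # interface ID was not derived from a 48-bit MAC
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(acl_lines):
    """List link-local terms in an ACL; each one matches on a single link only."""
    findings = []
    for line in acl_lines:
        m = ENTRY.match(line)
        if not m:
            continue  # not a simple "action source destination" entry
        for role, term in (("source", m.group(2)), ("destination", m.group(3))):
            if term.lower() == "any":
                continue
            net = ipaddress.ip_network(term, strict=False)
            if scope(net.network_address) != "link-local":
                continue
            host = net.network_address if net.prefixlen == 128 else None
            findings.append({"entry": line.strip(), "role": role,
                             "mac": eui64_mac(host) if host else None})
    return findings

# First and last entries are from the thread; the middle one is constructed
# (documentation prefix) to show a global-scope term passing the audit.
ACL = ["deny FE80::250:54FF:FE7F:5EC1/128 any",
       "deny any 2001:DB8:0:23::3/128",
       "permit any any"]

if __name__ == "__main__":
    for f in audit(ACL):
        print(f"{f['entry']!r}: link-local {f['role']}, on-link only, MAC {f['mac']}")
```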