RE: acl query

From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Jul 20 2005 - 09:01:52 GMT-3


Thank you Bob.

I knew I had seen this somewhere but couldn't remember where or all the
details.

So, let me make sure I've got this right. Let's say this is my scenario.

R1 s0 --- R2 ---- s0 R3

Between R1 and R3 is an ipv6 in ipv4 tunnel where int s0 on both R1 and R3
are the physical endpoints.

I also have an inbound acl on R1's s0 int. To make sure the ipv6 tunneled
traffic isn't blocked, the acl needs to include this entry:

access-list 100 permit 41 any any

Is this correct?

Thanks again, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Bob
Sinclair
Sent: Wednesday, July 20, 2005 7:31 AM
To: ccie2be; 'Jaycee Cockburn - BCX SS'; Group Study
Subject: Re: acl query

Hi Tim,

Protocol 41 matches on IPV6-over-IPV4 tunnel traffic. See RFC 3056.

HTH,

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net

  ----- Original Message -----
  From: ccie2be
  To: 'Jaycee Cockburn - BCX SS' ; Group Study
  Sent: Wednesday, July 20, 2005 5:32 AM
  Subject: RE: acl query

  Hi JC,

  Thanks for getting back to me on this.

  What you say makes sense to me. But, if ipv6 and ipv4 are not related,
  what's the point of using an ipv4 acl like this:

  access-list 100 permit 41 any any

  where 41 is the protocol number for ipv6.

  I know I've seen example scenarios where this was needed but I can't find
  them now.

  TIA, Tim

  -----Original Message-----
  From: Jaycee Cockburn - BCX SS [mailto:Jaycee.Cockburn@bcx.co.za]
  Sent: Wednesday, July 20, 2005 12:20 AM
  To: ccie2be
  Subject: RE: acl query
  Importance: High

  Hi All,
  Sorry, let's try again....

  IPv6 and IPv4 are different protocols, so IPv6 won't be affected by any
  IPv4 access-lists...

  To create and apply IPv6 access-list:

  ipv6 access-list EXAMPLE
   permit icmp any any
   permit tcp any any eq telnet

  interface FastEthernet0/0
   no ip address
   duplex auto
   speed auto
   ipv6 traffic-filter EXAMPLE in

  You can see that IPv6 and IPv4 are separate and thus won't interfere
  with each other...

  Regards
  JC

  -----Original Message-----
  From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
  ccie2be
  Sent: 20 July 2005 12:55 AM
  To: Group Study
  Subject: acl query

  Hi guys,

  I've got a dumb acl question.

  R1 ------- s0 R2

  I apply an acl inbound on s0 that explicitly allows only icmp, ripv2,
  telnet, and snmp.

  If an ipv6 packet arrives from R1, will that packet be blocked by the
  acl?

  Why or why not?

  I don't have access to any ipv6 routers at the moment to test this out
  but I vaguely recall that if I have an acl and I want to allow ipv6
  traffic I have to explicitly configure something like this:

  permit 41 any any

  Any thoughts?

  TIA, Tim

  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html
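
Added example, not part of the original thread: a small Python model of first-match IPv4 ACL evaluation covering the two cases discussed above, native IPv6 (never seen by an IPv4 ACL) and IPv6 tunneled in IPv4 (IP protocol 41, dropped by the implicit deny unless permitted). The ACL model (protocol and destination port only), the helper names and the 192.0.2.x / 2001:db8:: addresses are assumptions constructed for illustration.

```python
import struct

# Simplified extended-ACL entries: (action, IP protocol number, dest port or None)
ACL_BEFORE = [
    ("permit", 1, None),    # icmp
    ("permit", 17, 520),    # RIPv2 (udp/520)
    ("permit", 6, 23),      # telnet
    ("permit", 17, 161),    # snmp
]
# Same list plus the entry from the thread: access-list 100 permit 41 any any
ACL_AFTER = ACL_BEFORE + [("permit", 41, None)]

def ipv4(proto, payload, src="192.0.2.1", dst="192.0.2.3"):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def ipv6(next_header=59, payload=b""):
    """Build a minimal 40-byte IPv6 header (constructed documentation addresses)."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "03")
    first_word = 6 << 28    # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB", first_word, len(payload), next_header, 64) + src + dst + payload

def ipv4_acl(acl, packet):
    """Return 'permit', 'deny', or 'not-evaluated' for one layer-3 packet."""
    if packet[0] >> 4 != 4:
        # Native IPv6 is filtered by 'ipv6 traffic-filter', not by an IPv4 ACL.
        return "not-evaluated"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dport = None
    if proto in (6, 17) and len(packet) >= ihl + 4:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    for action, p, port in acl:             # first match wins
        if p == proto and (port is None or port == dport):
            return action
    return "deny"                           # implicit deny at the end of every ACL

if __name__ == "__main__":
    tunneled = ipv4(41, ipv6())             # IPv6 carried inside IPv4, protocol 41
    print("native IPv6  :", ipv4_acl(ACL_BEFORE, ipv6()))
    print("tunneled, old:", ipv4_acl(ACL_BEFORE, tunneled))
    print("tunneled, new:", ipv4_acl(ACL_AFTER, tunneled))
```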




This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3