On 25/07/2017 19:07, Gert Doering wrote:
> Hi,
>
> On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
>> Why would you ever do it for normal traffic?
>
> I'm not sure that was a question asked in this thread :-)
>
>> And why would ACLs be relevant for on-link traffic?
>
> Interface ACLs are relevant for all packets leaving or entering an
> interface, generally...

Yes, but why are they relevant except for routers? I didn't see anything
in the original message that limited its scope to routers. Most nodes
aren't routers. I don't expect to see ACLs on normal hosts.

> So, to stay with Tore's example, if you want to make NDP work on an IXP,
> you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> up needing quite a number of lines to cover all cases

Fair enough. IXPs are a bit of a special case, though.

    Brian

>
> #sh access-lists ipv6 internet-ipv6-in | inc icmp
> 20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
> 30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
> 40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
> 50 permit icmpv6 any ff02::/64 135 0
> 60 permit icmpv6 fe80::/64 fe80::/64 135 0
> 70 permit icmpv6 any fe80::/64 135 0
> 80 permit icmpv6 any fe80::/64 136 0
> 90 permit icmpv6 any host ff02::1 136 0
> 100 deny icmpv6 any any 135 log
> 110 deny icmpv6 any any 136 log
>
> (Example for DECIX which uses 2001:7f8::/64 on-link)
>
> Gert Doering
>         -- NetMaster
>
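As an added illustration (not code from the thread or from any vendor), the ACL Gert quoted modelled as a first-match filter in Python and run over constructed NDP packets, to show which of the fe80/GUA/multicast combinations each line covers and why a Neighbor Advertisement with a hop limit other than 255 falls through to the deny entry. It assumes Cisco-style first-match evaluation, that `ttl eq 255` tests the IPv6 hop limit, and an implicit deny after the last entry.

```python
import ipaddress
# The ACL quoted in the thread, verbatim (DE-CIX peering LAN 2001:7f8::/64).
IXP_ACL = """
20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
50 permit icmpv6 any ff02::/64 135 0
60 permit icmpv6 fe80::/64 fe80::/64 135 0
70 permit icmpv6 any fe80::/64 135 0
80 permit icmpv6 any fe80::/64 136 0
90 permit icmpv6 any host ff02::1 136 0
100 deny icmpv6 any any 135 log
110 deny icmpv6 any any 136 log
"""
def _addr(tokens, i):  # 'any' -> None (matches all), 'host X' -> /128, else a prefix
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(tokens[i]), i + 1

def parse_acl(text):
    """Return rules as (seq, action, src, dst, icmp_type, icmp_code, hop_limit)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                       # t[0]=seq t[1]=action t[2]=icmpv6
        src, i = _addr(t, 3)
        dst, i = _addr(t, i)
        typ, i = int(t[i]), i + 1
        code = int(t[i]) if i < len(t) and t[i].isdigit() else None  # None = any code
        ttl = int(t[t.index("eq") + 1]) if "ttl" in t else None      # 'ttl' = hop limit
        rules.append((int(t[0]), t[1], src, dst, typ, code, ttl))
    return rules

def evaluate(rules, src, dst, icmp_type, hop_limit, icmp_code=0):
    """First-match lookup (assumed); (None, 'deny') is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rsrc, rdst, rtype, rcode, rttl in rules:
        if (rtype == icmp_type and (rcode is None or rcode == icmp_code)
                and (rsrc is None or s in rsrc) and (rdst is None or d in rdst)
                and (rttl is None or hop_limit == rttl)):
            return seq, action
    return None, "deny"
CASES = [  # constructed NDP packets: (src, dst, ICMPv6 type 135=NS/136=NA, hop limit)
    ("fe80::1", "2001:7f8::1", 135, 255),      # link-local -> GUA NS: line 20
    ("2001:7f8::1", "2001:7f8::2", 136, 255),  # GUA -> GUA NA at hop limit 255: line 40
    ("2001:7f8::1", "2001:7f8::2", 136, 254),  # same NA with hop limit 254: deny, line 110
    ("fe80::1", "ff02::1:ff00:2", 135, 255),   # NS to solicited-node group: line 50
    ("2001:7f8::1", "fe80::2", 136, 255),      # NA back to a link-local peer: line 80
]
```

Calling `evaluate(parse_acl(IXP_ACL), *case)` for each entry of `CASES` returns the matching sequence number and action noted in the comments.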
