IPv6 Access-list on Cisco IOS

Thanks :)

It appears that if you need to have RSs on the link, you will need to allow them in your IPv6 access list. The RAs wouldn’t need to be let through because they aren’t coming inbound; the router is sending them out.

permit icmp any any router-solicitation

Hello Justin

As soon as a host is configured with IPv6 autoconfig, it sends out a router solicitation (RS). RS messages are not included within the implicit permit statements on IPv6 ACLs, so if you want to use them you must indeed include them in an additional permit statement as you mention.

Note that the ND-NA and ND-NS indicators on the two permit statements include Neighbor Advertisements and Neighbor Solicitation messages, and not RAs and RSs.

For Router Advertisements (RAs), however, you do not need to include these. Even if you create an IPv6 ACL in an outgoing direction, the RAs will not be filtered because ACLs only filter transient traffic and not traffic initiated by the router itself.

I hope this has been helpful!

Laz
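The inbound filter discussed in this thread, written out as an added example that is not part of either post. The ACL name LAN-IN, the interface, and the 2001:DB8:0:1::/64 documentation prefix are assumptions; the example also adds an explicit final deny, which is why the NS/NA permits are listed by hand.

```cisco
! Constructed example: LAN-IN, GigabitEthernet0/1 and 2001:DB8:0:1::/64
! are placeholder values, not taken from the thread.
ipv6 access-list LAN-IN
 ! Hosts using autoconfig send Router Solicitations (ICMPv6 type 133).
 ! These are not covered by the implicit permits, so allow them explicitly.
 permit icmp any any router-solicitation
 ! NS/NA are implicitly permitted only ahead of the implicit deny.
 ! Because an explicit deny is configured below, they must be listed here,
 ! otherwise neighbor discovery on the segment stops working.
 permit icmp any any nd-ns
 permit icmp any any nd-na
 ! Ordinary traffic sourced from the LAN prefix.
 permit ipv6 2001:DB8:0:1::/64 any
 ! Explicit final deny so that dropped packets are counted and logged.
 deny ipv6 any any log
!
interface GigabitEthernet0/1
 ipv6 address 2001:DB8:0:1::1/64
 ! Inbound only: no router-advertisement entry is needed, since the RAs
 ! are generated by the router itself and sent out of this interface.
 ipv6 traffic-filter LAN-IN in
```

After a host on the segment autoconfigures, `show ipv6 access-list LAN-IN` should show the match counter on the router-solicitation entry incrementing.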