IPv6 filtering

• Previous message (by thread): IPv6 filtering
• Next message (by thread): IPv6 filtering
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/25/2011 9:25 PM, Owen DeLong wrote:
>
> DO NOT filter IPv6 ICMP like you filter IPv4.
>
> If you do, you will break PMTU-Discovery, Neighbor Discovery,
> and RA/SLAAC, all of which depend on ICMPv6.
>

This can bite you in unexpected ways, too.  For example, on a Cisco ASA,
if you add a system-level 'icmpv6 permit' line and if this does not
include ND, then you break ND responses to the ASA.  This is much unlike
ARP, which is unaffected by 'icmp permit' statements for IPv4.  And, the
default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This
seems so obvious in retrospect, but at the time was a bit of a
head-scratcher.

Mark

-- 
Mark D. Nagel, CCIE #3177 <mnagel at willingminds.com>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 949-623-9854

*** Please send support requests to support at willingminds.com! *** 

• Previous message (by thread): IPv6 filtering
• Next message (by thread): IPv6 filtering
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]