Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Cisco IOS inspect filters  (Read 13658 times)

lobotiger

Re: Cisco IOS inspect filters
« Reply #15 on: April 19, 2010, 11:27:53 AM »

Here's what I have for my ACL:

ipv6 access-list IPV6_EXTERNAL_ACL
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any echo-reply
 permit icmp any any hop-limit
 permit icmp any any time-exceeded
 permit tcp any host 2001:470:xxxx::2 eq 51720
 permit udp any host 2001:470:xxxx::2 eq 51720
 deny ipv6 any any log
!

Should there be a line to add or remove then?  FYI, I mostly see these logs being generated when bittorrent traffic is running.

LoboTiger

jimb

Re: Cisco IOS inspect filters
« Reply #16 on: April 19, 2010, 06:02:50 PM »

Everything you deny is being logged as per your deny statement.  The BT traffic is probably causing lots of echo requests because some BT clients, namely uTorrent, have an option to turn on Teredo and lots of people switch it on.

If you want to get rid of the log entries, you can allow echo requests.  But this will also allow your IPv6 hosts to be pinged of course.  Alternatively, if you want to get rid of the log entries while still disallowing ping, you can put a separate deny entry in there before the last deny to specifically deny echo request, and not put the log option in.  Then pings will be silently dropped.
« Last Edit: April 19, 2010, 06:04:49 PM by jimb »
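jimb's second option applied to lobotiger's ACL, as an added illustration that is not part of the original thread (the 2001:470:xxxx::2 placeholder is kept from the post; the inserted line is the only change, and the alternative of permitting echo requests is shown as a comment):

```cisco
! Added example: silently drop ICMPv6 echo requests so they no longer
! hit the final logged deny. Everything else is unchanged from the post.
ipv6 access-list IPV6_EXTERNAL_ACL
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any echo-reply
 permit icmp any any hop-limit
 permit icmp any any time-exceeded
 permit tcp any host 2001:470:xxxx::2 eq 51720
 permit udp any host 2001:470:xxxx::2 eq 51720
 ! Matched before the catch-all deny; no "log" keyword, so pings
 ! (including the Teredo-driven ones from BitTorrent peers) are dropped
 ! without generating a syslog entry.
 deny icmp any any echo-request
 ! Alternative (jimb's first option): replace the line above with
 !   permit icmp any any echo-request
 ! to allow inbound ping; the log noise disappears either way.
 deny ipv6 any any log
!
```

Order matters: the unlogged echo-request entry must sit above `deny ipv6 any any log`, since IOS evaluates ACL entries top-down and stops at the first match.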