Hurricane Electric's IPv6 Tunnel Broker Forums

Cisco IOS inspect filters

Started by mikea, March 04, 2010, 08:54:56 PM

lobotiger

Here's what I have for my ACL:

ipv6 access-list IPV6_EXTERNAL_ACL
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any echo-reply
permit icmp any any hop-limit
permit icmp any any time-exceeded
permit tcp any host 2001:470:xxxx::2 eq 51720
permit udp any host 2001:470:xxxx::2 eq 51720
deny ipv6 any any log
!

Should there be a line to add or remove then? FYI, I mostly see these logs being generated when bittorrent traffic is running.

LoboTiger

jimb

#16
Everything you deny is being logged as per your deny statement. The BT traffic is probably causing lots of echo requests because some BT clients, namely uTorrent, have an option to turn on Teredo and lots of people switch it on.

If you want to get rid of the log entries, you can allow echo requests. But this will also allow your IPv6 hosts to be pinged of course. Alternatively, if you want to get rid of the log entries while still disallowing ping, you can put a separate deny entry in there before the last deny to specifically deny echo request, and not put the log option in. Then pings will be silently dropped.
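For reference, here is lobotiger's ACL rewritten with jimb's second option applied. This is an added illustration, not config posted by either of them; the host address keeps the xxxx redaction from the original post, and the remark lines are only annotations.

```cisco
ipv6 access-list IPV6_EXTERNAL_ACL
 remark ND must be permitted explicitly: an explicit "deny ipv6 any any"
 remark overrides the implicit nd-na/nd-ns permits at the end of an IPv6 ACL
 permit icmp any any nd-na
 permit icmp any any nd-ns
 remark replies and errors for traffic this side originated
 permit icmp any any echo-reply
 permit icmp any any hop-limit
 permit icmp any any time-exceeded
 remark inbound service on the tunnel endpoint (address redacted as in the post)
 permit tcp any host 2001:470:xxxx::2 eq 51720
 permit udp any host 2001:470:xxxx::2 eq 51720
 remark drop inbound pings silently: no "log" keyword, and this line must sit
 remark BEFORE the logged catch-all, since the ACL is evaluated first match wins
 deny icmp any any echo-request
 remark everything else is still dropped and logged, so the log now shows only
 remark traffic you have not explicitly classified
 deny ipv6 any any log
!
```

If the echo-request deny were placed after the final deny it would never be reached, and every ping would still be logged.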