In Packet Tracer, I have a private network with 5 different VLANs and inter-VLAN routing enabled on R1. These are connected via an edge router to an ISP. On interface S0/0/0 of R1, in the inbound direction, I have an IPv6 access list defined as follows:
ipv6 access-list ESTABLISHED_IPv6
permit icmp any any echo-reply
permit udp any host 2001:DB8:6:BC04::3 eq domain
permit tcp any host 2001:DB8:6:BC04::4 eq 443
permit tcp any 2001:DB8:6:BC00::/64 established
permit tcp any 2001:DB8:6:BC01::/64 established
permit tcp any 2001:DB8:6:BC02::/64 established
permit tcp any 2001:DB8:6:BC03::/64 established
The access list allows traffic to the DMZ for DNS and HTTPS, and to the VLANs if a connection has been opened from within the VLANs.
The problem is that this access list prevents OSPFv3 packets from reaching this router. How can I permit OSPFv3 packets in this access list?
Full config file of R1:
Current configuration : 4811 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable password class
!
!
!
!
!
!
ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
!
!
username Administrator password 0 Pasw0rd+
!
!
license udi pid CISCO1941/K9 sn FTX1524HE77-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.25
encapsulation dot1Q 25
ip address 1.0.0.4 255.255.255.248
ip access-group DMZ out
ipv6 address FE80::5 link-local
ipv6 address 2001:DB8:6:BC04::1/64
ipv6 ospf 1 area 0
standby 25 ip 1.0.0.1
standby 25 priority 105
standby 25 preempt
standby 25 track Serial0/0/0
!
interface GigabitEthernet0/1.240
encapsulation dot1Q 240
ip address 10.15.240.9 255.255.255.0
ip helper-address 10.15.242.13
ip access-group MITARBEITER in
ipv6 traffic-filter MITARBEITER_IPv6 in
ip nat inside
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:6:BC00::1/64
ipv6 ospf 1 area 0
standby 240 ip 10.15.240.1
standby 240 priority 105
standby 240 preempt
standby 240 track Serial0/0/0
!
interface GigabitEthernet0/1.241
encapsulation dot1Q 241
ip address 10.15.241.9 255.255.255.0
ip helper-address 10.15.242.13
ip access-group MGMT in
ipv6 traffic-filter MGMT_IPv6 in
ip nat inside
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:6:BC01::1/64
ipv6 ospf 1 area 0
standby 241 ip 10.15.241.1
standby 241 priority 105
standby 241 preempt
standby 241 track Serial0/0/0
!
interface GigabitEthernet0/1.242
encapsulation dot1Q 242
ip address 10.15.242.9 255.255.255.0
ip access-group SERVER in
ipv6 traffic-filter SERVER_IPv6 in
ip nat inside
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:6:BC02::1/64
ipv6 ospf 1 area 0
standby 242 ip 10.15.242.1
standby 242 priority 105
standby 242 preempt
standby 242 track Serial0/0/0
!
interface GigabitEthernet0/1.243
encapsulation dot1Q 243
ip address 10.15.243.9 255.255.255.0
ip access-group GAESTE in
ipv6 traffic-filter GAESTE_IPv6 in
ip nat inside
ipv6 address FE80::4 link-local
ipv6 address 2001:DB8:6:BC03::1/64
ipv6 ospf 1 area 0
standby 243 ip 10.15.243.1
standby 243 priority 105
standby 243 preempt
standby 243 track Serial0/0/0
!
interface Serial0/0/0
ip address 209.165.240.10 255.255.255.252
ip access-group ESTABLISHED in
ip nat outside
ipv6 address 2001:DB8:6:BC05::1/64
ipv6 ospf 1 area 0
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ipv6 router ospf 1
router-id 1.1.1.1
default-information originate
log-adjacency-changes
!
ip nat inside source list NAT interface Serial0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
!
ip access-list extended NAT
permit ip 10.15.240.0 0.0.0.255 any
permit ip 10.15.241.0 0.0.0.255 any
permit ip 10.15.242.0 0.0.0.255 any
permit ip 10.15.243.0 0.0.0.255 any
ip access-list extended SERVER
permit ip 10.15.242.0 0.0.0.255 any
ip access-list extended MGMT
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit ip 10.15.241.0 0.0.0.255 any
ip access-list extended ESTABLISHED
permit icmp any any echo-reply
permit udp any host 1.0.0.2 eq domain
permit tcp any host 1.0.0.3 eq 443
permit tcp any 1.0.0.0 0.0.0.248 established
permit tcp any 10.15.240.0 0.0.0.255 established
permit tcp any 10.15.241.0 0.0.0.255 established
permit tcp any 10.15.242.0 0.0.0.255 established
permit tcp any 10.15.243.0 0.0.0.255 established
ip access-list extended MITARBEITER
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
deny ip 10.15.240.0 0.0.0.255 10.15.241.0 0.0.0.255
permit ip 10.15.240.0 0.0.0.255 any
ip access-list extended GAESTE
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
deny ip 10.15.243.0 0.0.0.255 10.15.241.0 0.0.0.255
permit ip 10.15.243.0 0.0.0.255 any
ipv6 access-list MITARBEITER_IPv6
deny ipv6 2001:DB8:6:BC00::/64 2001:DB8:6:BC01::/64
permit ipv6 2001:DB8:6:BC00::/64 any
ipv6 access-list MGMT_IPv6
permit ipv6 2001:DB8:6:BC01::/64 any
ipv6 access-list SERVER_IPv6
permit ipv6 2001:DB8:6:BC02::/64 any
ipv6 access-list GAESTE_IPv6
deny ipv6 2001:DB8:6:BC03::/64 2001:DB8:6:BC01::/64
permit ipv6 2001:DB8:6:BC03::/64 any
ipv6 access-list ESTABLISHED_IPv6
permit icmp any any echo-reply
permit udp any host 2001:DB8:6:BC04::3 eq domain
permit tcp any host 2001:DB8:6:BC04::4 eq 443
permit tcp any 2001:DB8:6:BC00::/64
permit tcp any 2001:DB8:6:BC01::/64
permit tcp any 2001:DB8:6:BC02::/64
permit tcp any 2001:DB8:6:BC03::/64
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
EDIT: Router model is 1941. Firmware is version 15.1.
Best Answer
OSPF doesn't use a transport-layer protocol but rides as protocol number 89 directly on top of IP.
Depending on the router model, an inbound ACL entry looks like this:
or
or
EDIT: permit ? does return icmp, ipv6, tcp, udp. So it seems that OSPF is not available in Packet Tracer.
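A concrete version of the answer's point, written here as an added example for a real IOS 15.x router whose IPv6 ACL accepts a raw protocol number; it is not part of the question, the answer, or Cisco documentation, and the EDIT above reports that Packet Tracer's `permit ?` does not offer such an entry, so these lines are not expected to parse there. OSPFv3 sends Hellos from the router's link-local address to FF02::5, DR/BDR traffic to FF02::6, and, on a point-to-point link such as Serial0/0/0, the database exchange as unicast between the two link-local addresses, so the entries below permit protocol 89 only from link-local sources to those destinations rather than `permit 89 any any`. The two ND entries and the final deny restate what IOS applies implicitly at the end of every IPv6 ACL (`permit icmp any any nd-na`, `permit icmp any any nd-ns`, `deny ipv6 any any`); they are made explicit because an explicit logging deny is matched before the implicit entries and would otherwise block neighbor discovery on the link. The `established` entries are copied from the question; the `ipv6 traffic-filter` line is an assumption, since the question says the list is applied inbound on Serial0/0/0 but the pasted configuration shows only the IPv4 `ip access-group ESTABLISHED in` on that interface.

```ios
ipv6 access-list ESTABLISHED_IPv6
 remark OSPFv3 is IP protocol 89 and never leaves the link: link-local source to
 remark AllSPFRouters (FF02::5), AllDRouters (FF02::6) or the neighbor's link-local
 permit 89 FE80::/10 host FF02::5
 permit 89 FE80::/10 host FF02::6
 permit 89 FE80::/10 FE80::/10
 remark entries from the question, unchanged
 permit icmp any any echo-reply
 permit udp any host 2001:DB8:6:BC04::3 eq domain
 permit tcp any host 2001:DB8:6:BC04::4 eq 443
 permit tcp any 2001:DB8:6:BC00::/64 established
 permit tcp any 2001:DB8:6:BC01::/64 established
 permit tcp any 2001:DB8:6:BC02::/64 established
 permit tcp any 2001:DB8:6:BC03::/64 established
 remark the implicit tail of every IOS IPv6 ACL, made explicit so the
 remark logging deny below does not swallow neighbor discovery
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any log
!
interface Serial0/0/0
 ! applying the list inbound on the ISP-facing interface is assumed here;
 ! the pasted configuration shows only the IPv4 ip access-group on S0/0/0
 ipv6 traffic-filter ESTABLISHED_IPv6 in
```

After applying it, `show ipv6 ospf neighbor` should show the edge router back in FULL state and `show ipv6 access-list ESTABLISHED_IPv6` should show match counters climbing on the protocol 89 entries rather than on the final deny. Restricting the source to FE80::/10 matters on an ISP-facing interface: link-local packets are never forwarded, so only the directly attached peer can hit these entries, and a globally addressed OSPF packet injected from further away still falls through to the deny. Two caveats remain. `established` matches any TCP segment with the ACK or RST bit set and keeps no state, so it is a filter on flags, not a session table. And OSPFv3 carries no authentication of its own; on real IOS it relies on per-interface IPsec AH/ESP (RFC 4552), which is the control that actually protects the adjacency once protocol 89 is permitted.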