ACL - IPv6 implicit statements

IPv6 access lists have three invisible implicit statements at the very end of each access list. These are:

  • permit icmp any any nd-na
  • permit icmp any any nd-ns
  • deny ipv6 any any

They are there to ensure that the operation of IPv6 neighbor discovery is not hindered in any way. Specifically, these implicit statements permit neighbor advertisement (NA) and neighbor solicitation (NS) messages.

These implicit statements require some additional care when implementing related services. For example, router solicitation (RS) and router advertisement (RA) messages are not covered by the implicit permits and would be denied by an IPv6 ACL by default, so if you need such messages to be exchanged, ensure that they have been permitted explicitly as well.

Similarly, if you explicitly add a deny ipv6 any any statement at the end of your IPv6 ACL, make sure to explicitly add the two permit statements for neighbor discovery just before this final statement; otherwise the explicit deny matches NA and NS traffic before the implicit permits are ever reached, and neighbor discovery will be dropped.

Remember, ACLs will not filter locally generated traffic, so any ACLs applied on the interface of a router will not affect RS, RA, NS or NA messages created and sent from the router itself.
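The following Cisco IOS configuration is an added example, not taken from the page or the linked articles. It shows the two ways of ending an IPv6 ACL described above: one that relies on the implicit statements, and one that adds an explicit deny ipv6 any any and therefore must carry its own neighbor discovery permits. The ACL names (LAN-IN-IMPLICIT, LAN-IN-EXPLICIT), the interface GigabitEthernet0/1 and the 2001:db8::/32 documentation prefix are assumptions chosen for illustration.

```cisco
! --- Variant 1: rely on the implicit statements ---
! Nothing here mentions neighbor discovery. NA and NS are still permitted
! by the invisible trailing "permit icmp any any nd-na / nd-ns", and
! everything else that is not listed is dropped by the implicit deny.
! RS and RA are NOT covered, so hosts behind Gi0/1 could not send RS
! through this ACL if it were applied inbound.
ipv6 access-list LAN-IN-IMPLICIT
 remark assumed example: web server in the documentation prefix
 permit tcp any host 2001:db8:1::10 eq 443
 permit icmp any any echo-request
 permit icmp any any echo-reply
!
! --- Variant 2: explicit final deny (typically added to log drops) ---
! Once "deny ipv6 any any" is written out, the implicit permits for
! neighbor discovery are never reached, so they have to be restated
! BEFORE the deny. RS/RA are added here as well because the page notes
! they are denied by default; permit RA inbound only on interfaces
! where another router is expected to be sending it.
ipv6 access-list LAN-IN-EXPLICIT
 remark assumed example: same payload rules as above
 permit tcp any host 2001:db8:1::10 eq 443
 permit icmp any any echo-request
 permit icmp any any echo-reply
 remark neighbor discovery must precede the explicit deny
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-solicitation
 permit icmp any any router-advertisement
 deny ipv6 any any log
!
! Apply one of the lists to the interface. This filters transit and
! inbound traffic only; RS/RA/NS/NA generated by this router itself are
! not evaluated by the ACL, as the page states.
interface GigabitEthernet0/1
 ipv6 traffic-filter LAN-IN-EXPLICIT in
!
! Verification: hit counters on the ND lines confirm neighbor discovery
! is matching the explicit permits rather than the final deny.
! show ipv6 access-list LAN-IN-EXPLICIT
```

A quick way to notice the mistake in practice is a rising counter on the deny ipv6 any any log line accompanied by neighbors stuck in INCMP state in show ipv6 neighbors; that pattern points at ND being dropped by an explicit deny that was not preceded by the nd-na and nd-ns permits.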

Links:

https://forum.networklessons.com/t/ipv6-access-list-on-cisco-ios/1262/23?u=lagapides

https://networklessons.com/ipv6/ipv6-access-list-on-cisco-ios

https://networklessons.com/ipv6/ipv6-neighbor-discovery-protocol-on-cisco-router
