IPv6 ACL Blocking NDP — Neighbor Discovery Fails
Presenting Symptom
Hosts on the same VLAN cannot communicate via IPv6; pings fail and neighbor solicitations are unanswered.
Network Context
A small branch office with a single Cisco Catalyst 2960 switch (IOS 15.2) and a Cisco 4321 router. Hosts are connected to the switch and configured with static IPv6 addresses on the same /64 subnet. The router provides the default gateway and has an IPv6 ACL applied inbound on the VLAN interface to filter traffic. The issue began after the ACL was applied.
Diagnostic Steps
Check IPv6 neighbor table on the router
show ipv6 neighbors
IPv6 Address                 Age Link-layer Addr  State Interface
2001:db8:1::1                -   aaaa.bbbb.cccc   REACH GigabitEthernet0/0.10
2001:db8:1::100              0   xxxx.yyyy.zzzz   STALE GigabitEthernet0/0.10
If the neighbor entry for the host remains INCOMPLETE or never reaches REACH, the router is not receiving Neighbor Advertisements. This suggests the ACL might be blocking NDP messages.
Verify IPv6 ACL configuration on the router
show ipv6 access-list
IPv6 access-list BLOCK-NDP
    deny ipv6 any any (10 matches) sequence 10
    permit icmp any any (0 matches) sequence 20
If the ACL has a 'deny ipv6 any any' entry before any permit statements, it blocks all IPv6 traffic, including NDP (Neighbor Solicitation and Neighbor Advertisement), because the first matching entry wins. Check the order of entries; NDP uses ICMPv6 types 135 (NS) and 136 (NA). Here the 10 matches on the deny entry and 0 matches on the permit entry show that the permit is never reached.
Check if NDP packets are being dropped by the ACL
show ipv6 interface GigabitEthernet0/0.10 | include access list
  Inbound access list is BLOCK-NDP
  Outbound access list is not set
This confirms the ACL is applied inbound. Then check the ACL hit counts ('show ipv6 access-list') to see whether NDP packets are being matched by the deny entry.
Enable debug to see NDP packet flow (optional, with caution)
debug ipv6 nd
ICMPv6-ND: Sending NS for 2001:db8:1::100 on GigabitEthernet0/0.10
ICMPv6-ND: Received NA from 2001:db8:1::100 on GigabitEthernet0/0.10
If NS messages are sent but no NA is received, the ACL is likely blocking the incoming NAs. If no NS messages are sent at all, the issue may be elsewhere.
Root Cause
The IPv6 ACL applied inbound on the router's VLAN interface has a 'deny ipv6 any any' statement before any permit statements, which blocks all IPv6 traffic including Neighbor Discovery Protocol (NDP) messages (Neighbor Solicitations and Advertisements). This prevents hosts from resolving each other's MAC addresses and establishing communication.
Resolution
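As an added example (not configuration from the original page), the misordered ACL from this scenario beside a corrected ordering in Cisco IOS syntax; the corrected ACL name and the use of GigabitEthernet0/0.10 as the VLAN sub-interface are assumptions.

```cisco
! Added example; ACL name PERMIT-NDP-THEN-DENY and the interface are assumptions.
! BEFORE: the misordered ACL from the scenario. First match wins, so the deny
! drops every IPv6 packet, including ICMPv6 NS (135) and NA (136); the permit
! that follows is never evaluated.
ipv6 access-list BLOCK-NDP
 deny ipv6 any any
 permit icmp any any
!
! AFTER: permit the NDP message types explicitly before any deny statement.
! Type 133 RS, 134 RA, 135 NS, 136 NA, 137 Redirect.
! IOS adds implicit nd-ns/nd-na permits just before the implicit deny, but an
! explicit 'deny ipv6 any any' above them makes them unreachable, so permit
! NDP yourself. The final deny keeps the original blocking intent and logs hits.
ipv6 access-list PERMIT-NDP-THEN-DENY
 remark -- NDP must pass before any deny (ICMPv6 types 133-137) --
 permit icmp any any 133
 permit icmp any any 134
 permit icmp any any 135
 permit icmp any any 136
 permit icmp any any 137
 remark -- add the traffic this branch actually needs here, before the deny --
 deny ipv6 any any log
!
! Swap the inbound filter on the VLAN sub-interface.
interface GigabitEthernet0/0.10
 no ipv6 traffic-filter BLOCK-NDP in
 ipv6 traffic-filter PERMIT-NDP-THEN-DENY in
end
!
! Verify: hit counts should now land on the 135/136 permits, not the deny,
! and neighbor entries should reach the REACH state.
show ipv6 access-list PERMIT-NDP-THEN-DENY
show ipv6 neighbors
```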
Verification
1. Check ACL counters: 'show ipv6 access-list' should show matches on the permit entries for NDP.
2. Check the neighbor table: 'show ipv6 neighbors' should show the REACH state for hosts.
3. Test connectivity: ping between hosts should succeed.
Prevention
1. Always permit the necessary ICMPv6 types (especially NDP: 133-137) before any deny statements in IPv6 ACLs.
2. Use the 'remark' command to document ACL entries.
3. Test ACLs in a lab before deploying them to production.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why IPv6 hosts cannot communicate. The exam tests understanding that IPv6 relies on NDP (ICMPv6) and that ACLs must permit these messages. Expect multiple-choice or drag-and-drop questions asking to order ACL entries correctly.
Exam Tips
Remember that NDP uses ICMPv6 types 135 (NS) and 136 (NA).
In IPv6 ACLs, the implicit deny at the end blocks all traffic, so you must explicitly permit NDP.
Use 'show ipv6 access-list' to check hit counts and identify which entry is blocking traffic.
Commands Used in This Scenario