[c-nsp] c3560 IPv6 and ACL

Olof Kasselstrand olof.kasselstrand at gmail.com
Mon Nov 16 06:43:19 EST 2009


Hi,

What happens if you drop the "host" keyword and add /128 to the host address?

// Olof

On Mon, Nov 16, 2009 at 11:56 AM, Primoz Jeroncic <jp at softnet.si> wrote:
> Hi
>
> We are slowly moving toward IPv6 implementation in production, so I came to
> ACLs. I would want to have some protection for our servers,
> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
> Problem is, that it looks like I can't make host based ACL entries
> on c3560. If I try to add line for SMTP server I get following:
>
> interface FastEthernet0/1
>  no switchport
>  ipv6 address xxxx:xxxx:0:3::1/64
>  ipv6 enable
>  ipv6 traffic-filter fw-ipv6 out
>
> test(config)#ipv6 access-list fw-ipv6
> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
> % Host address xxxx:xxxx:0:3::2 can not be supported
> % ACE can not be added
> % Failed to add access list
>
> If I try to do same thing on c12008, it works without problems.
>
> Any idea how to solve this problem?
>
> PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case
> this matters. And preferred SDM template is "desktop IPv4 and IPv6 routing".
>
> Have fun,
> Primoz Jeroncic
> Support - IP Connectivity & Routing
> -------------------------------------------------------------------
> Softnet d.o.o.  tel:  +386 1 562 31 40   |
> Borovec 2       fax:  +386 1 562 18 55   |       1 + 1 = 3
> 1236 Trzin      primoz(at)softnet.si     | for larger values of 1
> Slovenija       http://flea.softnet.si/
> -------------------------------------------------------------------