[c-nsp] Blocking IPV6 with VACL ???
Jeff Fitzwater
jfitz at Princeton.EDU
Thu Oct 29 10:56:34 EDT 2009
My goal is to block IPV4 MDNS (This works) and now block all IPV6 from
crossing between vlan ports on a 6500 running sup 720-CXL SXI. We
are not routing IPV6 on this 6500.
Does anybody use MAC ACCESS-LIST within an VACL?
! This config is used to try and block ipv4 mdns and also all ipv6
traffic. The mdns piece works fine but when I add the mac access-list
it doesn't block the IPV6.
!
! I cannot get the mac access-list to work for any proto-type.
!
! These are the ACL used in the vlan access-map block-mdns-data
!-----------------------------------------
!
! BLOCK IPV6
mac access-list extended vsix
permit any any 86DD 0
!
! BLOCK MDNS
ip access-list extended ipv4-mdns-data
permit udp any host 224.0.0.251 eq 5353
!
! PERMIT THE REST OF IPV4
ip access-list extended ipv4-mdns-data
permit ip any any
!
!-----------------------------------------
!
!
vlan access-map block-mdns-data 5
match mac address vsix
action drop
!
vlan access-map block-mdns-data 10
match ip address ipv4-mdns-data
action drop
!
vlan access-map block-mdns-data 20
match ip address ipv4-any
action forward
vlan filter block-mdns-data vlan-list 2000
Need help!!!
Thanks
Jeff Fitzwater
OIT Network Systems
Princeton University
More information about the cisco-nsp
mailing list