[c-nsp] Blocking IPV6 with VACL ???

Jeff Fitzwater jfitz at Princeton.EDU
Thu Oct 29 10:56:34 EDT 2009


My goal is to block IPV4 MDNS (this works) and now block all IPV6 from
crossing between vlan ports on a 6500 running sup 720-CXL SXI. We
are not routing IPV6 on this 6500.

Does anybody use MAC ACCESS-LIST within a VACL?


! This config is used to try and block ipv4 mdns and also all ipv6
! traffic.  The mdns piece works fine but when I add the mac access-list
! it doesn't block the IPV6.
!
! I cannot get the mac access-list to work for any proto-type.
!
! These are the ACL used in the vlan access-map block-mdns-data
!-----------------------------------------
!
! BLOCK IPV6
mac access-list extended vsix
permit any any 86DD 0
!
! BLOCK MDNS
ip access-list extended ipv4-mdns-data
permit udp any host 224.0.0.251 eq 5353
!
! PERMIT THE REST OF IPV4
ip access-list extended ipv4-any
permit ip any any
!
!-----------------------------------------
!
!
vlan access-map block-mdns-data 5
match mac address vsix
action drop
!
vlan access-map block-mdns-data 10
match ip address ipv4-mdns-data
action drop
!
vlan access-map block-mdns-data 20
match ip address ipv4-any
action forward



vlan filter block-mdns-data vlan-list 2000



Need help!!!


Thanks


Jeff Fitzwater
OIT Network Systems
Princeton University
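
A VACL like the one in this post depends on every "match ip address" / "match mac address" clause naming an ACL that is defined exactly once, so the following added example (not part of the original post, and not Cisco tooling) cross-checks those references offline. The function name, the finding labels and the embedded sample are assumptions made for the example; it handles only named extended ACLs.

```python
import re
from collections import Counter

ACL_DEF = re.compile(r"^[ \t]*(ip|mac) access-list extended (\S+)", re.M)
MAP_SEQ = re.compile(r"^vlan access-map (\S+) (\d+)$")
MATCH = re.compile(r"^match (ip|mac) address (.+)$")

# Constructed sample, modeled on the layout in the post, with one ACL name
# deliberately reused so that sequence 20 points at an ACL that is never defined.
SAMPLE = """\
mac access-list extended vsix
 permit any any 86DD 0
ip access-list extended ipv4-mdns-data
 permit udp any host 224.0.0.251 eq 5353
ip access-list extended ipv4-mdns-data
 permit ip any any
vlan access-map block-mdns-data 5
 match mac address vsix
 action drop
vlan access-map block-mdns-data 10
 match ip address ipv4-mdns-data
 action drop
vlan access-map block-mdns-data 20
 match ip address ipv4-any
 action forward
"""


def lint_vacl(config):
    """Return findings for named extended ACLs referenced by VLAN access-maps."""
    defs = Counter(ACL_DEF.findall(config))
    # On IOS, re-entering a named ACL appends its entries to the existing ACL.
    findings = [f"duplicate-acl {k} {n}" for (k, n), c in defs.items() if c > 1]
    current = None
    for line in config.splitlines():
        s = line.strip()
        seq, ref = MAP_SEQ.match(s), MATCH.match(s)
        if seq:
            current = f"{seq.group(1)} seq {seq.group(2)}"
        elif ref and current:
            kind = ref.group(1)
            findings += [f"undefined-acl {kind} {n} in {current}"
                         for n in ref.group(2).split() if (kind, n) not in defs]
        elif s and not s.startswith(("!", "action ")):
            current = None  # any other command ends the access-map block
    return findings


if __name__ == "__main__":
    print("\n".join(lint_vacl(SAMPLE)))
```

On the sample it reports the ACL that is defined twice and the reference in sequence 20 that has no definition.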

