[c-nsp] Blocking IPV6 with VACL ???
Jeff Fitzwater
jfitz at Princeton.EDU
Thu Oct 29 15:10:22 EDT 2009
I saw that and it works, but IPV6 "ICMPV6 Multicast Listener Reports"
still get by. Not sure why.
I am also not sure what impact adding this to a VLAN interface has on
the normal function of an L3 routed VLAN interface. It has to break
something!... Right?
The following is from the config manual....
-----------------------------------
mac packet-classify
To classify Layer 3 packets as Layer 2 packets, use the mac packet-classify
command in interface configuration mode. To return to the default
settings, use the no form of this command.
mac packet-classify
no mac packet-classify
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release        Modification
12.2(18)SXD    Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA    This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are
configured with a Supervisor Engine 2.
You can configure these interface types for multilayer MAC access
control list (ACL) quality of service (QoS) filtering:
• VLAN interfaces without Layer 3 addresses
• Physical LAN ports that are configured to support Ethernet over
  Multiprotocol Label Switching (EoMPLS)
• Logical LAN subinterfaces that are configured to support EoMPLS
The ingress traffic that is permitted or denied by a MAC ACL on an
interface configured for multilayer MAC ACL QoS filtering is processed
by egress interfaces as MAC-layer traffic. You cannot apply egress IP
ACLs to traffic that was permitted or denied by a MAC ACL on an
interface configured for multilayer MAC ACL QoS filtering.
Microflow policing does not work on interfaces that have the mac
packet-classify command enabled.
The mac packet-classify command causes the Layer 3 packets to be
classified as Layer 2 packets and disables IP classification.
Traffic is classified based on 802.1Q class of service (CoS), trunk
VLAN, EtherType, and MAC addresses.
--------------
Thanks for the help.
Jeff Fitzwater
OIT Network Systems
Princeton University
On Oct 29, 2009, at 11:40 AM, Phil Mayers wrote:
> Jeff Fitzwater wrote:
>> My goal is to block IPV4 MDNS (This works) and now block all IPV6
>> from crossing between vlan ports on a 6500 running sup 720-CXL
>> SXI. We are not routing IPV6 on this 6500.
>> Does anybody use MAC ACCESS-LIST within an VACL?
>
> You need "mac packet-classify" or something similar on the SVI i.e.
>
> int Vlan10
> mac packet-classify
>
> IIRC
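For readers arriving at this thread later, here is the shape of the VACL configuration being discussed: a MAC ACL matching the IPv6 EtherType (0x86DD) used as a drop clause in a VLAN access map, alongside an IP clause for IPv4 mDNS, with mac packet-classify on the SVI as Phil suggested. This is an added example, not a config from the thread or from Cisco's documentation. VLAN 10, the ACL and access-map names, the mDNS ACL contents and the "protocol-family ipv6" keyword are assumptions; check the keyword against the command reference for your release. Two caveats follow from the manual text quoted above: it lists "VLAN interfaces without Layer 3 addresses" as the supported SVI type, and it says the command "disables IP classification", so whether the IP-based mDNS clause still matches after mac packet-classify is enabled on a routed SVI needs to be tested rather than assumed. The example makes no claim about the ICMPv6 Multicast Listener Reports Jeff reports still getting through.

```ios
! Added example, not from the thread. Assumes Catalyst 6500 12.2SX syntax,
! VLAN 10, and that "protocol-family ipv6" is available on this release;
! the ACL/access-map names and the mDNS ACL contents are assumptions.

! Any frame carrying IPv6 (EtherType 0x86DD), regardless of src/dst MAC.
mac access-list extended MATCH-IPV6
 permit any any protocol-family ipv6

! IPv4 mDNS: UDP 5353 to the mDNS multicast group (assumed form of the
! match Jeff already has working).
ip access-list extended MATCH-MDNS-V4
 permit udp any host 224.0.0.251 eq 5353

! VACL semantics: traffic matched by a "permit" entry in the referenced
! ACL gets the clause's action. Clause 30 forwards everything else.
vlan access-map FILTER-VLAN10 10
 match mac address MATCH-IPV6
 action drop
vlan access-map FILTER-VLAN10 20
 match ip address MATCH-MDNS-V4
 action drop
vlan access-map FILTER-VLAN10 30
 action forward

vlan filter FILTER-VLAN10 vlan-list 10

! Per Phil's reply: classify L3 packets as L2 so the MAC ACL sees them.
! Per the manual excerpt above, this disables IP classification, so
! re-test that clause 20 still matches after enabling it.
interface Vlan10
 mac packet-classify
```

After applying it, confirm the filter is bound with "show vlan filter" and "show vlan access-map", then verify from a host on VLAN 10 that IPv6 neighbor discovery and IPv4 mDNS no longer cross between ports; if the SVI carries an IPv4 address, also confirm that routed IPv4 traffic and any IP ACLs on that SVI still behave as before.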