[c-nsp] Why doesn't this IPv6 ACL work?
Alexander Clouter
alex at digriz.org.uk
Tue Jun 22 03:28:09 EDT 2010
Seth Mattinen <sethm at rollernet.us> wrote:
>
> I tried changing the prefix to be out of my old /48 instead as a shot in
> the dark, and it didn't throw an error at me with this entry:
>
> permit tcp any host 2620:0:950:1:2c0:f0ff:fe5a:abe8 eq 25
>
> However, this continues to not work:
>
> permit tcp any host 2607:fe70:0:1:2c0:f0ff:fe5a:abe8 eq 25
>
> I can try switching to "routing" instead of "default" template.
> Otherwise I guess it's iptables/ip6tables time for me if this thing
> won't accept host addresses under my /32.
>
Just to really be a pain, it all seems fine on our 3750 stack:
----
103-1#show sdm prefer | include --useful-stuff
The current template is "desktop IPv4 and IPv6 routing" template.
103-1#show ver | include --useful-stuff
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M
     2 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M
103-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
103-1(config)#ipv6 access-list test
103-1(config-ipv6-acl)#permit tcp any host 2620:0:950:1:2c0:f0ff:fe5a:abe8 eq 25
103-1(config-ipv6-acl)#permit tcp any host 2607:fe70:0:1:2c0:f0ff:fe5a:abe8 eq 25
103-1(config-ipv6-acl)#end
----
There seems to be no interesting difference between 53SE1 and 53SE2[1].
Last time I had something 'strange'[2] to resolve when talking to Cisco,
they suggested a "have you tried turning it off and on"...give that a
whirl? :)
Cheers
[1] http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_53_se/release/notes/OL21141.html#wp1036822
[2] the switch was acting like a hub for a particular combination of
destination MAC
--
Alexander Clouter
.sigmonster says: BOFH excuse #254:
Interference from lunar radiation