[c-nsp] I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.

Paul Wozney paul at wozney.ca
Wed Apr 25 12:58:34 EDT 2012


Here's what I'm working with.  I'm filtering all ethertype 0x86DD which
matches IPv6.  I'm sniffing traffic leaving this VLAN and I can see that
there's IPv6 traffic coming out and it does indeed have this ethertype.

> mac access-list extended macl-ipv6
>  deny   any any 0x86DD 0x0
>  permit any any
> !
> vlan access-map vacl-ipv6 10
>  action forward
>  match mac address macl-ipv6
> !
> vlan filter vacl-ipv6 vlan-list 888

I've also tried filtering on destination MAC address 3333.0000.0000
0000.ffff.ffff and that didn't seem to work either.  It seems like the 3750
is completely ignoring anything to do with IPv6, as if to spite me for not
running the ipv4-and-ipv6 sdm template.

I want this to completely filter out all IPv6, but nothing I'm doing seems
to be working.  Any guesses?  I found a post on this list from 2009
(subject: filtering IPV6 for L2 bridged traffic) suggesting that other
people have had this problem with the 3750 platform but I'm hoping that a
solution has trickled down.

I don't really want to run the ipv6 sdm template because my particular
application requires the vlan template - the ipv6 sdm template doesn't
support enough MAC addresses.

Paul
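
A way to check a capture for the leak described in this message, as an added example that is not part of the original post: it flags frames whose EtherType is 0x86DD, skipping any 802.1Q/802.1ad tags, and reports whether the destination MAC falls in the 33:33 range the post also tried to match. The function names are hypothetical and the frames are constructed samples.

```python
import struct

ETH_IPV6 = 0x86DD               # EtherType the MAC ACL in the post denies
VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad tag identifiers


def inner_ethertype(frame):
    """Return (ethertype, [vlan ids]) after skipping VLAN tags, or None if truncated."""
    offset, vlans = 12, []       # EtherType follows the 6-byte dst and src MACs
    while len(frame) >= offset + 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return etype, vlans
        if len(frame) < offset + 4:
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN id
        offset += 4
    return None


def is_ipv6_multicast_dst(frame):
    """True when the destination MAC is in 33:33:xx:xx:xx:xx."""
    return frame[:2] == b"\x33\x33"


def ipv6_leaks(frames, vlan=None):
    """Indices of frames carrying IPv6; with `vlan`, only frames tagged with that id."""
    leaks = []
    for i, frame in enumerate(frames):
        parsed = inner_ethertype(frame)
        if parsed and parsed[0] == ETH_IPV6 and (vlan is None or vlan in parsed[1]):
            leaks.append(i)
    return leaks


# Constructed sample frames (headers plus dummy payload), not taken from the post.
SRC = bytes.fromhex("020000000001")
SAMPLE = [
    bytes.fromhex("3333ff000001") + SRC + bytes.fromhex("86dd") + b"\x60" * 8,
    bytes.fromhex("333300000001") + SRC + bytes.fromhex("8100037886dd") + b"\x60" * 8,
    bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("810003780800") + b"\x45" * 8,
    bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("0806") + b"\x00" * 8,
    bytes.fromhex("3333ff000001") + SRC + b"\x86",   # truncated
]

if __name__ == "__main__":
    for i in ipv6_leaks(SAMPLE):
        print(i, "IPv6 frame, multicast dst:", is_ipv6_multicast_dst(SAMPLE[i]))
```

A capture taken on an access port is untagged, so leave `vlan` unset there; pass `vlan=888` only for captures taken on a trunk.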

