[c-nsp] I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.

Gert Doering gert at greenie.muc.de
Wed Apr 25 13:20:27 EDT 2012


Hi,

On Wed, Apr 25, 2012 at 09:58:34AM -0700, Paul Wozney wrote:
> Here's what I'm working with.  I'm filtering all ethertype 0x86DD which
> matches IPv6.  I'm sniffing traffic leaving this VLAN and I can see that
> there's IPv6 traffic coming out and it does indeed have this ethertype.
> 
> > mac access-list extended macl-ipv6
> >  deny   any any 0x86DD 0x0
> >  permit any any
> > !
> > vlan access-map vacl-ipv6 10
> >  action forward
> >  match mac address macl-ipv6
> > !
> > vlan filter vacl-ipv6 vlan-list 888

I wouldn't bet on a "default-deny" at the end of a vacl access-map...

What you're doing now is "permit everything that is not 0x86dd, and
for the rest, do the default action".

Try with an explicit drop rule?

(Or just turn on IPv6 everywhere, and arrive in the 21st century...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
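
An added example, not part of the original message and not taken from Cisco's documentation: one way to write the explicit drop rule suggested above, reusing the ACL, map and VLAN names from the quoted config. It assumes the MAC ACL is rewritten to select ethertype 0x86DD with `permit`, so that the map entry's action decides what happens to the frame; whether the 3750 actually matches IPv6 frames against a MAC ACL is not established in this message.

```cisco
! In a VLAN map, the ACL only selects traffic: "permit" means "this frame
! matches the map entry", and the entry's action decides forward or drop.
mac access-list extended macl-ipv6
 permit any any 0x86DD 0x0
!
! Sequence 10: frames selected by macl-ipv6 are dropped explicitly.
vlan access-map vacl-ipv6 10
 match mac address macl-ipv6
 action drop
!
! Sequence 20: no match clause, so it applies to everything that fell
! through sequence 10, and forwards it. Nothing is left to a default action.
vlan access-map vacl-ipv6 20
 action forward
!
vlan filter vacl-ipv6 vlan-list 888
```

`show vlan access-map` and `show vlan filter` display the resulting map entries and the VLANs they are applied to.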