[c-nsp] I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.
Paul Wozney
paul at wozney.ca
Thu Apr 26 12:35:52 EDT 2012
Thanks Klaus,
> > mac access-list extended macl-ipv6
> > deny any any 0x86DD 0x0
> > permit any any
>
> IRC MAC ACLs on CAT2K/3K (12.2SE) only match "non-IP" traffic.
> IPv4 packets match only in the IP ACL,
> IPv6 packets match only in the IPv6 ACL.
>
> So even with a "deny any any" in the MAC ACL IPv4 and IPv6 packets
> won't be blocked. (IPv4 won't work because ARP will match under non-IP)

That pretty much explains the mystery. I was confused as to why I could
match some ethertypes and not others, and even though the confusion is gone,
the frustration isn't. Maybe there's an architectural reason that we can't
do this, but I don't know it.

I guess I'm going to use the ipv6 template and filter on L3 like Nick
Hilliard suggested.

Paul