[c-nsp] I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.

Paul Wozney paul at wozney.ca
Thu Apr 26 12:35:52 EDT 2012


Thanks Klaus,

> > mac access-list extended macl-ipv6
> >  deny   any any 0x86DD 0x0
> >  permit any any
>
> IIRC MAC ACLs on CAT2K/3K (12.2SE) only match "non-IP" traffic.
> IPv4 packets match only in the IP ACL,
> IPv6 packets match only in the IPv6 ACL.
>
> So even with a "deny any any" in the MAC ACL IPv4 and IPv6 packets
> won't be blocked. (IPv4 won't work because ARP will match under non-IP)

That pretty much explains the mystery.  I was confused as to why I could
match some ethertypes and not others, and even though the confusion is gone
the frustration isn't.  Maybe there's an architectural reason that we can't
do this but I don't know it.

I guess I'm going to use the ipv6 template and filter on L3 like Nick
Hilliard suggested.

Paul

