[c-nsp] I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.

Tóth András diosbejgli at gmail.com
Sun Apr 29 16:53:51 EDT 2012


Hi Paul,

It's also mentioned in the config guide.

The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.

IPv6 ACL Limitations
This release supports only port ACLs and router ACLs for IPv6; it does
not support VLAN ACLs (VLAN maps).

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swv6acl.html


Best regards,
Andras

On Thu, Apr 26, 2012 at 6:35 PM, Paul Wozney <paul at wozney.ca> wrote:
> Thanks Klaus,
>
>> > mac access-list extended macl-ipv6
>> >  deny   any any 0x86DD 0x0
>> >  permit any any
>>
>> IIRC MAC ACLs on CAT2K/3K (12.2SE) only match "non-IP" traffic.
>> IPv4 packets match only in the IP ACL,
>> IPv6 packets match only in the IPv6 ACL.
>>
>> So even with a "deny any any" in the MAC ACL IPv4 and IPv6 packets
>> won't be blocked. (IPv4 won't work because ARP will match under non-IP)
>
> That pretty much explains the mystery.  I was confused as to why I could
> match some ethertypes and not others, and even though the confusion is gone
> the frustration isn't.  Maybe there's an architectural reason that we can't
> do this but I don't know it.
>
> I guess I'm going to use the ipv6 template and filter on L3 like Nick
> Hilliard suggested.
>
> Paul
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
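
The limitation discussed in this thread, shown as configuration: an added example, not part of the original messages. The ACL name, interface and VLAN numbers are placeholders, and reading "the ipv6 template" as the dual IPv4/IPv6 SDM template is an assumption.

```cisco
! Added example; names and numbers below are placeholders.
!
! Not effective on this platform: per the thread, MAC ACLs match only
! non-IP frames, so the 0x86DD entry never sees IPv6 packets, and
! VLAN maps are not supported for IPv6.
mac access-list extended macl-ipv6
 deny   any any 0x86DD 0x0
 permit any any
!
! Supported alternative: an IPv6 ACL applied as a port ACL or router ACL.
! The SDM template change takes effect only after a reload.
sdm prefer dual-ipv4-and-ipv6 default
!
ipv6 access-list V6-FILTER-EXAMPLE
 deny ipv6 any any
!
! Port ACL: inbound on a Layer 2 access port in the VLAN.
interface GigabitEthernet1/0/1
 ipv6 traffic-filter V6-FILTER-EXAMPLE in
!
! Router ACL: on the SVI; this filters routed traffic only,
! not traffic bridged within the VLAN.
interface Vlan10
 ipv6 traffic-filter V6-FILTER-EXAMPLE in
```

After the reload, `show sdm prefer` confirms the active template and `show ipv6 access-list` lists the ACL entries.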


