[c-nsp] Why WiSM appears to ignore IPv6 ACLs that should override interface ACLs?

Christopher Werny cwerny at ernw.de
Tue May 23 08:17:21 EDT 2017


Hi,

Which code version are you currently running? I have a similar setup where I
get rid of all the link-local multicast packets (mDNS/LLMNR etc.) as we do
not have any use case for them. The IPv6 (and IPv4) ACL is working fine. The
only difference from the configuration example is that I have bound the ACL at
the SSID level (and not on the interface).

I am running this on a 2504 WLC with 8.2.130.0.

Shameless self-plug:

I am responsible for setting up a fully IPv6 enabled conference network
(around 500 attendees) and presented the setup and (IPv6 relevant)
configuration here:

https://www.troopers.de/media/filer_public/5b/34/5b340a58-2c8e-46a0-9d96-834e5edd9154/tr16_ipv6_sec_summit_secure_reliable_guest_wlan_v15.pdf

Maybe it helps ;-).

Cheers,
Christopher

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matti Saarinen
Sent: Dienstag, 23. Mai 2017 13:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Why WiSM appears to ignore IPv6 ACLs that should override interface ACLs?


Hi,

Has anyone managed to get IPv6 ACLs working on WiSM/WLC? I followed the
instructions described here:

http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series-access-point/113443-cuwn-apple-bonjour-dg-00.html#block

but I wasn't able to get a working setup.

My aim is to prevent IPv6 mDNS packets from being forwarded between
associated clients. The reason is that there is some host firewall
software that misinterprets the mDNS packets as some kind of attack,
and this generates support tickets.

The WiSM accepts the config, but the ACLs see no hits and I can still see
packets destined to FF02::FB after I have applied the ACL. What could be
causing this? I tried searching for matching bugs but found none.

I wish there were a way to configure an IPv6 ACL at the interface
level, but currently there isn't one and I don't think there ever will be.

Cheers,

Matti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
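As an added example (not part of either message above), a small stdlib-only check for the symptom Matti describes: given raw IPv6 packets captured on a client after the ACL is applied, it counts the link-local multicast name-resolution traffic (mDNS to ff02::fb/5353, LLMNR to ff02::1:3/5355) per source, which is how you would confirm whether the WLC is actually dropping it. The sample packets are constructed inline; the builder and its zero UDP checksum are assumptions for test input, not captured data.

```python
import struct
import ipaddress
from collections import Counter

# Link-local multicast groups and UDP ports the WLC ACL is meant to drop.
LINK_LOCAL_NAME_RESOLUTION = {
    (ipaddress.IPv6Address("ff02::fb"), 5353): "mDNS",
    (ipaddress.IPv6Address("ff02::1:3"), 5355): "LLMNR",
}


def classify_ipv6(packet: bytes):
    """Return (src, label) if this IPv6/UDP packet targets one of the groups above, else None."""
    if len(packet) < 48 or packet[0] >> 4 != 6:
        return None
    if packet[6] != 17:  # Next Header must be UDP; no extension-header walking here
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    _sport, dport = struct.unpack("!HH", packet[40:44])
    label = LINK_LOCAL_NAME_RESOLUTION.get((dst, dport))
    return (src, label) if label else None


def build_ipv6_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv6+UDP datagram as constructed test input (UDP checksum left zero)."""
    udp_len = 8 + len(payload)
    hdr = struct.pack("!IHBB", 6 << 28, udp_len, 17, 255)  # version 6, payload len, UDP, hop limit
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def count_leaks(packets):
    """Count link-local name-resolution packets per (source address, protocol)."""
    hits = Counter()
    for pkt in packets:
        res = classify_ipv6(pkt)
        if res:
            hits[(str(res[0]), res[1])] += 1
    return hits


# Constructed sample: two mDNS queries, one LLMNR query, one ordinary unicast DNS query.
SAMPLE = [
    build_ipv6_udp("fe80::1", "ff02::fb", 5353, 5353, b"\x00" * 12),
    build_ipv6_udp("fe80::1", "ff02::fb", 5353, 5353, b"\x00" * 12),
    build_ipv6_udp("fe80::2", "ff02::1:3", 49152, 5355, b"\x00" * 12),
    build_ipv6_udp("fe80::2", "2001:db8::53", 49153, 53, b"\x00" * 12),
]

if __name__ == "__main__":
    for key, n in count_leaks(SAMPLE).items():
        print(key, n)
```

Any non-zero count after the ACL is in place means the WLC is still forwarding that traffic, which matches what Matti reports seeing for FF02::FB.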
