[c-nsp] Why WiSM appears to ignore IPv6 ACLs that should override interface ACLs?

Christopher Werny cwerny at ernw.de
Tue May 23 08:17:21 EDT 2017


which code version are you currently running? I have a similar setup where I
get rid of all the link local multicast packets (mDNS/LLMNR etc.) as we do
not have any use case for them. The IPv6 (and IPv4) ACL is working fine. The
only difference to the configuration example is that I have bound the ACL on
the SSID Level (and not on the Interface). 

I am running this on a 2504 WLC with

 Shameless self-plug:

I am responsible for setting up a fully IPv6 enabled conference network
(around 500 attendees) and presented the setup and (IPv6 relevant)
configuration here:


Maybe it helps ;-).


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Matti Saarinen
Sent: Dienstag, 23. Mai 2017 13:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Why WiSM appears to ignore IPv6 ACLs that should override
interface ACLs?


Has anyone managed to get IPv6 ACLs working on WiSM/WLC? I followed the
instruction described here:


but I wasn't able to get a working setup.

My aim is to prevent IPv6 mDNS packets from being forwarded between
associated clients. And the reason is that there are some host firewall
software that will misinterpret the mDNS packets as some kind of attacks
and this generates support tickets.

The WiSM accepts the config but the ACLs see no hits and I can see
packets destined to FF02::FB after I have applied the ACL. What can be
causing this effect? I tried searching for matching bugs but I found

I wish there would be a way to configure an IPv6 ACL on the interface
level but currently there aren't any and I don't will there ever be.


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list