Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Cisco: NSP

c3560 IPv6 and ACL

  

 
Cisco nsp RSS feed   Index | Next | Previous | View Threaded


jp at softnet

Nov 16, 2009, 2:56 AM

Post #1 of 6 (758 views)
Permalink
c3560 IPv6 and ACL
Hi

We are slowly moving toward IPv6 implementation in production, so I
came to ACLs. I would want to have some protection for our servers,
so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
Problem is, that it looks like I can't make host based ACL entries
on c3560. If I try to add line for SMTP server I get following:

interface FastEthernet0/1
no switchport
ipv6 address xxxx:xxxx:0:3::1/64
ipv6 enable
ipv6 traffic-filter fw-ipv6 out

test(config)#ipv6 access-list fw-ipv6
test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
% Host address xxxx:xxxx:0:3::2 can not be supported
% ACE can not be added
% Failed to add access list

If I try to do same thing on c12008, it works without problems.

Any idea how to solve this problem?

PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case if
this matters. And preffered SDM template is "desktop IPv4 and IPv6 routing".

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o. tel: +386 1 562 31 40 |
Borovec 2 fax: +386 1 562 18 55 | 1 + 1 = 3
1236 Trzin primoz(at)softnet.si | for larger values of 1
Slovenija http://flea.softnet.si/
-------------------------------------------------------------------
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


sthaug at nethelp

Nov 16, 2009, 3:31 AM

Post #2 of 6 (727 views)
Permalink
Re: c3560 IPv6 and ACL [In reply to]
> We are slowly moving toward IPv6 implementation in production, so I
> came to ACLs. I would want to have some protection for our servers,
> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
> Problem is, that it looks like I can't make host based ACL entries
> on c3560. If I try to add line for SMTP server I get following:

I seem to remember 3560 has 144 bit TCAM entries - which cannot easily
support 128 bit IPv6 + 16 bit source port + 16 bit destination port.

Steinar Haug, Nethelp consulting, sthaug [at] nethelp
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


olof.kasselstrand at gmail

Nov 16, 2009, 3:43 AM

Post #3 of 6 (735 views)
Permalink
Re: c3560 IPv6 and ACL [In reply to]
Hi,

What happends if you drop the "host" keyword and add /128 to the host address?

// Olof

On Mon, Nov 16, 2009 at 11:56 AM, Primoz Jeroncic <jp [at] softnet> wrote:
> Hi
>
> We are slowly moving toward IPv6 implementation in production, so I came to
> ACLs. I would want to have some protection for our servers,
> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
> Problem is, that it looks like I can't make host based ACL entries
> on c3560. If I try to add line for SMTP server I get following:
>
> interface FastEthernet0/1
>  no switchport
>  ipv6 address xxxx:xxxx:0:3::1/64
>  ipv6 enable
>  ipv6 traffic-filter fw-ipv6 out
>
> test(config)#ipv6 access-list fw-ipv6
> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
> % Host address xxxx:xxxx:0:3::2 can not be supported
> % ACE can not be added
> % Failed to add access list
>
> If I try to do same thing on c12008, it works without problems.
>
> Any idea how to solve this problem?
>
> PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case if
> this matters. And preffered SDM template is "desktop IPv4 and IPv6 routing".
>
> Have fun,
> Primoz Jeroncic
> Support - IP Connectivity & Routing
> -------------------------------------------------------------------
> Softnet d.o.o.  tel:  +386 1 562 31 40   |
> Borovec 2       fax:  +386 1 562 18 55   |       1 + 1 = 3
> 1236 Trzin      primoz(at)softnet.si     | for larger values of 1
> Slovenija       http://flea.softnet.si/
> -------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


jp at softnet

Nov 16, 2009, 5:22 AM

Post #4 of 6 (725 views)
Permalink
Re: c3560 IPv6 and ACL [In reply to]
On Mon, 16 Nov 2009, Olof Kasselstrand wrote:

> Hi,
>
> What happends if you drop the "host" keyword and add /128 to the host address?

Hi Olof

Same thing. It doesn't matter if I add this as "host xxxxx" or as xxxx/128.

Primoz

>
> // Olof
>
> On Mon, Nov 16, 2009 at 11:56 AM, Primoz Jeroncic <jp [at] softnet> wrote:
>> Hi
>>
>> We are slowly moving toward IPv6 implementation in production, so I came to
>> ACLs. I would want to have some protection for our servers,
>> so I went to configure IPv6 ACL, which is based on our IPv4 ACL.
>> Problem is, that it looks like I can't make host based ACL entries
>> on c3560. If I try to add line for SMTP server I get following:
>>
>> interface FastEthernet0/1
>>  no switchport
>>  ipv6 address xxxx:xxxx:0:3::1/64
>>  ipv6 enable
>>  ipv6 traffic-filter fw-ipv6 out
>>
>> test(config)#ipv6 access-list fw-ipv6
>> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
>> % Host address xxxx:xxxx:0:3::2 can not be supported
>> % ACE can not be added
>> % Failed to add access list
>>
>> If I try to do same thing on c12008, it works without problems.
>>
>> Any idea how to solve this problem?
>>
>> PS: This c3560 is running Adv. IP services 12.2.40.SE IOS, in case if
>> this matters. And preffered SDM template is "desktop IPv4 and IPv6 routing".
>>
>> Have fun,
>> Primoz Jeroncic
>> Support - IP Connectivity & Routing
>> -------------------------------------------------------------------
>> Softnet d.o.o.  tel:  +386 1 562 31 40   |
>> Borovec 2       fax:  +386 1 562 18 55   |       1 + 1 = 3
>> 1236 Trzin      primoz(at)softnet.si     | for larger values of 1
>> Slovenija       http://flea.softnet.si/
>> -------------------------------------------------------------------
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp [at] puck
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o. tel: +386 1 562 31 40 |
Borovec 2 fax: +386 1 562 18 55 | 1 + 1 = 3
1236 Trzin primoz(at)softnet.si | for larger values of 1
Slovenija http://flea.softnet.si/
-------------------------------------------------------------------


tim at selfnet

Nov 16, 2009, 5:58 AM

Post #5 of 6 (726 views)
Permalink
Re: c3560 IPv6 and ACL [In reply to]
Primoz,

On Mon, Nov 16, 2009 at 11:56:17AM +0100, Primoz Jeroncic wrote:
> test(config-ipv6-acl)#permit tcp any host xxxx:xxxx:0:3::2 eq 25
> % Host address xxxx:xxxx:0:3::2 can not be supported
> % ACE can not be added
> % Failed to add access list
>
> If I try to do same thing on c12008, it works without problems.
>
> Any idea how to solve this problem?

"""
IPv6 ACL Limitations
...
The switch supports most Cisco IOS-supported IPv6 ACLs with some
exceptions:

- IPv6 source and destination addressesā€”ACL matching is supported only on
prefixes from /0 to /64 and host addresses (/128) that are in the
extended universal identifier (EUI)-64 format. The switch supports only
these host addresses with no loss of information:
- aggregatable global unicast addresses
- link local addresses
"""
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swv6acl.html#wp4334642

Cheers,
Tim
Attachments: signature.asc (0.19 KB)


sethm at rollernet

Nov 16, 2009, 9:18 AM

Post #6 of 6 (730 views)
Permalink
Re: c3560 IPv6 and ACL [In reply to]
Primoz Jeroncic wrote:
> On Mon, 16 Nov 2009, Olof Kasselstrand wrote:
>
>> Hi,
>>
>> What happends if you drop the "host" keyword and add /128 to the host
>> address?
>
> Hi Olof
>
> Same thing. It doesn't matter if I add this as "host xxxxx" or as xxxx/128.
>

Not supported. Never will be. Here's why:

http://mailman.nanog.org/pipermail/nanog/2009-October/014101.html

Use EUI-64 or "fake" EUI-64 addressing on this platform.

~Seth
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Cisco nsp RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.