Mailing List Archive: Cisco: NSP

I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.



paul at wozney

Apr 25, 2012, 9:58 AM

Post #1 of 5 (726 views)
I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.

Here's what I'm working with. I'm filtering all ethertype 0x86DD which
matches IPv6. I'm sniffing traffic leaving this VLAN and I can see that
there's IPv6 traffic coming out and it does indeed have this ethertype.

> mac access-list extended macl-ipv6
> deny any any 0x86DD 0x0
> permit any any
> !
> vlan access-map vacl-ipv6 10
> action forward
> match mac address macl-ipv6
> !
> vlan filter vacl-ipv6 vlan-list 888

I've also tried filtering on destination MAC address 3333.0000.0000
0000.ffff.ffff and that didn't seem to work either. It seems like the 3750
is completely ignoring anything to do with IPv6, as if to spite me for not
running the ipv4-and-ipv6 sdm template.

I want this to completely filter out all IPv6, but nothing I'm doing seems
to be working. Any guesses? I found a post on this list from 2009
(subject:filtering IPV6 for L2 bridged traffic) suggesting that other
people have had this problem with the 3750 platform but I'm hoping that a
solution has trickled down.

I don't really want to run the ipv6 sdm template because my particular
application requires the vlan template - the ipv6 sdm template doesn't
support enough MAC addresses.

Paul
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


gert at greenie

Apr 25, 2012, 10:20 AM

Post #2 of 5 (685 views)
Re: I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL. [In reply to]

Hi,

On Wed, Apr 25, 2012 at 09:58:34AM -0700, Paul Wozney wrote:
> Here's what I'm working with. I'm filtering all ethertype 0x86DD which
> matches IPv6. I'm sniffing traffic leaving this VLAN and I can see that
> there's IPv6 traffic coming out and it does indeed have this ethertype.
>
> > mac access-list extended macl-ipv6
> > deny any any 0x86DD 0x0
> > permit any any
> > !
> > vlan access-map vacl-ipv6 10
> > action forward
> > match mac address macl-ipv6
> > !
> > vlan filter vacl-ipv6 vlan-list 888

I wouldn't bet on a "default-deny" at the end of a vacl access-map...

What you're doing now is "permit everything that is not 0x86dd, and
for the rest, do the default action".

Try with an explicit drop rule?

(Or just turn on IPv6 everywhere, and arrive in the 21st century...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


kka at netuse

Apr 25, 2012, 1:46 PM

Post #3 of 5 (685 views)
Re: I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL. [In reply to]

Hi Paul,

> > mac access-list extended macl-ipv6
> > deny any any 0x86DD 0x0
> > permit any any

IIRC MAC ACLs on CAT2K/3K (12.2SE) only match "non-IP" traffic.
IPv4 packets match only in the IP ACL,
IPv6 packets match only in the IPv6 ACL.

So even with a "deny any any" in the MAC ACL, IPv4 and IPv6 packets
won't be blocked. (IPv4 won't work because ARP will match under non-IP.)


Best regards,
Klaus Kastens

--
Klaus Kastens NetUSE AG
Dr.-Hell-Str. 6, D-24107 Kiel, Germany
Fon: +49 431 2390 400 (07:00 UTC - 17:00 UTC)
Fax: +49 431 2390 499


paul at wozney

Apr 26, 2012, 9:35 AM

Post #4 of 5 (667 views)
Re: I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL. [In reply to]

Thanks Klaus,

> > mac access-list extended macl-ipv6
> > deny any any 0x86DD 0x0
> > permit any any
>
> IIRC MAC ACLs on CAT2K/3K (12.2SE) only match "non-IP" traffic.
> IPv4 packets match only in the IP ACL,
> IPv6 packets match only in the IPv6 ACL.
>
> So even with a "deny any any" in the MAC ACL IPv4 and IPv6 packets
> won't be blocked. (IPv4 won't work because ARP will match under non-IP)

That pretty much explains the mystery. I was confused as to why I could
match some ethertypes and not others, and even though the confusion is gone
the frustration isn't. Maybe there's an architectural reason that we can't
do this but I don't know it.

I guess I'm going to use the ipv6 template and filter on L3 like Nick
Hilliard suggested.

Paul


diosbejgli at gmail

Apr 29, 2012, 1:53 PM

Post #5 of 5 (628 views)
Re: I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL. [In reply to]

Hi Paul,

It's also mentioned in the config guide.

The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.

IPv6 ACL Limitations
This release supports only port ACLs and router ACLs for IPv6; it does
not support VLAN ACLs (VLAN maps).

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swv6acl.html


Best regards,
Andras

On Thu, Apr 26, 2012 at 6:35 PM, Paul Wozney <paul [at] wozney> wrote:
> Thanks Klaus,
>
>> > mac access-list extended macl-ipv6
>> >  deny   any any 0x86DD 0x0
>> >  permit any any
>>
>> IIRC MAC ACLs on CAT2K/3K (12.2SE) only match "non-IP" traffic.
>> IPv4 packets match only in the IP ACL,
>> IPv6 packets match only in the IPv6 ACL.
>>
>> So even with a "deny any any" in the MAC ACL IPv4 and IPv6 packets
>> won't be blocked. (IPv4 won't work because ARP will match under non-IP)
>
> That pretty much explains the mystery.  I was confused as to why I could
> match some ethertypes and not others, and even though the confusion is gone
> the frustration isn't.  Maybe there's an architectural reason that we can't
> do this but I don't know it.
>
> I guess I'm going to use the ipv6 template and filter on L3 like Nick
> Hilliard suggested.
>
> Paul

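The two explanations in this thread (Klaus: the 3750 sends IPv4 frames to the IP ACL, IPv6 frames to the IPv6 ACL and only "non-IP" frames to the MAC ACL; Andras: VLAN maps on this release have no IPv6 support at all) can be checked against a capture. The script below is an added example, not Cisco code and not anything posted in the thread. It parses raw Ethernet frames (with an optional 802.1Q tag so the VLAN can be read), models the per-ethertype ACL dispatch Klaus describes, and evaluates Paul's original entry `deny any any 0x86DD 0x0` only for frames that would actually reach the MAC ACL table. Run over constructed sample frames it shows that every IPv6 frame on VLAN 888 bypasses that entry, which is the observed "switch ignores IPv6" behaviour. The frame contents, MAC addresses and VLAN numbers are constructed for the example; the dispatch model is an assumption taken from the two posts, not from switch internals.

```python
"""Model of how a Catalyst 3750 (12.2SE) dispatches a frame to its ACL
families, as described in this thread: MAC ACLs see only non-IP frames,
IPv4 frames go to the IP ACL, IPv6 frames to the IPv6 ACL.  All frames
below are constructed for the example; this is not Cisco code."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD

# IPv6 multicast MAC addresses start with 33:33 (RFC 2464); this is the
# 3333.0000.0000 / 0000.ffff.ffff match Paul also tried.
IPV6_MCAST_PREFIX = bytes.fromhex("3333")


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan_id_or_None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if etype == ETHERTYPE_VLAN:          # 802.1Q tag: TCI then inner ethertype
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return dst, src, vlan, etype, frame[offset:]


def acl_family(ethertype: int) -> str:
    """Which ACL table the switch consults for a frame (per Klaus's post)."""
    if ethertype == ETHERTYPE_IPV4:
        return "ip"
    if ethertype == ETHERTYPE_IPV6:
        return "ipv6"
    return "mac"                          # ARP and everything else 'non-IP'


def mac_acl_would_drop(ethertype: int, deny_ethertype=ETHERTYPE_IPV6, deny_mask=0x0) -> bool:
    """Evaluate the thread's entry 'deny any any 0x86DD 0x0' (mask bits are
    wildcards), but only if the frame reaches the MAC ACL table at all."""
    if acl_family(ethertype) != "mac":
        return False                      # never evaluated: IP/IPv6 bypass the MAC ACL
    return ((ethertype ^ deny_ethertype) & ~deny_mask & 0xFFFF) == 0


def build_frame(dst: bytes, src: bytes, ethertype: int, vlan=None, payload=b"") -> bytes:
    """Assemble an Ethernet frame, 802.1Q-tagged when a VLAN is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def audit(frames, vlan_id):
    """Per-ACL-family counts for frames on `vlan_id`, plus how many of them
    Paul's MAC ACL entry would drop under the thread's dispatch model."""
    seen = {"ip": 0, "ipv6": 0, "mac": 0}
    ipv6_mcast = dropped = 0
    for frame in frames:
        dst, _src, vlan, etype, _payload = parse_frame(frame)
        if vlan != vlan_id:
            continue
        fam = acl_family(etype)
        seen[fam] += 1
        if fam == "ipv6" and dst[:2] == IPV6_MCAST_PREFIX:
            ipv6_mcast += 1
        if mac_acl_would_drop(etype):
            dropped += 1
    return {"seen": seen, "ipv6_multicast": ipv6_mcast, "dropped_by_mac_acl": dropped}


def _mac(dotted: str) -> bytes:
    return bytes.fromhex(dotted.replace(".", ""))


# Constructed sample traffic: two IPv6 frames, one IPv4, one ARP on VLAN 888,
# and one IPv6 frame on another VLAN that the audit must ignore.
HOST_A, HOST_B, ROUTER = _mac("0011.2233.4455"), _mac("0011.2233.6677"), _mac("0011.2233.8899")
ALL_NODES = _mac("3333.0000.0001")       # ff02::1 mapped to a MAC address
BROADCAST = _mac("ffff.ffff.ffff")
SAMPLE_FRAMES = [
    build_frame(ALL_NODES, ROUTER, ETHERTYPE_IPV6, vlan=888),   # router advertisement
    build_frame(HOST_B, HOST_A, ETHERTYPE_IPV6, vlan=888),      # IPv6 unicast
    build_frame(HOST_B, HOST_A, ETHERTYPE_IPV4, vlan=888),
    build_frame(BROADCAST, HOST_A, ETHERTYPE_ARP, vlan=888),
    build_frame(HOST_B, HOST_A, ETHERTYPE_IPV6, vlan=10),
]

if __name__ == "__main__":
    print(audit(SAMPLE_FRAMES, 888))
```

The audit reports two IPv6 frames on VLAN 888 (one of them multicast) and zero frames dropped by the MAC ACL, because neither IPv6 frame is ever handed to the MAC ACL table; only the ARP frame is, and it does not match the deny entry. To verify a real fix, feed the same function captured frames from the VLAN after the port ACL or router ACL from Andras's config-guide quote is in place and confirm the `ipv6` count falls to zero.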
