gert at greenie
Apr 25, 2012, 10:20 AM
Post #2 of 5
Re: I can't seem to get this 3750 to properly filter IPv6 on a VLAN ACL.
On Wed, Apr 25, 2012 at 09:58:34AM -0700, Paul Wozney wrote:
> Here's what I'm working with. I'm filtering all ethertype 0x86DD which
> matches IPv6. I'm sniffing traffic leaving this VLAN and I can see that
> there's IPv6 traffic coming out and it does indeed have this ethertype.
> > mac access-list extended macl-ipv6
> >  deny any any 0x86DD 0x0
> >  permit any any
> > !
> > vlan access-map vacl-ipv6 10
> >  action forward
> >  match mac address macl-ipv6
> > !
> > vlan filter vacl-ipv6 vlan-list 888
I wouldn't bet on a "default-deny" at the end of a vacl access-map...
What you're doing now is "permit everything that is not 0x86dd, and
for the rest, do the default action".
Try with an explicit drop rule?
(Or just turn on IPv6 everywhere, and arrive in the 21st century...)
USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net
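
One way to write the explicit drop rule suggested in the reply above, as an added example that is not configuration from the thread. The sequence number 20 and the catch-all forward entry are assumptions, and the thread does not confirm whether this platform matches IPv6 frames against a MAC ACL at all.

```cisco
! Added example: the ACL now *permits* (i.e. selects) EtherType 0x86DD,
! and the access-map entry that references it carries the drop action.
mac access-list extended macl-ipv6
 permit any any 0x86DD 0x0
!
! Sequence 10: frames selected by macl-ipv6 are dropped explicitly.
vlan access-map vacl-ipv6 10
 action drop
 match mac address macl-ipv6
!
! Sequence 20 (assumed): no match clause, so everything that was not
! selected above is forwarded explicitly rather than left to a default.
vlan access-map vacl-ipv6 20
 action forward
!
vlan filter vacl-ipv6 vlan-list 888
```

Re-run the capture on traffic leaving VLAN 888 after applying it to confirm whether frames with EtherType 0x86DD still appear.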