IPV6 based ACL's (Cisco 3560 switch)

Unanswered Question
May 27th, 2010

Hi there,


I am currently using a C3560-24TS running c3560-ipbase-mz.122-25.SEE2 for a top of rack access switch.


From what I can see, to use IPv6-based access lists I would need to upgrade to the advanced IP services image.


I was wondering if anyone could suggest a ninja-like way to enforce the dropping of IPv6 packets without having to change the image running on the switch?


This is to prevent hosts sharing the same switch from making IPv6-based comms.


Best Regards


D

Ganesh Hariharan Thu, 05/27/2010 - 21:05
Hi D,


IOS is the code in the switches which can perform the commands that are designed into that IOS. If IPv6 needs the advanced IP services image, you need to have that image in order to use IPv6 ACLs in the switch, because the IP services image is not built to understand the IPv6 commands.


Hope to Help !!


Ganesh.H

Dale Sanderson Thu, 06/03/2010 - 07:37

A colleague suggested possibly doing this on the Ethernet header type instead:


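mac access-list extended IPV6_PACKET
 ! EtherType 0x86DD is IPv6; mask 0x0 means match that value exactly
 permit any any 0x86dd 0x0
!
vlan access-map BLOCK_IPV6 10
 ! Frames matched by the MAC ACL are dropped
 match mac address IPV6_PACKET
 action drop
! No match clause: everything else is forwarded
vlan access-map BLOCK_IPV6 20
 action forward
!
vlan filter BLOCK_IPV6 vlan-list <...>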


Does anyone have any experience in using the above before I have a go in a test environment?


Cheers
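
Added example (not part of the thread and not Cisco code): one way to check a capture from the test environment for IPv6 that is still getting through. It classifies frames by the same EtherType value the MAC ACL matches (0x86DD), skips 802.1Q tags if the capture point includes them, and also flags IPv6 carried inside IPv4 (protocol 41), which has EtherType 0x0800 and is therefore outside what an EtherType match covers. The sample frames and all function names are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tag EtherTypes
PROTO_IPV6_IN_IPV4 = 41       # IPv4 protocol number for encapsulated IPv6

def ethertype(frame: bytes):
    """Return (ethertype, payload offset), skipping any VLAN tags."""
    off = 12  # EtherType follows the two 6-byte MAC addresses
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated Ethernet header")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in VLAN_TAGS:
            return etype, off + 2
        off += 4  # skip the 4-byte tag and read the inner EtherType

def classify(frame: bytes) -> str:
    etype, off = ethertype(frame)
    if etype == ETH_IPV6:
        return "native-ipv6"      # what IPV6_PACKET (0x86dd 0x0) matches
    if (etype == ETH_IPV4 and len(frame) >= off + 20
            and frame[off + 9] == PROTO_IPV6_IN_IPV4):
        return "tunnelled-ipv6"   # EtherType is 0x0800, so 0x86dd never sees it
    return "other"

def leaked(frames):
    """(index, class) for every captured frame still carrying IPv6."""
    results = [(i, classify(f)) for i, f in enumerate(frames)]
    return [r for r in results if r[1] != "other"]

def ipv4(proto: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header with the given protocol."""
    return bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, proto, 0) + bytes(8)

# Constructed sample capture; MAC addresses and payloads are made up.
MACS = bytes.fromhex("3333000000010200000000aa")
SAMPLES = [
    MACS + b"\x86\xdd" + bytes(40),                  # untagged IPv6
    MACS + b"\x81\x00\x00\x0a\x86\xdd" + bytes(40),  # IPv6 inside 802.1Q tag
    MACS + b"\x08\x00" + ipv4(6),                    # IPv4 TCP
    MACS + b"\x08\x00" + ipv4(41),                   # IPv6-in-IPv4
    MACS + b"\x08\x06" + bytes(28),                  # ARP
]

if __name__ == "__main__":
    print(leaked(SAMPLES))
```

With the VLAN filter applied, a capture taken on a host port in the filtered VLAN should return no "native-ipv6" entries; any "tunnelled-ipv6" entries need a separate IPv4 control.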
