Hi there,
sorry I did not read your entire config completely.
What is wrote is still valid, the connectivity issue you saw is due to the 'reverse' logic you applied to your vlan maps (called vacl on other platforms). My answer applies specifically to the mac acl and not to the logic applied by the switch when a mac acl is tied to a vacl. In other words what I wrote applies to the MAC acl only, but when you configure a vlan map which include IP and MAC ACLs you need to pay attention to the vlan map logic itself too.
you configured
vlan access-map filter 10
action forward
match mac address Drop-traffic
vlan access-map filter 20
action drop
Basically with this vlan map you get the opposite result as you forward anything defined in Drop-traffic (action is forward) while you drop all the rest with sequence 20, which is dropping what is not matched on sequence 10.
proper syntax would have been
vlan access-map filter 10
action drop
match mac address Drop-traffic
vlan access-map filter 20
action forward (which is the default)
With this you would have filtered arp-non-ipv4 traffic and forwarded the rest, INCLUDED the ipv6 traffic.
To also filter ipv6 traffic you would have to add a sequence dropping it specifically before the final forward any any.
The logic is the following:
"If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map for that type of packet, and no action specified, the packet is forwarded."
With your final config what you get is the following instead
Vlan access-map "drop-things" 10
Match clauses:
mac address: Drop-traffic
Action:
forward
you allow arp-non-ipv4 traffic
Vlan access-map "drop-things" 20
Match clauses:
ip address: Allow-V4
Action:
forward
you allow IP traffic
Vlan access-map "drop-things" 30
Match clauses:
Action:
drop
you drop all the rest (IPv6 included).
Is this what you need?
Riccardo
