ArubaOS and Controllers

Contributor I

show acls hits - command question

I just implemented an eth ACL to dump IPv6:

ip access-list eth NO_IPV6_ACL
deny 0x86dd
permit any

When I check the ACL hits, I don't see the IPv6 ACL entry, only the permit any entry:

Port ACL Hits
-------------
ACL          ACE         New Hits  Total Hits  Index
---          ---         --------  ----------  -----
NO_IPV6_ACL  permit any  156180    1785409     10549

Am I missing something here?

Thanks
Guru Elite

Re: show acls hits - command question

The easier way to do this would be:

config t
no ipv6 firewall
no ipv6 enable

Use "show ipv6 firewall" to see what you have configured:

(3600.arubanetworks.com) (config) #show ipv6 firewall

Global IPv6 Packet Processing is Disabled

Global IPv6 firewall policies
-----------------------------
Policy                                      Action    Rate  Slot/Port
------                                      ------    ----  ---------
Monitor ping attack                         Disabled
Monitor TCP SYN attack                      Disabled
Monitor IPv6 sessions attack                Disabled
Deny inter user bridging                    Disabled
Deny all IPv6 fragments                     Disabled
Per-packet logging                          Disabled
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Session Idle Timeout                        Disabled
Session mirror destination                  Disabled
Prohibit IPv6 Spoofing                      Disabled
Enable IPv6 Stateful Firewall               Disabled

The ACL that you have configured will only work if you have both options above enabled.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
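As an added check (example code written for this page; it is not an ArubaOS feature and was not posted by anyone in the thread), the script below parses the three outputs quoted above: the eth ACL configuration, the "show acl hits" table and the "show ipv6 firewall" summary. It reports every configured ACE that has no row in the hit table, and whether global IPv6 packet processing and the IPv6 stateful firewall are enabled, which is what the reply above says the ACL depends on. The sample inputs are constructed from the outputs in this thread; the column layout of the hit table is assumed to be exactly as shown, and the interpretation that a missing hit row means the ACE was never evaluated follows the reply, not any vendor documentation.

```python
import re

# Constructed sample inputs, transcribed from the outputs quoted in this thread.
ACL_CONFIG = """\
ip access-list eth NO_IPV6_ACL
deny 0x86dd
permit any
"""

ACL_HITS = """\
Port ACL Hits
-------------
ACL          ACE         New Hits  Total Hits  Index
---          ---         --------  ----------  -----
NO_IPV6_ACL  permit any  156180    1785409     10549
"""

IPV6_FIREWALL = """\
Global IPv6 Packet Processing is Disabled

Global IPv6 firewall policies
-----------------------------
Policy                                      Action    Rate  Slot/Port
------                                      ------    ----  ---------
Monitor ping attack                         Disabled
Deny all IPv6 fragments                     Disabled
Prohibit IPv6 Spoofing                      Disabled
Enable IPv6 Stateful Firewall               Disabled
"""

# An ACE line starts with permit or deny; a hit row ends in three integer columns
# (New Hits, Total Hits, Index). Both patterns assume the layout shown above.
ACE_RE = re.compile(r'^(permit|deny)\b.*')
HIT_ROW_RE = re.compile(r'^(\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$')


def parse_eth_acls(config_text):
    """Map each 'ip access-list eth' name to its ACEs, in configured order."""
    acls = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^ip access-list eth (\S+)$', line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current is not None and ACE_RE.match(line):
            acls[current].append(line)
    return acls


def parse_acl_hits(hits_text):
    """Map (acl, ace) to (new_hits, total_hits) from 'show acl hits' rows."""
    hits = {}
    for line in hits_text.splitlines():
        m = HIT_ROW_RE.match(line)
        if m:
            acl, ace, new, total, _index = m.groups()
            hits[(acl, ace.strip())] = (int(new), int(total))
    return hits


def aces_without_counters(acls, hits):
    """ACEs present in the configuration but absent from the hit table."""
    return [(acl, ace) for acl, aces in acls.items() for ace in aces
            if (acl, ace) not in hits]


def ipv6_state(fw_text):
    """Return (packet_processing_enabled, stateful_firewall_enabled)."""
    proc = re.search(r'Global IPv6 Packet Processing is (Enabled|Disabled)', fw_text)
    stateful = re.search(r'Enable IPv6 Stateful Firewall\s+(Enabled|Disabled)', fw_text)
    return (proc is not None and proc.group(1) == 'Enabled',
            stateful is not None and stateful.group(1) == 'Enabled')


def audit(config_text, hits_text, fw_text):
    """Findings that explain why an eth ACL's IPv6 ACE may show no hits."""
    findings = []
    for acl, ace in aces_without_counters(parse_eth_acls(config_text),
                                          parse_acl_hits(hits_text)):
        findings.append(f"{acl}: ACE '{ace}' has no hit counter")
    processing, stateful = ipv6_state(fw_text)
    if not processing:
        # Per the replies in this thread, 'ipv6 enable' is the master switch.
        findings.append("Global IPv6 packet processing is disabled (no 'ipv6 enable')")
    if not stateful:
        findings.append("IPv6 stateful firewall is disabled")
    return findings


if __name__ == '__main__':
    for finding in audit(ACL_CONFIG, ACL_HITS, IPV6_FIREWALL):
        print(finding)
```

Run against the outputs in this thread, it lists the deny 0x86dd ACE as having no counter and flags both IPv6 settings as disabled; feed it the "show ipv6 firewall" output from a controller where only the stateful firewall is enabled and the processing flag is still reported as off.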

Contributor I

Re: show acls hits - command question

Then all IPv6 traffic will be dumped by default?

I have options under: no ipv6 firewall...

(aruba-master) (config) #no ipv6 firewall ?
attack-rate              Configure attack rates
deny-inter-user-bridg..  Disallow forwarding non-IP frames between untrusted users
drop-ip-fragments        Drop all IP fragments
enable-per-packet-log..  Enable per-packet logging. Default is per-session logging.
enforce-tcp-handshake    Enforce TCP handshake before allowing data
prohibit-ip-spoofing     Prohibit IP spoofing
prohibit-rst-replay      Prohibit TCP RST replay attack
session-mirror-destin..  Configure destination for a mirrored session

Guru Elite

Re: show acls hits - command question

Those options are not used when the "no ipv6 firewall" command is executed.


Colin Joseph
Aruba Customer Engineering


Contributor I

Re: show acls hits - command question

I'm running 6.1.1.0 and "no ipv6 firewall" is an incomplete command:

(M3-Controller) (config) #no ipv6 firewall
% Incomplete command.


(BW10-Controller) (config) #no ipv6 firewall ?
attack-rate              Configure attack rates
deny-inter-user-bridg..  Disallow forwarding non-IP frames between untrusted users
drop-ip-fragments        Drop all IP fragments
enable-per-packet-log..  Enable per-packet logging. Default is per-session logging.
enforce-tcp-handshake    Enforce TCP handshake before allowing data
prohibit-ip-spoofing     Prohibit IP spoofing
prohibit-rst-replay      Prohibit TCP RST replay attack
session-mirror-destin..  Configure destination for a mirrored session

Controller) #show ipv6 firewall

Global IPv6 Packet Processing is Disabled

Global IPv6 firewall policies
-----------------------------
Policy                                      Action    Rate  Slot/Port
------                                      ------    ----  ---------
Monitor ping attack                         Disabled
Monitor TCP SYN attack                      Disabled
Monitor IPv6 sessions attack                Disabled
Deny inter user bridging                    Disabled
Deny all IPv6 fragments                     Disabled
Per-packet logging                          Disabled
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Session Idle Timeout                        Disabled
Session mirror destination                  Disabled
Prohibit IPv6 Spoofing                      Disabled
Enable IPv6 Stateful Firewall               Enabled

Guru Elite

Re: show acls hits - command question

The "no ipv6 firewall" command is not valid, sorry about that.

You should just use the "ipv6 enable" command as the master switch for everything IPv6.


Colin Joseph
Aruba Customer Engineering

