Contributor I

Filter ICMPv6 Traffic by Type

Is there a way to allow only specific ICMPv6 types on the controllers? MLD traffic is affecting performance on our large v6 VLAN space and blocking all but the necessary ICMPv6 types should help alleviate the traffic congestion, but I do not see a way to filter based on type.

Aruba Employee

Re: Filter ICMPv6 Traffic by Type

What firmware version are you running? Is multicast filtering enabled? 


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Filter ICMPv6 Traffic by Type

Firmware 6.5.4.4. BCMC Optimization and MLD Snooping are both enabled. I did find a way to create an extended ACL to limit ICMPv6 traffic to only types required (1,2,3,4,128,133,134,135,136), but I'm not sure how to apply that extended ACL to a policy.

Aruba Employee

Re: Filter ICMPv6 Traffic by Type

The extended ACL is a policy. It would need to be applied to the interface.


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Filter ICMPv6 Traffic by Type

I don't see the extended ACL I created available in any Firewall Policy drop-down lists. I did apply/save the configuration - I can see the extended ACL when I show running-config.

Aruba Employee

Re: Filter ICMPv6 Traffic by Type

Can you attach a screen shot of what you see when trying to add the extended ACL to the interface?


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Filter ICMPv6 Traffic by Type

I may have made some progress. When I select the drop-down for "In" or "Out" on Network -> Port -> Firewall Policy, I can see the extended ACL I created. However, this is on the mobility controller only - I do not see the extended ACL on the individual controllers. Do I need to create the extended ACL on each controller and apply to the interface individually?

Aruba Employee

Re: Filter ICMPv6 Traffic by Type

This is a master/local deployment? Assuming you added the extended ACL on the master controller, then saving the config on the master will trigger the config sync out to the locals.


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Filter ICMPv6 Traffic by Type

Yes - master/local. I did add the extended ACL on the master, but I do not see it on any of the local controllers.

 

Also in the extended ACL I have a drop any/any as the last rule - should this be in place or not? We have a number of session and user-based roles with various firewall policies applied. I don't want to affect anything but ICMPv6 traffic and not break other rules. I'm not sure how this rule, placed on the interface will affect other rule precedence.

Aruba Employee

Re: Filter ICMPv6 Traffic by Type

At the interface layer, the ACL affects traffic as it flows in or out of the physical interface. The extended ACL is not a stateful firewall policy, but a traditional stateless ACL like what would be applied to a switch or router. The user role will determine what traffic users can put onto the VLAN; the ACL on the interface affects whether that traffic can pass through the interface.

 

For the any/any drop rule, is that specific for icmpv6, or for all traffic? There is an implicit deny all at the end of the policy, so you'll want to verify that needed traffic isn't also getting blocked (explicit permit).

 


Charlie Clemmer
Aruba Customer Engineering
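The stateless evaluation described above, as an added example that is not part of this thread or of any Aruba code: it takes the thread's allow-list of ICMPv6 types (1,2,3,4,128,133,134,135,136), applies it with an implicit deny-all to constructed sample packets, and shows which traffic the deny catches, including Echo Reply (129) and the non-ICMPv6 segment that an interface ACL with no other explicit permits would also drop. It assumes a fixed IPv6 header with no extension headers; the type names and packet builder are mine, not ArubaOS syntax.

```python
import struct

# ICMPv6 types the thread's extended ACL explicitly permits (from the original post).
PERMITTED_ICMPV6_TYPES = {1, 2, 3, 4, 128, 133, 134, 135, 136}

# Names for the types used below (type numbers per RFC 4443, RFC 2710 and RFC 3810).
ICMPV6_TYPE_NAMES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    130: "MLD Query", 131: "MLDv1 Report", 132: "MLD Done",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
    143: "MLDv2 Report",
}
NH_TCP, NH_ICMPV6 = 6, 58

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: fixed IPv6 header with all-zero addresses (placeholders, not real hosts)."""
    head = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return head + bytes(16) + bytes(16) + payload

def build_icmpv6(icmp_type: int, code: int = 0) -> bytes:
    """ICMPv6 header (type, code, checksum left zero) plus a 4-byte body."""
    return build_ipv6(NH_ICMPV6, struct.pack("!BBH", icmp_type, code, 0) + bytes(4))

def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type of a plain IPv6 packet, or None if it is not ICMPv6.
    Assumption: no extension headers between the IPv6 header and ICMPv6."""
    if len(packet) < 41 or packet[0] >> 4 != 6 or packet[6] != NH_ICMPV6:
        return None
    return packet[40]

def stateless_verdict(packet: bytes) -> str:
    """Mimic the interface ACL: explicit permits for listed types, then the implicit deny-all."""
    t = icmpv6_type(packet)
    return "permit" if t in PERMITTED_ICMPV6_TYPES else "deny"

def audit(packets):
    """Label each packet and report which ones the implicit deny would drop."""
    report = []
    for pkt in packets:
        t = icmpv6_type(pkt)
        label = ICMPV6_TYPE_NAMES.get(t, f"ICMPv6 type {t}") if t is not None else f"next header {pkt[6]}"
        report.append((label, stateless_verdict(pkt)))
    return report

if __name__ == "__main__":
    sample = [build_icmpv6(t) for t in (135, 136, 128, 129, 130, 143)]
    sample.append(build_ipv6(NH_TCP, bytes(20)))  # a TCP segment: also hits the implicit deny
    for label, verdict in audit(sample):
        print(f"{verdict:6} {label}")
```

Running it shows the MLD types (130, 143) denied as intended, but also Echo Reply and the TCP segment, which is the check the reply above asks for before applying the ACL to a production interface.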