Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Filter ICMPv6 Traffic by Type

  • 1.  Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 09:02 AM

    Is there a way to allow only specific ICMPv6 types on the controllers? MLD traffic is affecting performance on our large v6 VLAN space and blocking all but the necessary ICMPv6 types should help alleviate the traffic congestion, but I do not see a way to filter based on type.



  • 2.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 11:09 AM

    What firmware version are you running? Is multicast filtering enabled? 



  • 3.  RE: Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 11:31 AM

    Firmware 6.5.4.4. BCMC Optimization and MLD Snooping are both enabled. I did find a way to create an extended ACL to limit ICMPv6 traffic to only types required (1,2,3,4,128,133,134,135,136), but I'm not sure how to apply that extended ACL to a policy.



  • 4.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 11:47 AM

    The extended ACL is a policy. It would need to be applied to the interface.



  • 5.  RE: Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 11:55 AM

    I don't see the extended ACL I created available in any Firewall Policy drop-down lists. I did apply/save the configuration - I can see the extended ACL when I show running-config.



  • 6.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 11:58 AM

    Can you attach a screen shot of what you see when trying to add the extended ACL to the interface?



  • 7.  RE: Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 12:02 PM

    I may have made some progress. When I select the drop-down for "In" or "Out" on Network -> Port -> Firewall Policy, I can see the extended ACL I created. However, this is on the mobility controller only - I do not see the extended ACL on the individual controllers. Do I need to create the extended ACL on each controller and apply to the interface individually?



  • 8.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 12:18 PM

    This is a master/local deployment? Assuming you added the extended ACL on the master controller, then saving the config on the master will trigger the config sync out to the locals.



  • 9.  RE: Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 12:21 PM

    Yes - master/local. I did add the extended ACL on the master, but I do not see it on any of the local controllers.

     

    Also in the extended ACL I have a drop any/any as the last rule - should this be in place or not? We have a number of session and user-based roles with various firewall policies applied. I don't want to affect anything but ICMPv6 traffic and not break other rules. I'm not sure how this rule, placed on the interface will affect other rule precedence.



  • 10.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 01:03 PM

    At the interface layer, the ACL affects traffic as it flows in or out of the physical interface. The extended ACL is not a stateful firewall policy, but a traditional stateless ACL like what would be applied to a switch or router. The user role will determine what traffic users can put onto the VLAN; the ACL on the interface affects whether that traffic can pass through the interface.

     

    For the any/any drop rule, is that specific for icmpv6, or for all traffic? There is an implicit deny all at the end of the policy, so you'll want to verify that needed traffic isn't also getting blocked (explicit permit).

     



  • 11.  RE: Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 01:43 PM

    Understood - thanks. Any idea why we're not seeing that policy on the local controllers? It is only appearing in the extended policies on the master - nothing on any of the local controllers.

     

    The deny rule at the end isn't working the way we hoped. We cannot explicitly deny ICMPv6 traffic without declaring a type. I don't want to have to deny all but the explicit types I want to allow, so that's another problem.

     



  • 12.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 02:06 PM

    I just confirmed I was wrong on the extended ACL sync from master to locals. Because the extended ACL is applied to an interface, and interface data is not sent down from master to locals (VLANs, IP addresses, etc., are locally configured on the locals), the same holds true for extended ACLs.

     

    On the extended ACL, I just noticed it's not possible to filter on icmpv6 specifically and not specify an option. Instead, can you use an ipv6 filter for protocol option 58 (ipv6-icmp) to permit icmpv6 in general, while having higher ordered rules to block the specific icmpv6 types you want blocked? 



  • 13.  RE: Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 02:19 PM

    Thanks for the info on the local controllers - makes sense.

     

    What we're attempting to do is allow specific ICMPv6 types - only 10 in all. Writing deny rules for all other possibilities is a lot of overhead and not very scalable.



  • 14.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 02:23 PM

    Then the reverse of what I described should work:

     

    (where type1-type10 are the 10 icmpv6 types you want to allow)

    any/any icmpv6 type1 permit

    any/any icmpv6 type2 permit

    ...

    any/any icmpv6 type10 permit

    any/any ipv6 protocol 58 drop

    any/any ipv6 any permit



  • 15.  RE: Filter ICMPv6 Traffic by Type

    Posted Mar 28, 2018 02:28 PM

    Thank you - I'll give that a shot and see how things go. Appreciate your help!



  • 16.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Mar 28, 2018 03:27 PM

    You bet! Let me know how it goes.



  • 17.  RE: Filter ICMPv6 Traffic by Type

    Posted Apr 02, 2018 09:13 AM

    I don't seem to be able to drop protocol 58 (ICMPv6) without declaring an ICMPv6 type, which we don't want.

     

    Our existing ACL looks like this:

     

    ip access-list extended ICMPv6-Specific
      ipv6 permit icmpv6 any any no-route-to-dest
      ipv6 permit icmpv6 any any packet-too-big
      ipv6 permit icmpv6 any any hop-limit-exceeded
      ipv6 permit icmpv6 any any header-field-error
      ipv6 permit icmpv6 any any rtr-solicitation
      ipv6 permit icmpv6 any any rtr-adv
      ipv6 permit icmpv6 any any nb-solicitation
      ipv6 permit icmpv6 any any nb-adv
      ipv6 permit icmpv6 any any echo-request
    !

     

    I tried "ipv6 deny icmpv6 any any", but I get an error of incomplete command - it seems to want a specific type, but I want to drop all types at this stage in the ACL. I also tried "ipv6 deny 58 any any" and I get another error message Invalid ICMPv6 message (null).
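    Added example, not from the thread or from HPE Aruba: a small Python model of the stateless, first-match ACL semantics described in posts 10, 14 and 17, so the effect of rule order and the implicit deny can be checked against constructed packets before touching an interface. The Packet and Rule names and the sample packets are assumptions; the ICMPv6 type numbers are the ones the thread lists.

```python
# Added illustration (not the controller's own code): first-match evaluation of
# a stateless ACL over constructed packets, to show why rule ORDER and the
# implicit deny at the end decide what non-ICMPv6 traffic does.
from dataclasses import dataclass
from typing import List, Optional

IPV6_ICMP = 58  # IPv6 next-header value for ICMPv6
# ICMPv6 types the original poster wants to keep (listed in post 3).
ALLOWED_ICMPV6_TYPES = (1, 2, 3, 4, 128, 133, 134, 135, 136)


@dataclass(frozen=True)
class Packet:                      # hypothetical, constructed for this example
    next_header: int               # IPv6 next-header / protocol number
    icmpv6_type: Optional[int] = None  # only meaningful when next_header == 58


@dataclass(frozen=True)
class Rule:                        # hypothetical model of one ACL entry
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # None matches any protocol
    icmpv6_type: Optional[int] = None  # None matches any ICMPv6 type

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.next_header != self.proto:
            return False
        if self.icmpv6_type is not None and pkt.icmpv6_type != self.icmpv6_type:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit deny (post 10)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Rule order from post 14: permit the wanted ICMPv6 types, drop all remaining
# ICMPv6, then permit everything else so the ACL only touches ICMPv6.
ALLOW_LIST_ACL = (
    [Rule("permit", IPV6_ICMP, t) for t in ALLOWED_ICMPV6_TYPES]
    + [Rule("deny", IPV6_ICMP), Rule("permit", None)]
)

# The ACL from post 17, where the final drop and the catch-all permit could
# not be entered: everything that is not a listed ICMPv6 type is dropped.
PERMIT_ONLY_ACL = [Rule("permit", IPV6_ICMP, t) for t in ALLOWED_ICMPV6_TYPES]


def classify(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(rules, p) for p in packets]
```

With the permit-only ACL every non-ICMPv6 packet (TCP, UDP) falls through to the implicit deny, which is the breakage to check for when the explicit drop and trailing permit cannot be entered.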



  • 18.  RE: Filter ICMPv6 Traffic by Type

    EMPLOYEE
    Posted Apr 02, 2018 10:38 AM

    I'm seeing the same error message with the "ipv6 deny 58 any any" entry as well. Using other protocol numbers seems to work. Please open a ticket with support so they can identify if it's functioning as expected, or a bug.



  • 19.  RE: Filter ICMPv6 Traffic by Type

    Posted Apr 02, 2018 10:47 AM

    Thank you - I've opened a ticket and I'll let you know if I make any progress.