Contributor II

Re: Filter ICMPv6 Traffic by Type

Understood - thanks. Any idea why we're not seeing that policy on the local controllers? It is only appearing in the extended policies on the master - nothing on any of the local controllers.

 

The deny rule at the end isn't working the way we hoped. We cannot explicitly deny ICMPv6 traffic without declaring a type. I don't want to have to deny all but the explicit types I want to allow, so that's another problem.

 

Re: Filter ICMPv6 Traffic by Type

I just confirmed I was wrong on the extended ACL sync from master to locals. Because the extended ACL is applied to an interface, and interface data is not sent down from master to locals (VLANs, IP addresses, etc., are locally configured on the locals), the same holds true for extended ACLs.

 

On the extended ACL, I just noticed it's not possible to filter on icmpv6 specifically and not specify an option. Instead, can you use an ipv6 filter for protocol option 58 (ipv6-icmp) to permit icmpv6 in general, while having higher ordered rules to block the specific icmpv6 types you want blocked? 


Charlie Clemmer
Aruba Customer Engineering
Contributor II

Re: Filter ICMPv6 Traffic by Type

Thanks for the info on the local controllers - makes sense.

 

What we're attempting to do is allow specific ICMPv6 types - only 10 in all. Writing deny rules for all other possibilities is a lot of overhead and not very scalable.

Re: Filter ICMPv6 Traffic by Type

Then the reverse of what I described should work:

 

(where type1-type10 are the 10 icmpv6 types you want to allow)

any/any icmpv6 type1 permit
any/any icmpv6 type2 permit
...
any/any icmpv6 type10 permit
any/any ipv6 protocol 58 drop
any/any ipv6 any permit


Charlie Clemmer
Aruba Customer Engineering
Contributor II

Re: Filter ICMPv6 Traffic by Type

Thank you - I'll give that a shot and see how things go. Appreciate your help!

Re: Filter ICMPv6 Traffic by Type

You bet! Let me know how it goes.


Charlie Clemmer
Aruba Customer Engineering
Contributor II

Re: Filter ICMPv6 Traffic by Type

I don't seem to be able to drop protocol 58 (ICMPv6) without declaring an ICMPv6 type, which we don't want.

 

Our existing ACL looks like this:

 

ip access-list extended ICMPv6-Specific
  ipv6 permit icmpv6 any any no-route-to-dest
  ipv6 permit icmpv6 any any packet-too-big
  ipv6 permit icmpv6 any any hop-limit-exceeded
  ipv6 permit icmpv6 any any header-field-error
  ipv6 permit icmpv6 any any rtr-solicitation
  ipv6 permit icmpv6 any any rtr-adv
  ipv6 permit icmpv6 any any nb-solicitation
  ipv6 permit icmpv6 any any nb-adv
  ipv6 permit icmpv6 any any echo-request
!

 

I tried "ipv6 deny icmpv6 any any", but I get an error of incomplete command - it seems to want a specific type, but I want to drop all types at this stage in the ACL. I also tried "ipv6 deny 58 any any" and I get another error message: "Invalid ICMPv6 message (null)".
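
Added example, not part of the thread and not Aruba code: a Python model of the rule order proposed earlier (permit the listed ICMPv6 types, drop the rest of protocol 58, permit other IPv6), using the nine keywords from the ACL above, so the intended verdict for a given packet can be stated before testing on a controller. Assumptions: first-match evaluation, the keyword-to-type/code numbers (taken from RFC 4443 and RFC 4861, not from controller documentation), and no handling of fragmented packets; the sample packets are constructed.

```python
import struct

# Assumed keyword -> (type, code) mapping using RFC 4443 / RFC 4861 numbers;
# code None means "any code". Not taken from the controller's documentation.
ALLOWED = {
    "no-route-to-dest": (1, 0), "packet-too-big": (2, None),
    "hop-limit-exceeded": (3, 0), "header-field-error": (4, 0),
    "rtr-solicitation": (133, None), "rtr-adv": (134, None),
    "nb-solicitation": (135, None), "nb-adv": (136, None),
    "echo-request": (128, None),
}
ICMPV6 = 58
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options (fragments not handled)

def upper_layer(packet: bytes):
    """Walk the IPv6 extension header chain; return (protocol, payload)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    while nxt in EXT_HEADERS:
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    return nxt, packet[off:]

def verdict(packet: bytes) -> str:
    """First match wins: listed types, then drop protocol 58, then permit IPv6."""
    proto, payload = upper_layer(packet)
    if proto != ICMPV6:
        return "permit (ipv6 any)"
    if len(payload) >= 2:
        for name, (typ, code) in ALLOWED.items():
            if payload[0] == typ and code in (None, payload[1]):
                return f"permit ({name})"
    return "drop"  # the catch-all "ipv6 protocol 58 drop" rule

def make_packet(next_header: int, payload: bytes, hop_by_hop: bool = False) -> bytes:
    """Constructed sample packet ::1 -> ::1, optionally behind a padded hop-by-hop header."""
    if hop_by_hop:
        payload = bytes([next_header, 0, 1, 4, 0, 0, 0, 0]) + payload
        next_header = 0
    addr = bytes(15) + b"\x01"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addr + addr + payload
```
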

Re: Filter ICMPv6 Traffic by Type

I'm seeing the same error message with the "ipv6 deny 58 any any" entry as well. Using other protocol numbers seems to work. Please open a ticket with support so they can identify if it's functioning as expected, or a bug.


Charlie Clemmer
Aruba Customer Engineering
Contributor II

Re: Filter ICMPv6 Traffic by Type

Thank you - I've opened a ticket and I'll let you know if I make any progress.
