
ACL not working

kransom
New Contributor

Hi,

I am configuring ACLs for IPv6, and it is not going as expected. There must be something I am missing as the logic, in my mind, is making sense but it is not working. I have VE 10 (Vlan 10) connected to ISP (internet), VE 20 (Vlan 20), VE 30 (Vlan 30). I want to allow Vlan 20 to access the internet. I only added rules for the subnet on ve 20 since there is an implicit deny at the end of an ACL.

int ve 10
2600:f600:0:10001::c3/126

int ve 20
2600:f600:3600:1::/64

int ve 30
2600:f600:4600:1::/64

#ipv6 access-list inboundv6
permit ipv6 any 2600:f600:3600:1::/64

#ipv6 access-list outboundv6
permit ipv6 2600:f600:3600:1::/64  any

(int-vif-10)#ipv6 traffic-filter inboundv6 in
(int-vif-10)#ipv6 traffic-filter outboundv6 out

This SHOULD permit Vlan 20 to get out to the internet (do ping, ssh, dns, etc.), but for some reason it is being blocked.


Chandini
RUCKUS Team Member

Hi Kransom,

Thank you for reaching out to us.

Could you please help me with the below outputs from the switch:

  • show running-config access-list ipv6
  • show ipv6 access-list inboundv6
  • show ipv6 access-list outboundv6
  • show ipv6 access-lists brief
  • show logging | inc ACL

Thanks 


I believe I have provided the necessary information. It is in a pseudo-ish format but that is it really.

To give more context, for what it's worth, I was trying to make our IPv6 network be default DENY and permit known good addresses, ports, and protocols. It seems like that's not possible since the ACL is stateless. Which would make configuring the ACL very complex. Correct me if I'm wrong.
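To make the stateless point concrete, here is an added example (not from the thread and not Ruckus code) that models first-match ACL evaluation with the implicit deny and checks both directions of one flow through ve 10, first against the two posted ACLs and then against a constructed "default DENY" variant. The evaluator, the server address 2001:db8::1 and the port numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" matches any protocol; else "tcp", "udp", "icmp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None  # None = any destination port

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def rule(action, proto, src, dst, dport=None):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

def evaluate(acl, pkt):
    """First matching rule wins; an implicit 'deny ipv6 any any' ends every ACL."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in acl:
        if (r.proto in ("ipv6", pkt.proto) and s in r.src and d in r.dst
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"

def session_allowed(inbound, outbound, client, server, proto, dport, sport):
    """Stateless filtering: the request (out of ve 10) and the reply (into ve 10)
    are matched independently, so each ACL must permit its own direction."""
    request = evaluate(outbound, Packet(proto, client, server, dport))
    reply = evaluate(inbound, Packet(proto, server, client, sport))
    return request == "permit" and reply == "permit"

# The two ACLs from the post, bound to ve 10 (the ISP-facing interface).
VLAN20 = "2600:f600:3600:1::/64"
inboundv6 = [rule("permit", "ipv6", "::/0", VLAN20)]
outboundv6 = [rule("permit", "ipv6", VLAN20, "::/0")]

# Constructed "default DENY" variant: SSH only. The reply arrives from port 22 to the
# client's ephemeral port; nothing remembers that port, so the inbound ACL must permit
# it explicitly (here: any TCP to VLAN 20) or the reply hits the implicit deny.
outbound_ssh_only = [rule("permit", "tcp", VLAN20, "::/0", dport=22)]
inbound_no_reply_rule = []
inbound_reply_rule = [rule("permit", "tcp", "::/0", VLAN20)]
```

With the posted ACLs a VLAN 20 host passes in both directions while a VLAN 30 host is dropped on the way out; with the SSH-only variant the session only works once the inbound ACL permits the reply to the ephemeral port, which is why per-port default deny grows quickly on a stateless filter.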

Squozen
Contributor III

Traffic is coming OUT of VLAN 20 and INTO VLAN 10. You have no valid rule allowing INBOUND traffic from the VLAN 20 subnet to VLAN 10. 

Could you provide an example of such a rule?
In outboundv6 I have a rule permitting traffic from VLAN 20 to any host on VLAN 10. That is applied outbound on int ve 10.