October 30th, 2011 18:00

IPv6: management access-list does not apply?!

Hello all,

I am setting up a PowerConnect 6248 switch with IPv6. I noticed that the management access-list does not seem to apply to IPv6! The ACL seems to work just fine against IPv4 clients, but when I use the IPv6 address on the switch, it just bypasses them. Is this a bug? Is there a workaround?

I thought I would work around the issue by creating an IPv6 ACL and applying the filter to the VLAN, but again I ran into a bit of a roadblock. If I have an IPv4 access group defined, the switch will not allow me to add an IPv6 traffic filter. It is either one or the other.

Any ideas on how to work around these issues?

3 Posts

December 6th, 2012 12:00

Currently experiencing the same issue on a PowerConnect 7024. There doesn't seem to be a viable solution to restrict management access to the device's IPv6 addresses without creating an IPv6 ACL including all possible IPv6 address entry points and applying that to all interfaces, an unwieldy and sub-optimal solution.

5 Practitioner

274.2K Posts

December 6th, 2012 13:00

Looking at the example on page 558 of the user guide.

support.dell.com/.../UG.pdf

We should be able to alter the IPv4 address for an IPv6 address.

console#configure
console(config)#management access-list mgmt_ACL
console(config-macl)#permit ipv6 2001:DB8::/32 vlan 1 priority 1
console(config-macl)#permit ipv6 2001:DB8::/32 Gi1/0/9 priority 2
console(config-macl)#exit
console(config)#management access-class mgmt_ACL
console(config)#exit

There is an inherent deny all for all other IP addresses. You can change this to suit your needs for a specific IP address, or deny all IP addresses, etc.

Hope this helps some. Let us know if you have any other questions.

3 Posts

December 7th, 2012 08:00

Thanks for the response, that was my first avenue but unfortunately there's no IPv6 support under management ACLs. Also supplying an IPv6 address with ip-source is not valid. This seems to be a pretty glaring oversight for a device that supports IPv6 management.

Console(config-macl)#permit ?
                         Press enter to execute the command.
Gigabitethernet          Enter a GigabitEthernet port.
Tengigabitethernet       Enter a TenGigabitEthernet port.
mask                     Specify the source IP address network mask or the
                         number of bits that comprise the source IP address
                         prefix. The prefix length must be preceded by a
                         forward slash (/).
port-channel             Specify the port-channel number.
priority                 To set the priority for rule.
service                  Define service type condition.
vlan                     Specify the VLAN number.

Console(config-macl)#permit ip-source ?
                         Specify the source IP address.

Console(config-macl)#permit ip-source 2001:DB8::/32
Error:Invalid IP address.

5 Practitioner

274.2K Posts

December 10th, 2012 11:00

I've been trying to do some research on this, but there is not a lot of documentation based on an implementation like this. An idea was to try to change the command up just a little, to look more like this.

permit ip-source 2001:DB8::/32 vlan 1 priority 1

See if it will accept the ipv6 address that way.

Thanks.

3 Posts

December 11th, 2012 07:00

Thanks again, I've tried including the vlan and priority and a number of variations but all return the "Error:Invalid IP address." message when using IPv6 addresses.

2 Posts

December 11th, 2012 10:00

Still not working? It has been over a year since I initially posted the issue. When will there be a firmware update that fixes the problem?

5 Practitioner

274.2K Posts

December 11th, 2012 10:00

Sorry that did not work either. If I run across anything else we can try I will chime back in. Hopefully some future firmware revisions will add some support for this.
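A check for the behaviour reported in this thread, as an added example that is not part of any post and not Dell's code: run from a host the management ACL should deny, it tests the switch's management ports over both address families and lists services that are filtered over IPv4 but still answer over IPv6. The port list and the function names are assumptions.

```python
import socket

# Assumed set of management services to test; adjust to what the switch runs.
MGMT_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


def tcp_open(addr, port, timeout=2.0):
    """Return True if a TCP handshake with addr:port completes."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # refused, filtered (timeout), unreachable, no IPv6 stack
        return False


def probe(v4_addr, v6_addr, ports=MGMT_PORTS, timeout=2.0):
    """Map service name -> (reachable over IPv4, reachable over IPv6)."""
    return {name: (tcp_open(v4_addr, port, timeout),
                   tcp_open(v6_addr, port, timeout))
            for name, port in ports.items()}


def family_gaps(results):
    """Services filtered over IPv4 that still answer over IPv6."""
    return sorted(name for name, (v4, v6) in results.items() if v6 and not v4)


if __name__ == "__main__":
    # Constructed sample of what probe() returns from a host the ACL should deny.
    sample = {"ssh": (False, True), "telnet": (False, False),
              "http": (False, True), "https": (False, False)}
    for name in family_gaps(sample):
        print(f"{name}: blocked over IPv4 but reachable over IPv6")
```

To test a real device, pass the switch's own IPv4 and IPv6 management addresses to `probe()` and feed the result to `family_gaps()`; an empty list means both families are filtered the same way for the tested ports.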
