A5120: setting acl IPv6: "Error"

MichaelM55 · ‎06-08-2011

Hi,

I want to setup an ACL

acl ipv6 number 3900 name blocking-faked-ra
rule 10 deny icmpv6 icmpv6-type router-advertisement

after that, I get an:

Error: The IPv6 acl has been applied, and can not be deleted or changed.

Well, "display this" doesn´t show "rule 10" at all.

Having A5120 with firmware 5.20 Release 1505P1.

Does anyone have similar issues?

pombeii · ‎06-09-2011

Some features do not allow dynamic ACL editing. For example, if the ACL is used in a QoS policy applied to an enabled user profile, you cannot edit the ACL.

MichaelM55 · ‎06-09-2011

Thanks for your help. I indeed had to remove the QoS rule before editing the ACL

I try to get the rule running from here:

http://h30499.www3.hp.com/t5/A-Series/Securing-IPv6-on-A-series-Comware-5-2/td-p/2380573

Now I receive an error while applying:

QOS/4/QOS_POLICY_APPLYIF_CBFAIL: Classifier-behavior c_RA in policy p_RA applied on interface GigabitEthernet1/0/22 failed.
Reason: Part of ACL rules are not supported

I also did a:

packet-filter ipv6 name blocking-faked-ra inbound

which resulted in:

PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3900:10 on interface GigabitEthernet1/0/23.Not supported.

Well, what's the problem with the ACL?

acl ipv6 number 3900 name blocking-faked-ra
rule 10 deny icmpv6 icmpv6-type router-advertisement
rule 20 deny udp destination fe80::/64 destination-port eq 546 source-port eq 547

pombeii · ‎06-13-2011

The ACL configuration you pasted is ok and I've tried your configuration on Release 1505P05, but could not find any problem.

snoms · ‎06-15-2011

I played a little

rule 30 deny icmpv6 fragment
rule 50 deny ipv6 fragment

is indeed working, but

rule 30 deny icmpv6 fragment logging
rule 50 deny ipv6 fragment logging

isnt´t.

This gives me a

PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy test on interface GigabitEthernet1/0/10.Not supported.

on a S5120 with R1505P01 and even on a E4800 with R2208.

Btw, where did you get 1505P05? I can only find R1505P01 on the homepages of HP and H3C.

pombeii · ‎06-16-2011

I don't think you can use the fragment keyword in an IPv6 ACL for QoS classification. The keyword can cause class-behavior application failure.

To my knowledge, the logging keyword is currently not supported. This keyword is problably the reason that you got an application failure with packet filter.

1505P05 probably hasn't been release yet.

MichaelM55 · ‎06-16-2011

Hi, I don´t user "QoS classification". I simply did a "packet-filter ipv6 test inbound" on an ethernet interface .

About the "logging" feature. It seems to work, i.e. there´s no application failure when applying, at least for

 rule 10 deny icmpv6 icmp6-type router-advertisement logging
 rule 80 deny icmpv6 icmp6-type unknown-next-hdr logging
 rule 90 deny icmpv6 icmp6-type unknown-ipv6-opt logging

Btw, where is the output of the "logging" feature (if it exists)? Logbuffer isn´t used

pombeii · ‎06-17-2011

It seems that neither QoS policies nor packet filters support the fragment in IPv6 ACL rules.

To my knowledge, to use ACL rule logging, your switch must also support the acl ipv6 logging frequence frequence command, which is available on 58 but not 5120. The logging keyword, even if you can configure it, does not take effect.

If the packet filter on your switch supports ACL logging, the log output destinations depend on your Information Center settings (info-center source command). I think the severity of ACL rule log messages is informational.