06-08-2011 11:32 PM
A5120: setting acl IPv6: "Error"
Hi,
I want to set up an ACL:
acl ipv6 number 3900 name blocking-faked-ra
rule 10 deny icmpv6 icmpv6-type router-advertisement
After that, I get:
Error: The IPv6 acl has been applied, and can not be deleted or changed.
Well, "display this" doesn't show "rule 10" at all.
I have an A5120 with firmware 5.20 Release 1505P1.
Does anyone have similar issues?
06-09-2011 01:06 AM
Re: A5120: setting acl IPv6: "Error"
Some features do not allow dynamic ACL editing. For example, if the ACL is used in a QoS policy applied to an enabled user profile, you cannot edit the ACL.
06-09-2011 07:12 AM - edited 06-09-2011 07:12 AM
Re: A5120: setting acl IPv6: "Error"
Thanks for your help. I indeed had to remove the QoS rule before editing the ACL.
I am trying to get the rule from here running:
http://h30499.www3.hp.com/t5/A-Series/Securing-IPv6-on-A-series-Comware-5-2/td-p/2380573
Now I receive an error while applying:
QOS/4/QOS_POLICY_APPLYIF_CBFAIL: Classifier-behavior c_RA in policy p_RA applied on interface GigabitEthernet1/0/22 failed.
Reason: Part of ACL rules are not supported
I also did a:
packet-filter ipv6 name blocking-faked-ra inbound
which resulted in:
PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3900:10 on interface GigabitEthernet1/0/23.Not supported.
Well, what's the problem with the ACL?
acl ipv6 number 3900 name blocking-faked-ra
rule 10 deny icmpv6 icmpv6-type router-advertisement
rule 20 deny udp destination fe80::/64 destination-port eq 546 source-port eq 547
06-13-2011 01:30 AM
Re: A5120: setting acl IPv6: "Error"
The ACL configuration you pasted is ok and I've tried your configuration on Release 1505P05, but could not find any problem.
06-15-2011 10:49 PM
Re: A5120: setting acl IPv6: "Error"
I played a little.
rule 30 deny icmpv6 fragment
rule 50 deny ipv6 fragment
is indeed working, but
rule 30 deny icmpv6 fragment logging
rule 50 deny ipv6 fragment logging
isn't.
This gives me a
PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy test on interface GigabitEthernet1/0/10.Not supported.
on a S5120 with R1505P01 and even on a E4800 with R2208.
Btw, where did you get 1505P05? I can only find R1505P01 on the homepages of HP and H3C.
06-16-2011 03:45 AM
Re: A5120: setting acl IPv6: "Error"
I don't think you can use the fragment keyword in an IPv6 ACL for QoS classification. The keyword can cause class-behavior application failure.
To my knowledge, the logging keyword is currently not supported. This keyword is probably the reason that you got an application failure with packet filter.
1505P05 probably hasn't been released yet.
06-16-2011 05:04 AM
Re: A5120: setting acl IPv6: "Error"
Hi, I don't use "QoS classification". I simply did a "packet-filter ipv6 test inbound" on an ethernet interface.
About the "logging" feature: it seems to work, i.e. there's no application failure when applying, at least for
rule 10 deny icmpv6 icmp6-type router-advertisement logging
rule 80 deny icmpv6 icmp6-type unknown-next-hdr logging
rule 90 deny icmpv6 icmp6-type unknown-ipv6-opt logging
Btw, where is the output of the "logging" feature (if it exists)? Logbuffer isn't used.
06-17-2011 01:19 AM
Re: A5120: setting acl IPv6: "Error"
It seems that neither QoS policies nor packet filters support the fragment in IPv6 ACL rules.
To my knowledge, to use ACL rule logging, your switch must also support the acl ipv6 logging frequence frequence command, which is available on 58 but not 5120. The logging keyword, even if you can configure it, does not take effect.
If the packet filter on your switch supports ACL logging, the log output destinations depend on your Information Center settings (info-center source command). I think the severity of ACL rule log messages is informational.
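Added example, not part of the thread and not HP code: a small Python check that pairs the FLT_SET_POLICY_NOTSUPPORT_FAIL messages quoted in the posts with the ACL rules carrying the "fragment" or "logging" keywords the replies single out, so that ports left without the RA filter are visible. The function names and the ACL number 3901 for the ACL named "test" are assumptions; ACL 3900 and the log lines are quoted from the posts.

```python
import re

# Keywords the thread reports as failing or having no effect on the 5120
# (taken from the replies above, not from a vendor support matrix).
SUSPECT_KEYWORDS = ("fragment", "logging")
FAIL_RE = re.compile(
    r"PFLT/\d/FLT_SET_POLICY_NOTSUPPORT_FAIL: .*?filter policy (\S+) "
    r"on interface (\S+?)\.\s*Not supported")

def suspect_rules(config):
    """Map each ACL number and name to {rule id: [suspect keywords]}."""
    acls, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        rule = re.match(r"\s*rule (\d+) (.+)", line)
        if tok[:2] == ["acl", "ipv6"]:
            current = {}
            for key in ("number", "name"):  # logs cite the ACL either way
                if key in tok[2:-1]:
                    acls[tok[tok.index(key, 2) + 1]] = current
        elif rule and current is not None:
            hits = [k for k in SUSPECT_KEYWORDS if k in rule.group(2).split()]
            if hits:
                current[int(rule.group(1))] = hits
    return acls

def unfiltered_ports(config, log):
    """List (interface, policy, suspect rules) for each failed packet-filter."""
    acls = suspect_rules(config)
    # A policy such as '3900:10' names ACL 3900, rule 10; look up the ACL part.
    return [(iface, policy, acls.get(policy.split(":")[0], {}))
            for policy, iface in FAIL_RE.findall(log)]

# Constructed sample: ACL 3900 and both log lines are quoted from the thread;
# the number 3901 for the ACL named "test" is an assumption.
CONFIG = """\
acl ipv6 number 3900 name blocking-faked-ra
 rule 10 deny icmpv6 icmpv6-type router-advertisement
 rule 20 deny udp destination fe80::/64 destination-port eq 546 source-port eq 547
acl ipv6 number 3901 name test
 rule 30 deny icmpv6 fragment logging
 rule 50 deny ipv6 fragment logging
"""
LOG = """\
PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy 3900:10 on interface GigabitEthernet1/0/23.Not supported.
PFLT/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy test on interface GigabitEthernet1/0/10.Not supported.
"""
```

An empty rule map, as returned for policy 3900:10, means the failure is not explained by either keyword and the port still has no filter against rogue router advertisements.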