I'm using IP Base. However, AFAIK, IP Base lacks things like dynamic routing and other enterprise features. IPv6 now seems to be a "standard feature" and not an "add-on feature", not something to buy as an extra. It does not make sense to forbid using object-group IPv6 networks but allow the same result with individual ACEs. object-group only simplifies ACL management; it is not a feature in itself. If it were something that we needed to "buy", I would expect it to offer IPv6 prefix/network matching before it allowed individual IPv6 host matching, as the latter uses more resources.
Hello,

I'm testing IOS XE 16.12.1 on a WS-C3850-24XS. When I try to use object-group, it does not accept IPv6 network addresses. IPv4 works as expected:

  object-group network netA-4
   host 10.1.10.1

But it fails to accept IPv6 networks:

  object-group v6-network netA-6
  % Invalid input detected at '^' marker.
  switch1(config-v6network-group)#

I can only add hosts to an object-group v6-network. I tried both ULA and global addresses and different masks, and nothing seems to be accepted.
Hello,

I'm facing an interesting bug with IPv6 common ACLs on a WS-C3850-24XS, at least from IOS 16.06.x through 16.12.x. With these simple ACLs:

  ipv6 access-list allow-icmp
   sequence 10 permit icmp any any
   sequence 20 permit ipv6 any any
  ipv6 access-list deny-icmp
   sequence 10 deny icmp any any echo-request
   sequence 20 deny icmp any any echo-reply
   sequence 30 permit ipv6 any any

The first time I assign them to a VLAN interface, it works as expected:

  interface Vlan200
   ipv6 traffic-filter common allow-icmp deny-icmp in

But the second time I do it, I get no feedback in the terminal that it did not work, but I do get log messages like these:

  Aug 14 14:58:52: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL deny-icmp configuration could not be applied on Vlan200.
  Aug 14 14:58:59: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL allow-icmp configuration could not be applied on Vlan200.

And it is not applied. The result is that the switch keeps using the last applied ACL, although it tells me that it is using the failed one:

  # show ipv6 interface vlan 200 | grep In
    Inbound common access list allow-icmp
    Inbound access list deny-icmp

The interesting part is that it simply works the first time I do it, whether coming from the startup config or configured manually in the terminal. It only fails the second time the config is changed. "ipv6 traffic-filter common COMMON_ACL" without the specific ACL, or the specific ACL alone with "ipv6 traffic-filter SPECIFIC_ACL", both work. IPv4 also works as expected, with or without common. The issue is only with IPv6 with the common and specific ACL together. I can only reapply it after a reload.

It does not seem to be a low-resource problem:

  #show platform hardware fed switch 1 fwd-asic resource tcam utilization 0 | grep Sec | grep Acc
  Security Access Control Entries 3072 146

I even opened a support case and the answer was something like "This is not a bug, it is not supported by your device, don't use it". It is a documented feature, it completes with "?", it works the first time, but support tells me it was not "supposed to be used", even with no docs telling me it does not work. If this feature should not exist, it should be hidden, it should not work the first time, and it should give a specific error telling me it is not supported (as reflexive ACL does).
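The security-relevant part of the report above is that "show ipv6 interface" advertises a traffic filter the forwarding engine never programmed, so the running config cannot be trusted on its own. The following is an added example (not code from the post, nor anything from Cisco) that correlates %ACL_ERRMSG-3-ERROR syslog lines with the inbound access lists an interface reports and flags every ACL that is claimed but was rejected in hardware. The log lines and show output are constructed from the formats quoted in the post; the regular expressions, the "Output"/"Outbound" handling and the interface names other than Vlan200 are assumptions, not something the post documents.

```python
import re

# Constructed sample syslog, modelled on the %ACL_ERRMSG-3-ERROR lines quoted in the post,
# plus one unrelated line to show that only ACL programming failures are picked up.
SAMPLE_LOG = """\
Aug 14 14:58:52: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL deny-icmp configuration could not be applied on Vlan200.
Aug 14 14:58:59: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL allow-icmp configuration could not be applied on Vlan200.
Aug 14 15:01:03: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Constructed "show ipv6 interface <intf> | grep In" output per interface.
# Vlan300 is an assumed second interface with no logged failure, so it must not be flagged.
SAMPLE_SHOW = {
    "Vlan200": """\
Inbound common access list allow-icmp
Inbound access list deny-icmp
""",
    "Vlan300": """\
Inbound access list deny-icmp
""",
}

# Assumed message shape: "<dir> IPv6 L3 ACL <name> configuration could not be applied on <intf>."
# Only "Input" appears in the post; "Output" is an assumption.
ERR_RE = re.compile(
    r"%ACL_ERRMSG-3-ERROR: .*?(?P<dir>Input|Output) IPv6 L3 ACL (?P<acl>\S+) "
    r"configuration could not be applied on (?P<intf>\S+?)\.?$"
)

# Matches both "Inbound common access list X" and "Inbound access list X".
SHOW_RE = re.compile(r"^(?P<dir>Inbound|Outbound) (?:common )?access list (?P<acl>\S+)$")


def parse_failures(log_text):
    """Return {(interface, 'in'|'out', acl)} for every ACL the FED logged it could not program."""
    failures = set()
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            direction = "in" if m.group("dir") == "Input" else "out"
            failures.add((m.group("intf"), direction, m.group("acl")))
    return failures


def parse_claimed(intf, show_text):
    """Return {(interface, 'in'|'out', acl)} for every ACL the control plane reports on intf."""
    claimed = set()
    for line in show_text.splitlines():
        m = SHOW_RE.match(line.strip())
        if m:
            direction = "in" if m.group("dir") == "Inbound" else "out"
            claimed.add((intf, direction, m.group("acl")))
    return claimed


def find_phantom_acls(log_text, show_by_intf):
    """ACLs that are reported as applied but were rejected by hardware.

    Such an ACL looks present in the configuration while the interface is really
    still filtered by whatever was programmed before (or by nothing at all).
    """
    failures = parse_failures(log_text)
    claimed = set()
    for intf, text in show_by_intf.items():
        claimed |= parse_claimed(intf, text)
    return sorted(claimed & failures)


if __name__ == "__main__":
    for intf, direction, acl in find_phantom_acls(SAMPLE_LOG, SAMPLE_SHOW):
        print(f"WARNING: {intf} {direction}: ACL {acl} is shown as applied but was not programmed")
```

Feed it the device's real log buffer and the per-interface show output collected in the same maintenance window; a non-empty result means the filter visible in the configuration is not the one enforcing traffic, which is exactly the condition the post describes. It can only catch failures the switch actually logged, so it complements rather than replaces a check of the hardware programming state.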
Hello,

The SF300-24P is losing the default-gateway config when I change the IP address of the management VLAN. It happens for address or mask changes, no matter if the default gateway is still reachable.

  switch08p#ping 10.9.1.1
  Pinging 10.9.1.1 with 18 bytes of data:
  18 bytes from 10.9.1.1: icmp_seq=1. time=0 ms
  18 bytes from 10.9.1.1: icmp_seq=2. time=0 ms
  18 bytes from 10.9.1.1: icmp_seq=3. time=0 ms
  18 bytes from 10.9.1.1: icmp_seq=4. time=0 ms
  ----10.9.1.1 PING Statistics----
  4 packets transmitted, 4 packets received, 0% packet loss
  round-trip (ms) min/avg/max = 0/0/0

  switch08p#show ip rout
  Maximum Parallel Paths: 1 (1 after reset)
  IP Forwarding: disabled
  Codes: > - best, C - connected, S - static
  S 0.0.0.0/0 [1/1] via 10.9.12.1, 01:40:17,
  C 10.9.12.0/23 is directly connected,
  C 127.0.0.0/8 is directly connected, SuperVlan_20000

  switch08p#show running-config
  ...
  interface vlan 12
   name switches
   ip address 10.9.13.8 255.255.254.0
   ipv6 address autoconfig
  ...
  ip default-gateway 10.9.12.1

  switch08p(config)#int vlan 12
  switch08p(config-if)#ip address 10.9.13.88 255.255.254.0
  Please ensure that the port through which the device is managed has the proper settings and is a member of the new management interface.
  Would you like to apply this new configuration? (Y/N)[N] Y
  switch08p(config-if)#ip address 10.9.13.8 255.255.254.0
  Please ensure that the port through which the device is managed has the proper settings and is a member of the new management interface.
  Would you like to apply this new configuration? (Y/N)[N] Y
  switch08p(config-if)#end

  switch08p#ping 10.9.1.1
  Pinging 10.9.1.1 with 18 bytes of data:
  PING: net-unreachable
  PING: net-unreachable
  PING: net-unreachable
  PING: net-unreachable
  ----10.9.1.1 PING Statistics----
  4 packets transmitted, 0 packets received, 100% packet loss

  switch08p#show ip rou
  Maximum Parallel Paths: 1 (1 after reset)
  IP Forwarding: disabled
  Codes: > - best, C - connected, S - static
  C 10.9.12.0/23 is directly connected,
  C 127.0.0.0/8 is directly connected, SuperVlan_20000

I have to reapply "ip default-gateway 10.9.12.1" in order to get the network back. This makes a simple IP address change quite difficult for a remote switch. I used an IPv6 connection as a workaround, but I think this is not a completely final solution. Is this a bug, a known issue, or simply a limitation?