Why does the controller list users with IPv6 addresses in the user-table even though IPv6 is globally disabled on the controller?
- An SSID whose AP forwarding mode is configured as bridge
- In the output below, a user connected to the SSID in bridge mode shows 2 entries (IPv4 and IPv6)
- According to the following configuration, IPv6 is globally disabled
(LAB-MM) [mynode] (config) #show ipv6 global
Wed Apr 22 11:23:42.213 2020
Global IPv6 Packet Processing is Disabled
But checking the user-table reveals 2 entries (IPv4 and IPv6)
show user-table
Users
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
fe80::4bc:a7c6:4e8f:a676 18:64:72:c6:ea:ec authenticated 00:21:22 535-Upstairs Associated(Remote) usdert/00:1a:1e:01:f8:e8/a-VHT bertew bridge OS X WIRELESS
172.21.1.2 18:64:72:c6:ea:ec authenticated 00:45:21 535-Upstairs Associated(Remote) usdert/00:1a:1e:01:f8:e8/a-VHT bertew bridge OS X WIRELESS
Because the forwarding mode is set to bridge, the ACL rules configured under the "authenticated" role do not take effect, so we must check the IP Access-List Session "VALIDUSER"
(LABMM) [mynode] (config) #show running-config | begin valid
ip access-list session validuser
network 127.0.0.0 255.0.0.0 any any deny
network 169.254.0.0 255.255.0.0 any any deny
network 224.0.0.0 240.0.0.0 any any deny
host 255.255.255.255 any any deny
network 240.0.0.0 240.0.0.0 any any deny
any any any permit
ipv6 host fe80:: any any deny
ipv6 network fc00::/7 any any permit
ipv6 network fe80::/64 any any permit
ipv6 alias ipv6-reserved-range any any deny
ipv6 any any any permit
!
- As noted above, IPv6 is globally disabled, but this option only affects users on the controller side, that is, users whose forwarding mode is set to "Tunnel" or "Split-Tunnel"
- This configuration is not pushed to APs that broadcast the SSID in bridge mode
- Therefore, to stop bridge-mode users from reporting IPv6 entries to the controller, we must add the following command to the IP access list: add "ipv6 any any any deny" in IP Access-List Session "VALIDUSER"
(LAB-MM) [mynode] (config) #ip access-list session validuser
(LAB-MM) ^[mynode] (config-submode)#no ipv6 any any any permit
(LAB-MM) ^[mynode] (config-submode)#ipv6 any any any deny position 11
(LAB-MM) ^[mynode] (config-submode)#write memory
Saving Configuration...
Configuration Saved.
(LAB-MM) [mynode] (config-submode)#show running-config | begin valid
Building Configuration...
ip access-list session validuser
network 127.0.0.0 255.0.0.0 any any deny
network 169.254.0.0 255.255.0.0 any any deny
network 224.0.0.0 240.0.0.0 any any deny
host 255.255.255.255 any any deny
network 240.0.0.0 240.0.0.0 any any deny
any any any permit
ipv6 host fe80:: any any deny
ipv6 network fc00::/7 any any permit
ipv6 network fe80::/64 any any permit
ipv6 alias ipv6-reserved-range any any deny
ipv6 any any any deny
!
After applying the configuration above, only the IPv4 entry appears in the user-table
show user-table
Users
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
172.21.1.2 18:64:72:c6:ea:ec authenticated 00:50:12 535-Upstairs Associated(Remote) usdert/00:1a:1e:01:f8:e8/a-VHT bertew bridge OS X WIRELESS
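To check which user source addresses the validuser session ACL permits before and after the change, the added example below (not code from the page or from ArubaOS) parses the rule text shown above and evaluates it with plain first-match semantics. It assumes the rules are evaluated top to bottom against the user's source address, that the contents of the "ipv6-reserved-range" alias (not shown on the page) are empty, and it does not model how the AP decides to create a user-table entry.

```python
import ipaddress

# Rule text copied from the page's "show running-config | begin valid" output.
ACL_BEFORE = """
network 127.0.0.0 255.0.0.0 any any deny
network 169.254.0.0 255.255.0.0 any any deny
network 224.0.0.0 240.0.0.0 any any deny
host 255.255.255.255 any any deny
network 240.0.0.0 240.0.0.0 any any deny
any any any permit
ipv6 host fe80:: any any deny
ipv6 network fc00::/7 any any permit
ipv6 network fe80::/64 any any permit
ipv6 alias ipv6-reserved-range any any deny
ipv6 any any any permit
"""
# The page's fix: the final IPv6 catch-all becomes a deny.
ACL_AFTER = ACL_BEFORE.replace("ipv6 any any any permit", "ipv6 any any any deny")

# Alias members are not on the page; an empty alias (assumption) never matches.
ALIASES = {"ipv6-reserved-range": []}


def parse_rule(line):
    """Return (ip_version, source_networks, action) for one session-ACL line."""
    tok = line.split()
    version = 4
    if tok[0] == "ipv6":
        version, tok = 6, tok[1:]
    kind = tok[0]
    if kind == "any":
        nets = [ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")]
    elif kind == "host":
        nets = [ipaddress.ip_network(tok[1])]
    elif kind == "network":
        # IPv4 rules use "address mask"; IPv6 rules use prefix notation.
        nets = [ipaddress.ip_network(f"{tok[1]}/{tok[2]}" if version == 4 else tok[1])]
    elif kind == "alias":
        nets = [ipaddress.ip_network(n) for n in ALIASES[tok[1]]]
    else:
        raise ValueError(f"unsupported rule: {line}")
    return version, nets, tok[-1]


def evaluate(acl_text, user_ip):
    """First matching rule wins; rules of the other address family are skipped."""
    ip = ipaddress.ip_address(user_ip)
    for line in acl_text.strip().splitlines():
        version, nets, action = parse_rule(line)
        if version == ip.version and any(ip in n for n in nets):
            return action
    return "deny"  # implicit deny when no rule matches
```

Under this first-match model the change only affects IPv6 addresses that reach the last rule (for example a global unicast address), while the fe80::/64 permit above it still precedes the final deny; whether the AP then creates a user-table entry for a link-local address is outside what this evaluator models.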
What if a user in bridge mode does not use the "authenticated" role? Can the restriction be applied under a different role?
Without a PEF license there is no authenticated role; the default role can be used, but without a PEF license you cannot customize role policies.