Posted on February 26, 2020 11:26 pm
 |  Asked by Thomas
 |  36 views
0
0
Print Friendly, PDF & Email

Hello,

I have a DCS-7050T-64-R. I use IPv6 DNS Servers. I have an IPv6 ACL that allows dns over tcp/udp. When I do not apply the acl I can resolve a dns name, when I apply the acl, I can’t. Output

ipv6 access-list dns
10 permit tcp any any eq domain
20 permit udp any any eq domain

ip name-server vrf default 2a01:4f8:0:1::add:1010
ip name-server vrf default 2a01:4f8:0:1::add:9898
ip name-server vrf default 2a01:4f8:0:1::add:9999

interface Port-Channel3
switchport mode trunk
ipv6 access-group dns in
spanning-tree portfast

arista#conf t
arista(config)#int po 3
arista(config-if-Po3)#no ipv6 access-group dns in
arista(config-if-Po3)#
arista#ping ab34.de
PING ab34.de (88.198.237.220) 72(100) bytes of data.
80 bytes from infra.glanzmann.de (88.198.237.220): icmp_seq=1 ttl=64 time=0.217 ms
80 bytes from infra.glanzmann.de (88.198.237.220): icmp_seq=2 ttl=64 time=0.211 ms
80 bytes from infra.glanzmann.de (88.198.237.220): icmp_seq=3 ttl=64 time=0.142 ms
80 bytes from infra.glanzmann.de (88.198.237.220): icmp_seq=4 ttl=64 time=0.182 ms
80 bytes from 88.198.237.220: icmp_seq=5 ttl=64 time=0.173 ms

— ab34.de ping statistics —
5 packets transmitted, 5 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 0.142/0.185/0.217/0.027 ms, ipg/ewma 0.766/0.200 ms

Is the ACL implementation broken or do I overlook something? If I do a permit entry for one of the dns servers, it works.

Cheers,

Thomas

0
Answered on February 26, 2020 11:28 pm

Hi Thomas,

Thank you for writing to the forum.

May I know the route for ab34.de (88.198.237.220)?
Is it also via Port-channel 3?

Could you attach a copy of the show running here?

Thanks,

Post your Answer

You must be logged in to post an answer.