Symptom
A VLAN access list (VACL) applied to a VLAN and configured to drop all traffic does not drop ICMPv6 Neighbor Solicitation or Neighbor Advertisement packets as expected.
Consider the following IPv4, IPv6, and MAC access lists applied to VLAN 10 through a VLAN access map. Each access list permits everything, so the access map's action drop is applied to every frame that matches one of them:
switch# show run aclmgr
ip access-list drop-all-ipv4
10 permit ip any any
ipv6 access-list drop-all-ipv6
10 permit ipv6 any any
mac access-list drop-all-mac
10 permit any any
vlan access-map drop-all-traffic 10
match ip address drop-all-ipv4
match ipv6 address drop-all-ipv6
match mac address drop-all-mac
action drop
vlan filter drop-all-traffic vlan-list 10
If two hosts in VLAN 10 are connected through this switch, ICMPv6 Neighbor Solicitation and Neighbor Advertisement packets sent by either host still traverse the switch, even though the VACL is expected to drop them.
Conditions
This behavior is observed on Nexus 9000 switches that have a VLAN access list applied to a VLAN with the intent of dropping all traffic in it.
Workaround
There is no known workaround to this issue.
Further Problem Description
This is expected behavior, not a defect. ICMPv6 Neighbor Solicitation and Neighbor Advertisement are IPv6 Neighbor Discovery control-plane traffic, and VACLs are not designed to filter control-plane traffic. A drop-all VACL therefore cannot be relied on to block neighbor discovery between hosts in the VLAN.
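To make the behavior described in the Symptom and Further Problem Description concrete, the following is an added illustration (not Cisco code and not part of the original note): a toy model of VACL evaluation that parses the configuration shown above, applies the access-map semantics (an ACE permit means the entry matches and the entry's action decides), and then applies the documented exemption for ICMPv6 Neighbor Solicitation (type 135) and Neighbor Advertisement (type 136) as control-plane traffic. The parser, the Frame type, the DEFAULT_ACTION for frames matching no entry, and the restriction to "any" or prefix/length address tokens are simplifying assumptions of the model, not platform facts; the sample configuration is the one from this note embedded as constructed input.

```python
"""Toy model of NX-OS VACL evaluation, written to show why the 'drop all' VACL
in this note still lets ICMPv6 Neighbor Discovery through. Added illustration,
not Cisco code. Simplifications: only 'any' or prefix/len address tokens, a
'match mac address' clause applies only to non-IP frames, DEFAULT_ACTION is an
assumption to verify against platform documentation."""
import ipaddress
import re
from dataclasses import dataclass

ICMPV6_NS, ICMPV6_NA = 135, 136
VACL_EXEMPT_ICMPV6 = {ICMPV6_NS, ICMPV6_NA}  # the two ND types the note names
DEFAULT_ACTION = "drop"                      # assumption, see docstring

# The configuration from the note, embedded here as constructed sample input.
SAMPLE_RUN_ACLMGR = """\
ip access-list drop-all-ipv4
  10 permit ip any any
ipv6 access-list drop-all-ipv6
  10 permit ipv6 any any
mac access-list drop-all-mac
  10 permit any any
vlan access-map drop-all-traffic 10
  match ip address drop-all-ipv4
  match ipv6 address drop-all-ipv6
  match mac address drop-all-mac
  action drop
vlan filter drop-all-traffic vlan-list 10
"""

@dataclass
class Frame:
    vlan: int
    family: str          # "ip", "ipv6" or "mac" (non-IP payload)
    src: str = "any"     # "any" = unspecified, matches every ACE token
    dst: str = "any"
    icmpv6_type: int = None

ACE_RE = re.compile(r"\d+ (permit|deny)(?: (?:ip|ipv6))? (\S+) (\S+)$")

def parse_aclmgr(text: str) -> dict:
    """Parse the VACL subset of 'show run aclmgr' into acls/maps/filters dicts."""
    cfg = {"acls": {}, "maps": {}, "filters": {}}
    acl = entry = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"(?:ip|ipv6|mac) access-list (\S+)$", line):
            acl, entry = cfg["acls"].setdefault(m.group(1), []), None
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            entry = {"seq": int(m.group(2)), "matches": [], "action": "forward"}
            cfg["maps"].setdefault(m.group(1), []).append(entry)
            acl = None
        elif m := re.match(r"vlan filter (\S+) vlan-list (.+)$", line):
            for vlan in m.group(2).split(","):
                cfg["filters"][int(vlan)] = m.group(1)
        elif acl is not None and (m := ACE_RE.match(line)):
            acl.append((m.group(1) == "permit", m.group(2), m.group(3)))
        elif entry is not None and (m := re.match(r"match (ip|ipv6|mac) address (\S+)$", line)):
            entry["matches"].append((m.group(1), m.group(2)))
        elif entry is not None and (m := re.match(r"action (drop|forward)$", line)):
            entry["action"] = m.group(1)
        else:
            raise ValueError(f"line not understood by this model: {line!r}")
    return cfg

def _addr_ok(token: str, addr: str) -> bool:
    if token == "any" or addr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)

def _acl_permits(cfg: dict, name: str, frame: Frame) -> bool:
    """First matching ACE decides; 'deny' or no match means the entry does not match."""
    for permit, src, dst in cfg["acls"].get(name, []):
        if _addr_ok(src, frame.src) and _addr_ok(dst, frame.dst):
            return permit
    return False

def vacl_verdict(cfg: dict, frame: Frame) -> tuple:
    """Return (action, reason) for one frame, applying the ND exemption first."""
    map_name = cfg["filters"].get(frame.vlan)
    if map_name is None:
        return "forward", "no VACL applied to this VLAN"
    if frame.family == "ipv6" and frame.icmpv6_type in VACL_EXEMPT_ICMPV6:
        return "forward", "ICMPv6 ND is control-plane traffic; VACL not applied"
    for entry in sorted(cfg["maps"][map_name], key=lambda e: e["seq"]):
        if any(fam == frame.family and _acl_permits(cfg, acl, frame)
               for fam, acl in entry["matches"]):
            return entry["action"], f"{map_name} seq {entry['seq']}"
    return DEFAULT_ACTION, "no access-map entry matched (model default)"

def nd_leak_report(cfg: dict) -> dict:
    """vlan -> True when the VACL drops plain IPv6 but NS and NA still forward."""
    report = {}
    for vlan in sorted(cfg["filters"]):
        verdicts = [vacl_verdict(cfg, Frame(vlan, "ipv6", icmpv6_type=t))[0]
                    for t in (None, ICMPV6_NS, ICMPV6_NA)]
        report[vlan] = verdicts == ["drop", "forward", "forward"]
    return report

if __name__ == "__main__":
    cfg = parse_aclmgr(SAMPLE_RUN_ACLMGR)
    print(vacl_verdict(cfg, Frame(10, "ipv6", icmpv6_type=ICMPV6_NS)))
    print(nd_leak_report(cfg))  # {10: True}
```

Running the block against the note's configuration reports drop for ordinary IPv4, IPv6, and non-IP frames in VLAN 10 and forward for Neighbor Solicitation and Neighbor Advertisement, which is the combination nd_leak_report flags. The same report run over a real `show run aclmgr` is a quick way to find every VLAN where a drop-all VACL is silently leaving neighbor discovery untouched.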