Help me to limit my access list order please?

Hello

I am trying to configure my client's PIX 506E so that I can RDP to their server.

Currently, it looks like this and works, but anyone on the internet can get in:

access-list acl_out permit tcp any host 66.252.xxx.xxx eq 3389

Can someone please tell me the command to restrict it so that only connections from my network are allowed through?

I tried the following, but it didn't work:

access-list acl_out permit tcp host (the ip address of my router's external interface) host 66.252.xxx.xxx eq 3389

Assume that my external router's address is 192.168.1.25 for illustration's sake.

Thank you

Hello

access-list acl_out permit tcp srcipnetwork srcmask host 66.252.xxx.xxx eq 3389

where srcipnetwork is the network that you connect from, not your router. If you don't log in from a single IP address, you can use the host keyword in front of srcipnetwork instead of setting the mask after it.

Best regards

/ M

Tags: Cisco Security

Similar Questions

  • Order of access-list syntax

    Hello

    I have a small question about the order of the syntax in an access list. I got my access list working now, but I don't understand why.

    It looked like this when it did not work:

    (outside interface, incoming traffic)

    access-list 100 permit tcp any any established log

    access-list 100 permit udp any any eq domain log

    access-list 100 permit tcp any any eq domain log

    access-list 100 deny ip any any log

    To make this work, I had to add these two lines:

    access-list 100 permit udp any eq domain any log

    access-list 100 permit tcp any eq domain any log

    I do not understand the difference between

    access-list 100 permit udp any eq domain any

    and

    access-list 100 permit udp any any eq domain

    If you're wondering what the main goal of the list is, it is to allow traffic from the inside to the outside and deny all other traffic, except the connections from the inside and the UDP traffic that is necessary because UDP doesn't have a domain.

    Hello

    Again, I am assuming that this ACL 100 is attached to the router's WAN interface in the 'in' direction. This means that it controls traffic entering your LAN.

    Now, when we look at how DNS works with regard to this ACL:

    • A DNS lookup is usually made to destination port UDP/53
    • The PC uses a random source port for the DNS lookup
    • Responses from the DNS server to the lookup have source port UDP/53
    • Responses from the DNS server go to the PC on the port that the PC used as the source port of the DNS lookup

    So naturally you'll see responses from the DNS server with source port UDP/53.

    If the ACL entry with destination port UDP/53 allowed everything, this would mean that you host a DNS server and the DNS lookups are intended for your network.

    Also, to your other question: if you set no ports for TCP/UDP in the ACL, then it accepts any source/destination port.

    Hope this helps

    Please remember to mark the question as answered if it was.

    -Jouni

  • Need help using the access list blocking a single IP address

    Basically, I'm being attacked by a massive spammer. I managed to deny him access to our mail server; however, his repeated attempts to connect to the same server are in our e-mail log file. What I want to do is set up a block for his specific IP address in our 2621 router. I tried a few different combinations using access-list, but nothing helped. Can anyone suggest something? Thank you!

    Joe

    Joe,

    If you know that the attack came from a particular ip address, you can create an extended access list and deny that IP:

    access-list 101 deny ip host attacker_ip_address host e-mail_server_ip

    If the source ip address is random, then you must put a sniffer in place or take a look in the syslog to see if there is any pattern to identify, such as a string. You can then configure NBAR on the router to mark the packets and then drop them.

    Here is a link that explains the procedure:

    http://www.Cisco.com/en/us/NetSol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8ad.shtml

    Thank you

    Renault

  • New to pix, need help with "debug access-list all" command

    I have a pix 515 v6.3. I am trying to use the "debug access-list all" command to see what traffic is stopped by my access list. However, I don't get any output. I run the command, but nothing happens. Other debug commands print to the console. Perhaps I do not understand what "debug access-list all" is used for. Any help that can be provided would be greatly appreciated.

    Tim

    Also try the following logging commands:

    logging on

    logging buffered 7

    terminal monitor

    M.

  • Please help: nat (inside) 0 0 0 and nat (inside) 0 access-list

    I have a problem with my PIX firewall.

    I don't want any NAT for traffic originating on the inside interface.

    When I configure

    nat (inside) 0 access-list 80

    access-list 80 permit ip any any

    it works very well.

    But when I tried

    nat (inside) 0 0 0

    it does not work for my IPsec clients.

    According to my knowledge, the PIX requires NAT to allow traffic from a higher-security interface to a lower-security interface. Can I use nat 0 so that I can bypass NAT?

    Help, please?

    Hello

    identity nat works with an access-list... i.e. a nat 0 statement with an ACL... or you can specify the network... I don't know if you can put 0 0... I have not seen anyone do that...

    refer to the nat documentation for this command:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/Mr.htm#wp1161298

    as to the first config... that's right... it has access-list 80!

    REDA

  • FWSM firewall context Access-List entry Limitation

    We have recently encountered an error on one of the firewall contexts saying that it has reached the maximum number of access list entries. Does anyone know what the ACL entry limit per context is, or where I can find the documentation for it? Is there a workaround for this issue? Thanks in advance.

    Hello

    This value changes depending on which version of the FWSM code you run, and Cisco is not specific about how the FWSM counts ACEs to determine the number of entries you have.

    If you run the command (syntax may be different in 3.x code):

    show np 3 acl count

    you get a result that looks like this:

    -CLS Rule Current Counts-
    CLS Filter Rule Count: 0
    CLS Fixup Rule Count: 11
    CLS Est Ctl Rule Count: 0
    CLS AAA Rule Count: 2187
    CLS Est Data Rule Count: 0
    CLS Console Rule Count: 7
    CLS Policy NAT Rule Count: 0
    CLS ACL Rule Count: 3491
    CLS ACL Uncommitted Add: 0
    CLS ACL Uncommitted Del: 0
    -CLS Rule MAX Counts-
    CLS Filter MAX: 3584
    CLS Fixup MAX: 32
    CLS Est Ctl Rule MAX: 716
    CLS Est Data Rule MAX: 716
    CLS AAA Rule MAX: 5017
    CLS Console Rule MAX: 2150
    CLS Policy NAT Rule MAX: 3584
    CLS ACL Rule MAX: 56627

    The counts are your real numbers; MAX is the maximum you can have. AAA rules are counted by how many AAA entries you have applied altogether with your "aaa match" commands. For your question, it seems that you should check your 'CLS ACL Rule Count' and 'CLS ACL Rule MAX' and make sure you are not getting close to that number. If you are, try to limit the number of host entries (use networks) where possible, and try to use port ranges instead of individual ports in your access list statements.

    I'll try to find the 7.x syntax and post it here later.

    -Jason

    Rate if this helps.

  • access-list with PAT

    Hi guys,

    I would like to know if the access list used with PAT can contain deny statements, i.e. a deny entry in the access list for the traffic that you do not want to be PATed.

    Example:

    access-list acl-pat deny ip 10.0.0.1 0.0.0.0 any

    access-list acl-pat permit ip 10.0.0.0 0.0.0.255 any

    if I don't want 10.0.0.1 PATed.

    Hello

    It's perfectly legal and quite a common practice.

    Hope that helps - please rate the post if it does.

    Paresh

  • Cisco ISE and WLC Access-List Design/scalability

    Hello

    I have a scenario where wireless clients are authenticated by the ISE and different ACLs are applied depending on the rules in the ISE. The problem I have seen is due to the limitation on the Cisco WLC that allows only 64 access list entries. As the installation has only a few VLANs/interfaces and several different access lists are applied on the same interface based on user groups, I was wondering if there may be a scalable design/approach where the access list entries can grow, such as creating a VLAN for each user group and applying the access list on the layer 3 interface instead? I illustrated the configuration below for reference:

    User group 1 - apply ACL 1 - on Vlan 1

    User group 2 - apply ACL 2 - on Vlan 1

    User group 3 - apply ACL 3 - on Vlan 1

    The problem appears only for wireless users; it is not seen for wired users, as the ACLs can be applied successfully without restriction on the switches.

    Any suggestion is appreciated.

    Thank you.

    In fact, you have limitations on the switch side as well. Long ACLs can exhaust the switch's hardware resources. Take a look at this link:

    http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-3750-series-switches/68461-high-CPU-utilization-cat3750.html

    The new WLCs based on IOS XE rather than the old Wireless/Aironet OS will provide the best experience in these matters.

    Overall, I see three ways to overcome your current limit:

    1. reduce the ACLs by making them less specific

    2. use L3 interfaces on an L3 switch or FW and apply the ACLs to them

    3. use SGT/SGA

    I hope this helps!

    Thank you for evaluating useful messages!

  • RVS4000 IP access lists

    Hi all

    I'm trying to block access from one VLAN to another without disabling InterVLAN routing.

    In my access list entry, I have the following:

    Deny all protocols, source LAN interface, source network address 192.168.8.0/24 (the VLAN I want to block), destination network address 192.168.1.0.

    It seems like it should work, but hosts on the 192.168.8.0 network are still allowed access to the 192.168.1.0 network. If I disable InterVLAN routing it blocks traffic between VLANs, as you would expect. In the future I intend to have another VLAN that I do not want routed between the VLANs.

    Any help would be appreciated,

    Thank you!

    Brian

    The IP-based ACL of the RVS4000 is designed to limit traffic between LAN and WAN (in both directions), but not inter-VLAN traffic. So the scenario is unfortunately not supported.

  • access-list [line-num]

    Often I see in access list statements a line number set to 1, like this:

    access-list id_test line 1 permit ...

    The doc says: "The line number at which to insert a remark or an access control element (ACE)."

    I can understand the 'wording' but never 'really' understand it. :)

    Could someone explain it by giving an example?

    Thank you for helping.

    Scott

    PIX(config)# sh access-list id_test

    access-list id_test; 5 elements

    access-list id_test line 1 permit ip any host 1.1.1.1 (hitcnt=0)

    access-list id_test line 2 permit ip any host 2.2.2.2 (hitcnt=0)

    access-list id_test line 3 permit ip any host 3.3.3.3 (hitcnt=0)

    access-list id_test line 4 permit ip any host 4.4.4.4 (hitcnt=0)

    access-list id_test line 5 permit ip any host 5.5.5.5 (hitcnt=0)

    PIX(config)# access-list id_test line 2 remark Hello

    PIX(config)# sh access-list id_test

    access-list id_test; 5 elements

    access-list id_test line 1 permit ip any host 1.1.1.1 (hitcnt=0)

    access-list id_test line 2 remark Hello

    access-list id_test line 3 permit ip any host 2.2.2.2 (hitcnt=0)

    access-list id_test line 4 permit ip any host 3.3.3.3 (hitcnt=0)

    access-list id_test line 5 permit ip any host 4.4.4.4 (hitcnt=0)

    access-list id_test line 6 permit ip any host 5.5.5.5 (hitcnt=0)

    PIX(config)# access-list id_test line 1 permit icmp any host 1.1.1.1

    PIX(config)# sh access-list id_test

    access-list id_test; 6 elements

    access-list id_test line 1 permit icmp any host 1.1.1.1 (hitcnt=0)

    access-list id_test line 2 permit ip any host 1.1.1.1 (hitcnt=0)

    access-list id_test line 3 remark Hello

    access-list id_test line 4 permit ip any host 2.2.2.2 (hitcnt=0)

    access-list id_test line 5 permit ip any host 3.3.3.3 (hitcnt=0)

    access-list id_test line 6 permit ip any host 4.4.4.4 (hitcnt=0)

    access-list id_test line 7 permit ip any host 5.5.5.5 (hitcnt=0)

    TRIS-NOC-FW1(config)#

    the golden rule of the acl is that it works in order, from top to bottom. with the line number, you can precisely insert the new acl entry or remark wherever you want.

    for example, imagine you have a 200-entry acl, and now you want to permit one host before another deny entry. of course you don't want to interrupt the network by un-applying and reapplying the entire acl. in this case, the line number is a life saver.
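As an added illustration (not code from any post in these threads), the small first-match ACL engine below models two points made above: why "permit udp any any eq domain" never matches a DNS reply, which carries source port 53 (Jouni's answer in the "Order of access-list syntax" thread), and how "access-list NAME line N" inserts an entry so that the following lines shift down (the id_test transcript). The class and function names and the sample addresses are invented for the example.

```python
# Added example: a minimal first-match ACL engine in Python. The ACE, Packet,
# evaluate and insert_line names and all sample addresses are constructed here;
# they are not Cisco APIs or values from the forum posts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ACE:
    action: str                     # "permit", "deny" or "remark"
    proto: str = "ip"               # "ip" matches tcp, udp and icmp alike
    src: str = "any"                # CIDR or "any"
    src_port: Optional[int] = None  # "eq" on the source port
    dst: str = "any"
    dst_port: Optional[int] = None  # "eq" on the destination port
    established: bool = False       # TCP "established": only ACK/RST segments
    remark: Optional[str] = None    # a remark line matches nothing


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ack: bool = False               # True for reply segments of a TCP session


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.remark is not None:
        return False
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_match(ace.src, pkt.src) or not _addr_match(ace.dst, pkt.dst):
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    if ace.established and not pkt.ack:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """First match wins, top to bottom; implicit deny (reported as line 0) otherwise."""
    for line, ace in enumerate(acl, start=1):
        if matches(ace, pkt):
            return ace.action, line
    return "deny", 0


def insert_line(acl: list, line: int, ace: ACE) -> list:
    """Model 'access-list NAME line N ...': insert at 1-based line N, later lines shift down."""
    acl.insert(line - 1, ace)
    return acl


# ACL 100 as first posted (inbound on the WAN interface) and with the two added entries.
ACL_100_BEFORE = [
    ACE("permit", "tcp", established=True),   # permit tcp any any established
    ACE("permit", "udp", dst_port=53),        # permit udp any any eq domain
    ACE("permit", "tcp", dst_port=53),        # permit tcp any any eq domain
    ACE("deny", "ip"),                        # deny ip any any
]
ACL_100_AFTER = [
    ACL_100_BEFORE[0],
    ACE("permit", "udp", src_port=53),        # permit udp any eq domain any
    ACE("permit", "tcp", src_port=53),        # permit tcp any eq domain any
] + ACL_100_BEFORE[1:]

# Constructed sample traffic (documentation address ranges).
DNS_REPLY = Packet("udp", "198.51.100.53", "192.0.2.10", src_port=53, dst_port=40123)
DNS_QUERY_IN = Packet("udp", "203.0.113.7", "192.0.2.10", src_port=51000, dst_port=53)
HTTP_REPLY = Packet("tcp", "198.51.100.80", "192.0.2.10", src_port=80, dst_port=50000, ack=True)


def dns_case() -> dict:
    """Which line decides each packet: the reply is only permitted once the source-port entry exists."""
    return {
        "reply_before": evaluate(ACL_100_BEFORE, DNS_REPLY),     # ("deny", 4)
        "reply_after": evaluate(ACL_100_AFTER, DNS_REPLY),       # ("permit", 2)
        "inbound_query": evaluate(ACL_100_BEFORE, DNS_QUERY_IN), # ("permit", 2): a DNS server you host
        "tcp_reply": evaluate(ACL_100_BEFORE, HTTP_REPLY),       # ("permit", 1): established
    }


def id_test_transcript() -> list:
    """Replay the PIX id_test session: five entries, a remark at line 2, then an insert at line 1."""
    acl = [ACE("permit", "ip", dst=f"{i}.{i}.{i}.{i}/32") for i in range(1, 6)]
    insert_line(acl, 2, ACE("remark", remark="Hello"))
    insert_line(acl, 1, ACE("permit", "icmp", dst="1.1.1.1/32"))
    return [f"line {n} " + (f"remark {a.remark}" if a.remark else f"{a.action} {a.proto} {a.src} {a.dst}")
            for n, a in enumerate(acl, start=1)]
```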

  • access list of split tunneling

    Hello

    I have some problems with split tunneling configuration on an ASA 5520.

    Here's the scenario:

    A number of remote users connect over ipsec to the ASA 5520 (at the central site) using the ubuntu vpnc client.

    Split tunneling is used, in order to allow remote users to surf the Internet using their ISP.

    The goal is to remove the possibility of ssh/telnet to servers within the local enterprise network for remote users.

    Here is a part of the config:

    group-policy REMOTE_gp internal
    group-policy REMOTE_gp attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     group-lock none
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value REMOTE_split

    tunnel-group REMOTE type remote-access

    tunnel-group REMOTE general-attributes

    authentication-server-group RADIUSGR

    default-group-policy REMOTE_gp

    tunnel-group REMOTE ipsec-attributes

    pre-shared-key *

    isakmp keepalive threshold 15 retry 10

    aaa-server RADIUSGR protocol radius

    aaa-server RADIUSGR (INSIDE_LAN) host 192.168.0.244

    access-list REMOTE_split extended deny tcp 192.168.0.0 255.255.255.0 range ssh telnet any

    access-list REMOTE_split extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

    ## 192.168.100.0/24 - ip subnet from which the Radius server allocates ip addresses to remote users.

    access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq ssh 192.168.100.0 255.255.255.0

    access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq telnet 192.168.100.0 255.255.255.0

    access-list INSIDE_LAN_in extended permit ip 192.168.0.0 255.255.255.0 any

    It has nat enabled on the interface, but there is a special statement in the nat0 ACL for the 192.168.100.0 subnet:

    access-list INSIDE_LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

    The problem is that the remote users can easily ssh and telnet to servers in the INSIDE_LAN network. Whatever I put in the INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in the REMOTE_split ACL do not work either.

    You must configure a vpn-filter instead to block telnet and ssh access, as follows:

    access-list remote-filter extended deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 22

    access-list remote-filter extended deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 23

    access-list remote-filter extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

    group-policy REMOTE_gp attributes

    vpn-filter value remote-filter

    The split tunnel acl should have the following statement, and it should be a standard ACL instead of extended:

    access-list REMOTE_split standard permit 192.168.0.0 255.255.255.0

    Hope that helps.

  • In Mail 9.2 on OS X 10.11.3 the divider between my mailbox list and my messages keeps sliding back. It makes me seasick! Can I disable this feature? I want a stable divider!

    In Mail 9.2 on OS X 10.11.3 the divider between my mailbox list and my messages keeps sliding back. It makes me seasick! Can I disable this feature? I want a stable divider! (I really don't care for any of the new slide-wiggly screen movements in El Capitan.) I don't know if there is a 'fix' to try! Help, please!

    Why do you think it is a "feature" as opposed to something going wrong with your Mac?

    The divider between my message list and the message display has remained constant for several years now.

    Nothing moves, nothing jitters.

    My mailbox list is always hidden, but when I open it, it remains a fixed width.

    I even tried the stupid "full screen" mode and could not get it to make random, unsolicited movements.

    I have no idea what would cause the behavior you're seeing.

    What are you doing when it happens? Like maybe clicking on the show/hide mailbox button?

  • Help me disable ease of access.

    Help me disable ease of access on my Acer 1557. I use Windows Vista Home Premium. It drives me crazy; I'm ready to destroy my computer and never buy another one. Or show me how to go back to the factory settings. Thank you.

    Narrator:

    Click Start > Control Panel > Ease of Access > Ease of Access Center > Explore all settings > Use the computer without a display > untick the "Turn on Narrator" checkbox > click Save.

    http://www.Vistax64.com/tutorials/124575-Narrator-turn-off.html

    Read the tutorial above regarding turning the Narrator off.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    On-screen keyboard:

    Click Start > Control Panel > Ease of Access > Ease of Access Center > Use the computer without a mouse or keyboard > uncheck "Use On-Screen Keyboard" > click Save.

    http://www.Vistax64.com/tutorials/72733-screen-keyboard.html

    Read the info in the tutorial above regarding turning the on-screen keyboard on/off.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Magnifier:

    Click Start > Control Panel > Ease of Access > Ease of Access Center > Make the computer easier to see > uncheck "Turn on Magnifier" > finally, click Apply.

    http://www.Vistax64.com/tutorials/125037-Magnifier-turn-off.html

    Read the tutorial above regarding turning Magnifier on/off.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Obtain Vista recovery media and/or use the Vista Recovery Partition on your computer to restore it to the factory settings.

    There is no legal free Vista download available.

    Contact your computer manufacturer and ask them to send you a Vista recovery disk set.

    Normally, they do this for a small cost.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    In addition, ask them if you have a recovery partition on your computer/laptop to restore it to factory settings.

    Check the manual provided with the computer, or go to the manufacturer's website, e-mail or call them for information on how to perform a recovery.

    You have to press F10 or F11 (on Acer it is normally Alt + F10) at startup to start the recovery process...

    Another way I've seen on some models is to press F8 to get a list of startup options, and launch a factory recovery from there by selecting the repair option.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also ask them if it is possible to make recovery disks from the recovery partition in case of a system crash or hard drive failure.

    They will tell you how to do this.

    Every computer manufacturer has their own way of making recovery disks.

    See you soon.

    Mick Murphy - Microsoft partner

  • Access list ASA Error | ERROR: % incomplete command

    Hi all

    I am trying to enter the following rule but I get an error message. I already have a similar rule inside the firewall, so I don't really get what the problem is and how to go about troubleshooting it. Can anyone help?

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https log

    (network-config)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https log
    ^
    ERROR: % Invalid host name

    SAME THING WITHOUT LOG:

    (network-config)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https
    ERROR: % Incomplete command

    SAME STUPID ERROR.

    THE SIMILAR RULE:

    # sh access-list | i 132.235.192.0
    access-list acl_inside line 2767 extended permit tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

    ???????

    I'm not sure whether this warrants a cisco case?

    FW100ABCx(config)# object-group network 16-09-08F
    FW100ABCx(config-network)# network-object host 172.191.235.136
    Adding obj (network-object host 172.191.235.136) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.191.235.135
    Adding obj (network-object host 172.191.235.135) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.191.235.134
    Adding obj (network-object host 172.191.235.134) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.52.134.76
    Adding obj (network-object host 172.52.134.76) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)#
    FW100ABCx(config-network)# access-list acl_inside extended permit object-group $

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
    ERROR: % Incomplete command

    Hello Hassan,

    You're missing the protocol keyword (tcp/udp).
    Try this:

    object-group network 16-09-08F
    network-object host 172.191.235.136

    access-list acl_inside extended permit tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

    Regards,
    Dinesh Moudgil

    PS: Please rate helpful messages.

  • Ipv6 access list does not apply autonomous Aironet 3602I-E

    As you can see in the attached config, I configured two SSIDs (2G & 5G) with WPA2-Enterprise PEAP, and a third (2G only) SSID on vlan 2 for 'poor man's guest access'.

    Basically I forced the Dot11Radio0.2 interface into bridge-group 1 to get all three SSIDs on vlan 1 (since I just want a quick and dirty way to allow guests access to the internet, without having to configure a separate vlan everywhere).

    The guest SSID (XX COMMENTS) allows tkip in addition to AES and uses a PSK rather than PEAP. The IPv4 access lists configured on Dot11Radio0.2 allow clients connected to this SSID to get an IP via DHCP, use the DNS servers on the local network and access the internet. All other traffic to the local network is blocked by the guest_ingress and guest_egress access lists.

    This all works very well; ipv4 is blocked for guest clients as expected. However, ipv6 is a different matter. For some reason, the ipv6 access list is completely ignored.

    Because I don't need ipv6 for guest access, I thought I would completely block it and be done with it. As you can see I have this set:

    interface Dot11Radio0.2
     ipv6 traffic-filter guest_ingress6 in
     ipv6 traffic-filter guest_egress6 out

    and these ipv6 access lists have a single "deny ipv6 any any" rule. Yet a client connected to the XX COMMENTS SSID gets an ipv6 address from the DHCPv6 server on the LAN and has full connectivity. For ipv4, I had to explicitly allow DHCP packets or the client would not even get an IP, so the ipv6 access lists are clearly not applied.

    No matter whether I move the access lists to interface Dot11Radio0 instead, they don't do anything. I thought that maybe I should add "ipv6 enable" on the Dot11Radio0.2 interface (even though ipv6 traffic was working fine, even where it shouldn't), but when I set "ipv6 enable" on Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite reset loop:

    000261: Sep 23 2016 22:32:50.512 EST: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
    000262: Sep 23 2016 22:32:50.516 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    000263: Sep 23 2016 22:32:50.524 EST: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    000264: Sep 23 2016 22:32:51.516 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    000265: Sep 23 2016 22:32:51.560 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    000266: Sep 23 2016 22:32:51.568 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    000267: Sep 23 2016 22:32:51.576 EST: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    000268: Sep 23 2016 22:32:52.608 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    000269: Sep 23 2016 22:32:53.608 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    000270: Sep 23 2016 22:32:53.608 EST: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
    000271: Sep 23 2016 22:32:53.612 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    etc.

    In addition, when creating an ipv6 access list like this:

    ipv6 access-list guest_egress6
     deny ipv6 any any

    another one is automatically created:

    ipv6 access-list role-based guest_egress6
     deny ipv6 any any

    Deleting one also removes the other.

    What is happening with these ipv6 ACLs, why are they not blocking all traffic? Why do I get a "role-based" acl too? Is it associated with the first one?

    Is there another way to kill just any ipv6 traffic on the XX COMMENTS SSID while leaving it alone on the other SSIDs? That's all I need at this stage. If the ipv6 ACLs do not work, perhaps this can be done by (ab)using a service-policy or policy routing? I'm open to creative solutions :)

    PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

    You have encountered a bug I discovered a few months ago (CSCva17063); in your case, the workaround is to apply the ACL on the physical interface rather than the sub-interface (since you want to completely block IPv6 anyway). I am writing up my findings regarding traffic filtering on autonomous APs in a blog post, which might be interesting for you to read as well.

    Remember that the access point is used as a bridge between the wired and wireless infrastructure, not as a router. There are some IOS routing commands (like the "ipv6 enable" command you pointed out), but these are not features that should be used or need to be enabled on an access point.

    Because the internal and guest networks are routed somewhere else, I would perform the filtering on that device instead. Also, the gi0.2 sub-interface is missing from your configuration, so I do not think that guest access is currently working at all?

    Please rate helpful messages... :-)
