Chapter 1
Configuring IPv6 ACLs
Creating IPv6 ACLs
Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: ipv6 access-list access-list-name
Purpose: Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.

Step 3a
Command: {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
Purpose: Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:
• For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.
  Note: For additional specific parameters for ICMP, TCP, and UDP, see Steps 3b through 3d.
• The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).
• Enter any as an abbreviation for the IPv6 prefix ::/0.
• For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
• (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range.
  If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.
• (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.
• (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
• (Optional) Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.
• (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.
• (Optional) Enter routing to specify that IPv6 packets be routed.
• (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
• (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.

OL-25303-03
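The following is an added example that walks Steps 1 through 3a together; it is not a configuration from the guide itself. The ACL name MGMT-IN, the time range MAINT-WINDOW (assumed to be defined elsewhere with the time-range command, which this section does not cover), and all addresses (taken from the 2001:db8::/32 documentation range) are constructed placeholders. Each entry uses only keywords from the Step 3a syntax, in the order the syntax lists them.

```cisco
! Added example, not from the configuration guide. Names and addresses
! are constructed placeholders; MAINT-WINDOW is assumed to already exist.
! Step 1: enter global configuration mode from privileged EXEC mode.
configure terminal
!
! Step 2: name the list and enter IPv6 access-list configuration mode.
ipv6 access-list MGMT-IN
 ! Step 3a entries. The operator after the destination argument matches
 ! the destination port; 22 is SSH from the management subnet only.
 permit tcp 2001:db8:10::/64 host 2001:db8:1::1 eq 22 sequence 10
 ! HTTPS to the same host, but only during a named time range.
 permit tcp 2001:db8:10::/64 host 2001:db8:1::1 eq 443 sequence 15 time-range MAINT-WINDOW
 ! A UDP port name (snmp) is valid here only because the protocol is udp.
 permit udp host 2001:db8:10::5 host 2001:db8:1::1 eq snmp sequence 20
 ! dscp matches the Traffic Class field; 46 is within the 0 to 63 range.
 permit udp 2001:db8:10::/64 any gt 1023 dscp 46 sequence 30
 ! fragments is only accepted when the protocol is ipv6, since noninitial
 ! fragments carry no Layer 4 header for a tcp/udp entry to inspect.
 deny ipv6 any any fragments log sequence 40
 ! Final explicit deny; log-input records the input interface as well.
 deny ipv6 any any log-input sequence 100
end
```

Two points worth checking before applying a list like this. First, as the table states, log and log-input only take effect on router ACLs, so on a port ACL those entries filter but do not log. Second, an explicit deny ipv6 any any at the end of an IOS IPv6 ACL also blocks the neighbor-discovery ICMPv6 traffic that IPv6 ACLs otherwise permit implicitly; that is general IOS behaviour rather than something this section shows, so permit the required ICMPv6 messages (Step 3b) before the final deny on any interface where neighbor discovery must pass.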
Catalyst 3750-X and 3560-X Switch Software Configuration Guide