Chapter 37
Configuring IPv6 ACLs
OL-26520-01

Command

Step 3a

deny | permit protocol
{source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
{destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]]
[dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]
Purpose

Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched. These are the conditions:

• For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol (next-header) number. For additional specific parameters for ICMP, TCP, and UDP, see Steps 3b through 3d.

• The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).

  Note: Although the CLI help shows a prefix-length range of /0 to /128, the switch supports IPv6 address matching only for prefixes in the range of /0 to /64 and EUI-based /128 prefixes for aggregatable global unicast and link-local host addresses. An entry written with a prefix length between /65 and /127 is accepted by the CLI but does not match as intended.

• Enter any as an abbreviation for the IPv6 prefix ::/0.

• For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.

• (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.

• (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port, for filtering TCP or UDP respectively.

• (Optional) Enter dscp value to match a differentiated services code point value against the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.

• (Optional) Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6. Noninitial fragments carry no transport-layer header, so use this keyword to give them an explicit policy rather than relying on port-based entries.

• (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.

• (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.

• (Optional) Enter time-range name to specify a time range for the statement.
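The following IPv6 ACL is an added worked example, not a configuration from this guide. It exercises most of the Step 3a options in one list: a host deny with log, an explicit fragments entry, destination-port and source-port operators, a dscp match, a time-range entry, and explicit sequence numbers. The list name EDGE-IN, the 2001:db8::/32 documentation addresses, the time range MAINT, and the VLAN interface are assumed; the ipv6 access-list, remark, time-range and ipv6 traffic-filter commands belong to other steps of the procedure and are used here on that assumption.

```ios
! Added example; names, addresses and the time range are assumed.
! Global time range referenced by one entry below (assumed name MAINT).
time-range MAINT
 periodic weekdays 08:00 to 18:00
!
ipv6 access-list EDGE-IN
 remark Known-bad host: drop everything and log hits (log needs a router ACL)
 deny ipv6 host 2001:db8:bad::1 any log sequence 10
 remark Noninitial fragments carry no TCP/UDP header; give them an explicit policy
 deny ipv6 any 2001:db8:1::/64 fragments sequence 20
 remark Web server: operator after the destination matches the destination port
 permit tcp any host 2001:db8:1::10 eq 443 sequence 30
 permit tcp any host 2001:db8:1::10 eq 80 sequence 40
 remark Resolver: operator after the source matches the source port (ephemeral only)
 permit udp any gt 1023 host 2001:db8:1::53 eq 53 sequence 50
 remark SSH to the management host, business hours only
 permit tcp 2001:db8:100::/64 host 2001:db8:1::1 eq 22 time-range MAINT sequence 60
 remark Voice marked EF (DSCP 46) into the server network
 permit udp any 2001:db8:1::/64 dscp 46 sequence 70
 remark ICMPv6 (including neighbor discovery) stays open ahead of the final deny
 permit icmp any any sequence 80
 remark Explicit final deny with logging of what was dropped
 deny ipv6 any any log sequence 100
!
! Only /0 to /64 networks and /128 hosts are used above: a prefix such as
! 2001:db8:1::/96 would be accepted by the CLI but not matched by this switch (see the Note).
!
! Applying the list as a router ACL on an SVI (assumed from the later apply step, not this page)
interface vlan 10
 ipv6 traffic-filter EDGE-IN in
```

The entries are ordered so that the host deny and the fragments policy are evaluated before any port-based permit, and the explicit ICMPv6 permit precedes the final deny so that neighbor discovery is not silently blocked by it. Sequence numbers are spaced by ten to leave room for later insertions without renumbering.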
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE