Table of Contents
Advertisement
For the N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON series
switches, for ingress (in) ACLs:
•
The IPv6 ACL "fragment" keyword matches only on the first IPv6
extension header for the fragment header (next header code 44). If the
fragment header appears in the second or a subsequent header, it is not
matched.
•
The IPv6 ACL "routing" keyword matches only on the first IPv6 extension
header for the routing header (next header code 43). If the fragment
header appears in the second or a subsequent header, it is not matched.
•
For all series switches, port ranges are not supported on egress (out) ACLs.
Only the eq operator is supported in an egress ACL.
Command History
Updated in 6.3.0.1 firmware.
Example and description updated in the 6.4 release.
Example
The following example creates rules in an IPv6 ACL named "STOP_HTTP"
to discard any HTTP traffic from the 2001:DB8::0/32 network, but allow all
other traffic from that network:
console(config)#ipv6 access-list STOP_HTTP
console(Config-ipv6-acl)#deny tcp 2001:DB8::0/32 any eq http
console(Config-ipv6-acl)#permit every
ipv6 access-list
The ipv6 access-list command creates an IPv6 Access Control List (ACL)
consisting of classification fields defined for the IP header of an IPv6 frame.
The name parameter is a case-sensitive alphanumeric string from 1 to 31
characters uniquely identifying the IPv6 access list.
If an IPv6 ACL with this name already exists, this command enters Ipv6-
Access-List Configuration mode to update the existing IPv6 ACL.
Use the no form of the command to delete an IPv6 ACL from the system.
Layer 2 Switching Commands
504
Advertisement
Table of Contents
