Configuring IPv6 ACLs
Command
Step 3a
{deny | permit} protocol
{source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
{destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]]
[dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide
Purpose
Enter deny or permit to specify whether to deny or permit the packet if
conditions are matched. These are the conditions:
• For protocol, enter the name or number of an Internet protocol: ahp, esp,
  icmp, ipv6, pcp, stcp, tcp, or udp, or an integer in the range 0 to 255
  representing an IPv6 protocol number.
  Note: For additional specific parameters for ICMP, TCP, and UDP, see
  Steps 3b through 3d.
• The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length
  is the source or destination IPv6 network or class of networks for which to
  set deny or permit conditions, specified in hexadecimal and using 16-bit
  values between colons (see RFC 2373).
• Enter any as an abbreviation for the IPv6 prefix ::/0.
• For host source-ipv6-address or destination-ipv6-address, enter the source
  or destination IPv6 host address for which to set deny or permit conditions,
  specified in hexadecimal using 16-bit values between colons.
• (Optional) For operator, specify an operand that compares the source or
  destination ports of the specified protocol. Operands are lt (less than), gt
  (greater than), eq (equal), neq (not equal), and range.
  If the operator follows the source-ipv6-prefix/prefix-length argument, it
  must match the source port. If the operator follows the
  destination-ipv6-prefix/prefix-length argument, it must match the
  destination port.
• (Optional) The port-number is a decimal number from 0 to 65535 or the
  name of a TCP or UDP port. You can use TCP port names only when
  filtering TCP. You can use UDP port names only when filtering UDP.
• (Optional) Enter dscp value to match a differentiated services code point
  value against the traffic class value in the Traffic Class field of each IPv6
  packet header. The acceptable range is from 0 to 63.
• (Optional) Enter fragments to check noninitial fragments. This keyword is
  visible only if the protocol is ipv6.
• (Optional) Enter log to cause a logging message to be sent to the console
  about the packet that matches the entry. Enter log-input to include the input
  interface in the log entry. Logging is supported only for router ACLs.
• (Optional) Enter routing to specify that IPv6 packets be routed.
• (Optional) Enter sequence value to specify the sequence number for the
  access list statement. The acceptable range is from 1 to 4294967295.
• (Optional) Enter time-range name to specify the time range that applies to
  the deny or permit statement.
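
The ranges and keyword rules in the Purpose column can be checked before an entry is pasted into a switch. The following Python checker is an added example, not part of the Cisco guide or of Cisco software; the name check_ace is hypothetical, any non-numeric port token is assumed to be a port name, and dscp is checked as a number only.

```python
import ipaddress

# Keywords and ranges as listed in the Purpose column for Step 3a.
PROTOCOLS = {"ahp", "esp", "icmp", "ipv6", "pcp", "stcp", "tcp", "udp"}
OPERATORS = {"lt", "gt", "eq", "neq", "range"}
FLAGS = {"fragments", "log", "log-input", "routing"}
RANGED = {"dscp": (0, 63), "sequence": (1, 4294967295)}

def _address(tok, errs):
    """Consume one source/destination spec: any | host ADDR | PREFIX/LEN."""
    word = tok.pop(0) if tok else ""
    try:
        if word == "host":
            ipaddress.IPv6Address(tok.pop(0) if tok else "")
        elif word != "any":  # a bare address without /LEN is rejected
            ipaddress.IPv6Network(word if "/" in word else "", strict=False)
    except ValueError:
        errs.append(f"bad address spec near {word!r}")

def _ports(tok, errs):
    """Consume an optional operator clause (port names are not checked)."""
    if tok and tok[0] in OPERATORS:
        for _ in range(2 if tok.pop(0) == "range" else 1):
            port = tok.pop(0) if tok else ""
            if not port or (port.isdecimal() and int(port) > 65535):
                errs.append(f"port {port!r} missing or outside 0-65535")

def check_ace(line):
    """Return the problems found in one IPv6 ACL entry (empty list = OK)."""
    tok, errs = line.split(), []
    if len(tok) < 2 or tok[0] not in ("deny", "permit"):
        return ["entry must start with deny or permit and a protocol"]
    proto, tok = tok[1], tok[2:]
    if proto not in PROTOCOLS and not (proto.isdecimal() and int(proto) <= 255):
        errs.append(f"unknown protocol {proto!r}")
    for _side in ("source", "destination"):
        _address(tok, errs)
        _ports(tok, errs)
    while tok:
        kw = tok.pop(0)
        if kw in RANGED:
            (lo, hi), val = RANGED[kw], tok.pop(0) if tok else ""
            if not (val.isdecimal() and lo <= int(val) <= hi):
                errs.append(f"{kw} {val!r} is not an integer in {lo}-{hi}")
        elif kw == "time-range" and tok:
            tok.pop(0)  # the time-range name
        elif kw not in FLAGS or (kw == "fragments" and proto != "ipv6"):
            errs.append(f"{kw!r} unknown, incomplete or not valid with {proto!r}")
    return errs
```

With constructed entries that use the 2001:db8::/32 documentation prefix, check_ace("permit tcp 2001:db8:300:201::/64 eq 23 any log sequence 10") returns an empty list, while check_ace("deny udp any host 2001:db8::1 range 5000 70000 dscp 64") reports the out-of-range port and the out-of-range dscp value.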
Chapter 35
OL-12247-01