ADTRAN AOS Version R10.1.0 Command Reference Manual page 3163

Command Reference Guide
IPv6 Access Control Policies
IPv6 ACPs are used to allow or discard data for each physical interface. Each IPv6 ACP consists of an
action (allow, discard) and a selector (IPv6 ACL). In a sense, the IPv6 ACPs answer the question, "What
should I do?" while the IPv6 ACLs answer the question, "On which packets?"
When IPv6 packets are received on an interface with an IPv6 ACP applied, the ACP is used to determine
whether the data is processed or discarded. Both IPv6 ACLs and ACPs are order dependent. When a
packet is evaluated, the matching engine begins with the first entry in the list and progresses through the
entries until it finds a match. The first entry that matches is executed. The IPv6 ACP has an implicit
discard at the end of the list. Typically, the most specific entries should be at the top and the most general
at the bottom.
IPv6 Access Control Lists
IPv6 ACLs are used as packet selectors by IPv6 ACPs. They must be assigned to an IPv6 ACP in order to
be active.
IPv6 ACPs must use an IPv6 ACL. You cannot apply an IPv4 ACL to an IPv6 ACP, or vice
versa. In addition, all IPv6 ACLs and IPv6 ACPs must have a different name than any
configured IPv4 ACLs or IPv4 ACPs.
IPv6 ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or
deny) and a packet pattern. A permit action is used to allow packets (meeting the specified pattern) to
enter the router system. A deny action is used to disregard packets (that do not match the specified
pattern) and proceed to the next entry on the ACP. In IPv4, packets either match a permit or a deny entry
in the ACL. In IPv6, if no match is found between the packet and the match criteria, a miss entry is passed
to the application using the ACL. Depending on the application, the miss can be processed differently. For
example, with typical IPv6 traffic, access groups treat a miss as a deny, effectively giving a deny any any
at the end of the IPv6 ACL. For IPv6 Neighbor Discovery (ND) protocol messages, however, access
groups treat miss packets as a permit, resulting in a permit for ND before the end of the ACL.
The AOS provides two types of IPv6 ACLs: standard and extended. A standard IPv6 ACL allows source
IPv6 address packet patterns only. An extended IPv6 ACL can specify patterns using most fields in the
IPv6 header, as well as the TCP header, UDP header, or ICMPv6 message type or code.
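The first-match rules above (ordered ACL entries, a deny or miss in the selector ACL moving on to the next ACP entry, the implicit discard at the end of an ACP, and the ND exception for access-group misses) are easy to get wrong when reading a configuration. The following is an added illustrative model of those semantics, not AOS code; the ACL names, prefixes and the `acl_lookup`, `access_group_filter` and `acp_evaluate` functions are all constructed for this example.

```python
"""Model of AOS-style IPv6 ACL/ACP first-match evaluation (illustrative, not AOS code)."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import List, Optional, Tuple

# ICMPv6 Neighbor Discovery message types (RS, RA, NS, NA, Redirect).
ND_TYPES = {133, 134, 135, 136, 137}

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    source: IPv6Network              # source-address pattern (standard ACL)
    icmp_type: Optional[int] = None  # ICMPv6 type to match; None = any

def acl_lookup(acl: List[AclEntry], src: str, icmp_type: Optional[int] = None) -> str:
    """Walk the ACL top to bottom; the first matching entry decides.
    Returns "permit", "deny", or "miss" when no entry matches."""
    addr = ip_address(src)
    for entry in acl:
        if addr in entry.source and entry.icmp_type in (None, icmp_type):
            return entry.action
    return "miss"

def access_group_filter(acl: List[AclEntry], src: str, icmp_type: Optional[int] = None) -> str:
    """Interface access-group semantics: a miss is a deny for ordinary
    traffic but a permit for Neighbor Discovery messages."""
    result = acl_lookup(acl, src, icmp_type)
    if result == "miss":
        return "permit" if icmp_type in ND_TYPES else "deny"
    return result

def acp_evaluate(acp: List[Tuple[str, List[AclEntry]]], src: str,
                 icmp_type: Optional[int] = None) -> str:
    """ACP semantics: each entry is (action, selector ACL). The first entry whose
    ACL permits the packet executes its action; a deny or miss in the selector
    moves on to the next ACP entry; the list ends in an implicit discard."""
    for action, acl in acp:
        if acl_lookup(acl, src, icmp_type) == "permit":
            return action
    return "discard"

# Constructed sample policy: the most specific entry (a blocked prefix) sits on
# top; the general entry allows everything its selector ACL does not deny.
ACL_BLOCK = [AclEntry("permit", IPv6Network("2001:db8:bad::/48"))]
ACL_TRUSTED = [AclEntry("deny", IPv6Network("2001:db8:9::/64")),
               AclEntry("permit", IPv6Network("::/0"))]
ACP_PRIVATE = [("discard", ACL_BLOCK), ("allow", ACL_TRUSTED)]
ACL_NEIGH = [AclEntry("permit", IPv6Network("2001:db8:1::/64"))]

if __name__ == "__main__":
    for src in ("2001:db8:bad::5", "2001:db8:1::10", "2001:db8:9::1"):
        print(src, "->", acp_evaluate(ACP_PRIVATE, src))
    print("ND NS from fe80::1 ->", access_group_filter(ACL_NEIGH, "fe80::1", 135))
    print("TCP from fe80::1   ->", access_group_filter(ACL_NEIGH, "fe80::1"))
```

Note that a source denied by ACL_TRUSTED is not "denied" by the ACP; it simply falls through to the implicit discard, which is why a misplaced deny entry can silently drop traffic.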
Creating and Assigning IPv6 ACLs and ACPs
Creating IPv6 ACPs and ACLs to regulate traffic through the routed network is a four-step process:
Step 1:
Enable the security features of AOS using the ipv6 firewall command. Refer to the ipv6 firewall command
on page 1193 for more information.
Step 2:
Create an IPv6 ACP that uses a configured IPv6 ACL by issuing the ipv6 policy-class command. AOS
IPv6 ACPs are used to allow or discard data for each physical interface. Each IPv6 ACP consists of an
action (allow, discard) and a selector (IPv6 ACL). When IPv6 packets are received on an interface, the
configured IPv6 ACPs are applied to determine whether the data will be processed or discarded.
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
IPv6 Access Control List Command Set
3163