Furthermore, if you add the statement deny icmp any any in the access list, then all neighbor
discovery messages will be denied. You must explicitly enter the permit icmp any any nd-na and
permit icmp any any nd-ns statements just before the deny icmp statement if you want the ACLs to
permit neighbor discovery as in the example below.
BigIron RX(config)# ipv6 access-list netw
BigIron RX(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
BigIron RX(config-ipv6-access-list-netw)# permit icmp any any nd-na
BigIron RX(config-ipv6-access-list-netw)# permit icmp any any nd-ns
BigIron RX(config-ipv6-access-list-netw)# deny icmp any any
BigIron RX(config-ipv6-access-list-netw)# permit ipv6 any any
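The ordering rule above can be checked mechanically before an ACL is applied. The following Python sketch is an added example, not part of the original guide or any vendor tool: it reports which neighbor discovery keywords a deny icmp any any entry would block. The function names are hypothetical, and it assumes entries are evaluated in configured order with the first match deciding, and recognizes only the any/any forms shown on this page.

```python
import re

ND = {"nd-na", "nd-ns"}             # neighbor discovery keywords named on this page
PROMPT = re.compile(r"^.*?\)#\s*")  # leading "BigIron RX(config-...)# " CLI prompt

def entries(config):
    """Yield permit/deny entries as token lists, in configured order."""
    for line in config.splitlines():
        tokens = PROMPT.sub("", line.strip()).split()
        if tokens and tokens[0] in ("permit", "deny"):
            yield tokens

def nd_blocked(config):
    """Return the ND keywords that a 'deny icmp any any' entry would drop.

    Assumption: first match wins, so a permit only helps when it is
    configured before the deny.
    """
    broad = (["permit", "icmp", "any", "any"], ["permit", "ipv6", "any", "any"])
    allowed = set()
    for tokens in entries(config):
        if tokens in broad:
            allowed |= ND           # an earlier broad permit already covers ND
        elif (len(tokens) == 5 and tokens[:4] == ["permit", "icmp", "any", "any"]
              and tokens[4] in ND):
            allowed.add(tokens[4])
        elif tokens == ["deny", "icmp", "any", "any"]:
            return sorted(ND - allowed)
    return []                       # no broad ICMP deny found

# The ACL from the example above, with the wrapped entry on one line.
PAGE_EXAMPLE = """\
BigIron RX(config)# ipv6 access-list netw
BigIron RX(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
BigIron RX(config-ipv6-access-list-netw)# permit icmp any any nd-na
BigIron RX(config-ipv6-access-list-netw)# permit icmp any any nd-ns
BigIron RX(config-ipv6-access-list-netw)# deny icmp any any
BigIron RX(config-ipv6-access-list-netw)# permit ipv6 any any
"""

# Constructed variant: the nd-ns permit is placed after the deny.
MISORDERED = """\
permit icmp any any nd-na
deny icmp any any
permit icmp any any nd-ns
permit ipv6 any any
"""

if __name__ == "__main__":
    for name, acl in (("page example", PAGE_EXAMPLE), ("misordered", MISORDERED)):
        print(name, "-> blocked:", nd_blocked(acl) or "none")
```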
ACL syntax
NOTES: The following features are not supported:
• ipv6-operator flow-label
• ipv6-operator fragments when any protocol is specified. The option "fragments" can be
specified only when "permit/deny ipv6" is specified. If you specify "tcp" or any other
protocol instead of "ipv6", the keyword "fragments" cannot be used.
• ipv6-operator routing when any protocol is specified. (Same limitation as for
ipv6-operator fragments)
When creating ACLs, use the appropriate syntax below for the protocol you are filtering.
For IPv6 and supported protocols other than ICMP, TCP, or UDP
Syntax: [no] ipv6 access-list <acl name>
Syntax: permit | deny <protocol>
<ipv6-source-prefix/prefix-length> | any | host <source-ipv6_address>
<ipv6-destination-prefix/prefix-length> | any | host <ipv6-destination-address>
[ipv6-operator [<value>]]
[802.1p-priority-matching <number>]
[dscp-marking <number> 802.1p-priority-marking <number> internal-priority-marking
<number>] | [dscp-marking <dscp-value> dscp-cos-mapping] | [dscp-cos-mapping]
For ICMP
Syntax: [no] ipv6 access-list <acl name>
Syntax: permit | deny icmp <ipv6-source-prefix/prefix-length> | any | host
<source-ipv6_address>
<ipv6-destination-prefix/prefix-length> | any | host <ipv6-destination-address>
[ipv6-operator [<value>]]
[ [<icmp-type>][<icmp-code>] ] | [<icmp-message>]
[802.1p-priority-matching <number>]
[dscp-marking <number> 802.1p-priority-marking <number> internal-priority-marking
<number>]
[dscp-marking <dscp-value> dscp-cos-mapping]
[dscp-cos-mapping]
BigIron RX Series Configuration Guide
53-1001986-01
Configuring an IPv6 ACL