Configuring IPv6 ACLs
EXAMPLE
The following example:
Creates an IPv6 ACL named CISCO.
Defines two deny entries: the first denies all TCP packets whose destination port number is greater than 5000, and the second denies all UDP packets whose source port number is less than 5000. The second deny entry also logs every match to the logging facility (console or syslog, as configured) because of the log keyword; ::/0 is the all-addresses prefix and is equivalent to any.
Defines a permit entry for all ICMP packets (which includes ICMPv6 neighbor discovery) and a final permit entry that allows all other traffic. The final permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list; without it, everything not matched by the earlier entries is dropped.
Entries are evaluated in the order shown and the first match wins, so the deny entries must precede the final permit or they never take effect.
Switch(config)# ipv6 access-list CISCO
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch(config-ipv6-acl)# deny udp ::/0 lt 5000 ::/0 log
Switch(config-ipv6-acl)# permit icmp any any
Switch(config-ipv6-acl)# permit any any
Step 3c
Command: {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]
Purpose: (Optional) Define a UDP access list and the access conditions.
Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the [operator [port]] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP.
Step 3d
Command: {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing] [sequence value] [time-range name]
Purpose: (Optional) Define an ICMP access list and the access conditions.
Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 3a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
icmp-code—Enter after icmp-type to filter by ICMP message code within that type, a number from 0 to 255.
icmp-message—Enter to filter ICMP packets by the ICMP message type name or by the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key.
Step 4
Command: end
Purpose: Return to privileged EXEC mode.
Step 5
Command: show ipv6 access-list
Purpose: Verify the access list configuration.
Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
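The following session, as an added example that is not part of this guide, walks Steps 3c, 3d, 4, 5 and 6 together on one list. The list name DMZ-IN, the 2001:db8:10::/64 prefix and the host addresses are assumed for illustration (2001:db8::/32 is the IPv6 documentation prefix); the keywords used are those listed in the step syntax above, and nd-ns, nd-na and echo-request are ICMP message names of the kind the ? key lists. The entries are ordered so that neighbor discovery is permitted before any deny can match it, each deny precedes the final permit, and sequence is used to insert a late entry ahead of the catch-all permit without re-entering the list.

```text
Switch# configure terminal
Switch(config)# ipv6 access-list DMZ-IN
! Step 3d: permit ICMPv6 neighbor discovery explicitly (message names nd-ns, nd-na)
! so that no later deny entry can break address resolution on the segment.
Switch(config-ipv6-acl)# permit icmp any any nd-ns
Switch(config-ipv6-acl)# permit icmp any any nd-na
! Step 3d: echo requests to a single host only, matched by message name
! (the numeric form would be icmp-type 128 icmp-code 0).
Switch(config-ipv6-acl)# permit icmp any host 2001:db8:10::25 echo-request
! Step 3c: DNS queries from the local prefix to the resolver, then log and
! drop any other UDP traffic aimed at the resolver. The deny must sit above the
! final permit; an entry placed after a permit ipv6 any any never matches.
Switch(config-ipv6-acl)# permit udp 2001:db8:10::/64 host 2001:db8:10::53 eq 53
Switch(config-ipv6-acl)# deny udp any host 2001:db8:10::53 log
! Final permit, because the implicit deny-all at the end would otherwise
! drop all remaining traffic (including TCP, which this list does not filter).
Switch(config-ipv6-acl)# permit ipv6 any any
! Entries are numbered 10, 20, 30, ... in the order entered. A UDP deny added
! now would be numbered 70 and land below the catch-all permit, so give it a
! sequence value between the last deny (50) and the final permit (60).
Switch(config-ipv6-acl)# deny udp any any eq 1900 log-input sequence 55
! Step 4: return to privileged EXEC mode.
Switch(config-ipv6-acl)# end
! Step 5: verify the entries and their sequence numbers; the deny entries
! must all appear above permit ipv6 any any.
Switch# show ipv6 access-list DMZ-IN
! Step 6: save the configuration.
Switch# copy running-config startup-config
```

Two caveats a practitioner should keep in mind: a list defined this way filters nothing until it is applied to an interface, which is a separate procedure not shown here; and matches on entries carrying log or log-input are handled in software on the switch CPU, so limit logging to the deny entries whose evidence you actually want rather than adding it to every line.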