H3C S3100 Series User Manual

- You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
- You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
- When the ACL rule order is auto, a newly created rule will be inserted among the existing rules in the depth-first order. Note that the IDs of the rules still remain the same.
- You can modify the rule order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
- The rule specified in the rule comment command must already exist.

Configuring an Advanced IPv6 ACL
Advanced IPv6 ACLs match packets based on the source IPv6 address, destination IPv6 address,
protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,
TCP/UDP destination port number, ICMP message type, and ICMP message code.
Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they
allow more flexible and accurate filtering.

Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command first.

Configuration Procedure
Follow these steps to configure an advanced IPv6 ACL:

To do…: Enter system view
Use the command…: system-view
Remarks: ––

To do…: Create an advanced IPv6 ACL and enter its view
Use the command…: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: Required. The default rule order is config. If you specify a name for an IPv6 ACL when creating the ACL, you can use the acl ipv6 name acl6-name command to enter the view of the ACL later.

To do…: Create or modify a rule
Use the command…: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
Remarks: Required. To create or modify multiple rules, repeat this step.
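
A sample configuration that follows the procedure above, added here as an illustration and not taken from the H3C manual. The ACL number 3001, the time range name workhours and the 2001:db8:: addresses are constructed; the time-range arguments and the eq port operator are standard Comware usage that this page does not spell out. Lines beginning with # are annotations, not commands.

```text
# Prerequisite: define the time range before any rule references it.
system-view
time-range workhours 08:00 to 18:00 working-day

# Create advanced IPv6 ACL 3001 with the default (config) rule order.
acl ipv6 number 3001 match-order config

# Permit SSH to the management host from the admin prefix during work hours.
rule 0 permit tcp source 2001:db8:10::/64 destination 2001:db8:ff::10/128 destination-port eq 22 time-range workhours

# Deny and log every other SSH attempt to that host.
rule 5 deny tcp source any destination 2001:db8:ff::10/128 destination-port eq 22 logging

# Permit ICMPv6 echo requests (type 128, code 0) to the host.
rule 10 permit icmpv6 source any destination 2001:db8:ff::10/128 icmpv6-type 128 0
```

With the config rule order, rules are matched in ascending rule ID, so the narrow permit in rule 0 has to carry a lower ID than the broad deny in rule 5.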
