Configuration Guide Configuring ACL
Applying an Expert Extended ACL
By default, the expert extended ACL is not applied to any interface, that is, the created expert extended ACL does not filter
incoming or outgoing L2 or L3 packets of a device.
Run the expert access-group { acl-id | acl-name } { in | out } command in interface configuration mode to apply an expert
extended ACL to a specified interface.
11.3.4 IPv6 ACL
The IPv6 ACL implements refined control on incoming and outgoing IPv6 packets of a device. You can permit or deny the
entry of specific IPv6 packets to a network according to actual requirements to control access of IPv6 users to network
resources.
Working Principle
Define a series of IPv6 access rules in the IPv6 ACL, and then apply the ACL in the incoming or outgoing direction of an
interface. The device checks whether the incoming or outgoing IPv6 packets match the rules and accordingly forwards or
blocks these packets.
To configure an IPv6 ACL, you must specify a unique name for this ACL.
Unlike the IP ACL, MAC extended ACL, and expert extended ACL, you can specify only a name but not an ID for the
IPv6 ACL created.
Only one IP ACL, one MAC extended ACL, or one expert extended ACL can be applied to the incoming or outgoing
direction of an interface. In addition, one IPv6 ACL can also be applied.
Implicit "Deny All Traffic" Rule Statement
At the end of every IPv6 ACL is an implicit "deny all IPv6 traffic" rule statement. Therefore, if a packet does not match any
rule, the packet will be denied.
For example:
ipv6 access-list ipv6_acl
10 permit ipv6 host 200::1 any
This ACL permits only IPv6 packets from the source host 200::1, and denies IPv6 packets from all other hosts. This is
because the following statement exists at the end of this ACL: deny ipv6 any any.
Although the IPv6 ACL contains the implicit "deny all IPv6 traffic" rule statement by default, it does not filter ND packets.
Input Sequence of Rule Statements
Every new rule is added to the end of an ACL, in front of the default rule statement. The input sequence of statements in
an ACL is very important because it determines the priority of each statement in the ACL. When determining whether to forward or
block packets, a device compares packets with the rule statements in the order in which the statements were created.
After locating a matching rule statement, the device does not check any other rule statement.
If a rule statement that permits all IPv6 traffic is created, none of the subsequent statements will be checked.
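The following Python sketch is an added example, not code from the device or this guide. It models the first-match order and the implicit deny described above, and flags rules that can never match because an earlier rule covers them. It assumes rules use only the `any` and `host <addr>` forms shown on this page, and it models the ND exemption as applying to the implicit deny only.

```python
import ipaddress

ANY = ipaddress.ip_network("::/0")

def parse_acl(text):
    """Parse '<seq> <permit|deny> ipv6 <src> <dst>'; src/dst is 'any' or 'host <addr>'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        nets, i = [], 3
        while i < len(tok):
            if tok[i] == "any":
                nets.append(ANY)
                i += 1
            else:  # 'host <addr>' consumes two tokens
                nets.append(ipaddress.ip_network(tok[i + 1] + "/128"))
                i += 2
        rules.append((int(tok[0]), tok[1], nets[0], nets[1]))
    return rules  # kept in input order, which is the match priority

def evaluate(rules, src, dst, is_nd=False):
    """Return (action, seq) of the first matching rule; seq is None for the implicit rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rule_src, rule_dst in rules:
        if s in rule_src and d in rule_dst:
            return action, seq  # first match wins; later rules are not checked
    # Assumption: ND packets are modelled as exempt from the implicit deny only.
    return ("permit" if is_nd else "deny"), None

def shadowed(rules):
    """Return (seq, covering_seq) for every rule fully covered by an earlier rule."""
    found = []
    for i, (seq, _, rule_src, rule_dst) in enumerate(rules):
        for prev_seq, _, prev_src, prev_dst in rules[:i]:
            if rule_src.subnet_of(prev_src) and rule_dst.subnet_of(prev_dst):
                found.append((seq, prev_seq))
                break
    return found

# The ACL from the text, plus a constructed misordered variant.
PAGE_ACL = parse_acl("10 permit ipv6 host 200::1 any")
MISORDERED = parse_acl("""
10 permit ipv6 any any
20 deny ipv6 host 200::5 any
""")

if __name__ == "__main__":
    print(evaluate(PAGE_ACL, "200::2", "300::1"))    # falls through to the implicit deny
    print(evaluate(MISORDERED, "200::5", "300::1"))  # rule 20 is never reached
    print(shadowed(MISORDERED))
```

In the misordered ACL the intended deny for 200::5 has no effect; placing it ahead of the permit-all statement restores it.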