Configuration Guide Configuring ACL
For example:
ipv6 access-list ipv6_acl
10 permit ipv6 any any
20 deny ipv6 host 200::1 any
As the first rule statement permits all IPv6 packets, all IPv6 packets sent from the host 200::1 does not match the
subsequent deny rule with the serial number of 20, and therefore will not be denied. After the device finds that packets
match the first rule statement, it does not check the subsequent rule statements any more.
Related Configuration
 Configuring an IPv6 ACL
By default, no IPv6 ACL is configured on a device.
Run the ipv6 access-list acl-name command in global configuration mode to create an IPv6 ACL and enter IPv6 ACL
mode.
 Adding ACEs to an IPv6 ACL
By default, a newly created IPv6 ACL contains an implicit ACE that denies all IPv6 packets. This ACE is hidden from users,
but takes effect when the ACL is applied to an interface. That is, all IPv6 packets will be discarded. Therefore, if you want the
device to receive or send some specific IPv6 packets, add some ACEs to the ACL.
Run the following command in IPv6 ACL mode to add an ACE:
[sn] {permit | deny } protocol{src-ipv6-prefix/prefix-len | hostsrc-ipv6-addr | any} {dst-ipv6-pfix/pfix-len | host dst-ipv6-addr
|any} [rangelower upper] [dscpdscp] [flow-label flow-label] [fragment] [time-rangetm-rng-name]
 Applying an IPv6 ACL
By default, the IPv6 ACL is not applied to any interface, that is, the IPv6 ACL does not filter incoming or outgoing IPv6
packets of a device.
Run the ipv6 traffic-filter acl-name { in| out } command in interface configuration mode to apply an IPv6 ACL to a specified
interface.
11.3.5 Security Channel
In some application scenarios, packets meeting some characteristics may need to bypass the checks of access control
applications. For example, before DOT1X authentication, users are allowed to log in to a specified website to download the
DOT1X authentication client. The security channel can be used for this purpose. When the security channel configuration
command is executed to apply a secure ACL globally or to an interface, this ACL becomes a security channel.
Working Principle
The security channel is also an ACL, and can be configured globally or for a specified interface. When arriving at an interface,
packets are check on the security channel. If meeting the matching conditions of the security channel, packets directly enters
To Next Page
Loading...
Need help?
General
