Configuration Guide Configuring ACL
numbers, including icmp, ipv6, tcp, and udp.
src-ipv6-prefix/prefix-len: Indicates that IPv6 packets sent from hosts in the specified IPv6 network segment
are filtered.
host src-ipv6-addr: Indicates that IPv6 packets sent from a host with the specified source IP address are
filtered.
any: Indicates that IPv6 packets sent from any host are filtered.
dst-ipv6-pfix/pfix-len: Indicates that IPv6 packets sent to hosts in the specified IPv6 network segment are
filtered.
host dst-ipv6-addr: Indicates that IPv6 packets sent to a host with the specified destination IP address are
filtered.
any: Indicates that IPv6 packets sent to any host are filtered.
op dstport: Indicates that TCP or UDP packets are filtered based on the L4 destination port number. The
value of the op parameter can be eq (equal to), neq (not equal to), gt (greater than), or lt (less than).
range lower upper: Indicates that TCP or UDP packets with the L4 destination port number in the specified
range are filtered.
dscp dscp: Indicates that IPv6 packets with the specified DSCP field value in the header are filtered.
flow-label flow-label: Indicates that IPv6 packets with the specified flow label field value in the header are
filtered.
fragment: Indicates that only the non-first fragments of fragmented IPv6 packets are filtered. First fragments are not matched.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
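
The matching rules for the source, destination, port and fragment parameters described above, as an added Python example (not code from this guide or from the device). The names Ace, addr_match and the packet dictionary keys are hypothetical, the port range is assumed to be inclusive, and the addresses are constructed samples.

```python
import ipaddress
import operator
from dataclasses import dataclass
from typing import Optional, Tuple

# Port operators listed in the guide: eq, neq, gt, lt.
PORT_OPS = {"eq": operator.eq, "neq": operator.ne,
            "gt": operator.gt, "lt": operator.lt}

def addr_match(spec: str, addr: str) -> bool:
    """spec is 'any', 'host <addr>' or '<prefix>/<len>'."""
    ip = ipaddress.IPv6Address(addr)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == ipaddress.IPv6Address(spec[5:])
    return ip in ipaddress.IPv6Network(spec, strict=False)

@dataclass
class Ace:  # hypothetical model of one ACE, not the device's structure
    action: str                                   # "permit" or "deny"
    protocol: str                                 # "tcp", "udp", "icmp"
    src: str
    dst: str
    port_op: Optional[Tuple[str, int]] = None     # op dstport
    port_range: Optional[Tuple[int, int]] = None  # range lower upper
    fragment: bool = False                        # non-first fragments only

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] != self.protocol:
            return False
        if not (addr_match(self.src, pkt["src"])
                and addr_match(self.dst, pkt["dst"])):
            return False
        if self.fragment and not pkt.get("later_fragment", False):
            return False
        dport = pkt.get("dport")  # None when no L4 header is visible
        if self.port_op is not None:
            op, port = self.port_op
            if dport is None or not PORT_OPS[op](dport, port):
                return False  # modelling choice: no port, no match
        if self.port_range is not None:
            lower, upper = self.port_range  # assumed inclusive
            if dport is None or not lower <= dport <= upper:
                return False
        return True

# Constructed samples (documentation prefix 2001:db8::/32).
ACE = Ace("deny", "tcp", "2001:db8:10::/64", "host 2001:db8:20::5",
          port_range=(135, 139))
PKT = {"proto": "tcp", "src": "2001:db8:10::9", "dst": "2001:db8:20::5",
       "dport": 139}
```
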
IPv6 ACL configuration mode
Run this command to add ACEs in IPv6 ACL configuration mode.
To filter IPv6 packets other than TCP or UDP packets, add ACEs to an IPv6 ACL as follows:
[ sn ] { permit | deny } protocol { src-ipv6-prefix/prefix-len | host src-ipv6-addr | any } { dst-ipv6-pfix/pfix-len |
host dst-ipv6-addr | any } [ dscp dscp ] [ flow-label flow-label ] [ fragment ] [ time-range tm-rng-name ]
sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
protocol: Indicates the IPv6 protocol number. The value ranges from 0 to 255. For ease of use, the
system provides frequently used abbreviations of IPv6 protocol numbers to replace the specific IP protocol