86 ServerIron ADX Security Guide
53-1002440-03
IACL overview
3
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
NOTE
TCP and UDP filters will be matched only if they are listed as the first option in the extension header.
For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address.
This chapter contains the following sections:
“Configuring an IPv6 ACL” on page 87
“Applying an IPv6 ACL to an interface” on page 93
“Displaying ACLs” on page 94
Configuration Notes
Either IPv6 must be enabled globally or an IPv6 address must be configured on an interface
before IPv6 ACLs can be configured.
An IPv6 ACL can include up to 1024 entries or statements.
Only named ACLs are supported.
Only inbound ACLs are supported.
If an IPv6 ACL has the implicit deny condition, make sure it also permits the IPv6 link-local
address, in addition to the global unicast address. Otherwise, routing protocols such as OSPF
will not work. To view the link-local address, use the show ipv6 interface command.
You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so will
cause the system to return the following error message.
ServerIronADX(config-if-e1000-7)#no ipv6 enable
Error: Port 7 has IPv6 ACL configured. Cannot disable IPv6
To disable IPv6, first remove the ACL from the interface.
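The link-local and entry-limit notes above can be checked before an ACL is bound to an interface. The following is an added example, not part of the original guide or Brocade code: it evaluates an ACL with first-match semantics and an implicit deny, and reports when OSPF traffic sourced from a link-local address would be dropped. The entry syntax is a simplified assumption, and all addresses and the function names `parse`, `verdict`, and `lint` are constructed for illustration.

```python
import ipaddress

MAX_ENTRIES = 1024  # per-ACL limit stated in the configuration notes

def _net(tokens):
    """Consume 'any', 'host <addr>' or '<prefix>/<len>' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("::/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/128")
    return ipaddress.ip_network(t, strict=False)

def parse(line):
    """Simplified, assumed entry form: <permit|deny> <proto> <src> <dst> [eq <port>]."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _net(tok), _net(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def verdict(lines, proto, src, dst, dport=None):
    """First matching entry decides; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in map(parse, lines):
        if e_proto not in ("ipv6", proto):
            continue  # 'ipv6' entries match every protocol
        if s in e_src and d in e_dst and e_port in (None, dport):
            return action
    return "deny"

def lint(lines, link_local_addrs):
    """Return findings for the entry limit and the link-local note."""
    findings = []
    if len(lines) > MAX_ENTRIES:
        findings.append(f"{len(lines)} entries exceeds {MAX_ENTRIES}")
    for addr in link_local_addrs:
        # OSPFv3 hellos are sourced from the link-local address to ff02::5.
        if verdict(lines, "ospf", addr, "ff02::5") == "deny":
            findings.append(f"link-local {addr} is denied; OSPF will not work")
    return findings

# Constructed sample ACLs (documentation prefix 2001:db8::/32).
WEAK = ["deny tcp host 2001:db8:1::10 host 2001:db8:2::80 eq 80",
        "permit ipv6 2001:db8::/32 any"]
FIXED = WEAK + ["permit ipv6 fe80::/10 any"]

if __name__ == "__main__":
    print(lint(WEAK, ["fe80::1"]))
    print(lint(FIXED, ["fe80::1"]))
```

The link-local addresses passed to `lint` would be the ones reported by the show ipv6 interface command for the interface and its routing neighbors.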
Processing of IPv6 ACLs
There are two ways that IPv6 ACLs are processed in Brocade devices: in software and in hardware.
This processing differs depending on the software release that you are running. These differences
are described in the following sections.

Prior to release 12.3.01

Prior to release 12.3.01, IPv6 ACLs were processed as follows:
For deny and permit actions:
All permit and deny packets are forwarded to the BPs and the BPs perform the ACL processing.

Beginning with release 12.3.01 and later

Beginning with release 12.3.01, IPv6 ACLs are processed as described in the following: