Creating an IPv6 ACL

TABLE 18 Syntax descriptions (Continued)

IPv6 ACL arguments

Description

 

 

ipv6-source-prefix/prefix-length

The ipv6-source-prefix/prefix-lengthparameter specify a source prefix and

 

prefix length that a packet must match for the specified action (deny or

 

permit) to occur. You must specify the ipv6-source-prefixparameter in

 

hexadecimal using 16-bit values between colons as documented in RFC

 

2373. You must specify the prefix-lengthparameter as a decimal value. A

 

slash mark (/) must follow the ipv6-prefixparameter and precede the

 

prefix-length parameter.

 

 

ipv6-destination-prefix/prefix-lengt

The ipv6-destination-prefix/prefix-length parameter specify a destination

prefix and prefix length that a packet must match for the specified action

h

(deny or permit) to occur. You must specify the ipv6-destination-prefix

 

parameter in hexadecimal using 16-bit values between colons as

 

documented in RFC 2373. You must specify the prefix-lengthparameter as a

 

decimal value. A slash mark (/) must follow the ipv6-prefixparameter and

 

precede the prefix-lengthparameter

 

 

any

When specified instead of the ipv6-source-prefix/prefix-lengthor

 

ipv6-destination-prefix/prefix-length parameters, matches any IPv6 prefix

 

and is equivalent to the IPv6 prefix::/0.

 

 

host

Allows you specify a host IPv6 address. When you use this parameter, you do

 

not need to specify the prefix length. A prefix length of all128 is implied.

 

 

tcp-udp-operator

The tcp-udp-operatorparameter can be one of the following:

 

eq – The policy applies to the TCP or UDP port name or number you

 

enter after eq.

 

gt – The policy applies to TCP or UDP port numbers greater than the

 

port number or the numeric equivalent of the port name you enter after

 

gt. Enter "?" to list the port names.

 

lt – The policy applies to TCP or UDP port numbers that are less than

 

the port number or the numeric equivalent of the port name you enter

 

after lt.

 

neq – The policy applies to all TCP or UDP port numbers except the port

 

number or port name you enter after neq.

 

range – The policy applies to all TCP port numbers that are between

 

the first TCP or UDP port name or number and the second one you

 

enter following the range parameter. The range includes the port

 

names or numbers you enter. For example, to apply the policy to all

 

ports between and including 23 (Telnet) and 53 (DNS), enter the

 

following range 23 53. The first port number in the range must be

 

lower than the last number in the range.

 

The source-port number and destination-port-number for the

 

tcp-udp-operator is the number of the port.

 

 

ipv6-operator

Allows you to filter the packets further by using one of the following options:

 

dscp – The policy applies to packets that match the traffic class value

 

in the traffic class field of the IPv6 packet header. This operator allows

 

you to filter traffic based on TOS or IP precedence. You can specify a

 

value from 0 – 63.

 

fragments – The policy applies to fragmented packets that contain a

 

non-zero fragment offset.

 

NOTE: This option is not applicable to filtering based on source or

 

destination port, TCP flags, and ICMP flags.

 

routing – The policy applies only to IPv6 source-routed packets.

 

NOTE: This option is not applicable to filtering based on source or

 

destination port, TCP flags, and ICMP flags.

Brocade ICX 6650 Security Configuration Guide

135

53-1002601-01

 

Page 155
Image 155
Brocade Communications Systems 6650 manual Creating an IPv6 ACL Syntax descriptions, IPv6 ACL arguments Description