Adding a comment to an IPv6 ACL entry

This example applies the IPv6 ACL “access1” to incoming IPv6 packets on Ethernet interface 1/3/1. As a result, Ethernet interface 1/3/1 denies all incoming packets whose source address falls within the prefix 2001:db8:0:2::/64 or the prefix 2001:db8:1::/48 and permits all other incoming packets. (2001:db8::/32 is the IPv6 documentation prefix, not a site-local or production range; substitute your own prefixes when you copy the example.)

Syntax for applying an IPv6 ACL

Syntax: ipv6 traffic-filter ipv6-ACL-name in

For the ipv6-ACL-name parameter, specify the name of an IPv6 ACL created using the ipv6 access-list command.

The in keyword applies the specified IPv6 ACL to incoming IPv6 packets on the interface.

Applying an IPv6 ACL to a trunk group

When applying an IPv6 ACL to a trunk group, apply it to the primary port of the trunk, as described under “Applying an IPv6 ACL to an interface” on page 137. IPv6 ACLs cannot be applied to secondary ports. When an IPv6 ACL is applied to a primary port in a trunk, it filters the traffic on the secondary ports of the trunk as well as the traffic on the primary port.

Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN

As with IPv4 ACLs, by default, when you apply an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN, the ACL takes effect on all protocol or subnet VLANs to which the untagged port belongs. To prevent the Brocade device from denying packets on other virtual interfaces that do not have an ACL applied, configure an ACL that permits packets in the IP subnet of the virtual interface in all protocol-based or subnet-based VLANs to which the untagged port belongs.

Adding a comment to an IPv6 ACL entry

You can optionally add a comment to describe entries in an IPv6 ACL. The comment appears in the output of show commands that display ACL information.

You can add a comment by entering the remark command immediately preceding the ACL entry it describes. For example, to enter comments preceding each ACL entry, enter commands such as the following.

Brocade(config)# ipv6 access-list rtr
Brocade(config-ipv6-access-list rtr)# remark This entry permits ipv6 packets from 2001:db8::2 to any destination
Brocade(config-ipv6-access-list rtr)# permit ipv6 host 2001:db8::2 any
Brocade(config-ipv6-access-list rtr)# remark This entry denies udp packets from any source to any destination
Brocade(config-ipv6-access-list rtr)# deny udp any any
Brocade(config-ipv6-access-list rtr)# remark This entry denies IPv6 packets from any source to any destination
Brocade(config-ipv6-access-list rtr)# deny ipv6 any any
Brocade(config-ipv6-access-list rtr)# write memory

Syntax: remark comment-text
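The following script is an added example, not Brocade code and not part of this guide. It simulates the first-match evaluation of the IPv6 ACLs on this page (the "rtr" list above and the "access1" list described under the interface example) so that you can check what a given packet would hit before applying the list with ipv6 traffic-filter. Assumptions beyond the page: the PREFIX/LEN source form used to express the access1 denies, the stripping of the "Brocade(...)#" prompts so the transcript can be fed in verbatim, and the implicit deny at the end of the list, which this page does not state. The sample packets are constructed.

```python
"""First-match simulator for the IPv6 ACL entry forms shown on this page.

Added example, not Brocade code. Supported lines: 'ipv6 access-list NAME',
'remark TEXT', and 'permit|deny PROTO SRC DST' where PROTO is ipv6|tcp|udp
and SRC/DST are 'any', 'host ADDR', or (assumed syntax) PREFIX/LEN.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("::/0")


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ipv6" matches every upper-layer protocol
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    remark: Optional[str] = None  # display only; never consulted when matching


@dataclass
class IPv6Acl:
    name: str
    entries: List[Entry] = field(default_factory=list)


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv6Network, List[str]]:
    """Consume one address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]  # assumed PREFIX/LEN form


def parse_acl(transcript: str) -> IPv6Acl:
    """Build an IPv6Acl from CLI lines; a remark attaches to the entry that follows it."""
    acl, pending_remark = None, None
    for raw in transcript.splitlines():
        # Assumption: drop a leading 'Brocade(...)#' prompt so page transcripts parse as-is.
        line = raw.split("#", 1)[1] if raw.lstrip().startswith("Brocade(") else raw
        tokens = line.split()
        if not tokens or tokens[0] in ("write", "exit", "end"):
            continue
        if tokens[:2] == ["ipv6", "access-list"]:
            acl = IPv6Acl(tokens[2])
        elif tokens[0] == "remark":
            pending_remark = line.strip()[len("remark"):].strip()
        elif tokens[0] in ("permit", "deny"):
            if acl is None:
                raise ValueError("entry before 'ipv6 access-list NAME'")
            src, rest = _addr(tokens[2:])
            dst, rest = _addr(rest)
            acl.entries.append(Entry(tokens[0], tokens[1], src, dst, pending_remark))
            pending_remark = None
        else:
            raise ValueError(f"unsupported line: {line.strip()}")
    if acl is None:
        raise ValueError("no 'ipv6 access-list' line found")
    return acl


def evaluate(acl: IPv6Acl, src: str, dst: str, proto: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number) of the first entry that matches.

    A packet matching no entry is denied: the implicit deny at the end of a
    Brocade ACL is assumed here, since this page does not state it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, e in enumerate(acl.entries, start=1):
        if e.proto != "ipv6" and e.proto != proto:
            continue
        if s in e.src and d in e.dst:
            return e.action, number
    return "deny", None


# The page's own "rtr" transcript, prompts included.
RTR_TRANSCRIPT = """\
Brocade(config)# ipv6 access-list rtr
Brocade(config-ipv6-access-list rtr)# remark This entry permits ipv6 packets from 2001:db8::2 to any destination
Brocade(config-ipv6-access-list rtr)# permit ipv6 host 2001:db8::2 any
Brocade(config-ipv6-access-list rtr)# remark This entry denies udp packets from any source to any destination
Brocade(config-ipv6-access-list rtr)# deny udp any any
Brocade(config-ipv6-access-list rtr)# remark This entry denies IPv6 packets from any source to any destination
Brocade(config-ipv6-access-list rtr)# deny ipv6 any any
Brocade(config-ipv6-access-list rtr)# write memory
"""

# Constructed reconstruction of "access1" from the interface example's prose;
# the prefix-form entries are assumed syntax, not copied from the page.
ACCESS1_TRANSCRIPT = """\
ipv6 access-list access1
 remark block both prefixes named in the interface example
 deny ipv6 2001:db8:0:2::/64 any
 deny ipv6 2001:db8:1::/48 any
 permit ipv6 any any
"""

RTR = parse_acl(RTR_TRANSCRIPT)
ACCESS1 = parse_acl(ACCESS1_TRANSCRIPT)

if __name__ == "__main__":
    for acl, pkt in ((RTR, ("2001:db8::2", "2001:db8::9", "udp")),
                     (RTR, ("2001:db8::3", "2001:db8::9", "tcp")),
                     (ACCESS1, ("2001:db8:0:2::1", "2001:db8:ffff::1", "tcp")),
                     (ACCESS1, ("2001:db8:2::1", "2001:db8:ffff::1", "tcp"))):
        action, n = evaluate(acl, *pkt)
        why = acl.entries[n - 1].remark if n else "implicit deny"
        print(f"{acl.name}: {pkt} -> {action} (entry {n}: {why})")
```

Two points the simulation makes visible: the remark is attached to the entry that follows it and plays no part in matching, so a stale or misplaced remark silently misdescribes the rule; and evaluation stops at the first match, so in "rtr" the permit for host 2001:db8::2 must come before the deny entries or it is never reached.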


Brocade ICX 6650 Security Configuration Guide


53-1002601-01
