IPv6 counter operation with multiple interface assignments
The examples of counters in this section use small values to help illustrate counter operation. The counters in real-time network applications are much more active and show higher values.
- An ACL named "V6-01" is configured as shown in the following example, to block Telnet access to a workstation at FE80::20:2, which is connected to a port belonging to VLAN 20.
- The ACL is assigned as a PACL (port ACL) on port 2, which is also a member of VLAN 20:
ACL "V6-01" and command for PACL assignment on port 2
Switch(config)# show access-list V6-01 config
ipv6 access-list "V6-01"
10 permit icmp ::/0 fe80::20:2/128 128
20 deny tcp ::/0 fe80::20:2/128 eq 23 log
30 permit ipv6 ::/0 ::/0
exit
Switch(config)# int b2 ipv access-group V6-01 in   [1]
[1] Assigns the ACL to port 2
Using the topology shown, a workstation at FE80::20:117 on port B2 attempting to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the "V6-01" ACL assigned to port B2, resulting in the following:
Ping and Telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2
Switch# ping6 fe80::20:2%vlan20
fe80:0000:0000:0000:0000:0000:0020:0002 is alive, time = 5 ms
Switch# telnet fe80::20:2%vlan20
Telnet failed: Connection timed out.
Switch#
Resulting ACE hits on ACL "V6-01"
Switch# show statistics aclv6 IP-01 port 2
Hit Counts for ACL IPV6-ACL
Total
(1)   10 permit icmp fe80::20:3/128 fe80::20:2/128 128   [1]
(5)   20 deny tcp ::/0 fe80::20:2/128 eq 23 log   [2]
(4)   30 permit ipv6 ::/0 ::/0   [3]
[1] Shows the successful ping permitted by ACE 10
[2] Indicates denied attempts to Telnet to FE80::20:2 via the instance of the "V6-01" PACL assignment on port 2
[3] Indicates permitted attempts to reach any accessible destination via the instance of the "V6-01" PACL assignment on port 2
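The following is an added illustration, not part of the switch documentation: a small model of first-match ACE evaluation with per-ACE hit counters kept separately for each assignment instance (here, the "V6-01" PACL on port B2). It reproduces the three ACEs above and feeds them constructed traffic (one echo request, five Telnet attempts, four other TCP flows from FE80::20:117) so the resulting counters can be compared with the show statistics output. Class and function names are the example's own.

```python
# Added example: first-match IPv6 ACL evaluation with per-instance hit counters.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", "tcp" or "ipv6" (any protocol)
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int] = None      # TCP destination port ("eq")
    icmp_type: Optional[int] = None  # ICMP type, 128 = echo request
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ipv6" and pkt["proto"] != self.proto:
            return False
        if IPv6Address(pkt["src"]) not in self.src or IPv6Address(pkt["dst"]) not in self.dst:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True

class AclInstance:
    """One assignment of an ACL (e.g. the PACL on port B2); counters belong to the instance."""
    def __init__(self, name: str, aces):
        self.name, self.aces = name, list(aces)
        self.hits = {a.seq: 0 for a in self.aces}

    def filter(self, pkt: dict) -> str:
        for ace in self.aces:        # first matching ACE decides and is counted
            if ace.matches(pkt):
                self.hits[ace.seq] += 1
                return ace.action
        return "deny"                # implicit deny when no ACE matches

V6_01 = [
    Ace(10, "permit", "icmp", IPv6Network("::/0"), IPv6Network("fe80::20:2/128"), icmp_type=128),
    Ace(20, "deny", "tcp", IPv6Network("::/0"), IPv6Network("fe80::20:2/128"), dport=23, log=True),
    Ace(30, "permit", "ipv6", IPv6Network("::/0"), IPv6Network("::/0")),
]

def run_scenario():
    """Constructed traffic from fe80::20:117: 1 ping, 5 Telnet attempts, 4 other flows."""
    pacl_b2 = AclInstance("V6-01 PACL on port B2", V6_01)
    src, dst = "fe80::20:117", "fe80::20:2"
    pkts = [{"proto": "icmp", "src": src, "dst": dst, "icmp_type": 128}]
    pkts += [{"proto": "tcp", "src": src, "dst": dst, "dport": 23}] * 5
    pkts += [{"proto": "tcp", "src": src, "dst": dst, "dport": 80}] * 4
    return pacl_b2.hits, [pacl_b2.filter(p) for p in pkts]
```

Because counters live on the instance, a second assignment of "V6-01" (for example as a VACL on VLAN 20) would be a separate AclInstance with its own hits, which is why the switch reports hits per port or per VLAN.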