ACL Configuration Structure
- Optional remark statements
- A permit/deny statement
- Source and destination IPv6 addressing
- Choice of IPv6 criteria
- Optional ACL log command (for deny or permit entries)
General structure options for an IPv6 ACL

ipv6 access-list identifier
  [seq-#] [remark remark-str]
  permit | deny
    0-255 | esp | ah | sctp | icmp | ipv6 | tcp | udp
      SA [operator value] DA [operator value]
      [type [code] | icmp-msg]                 (icmp)
      [dscp codepoint | precedence]
      [established] [ack | fin | rst | syn]    (tcp)
    [log]   (Allowed only with "deny" or "permit" ACEs.)
  Implicit Deny Any Any
exit
Displayed ACL configuration
Switch# show run
.
.
.
ipv6 access-list "Sample-List-1"
10 permit ipv6 2001:db8:0:130::55/128 2001:db8:0:130::240/128
20 permit tcp ::/0 ::/0 eq 23
30 remark "ALLOWS HTTP FROM SINGLE HOST."
30 permit tcp 2001:db8:0:140::14/128 eq 80 ::/0 eq 3871
40 remark "DENIES HTTP FROM ANY TO ANY."
40 deny tcp ::/0 ::/0 eq 80 log
50 deny udp 2001:db8:0:150::44/128 eq 69 2001:db8:0:120::19/128 range 3680 3690 log
60 deny udp ::/0 2001:db8:0:150::121/128 log
70 permit ipv6 2001:db8:0:01::/56 ::/0
exit
| Line | Action |
|---|---|
| 10 | Permits all IPv6 traffic from the host at 2001:db8:0:130::55 to the host at 2001:db8:0:130::240. |
| 20 | Permits all Telnet traffic from any source to any destination. |
| 30 | Includes a remark and permits TCP traffic sent from port 80 on the host at 2001:db8:0:140::14 to port 3871 at any destination. |
| 40 | Includes a remark and denies TCP port 80 traffic received at any destination, and causes a log message to be generated when a match occurs. |
| 50 | Denies UDP port 69 (TFTP) traffic sent from the host at 2001:db8:0:150::44 to the host at 2001:db8:0:120::19 with a destination port number in the range of 3680 to 3690, and causes a log message to be generated when a match occurs. |
| 60 | Denies UDP traffic from any source to the host at 2001:db8:0:150::121 and causes a log message to be generated when a match occurs. |
| 70 | Permits all IPv6 traffic with an SA prefix of 2001:db8:0:01::/56 that is not already permitted or denied by the preceding ACEs in the ACL. |
NOTE: An implicit
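Added example, not part of the switch documentation: a small Python model of first-match ACE evaluation over Sample-List-1 exactly as displayed above. It shows which entry a given packet hits, whether that entry logs, and the fall-through to the implicit deny any any at the end of the list. The packet fields (source, destination, protocol, ports) are constructed test inputs.

```python
import ipaddress

# Sample-List-1 exactly as displayed by "show run" above; remarks are skipped.
SAMPLE_LIST_1 = """
10 permit ipv6 2001:db8:0:130::55/128 2001:db8:0:130::240/128
20 permit tcp ::/0 ::/0 eq 23
30 remark "ALLOWS HTTP FROM SINGLE HOST."
30 permit tcp 2001:db8:0:140::14/128 eq 80 ::/0 eq 3871
40 remark "DENIES HTTP FROM ANY TO ANY."
40 deny tcp ::/0 ::/0 eq 80 log
50 deny udp 2001:db8:0:150::44/128 eq 69 2001:db8:0:120::19/128 range 3680 3690 log
60 deny udp ::/0 2001:db8:0:150::121/128 log
70 permit ipv6 2001:db8:0:01::/56 ::/0
"""

def _port_test(tokens):
    """Consume an optional 'eq N' or 'range LO HI'; match any port if absent."""
    if tokens and tokens[0] == "eq":
        return (lambda p, n=int(tokens[1]): p == n), tokens[2:]
    if tokens and tokens[0] == "range":
        return (lambda p, lo=int(tokens[1]), hi=int(tokens[2]): lo <= p <= hi), tokens[3:]
    return (lambda p: True), tokens

def parse_acl(text):
    """Turn the displayed ACEs into an ordered list of match dictionaries."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[1] == "remark":
            continue
        # strict=False masks off host bits (2001:db8:0:01::/56), as the switch does.
        src = ipaddress.ip_network(t[3], strict=False)
        sport_ok, rest = _port_test(t[4:])
        dst = ipaddress.ip_network(rest[0], strict=False)
        dport_ok, rest = _port_test(rest[1:])
        aces.append({"seq": int(t[0]), "action": t[1], "proto": t[2], "src": src, "dst": dst,
                     "sport_ok": sport_ok, "dport_ok": dport_ok, "log": "log" in rest})
    return aces

def evaluate(aces, src, dst, proto, sport=0, dport=0):
    """First match wins: (action, seq, logged); no match -> implicit deny, unnumbered, never logged."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a["proto"] != "ipv6" and a["proto"] != proto:
            continue  # "ipv6" ACEs match every protocol
        if s in a["src"] and d in a["dst"] and a["sport_ok"](sport) and a["dport_ok"](dport):
            return a["action"], a["seq"], a["log"]
    return "deny", None, False
```

Note that the permit on line 70 is reached only by traffic no earlier ACE matched, and that anything outside 2001:db8::/56 falls to the implicit deny without a log entry, so unexpected drops there are invisible unless an explicit logged deny is added.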