ACL configuration structure
General structure options for an IPv6 ACL
After you enter an ACL command, you may want to inspect the resulting configuration. This is especially true where you are entering multiple ACEs into an ACL. Also, it will be helpful to understand the configuration structure when using later sections in this chapter.
Optional remark statements
A permit/deny statement
Source and destination IPv6 addressing
Choice of IPv6 criteria
Optional ACL
logcommand (fordenyentries)
ipv6 access-list <identifier>
[seq–#]
[remark <remark–str]
<permit|deny>
0–255
esp
ah
sctp
icmp
<SA> [operator <value>]
<DA> [operator <value>][type [code]|icmp–msg] [dscp <codepoint|precedence>]
ipv6
tcp
<SA> [operator <value>]
<DA> [operator <value>]
[dscp <codepoint|precedence]
[established]
[ack|fin|rst|syn]
udp
<SA> [operator <value>]
<DA> [operator <value>] [dscp <codepoint|precedence>]
[log]
. . .
<Implicit Deny Any Any>
exit
The ACL in the example below filters traffic for individual hosts in some instances and all hosts in others:
Displayed ACL configuration
Switch# show run
.
.
.
ipv6 access-list "Sample–List–1"
10 permit ipv6 2001:db8:0:130::55/128 2001:db8:0:130::240/128
20 permit tcp ::/0 ::/0 eq 23
30 remark "ALLOWS HTTP FROM SINGLE HOST."
30 permit tcp 2001:db8:0:140::14/128 eq 80 ::/0 eq 3871
40 remark "DENIES HTTP FROM ANY TO ANY."
40 deny tcp ::/0 ::/0 eq 80 log
50 deny udp 2001:db8:0:150::44/128 eq 69 2001:db8:0:120::19/128
range 3680 3690 log
60 deny udp ::/0 2001:db8:0:150::121/128 log
70 permit ipv6 2001:db8:0:01::/56 ::/0
exit
Line |
Action |
|---|---|
10 |
Permits all IPv6 traffic from the host at 2001:db8:0:130::55 to the host at 2001:db8:0:130::240. |
20 |
Permits all Telnet traffic from any source to any destination. |
30 |
Includes a remark and permits TCP port 80 traffic received at any destination as port 3871 traffic. |
40 |
Includes a remark and denies TCP port 80 traffic received at any destination, and causes a log message to be generated when a match occurs. |
50 |
Denies UDP port 69 (TFTP) traffic sent from the host at 2001:db8:0:150::44 to the host at 2001:db8:0:120::19 with a destination port number in the range of 3680–3690 and causes a log message to be generated when a match occurs. |
60 |
Denies UDP traffic from any source to the host at 2001:db8:0:150::121 and causes a log message to be generated when a match occurs. |
70 |
Permits all IPv6 traffic with an SA prefix of 2001:db8:0:01/56 that is not already permitted or denied by the preceding ACEs in the ACL. |
NOTE:
An implicit
|
|
ACL identity: This is a string of up to 64 characters specifying the ACL name.
Optional
remarkentries.- One or more deny/permit list entries (ACEs): One entry per line.
Element
Notes
Identifier
Alphanumeric; up to 64 characters, including spaces
Remark
Allows up to 100 alphanumeric characters, including blank spaces. (If any spaces are used, the remark must be enclosed in a pair of single or double quotes.)A remark is associated with a particular ACE and has the same sequence number as the ACE. (One remark is allowed per ACE.) See Attaching a remark to an ACE.
Maximum ACEs per switch
The maximum number of ACEs supported by the switch is up to 3072 for IPv6 ACEs and up to 3072 for IPv4 ACEs. The maximum number of ACEs applied to a VLAN or port depends on the concurrent resource usage by multiple configured features. For more information, use the
show <qos|access-list> resourcescommand. Implicit deny: Where an ACL is applied to an interface, it denies any packets that do not have a match with any of the ACEs explicitly configured in the list. The implicit deny does not appear in ACL configuration listings, but always functions when the switch uses an ACL to filter packets. (You cannot delete the implicit deny, but you can supersede it with a
permit ipv6 any anyACE.)