Configuring ACEs in an ACL

Configuring ACEs is done after using the ipv6 access-list <ascii–str> command to enter the IPv6 ACL (ipv6-acl) context of an ACL.

Syntax:

<deny|permit> <ipv6|ipv6-protocol|ipv6-protocol-nbr>

Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence, Resequencing the ACEs in an IPv6 ACL.

NOTE:

To insert a new ACE between two existing ACEs in an ACL, precede deny or permit with an appropriate sequence number. See Inserting an ACE in an existing ACL.

For a match to occur, a packet must have the source and destination IPv6 addressing criteria specified in the ACE, as well as:

The protocol-specific criteria configured in the ACE, including any optional elements (described later in this section)
Any (optional) DSCP settings configured in the ACE

<deny|permit>

These keywords are used in the IPv6 (ipv6-acl) context to specify whether the ACE denies or permits a packet matching the criteria in the ACE, as described below.

<ipv6|ipv6-protocol|ipv6-protocol-nbr>

ipv6 - Any IPv6 packet.

ipv6-protocol

-Any one of the following IPv6 protocol names:

esp
ah
sctp
icmp*
tcp*
udp*

*For TCP, UDP, and ICMP, additional, optional criteria can be specified, as described in Options for TCP and UDP traffic in IPv6 ACLs and subsequent sections.

ipv6-protocol-nbr -The protocol number of an IPv6 packet type, such as “8” for Exterior Gateway Protocol or 121 for Simple Message Protocol. (Range: 0–255)

(For a listing of IPv6 protocol numbers and their corresponding protocol names, refer to the IANA protocol number assignments at www.iana.com.)

<any|host <SA>|SA/<prefix-length>

This is the first instance of IPv6 addressing in an ACE. It follows the protocol specifier and defines the source IPv6 address (SA) a packet must carry for a match with the ACE.

any -Allows IPv6 packets from any IPv6 SA.

host <SA> - Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv6 packets from a single SA.

SA prefix–length - Specifies packets received from one or more contiguous subnets or contiguous addresses within a single subnet. The prefix length is in CIDR format and defines the number of leftmost bits to use in determining a match. (See Using CIDR notation to enter the IPv6 ACL prefix length.) In a given ACE, the SA prefix length defines how many leftmost bits in a packet’s SA must exactly match the SA configured in the ACE.

Prefix-length applications

2001:db8:0:e102::10:100/120 matches any IPv6 address in the range of 2001:db8:0:e102::10:<0100 - 01FF>
2001:db8:a0:e102::/64 matches any IPv6 address having a prefix of 2001:db8:a0:e102.
FE80::/16 matches any link-local address on an interface.

NOTE:

For more information on how prefix lengths are used in IPv6 ACLs, see How an ACE uses a mask to screen packets for matches.

<any|host <DA>|DA/prefix-length>

This is the second instance of addressing in an IPv6 ACE. It follows the first (SA) instance, described earlier in this section, and defines the destination IPv6 address (DA) that a packet must carry to have a match with the ACE.

any -Allows IPv6 packets to any IPv6 DA.

host <DA> - Specifies only packets having DA as the destination address. Use this criterion when you want to match only the IPv6 packets for a single DA.

DA/prefix–length - Specifies packets intended for one or more contiguous subnets or contiguous addresses within a single subnet. The prefix length is in CIDR format and defines the number of leftmost bits to use in determining a match. (See Using CIDR notation to enter the IPv6 ACL prefix length.) In a given ACE, the DA prefix length defines how many leftmost bits in a packet’s DA must exactly match the DA configured in the ACE.

[dscp <codepoint|precedence]

This option follows the DA to include a DSCP codepoint or precedence as a matching criteria.

codepoint: Supports these codepoint selection options:

0-63: Select a specific DSCP codepoint by entering its decimal equivalent.

Assured Forwarding (AF) codepoint matches:
AF	DSCPMatch
af11	001010
af12	001100
af13	001110
af21	010010
af22	010100
af23	010110
af31	011010
af32	011100
af33	011110
af41	100010
af42	100100
af43	100110

default: Matches with the 000000 (default) DSCP.

ef: Expedited forwarding (EF; 000000) DSCP match.

precedence: Supports selection of a precedence setting in the DSCP.

Option	Precedence Bits	Name
cs1	001	priority
cs2	010	immediate
cs3	011	flash
cs4	100	flash-override
cs5	101	critical
cs6	110	internet (for internetwork control)
cs7	111	network (for network control)

NOTE:

The precedence criteria described in this section are applied in addition to any other selection criteria configured in the same ACE. Also, where dscp is configured in a given ACE, the established keyword and the optional TCP control bits cannot be configured.

[dscp <codepoint|precedence] [log]

This option can be used after the DA to generate an Event Log message if:

The action is deny. (Not applicable to permit actions.)
There is a match.
ACL logging is enabled. (See Enabling ACL logging on the switch.)

For a given ACE, if log is used, it must be the last keyword entered.

DSCP codepoints with decimal equivalents
DSCP bits	Decimal
000000	0 (default)
000001	1
000010	2
000011	3
000100	4
000101	5
000110	6
000111	7
001000	8
001001	9
001010	10 (1)
001011	11
001100	12 (1¹)
001101	13
001110	14 (2¹)
001111	15
010000	16
010001	17
010010	18 (0¹)
010011	19
010100	20 (0¹)
010101	21
010110	22 (3¹)
010111	23
011000	24
011001	25
011010	26 (4¹)
011011	27
011100	28 (4¹)
011101	29
011110	30 (5¹)
011111	31
100000	32
100001	33
100010	34 (6¹)
100011	35
100100	36 (6¹)
100101	37
100110	38 (7¹)
100111	39
101000	40
101001	41
101010	42
101011	43
101100	44
101101	45
101110	46 (7)
101111	47
110000	48
110001	49
110010	50
110011	51
110100	52
110101	53
110110	54
110111	55
111000	56
111001	57
111010	58
111011	59
111100	60
111101	61
111110	62
111111	63

Assured Forwarding codepoint and 802.1p precedence.