Configuring ACEs in an ACL

Configuring ACEs is done after using the ipv6 access-list <ascii–str> command to enter the IPv6 ACL (ipv6-acl) context of an ACL.

Syntax:

<deny|permit> <ipv6>

<any|host <SA>|SA/prefix–length> <any|host <DA>|DA/prefix–length> [log]

<deny|permit> <ipv6|ipv6-protocol|ipv6-protocol-nbr>

<any|host <SA>|SA/prefix–length> <any|host <DA>|DA/prefix–length> [dscp <tos-bits|precedence] [log]

Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence, Resequencing the ACEs in an IPv6 ACL.

NOTE:

To insert a new ACE between two existing ACEs in an ACL, precede deny or permit with an appropriate sequence number. See Inserting an ACE in an existing ACL.

For a match to occur, a packet must have the source and destination IPv6 addressing criteria specified in the ACE, as well as:
  • The protocol-specific criteria configured in the ACE, including any optional elements (described later in this section)

  • Any (optional) DSCP settings configured in the ACE

<deny|permit>

These keywords are used in the IPv6 (ipv6-acl) context to specify whether the ACE denies or permits a packet matching the criteria in the ACE, as described below.

<ipv6|ipv6-protocol|ipv6-protocol-nbr>

ipv6 - Any IPv6 packet.

ipv6-protocol -Any one of the following IPv6 protocol names:
  • esp
  • ah
  • sctp
  • icmp*
  • tcp*
  • udp*
*For TCP, UDP, and ICMP, additional, optional criteria can be specified, as described in Options for TCP and UDP traffic in IPv6 ACLs and subsequent sections.

ipv6-protocol-nbr -The protocol number of an IPv6 packet type, such as “8” for Exterior Gateway Protocol or 121 for Simple Message Protocol. (Range: 0–255)

(For a listing of IPv6 protocol numbers and their corresponding protocol names, refer to the IANA protocol number assignments at www.iana.com.)

<any|host <SA>|SA/<prefix-length>

This is the first instance of IPv6 addressing in an ACE. It follows the protocol specifier and defines the source IPv6 address (SA) a packet must carry for a match with the ACE.

any -Allows IPv6 packets from any IPv6 SA.

host <SA> - Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv6 packets from a single SA.

SA prefix–length - Specifies packets received from one or more contiguous subnets or contiguous addresses within a single subnet. The prefix length is in CIDR format and defines the number of leftmost bits to use in determining a match. (See Using CIDR notation to enter the IPv6 ACL prefix length.) In a given ACE, the SA prefix length defines how many leftmost bits in a packet’s SA must exactly match the SA configured in the ACE.

Prefix-length applications

  • 2001:db8:0:e102::10:100/120 matches any IPv6 address in the range of 2001:db8:0:e102::10:<0100 - 01FF>

  • 2001:db8:a0:e102::/64 matches any IPv6 address having a prefix of 2001:db8:a0:e102.

  • FE80::/16 matches any link-local address on an interface.

NOTE:

For more information on how prefix lengths are used in IPv6 ACLs, see How an ACE uses a mask to screen packets for matches.

<any|host <DA>|DA/prefix-length>

This is the second instance of addressing in an IPv6 ACE. It follows the first (SA) instance, described earlier in this section, and defines the destination IPv6 address (DA) that a packet must carry to have a match with the ACE.

any -Allows IPv6 packets to any IPv6 DA.

host <DA> - Specifies only packets having DA as the destination address. Use this criterion when you want to match only the IPv6 packets for a single DA.

DA/prefix–length - Specifies packets intended for one or more contiguous subnets or contiguous addresses within a single subnet. The prefix length is in CIDR format and defines the number of leftmost bits to use in determining a match. (See Using CIDR notation to enter the IPv6 ACL prefix length.) In a given ACE, the DA prefix length defines how many leftmost bits in a packet’s DA must exactly match the DA configured in the ACE.

[dscp <codepoint|precedence]

This option follows the DA to include a DSCP codepoint or precedence as a matching criteria.

codepoint : Supports these codepoint selection options:

0-63: Select a specific DSCP codepoint by entering its decimal equivalent.

Assured Forwarding (AF) codepoint matches:

AF

DSCPMatch

af11

001010

af12

001100

af13

001110

af21

010010

af22

010100

af23

010110

af31

011010

af32

011100

af33

011110

af41

100010

af42

100100

af43

100110

default: Matches with the 000000 (default) DSCP.

ef: Expedited forwarding (EF; 000000) DSCP match.

precedence: Supports selection of a precedence setting in the DSCP.

Option

Precedence Bits

Name

cs1

001

priority

cs2

010

immediate

cs3

011

flash

cs4

100

flash-override

cs5

101

critical

cs6

110

internet (for internetwork control)

cs7

111

network (for network control)

NOTE:

The precedence criteria described in this section are applied in addition to any other selection criteria configured in the same ACE. Also, where dscp is configured in a given ACE, the established keyword and the optional TCP control bits cannot be configured.

[dscp <codepoint|precedence] [log]

This option can be used after the DA to generate an Event Log message if:

For a given ACE, if log is used, it must be the last keyword entered.

Table 11: DSCP codepoints with decimal equivalents

DSCP bits

Decimal

000000

0 (default)

000001

1

000010

2

000011

3

000100

4

000101

5

000110

6

000111

7

001000

8

001001

9

001010

10 (1)

001011

11

001100

12 (11)

001101

13

001110

14 (21)

001111

15

010000

16

010001

17

010010

18 (01)

010011

19

010100

20 (01)

010101

21

010110

22 (31)

010111

23

011000

24

011001

25

011010

26 (41)

011011

27

011100

28 (41)

011101

29

011110

30 (51)

011111

31

100000

32

100001

33

100010

34 (61)

100011

35

100100

36 (61)

100101

37

100110

38 (71)

100111

39

101000

40

101001

41

101010

42

101011

43

101100

44

101101

45

101110

46 (7)

101111

47

110000

48

110001

49

110010

50

110011

51

110100

52

110101

53

110110

54

110111

55

111000

56

111001

57

111010

58

111011

59

111100

60

111101

61

111110

62

111111

63

1

Assured Forwarding codepoint and 802.1p precedence.