access-list ipv6
Syntax
access-list ipv6 <ACL-NAME>
[<SEQUENCE-NUMBER>]
{permit|deny}
{any|ah|gre|esp|icmpv6|ospf|pim|<IP-PROTOCOL-NUM>}
{any|<SRC-IP-ADDRESS>[/<PREFIX-LENGTH>]}
{any|<DST-IP-ADDRESS>[/<PREFIX-LENGTH>]}
[dscp {AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|
CS0|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF|<DSCP-VALUE>}]
[ecn <ECN-VALUE>]
[ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>]
[fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]
[<SEQUENCE-NUMBER>]
{permit|deny}
{sctp|tcp|udp}
{any|<SRC-IP-ADDRESS>[/<PREFIX-LENGTH>]}
[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]
{any|<DST-IP-ADDRESS>[/<PREFIX-LENGTH>]}
[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]
[cwr] [ece] [urg] [ack] [psh] [rst] [syn] [fin] [established]
[dscp {AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|
CS0|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF|<DSCP-VALUE>}]
[ecn <ECN-VALUE>]
[ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>]
[fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]
[<SEQUENCE-NUMBER>] comment <TEXT-STRING>
Description
Creates an IPv6 access control list (ACL). The ACL is made up of one or more access control entries (ACEs) ordered and prioritized by sequence number: the ACE with the lowest sequence number has the highest priority and is evaluated first.
The no form of this command can be used to delete an ACL (use no with the access-list command) or to delete an individual ACE (use no with the sequence-number parameter).
Command context
config
The access-list ipv6 <ACL-NAME> command takes you into the named ACL context where you enter the access control entries.
Parameters
<ACL-NAME>
Specifies the name of this ACL.
<SEQUENCE-NUMBER>
Specifies a sequence number for the ACE. Optional, in the range of 1-4294967295.
{permit|deny}
Specifies whether to permit or deny traffic matching this ACE.
comment
Specifies storing the remaining entered text as an ACE comment.
protocol
Select a protocol from the following (enter one only):
any - Any IP protocol
<IP-PROTOCOL-NUM> - Enter an IP protocol number, range 1-255.
Or enter an IP protocol name from the following list (sctp, tcp, and udp are the only protocols that accept the Layer 4 port operators):
ah
gre
esp
icmpv6
ospf (version 3)
pim
sctp
tcp
udp
{any|<SRC-IP-ADDRESS>[/<PREFIX-LENGTH>]}
Specifies the source IPv6 host, network address, or the keyword any. You can optionally include the following:
<PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range 1-128.
{any|<DST-IP-ADDRESS>[/<PREFIX-LENGTH>]}
Specifies the destination IPv6 host, network address, or the keyword any. You can optionally include the following:
<PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range 1-128.
[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]
Specifies matching using one of the following keywords:
eq - Layer 4 port is equal to the specified port.
gt - Layer 4 port is greater than the specified port.
lt - Layer 4 port is less than the specified port.
Relative to either a single port or a port range:
<PORT> - A single Layer 4 port (range 0-65535).
range <MIN-PORT> <MAX-PORT> - A Layer 4 port from the minimum to the maximum port, inclusive.
Each port to be matched requires a separate hardware entry. The system can run out of hardware resources before the ACE limit is reached when many Layer 4 ports are to be matched. For example, the 8400 switch supports a maximum of 24,000 ACEs per egress ACL. One ACE that matches gt 10 on both the source and the destination Layer 4 port results in (65535-10)*(65535-10) = 4,293,525,625 hardware entries. This ACE exceeds the hardware capacity of the 8400 switch and cannot be applied.
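The hardware expansion described above, as an added Python example (not Aruba's code): port_count, ace_entries, acl_entries, fits and largest_aces are hypothetical helpers that count the entries each port operator expands to under the page's model (one entry per selected port, source choices multiplied by destination choices on the same ACE) and check the total against the 24,000 figure quoted for an egress ACL on the 8400, which is assumed here to be the budget the expanded entries must fit. This is the page's worst case; platform TCAM range compression may consume fewer entries, so treat a failing result as "rewrite before you apply", not as a measurement.

```python
# Added example (not Aruba's code): estimates the hardware entries a set of
# IPv6 ACEs with Layer 4 port operators consumes, using the expansion model
# this page describes. Every port an operator selects needs its own entry, and
# a source port match multiplies with a destination port match on the same ACE.
# Worst case only: real TCAM range compression may need fewer entries.
from typing import Optional, Sequence, Tuple

MAX_PORT = 65535
# Limit quoted on this page for an egress ACL on the 8400; assumed here to be
# the budget the expanded entries must fit in.
EGRESS_LIMIT_8400 = 24_000

# A port match is None (no operator), ("eq", p), ("gt", p), ("lt", p) or
# ("range", lo, hi), mirroring the CLI keywords.
PortMatch = Optional[Tuple]


def _check(port: int) -> None:
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port {port} outside 0-{MAX_PORT}")


def port_count(match: PortMatch) -> int:
    """Number of Layer 4 ports the operator selects (1 when there is none)."""
    if match is None:
        return 1
    op = match[0]
    if op == "eq":
        _check(match[1])
        return 1
    if op == "gt":                      # ports match[1]+1 .. 65535
        _check(match[1])
        return MAX_PORT - match[1]
    if op == "lt":                      # ports 0 .. match[1]-1
        _check(match[1])
        return match[1]
    if op == "range":                   # inclusive on both ends
        lo, hi = match[1], match[2]
        _check(lo)
        _check(hi)
        if lo > hi:
            raise ValueError("range minimum exceeds maximum")
        return hi - lo + 1
    raise ValueError(f"unknown port operator {op!r}")


def ace_entries(src: PortMatch, dst: PortMatch) -> int:
    """Hardware entries for one ACE: source choices times destination choices."""
    return port_count(src) * port_count(dst)


def acl_entries(aces: Sequence[Tuple[PortMatch, PortMatch]]) -> int:
    """Total expanded entries for a list of (source match, destination match)."""
    return sum(ace_entries(s, d) for s, d in aces)


def fits(aces: Sequence[Tuple[PortMatch, PortMatch]], limit: int = EGRESS_LIMIT_8400) -> bool:
    """True when the expanded ACL stays within the hardware budget."""
    return acl_entries(aces) <= limit


def largest_aces(aces: Sequence[Tuple[PortMatch, PortMatch]], n: int = 3):
    """Which ACEs to rewrite first: (index, entries) for the n biggest expansions."""
    ranked = sorted(enumerate(aces), key=lambda ia: ace_entries(*ia[1]), reverse=True)
    return [(i, ace_entries(*a)) for i, a in ranked[:n]]


if __name__ == "__main__":
    # The page's example: gt 10 on both source and destination.
    print(ace_entries(("gt", 10), ("gt", 10)))          # 4293525625
    print(fits([(("gt", 10), ("gt", 10))]))             # False
    # A few tight matches stay well inside the budget (constructed sample).
    sample = [(None, ("eq", 443)), (("range", 1024, 2047), ("eq", 53)), (None, None)]
    print(acl_entries(sample), fits(sample))            # 1026 True
```

Run it against the planned ACL before committing it to the switch; an ACE that only needs a handful of well-known ports is far cheaper as several eq entries than as one open-ended gt.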
cwr, ece, urg, ack, psh, rst, syn, fin, established
These TCP flag matching parameters are not supported.
dscp
Specifies a Differentiated Services Code Point (DSCP) value. Enter either a numeric <DSCP-VALUE> (0-63) or a keyword as follows:
AF11 - DSCP 10 (Assured Forwarding Class 1, low drop probability)
AF12 - DSCP 12 (Assured Forwarding Class 1, medium drop probability)
AF13 - DSCP 14 (Assured Forwarding Class 1, high drop probability)
AF21 - DSCP 18 (Assured Forwarding Class 2, low drop probability)
AF22 - DSCP 20 (Assured Forwarding Class 2, medium drop probability)
AF23 - DSCP 22 (Assured Forwarding Class 2, high drop probability)
AF31 - DSCP 26 (Assured Forwarding Class 3, low drop probability)
AF32 - DSCP 28 (Assured Forwarding Class 3, medium drop probability)
AF33 - DSCP 30 (Assured Forwarding Class 3, high drop probability)
AF41 - DSCP 34 (Assured Forwarding Class 4, low drop probability)
AF42 - DSCP 36 (Assured Forwarding Class 4, medium drop probability)
AF43 - DSCP 38 (Assured Forwarding Class 4, high drop probability)
CS0 - DSCP 0 (Class Selector 0: Default)
CS1 - DSCP 8 (Class Selector 1: Scavenger)
CS2 - DSCP 16 (Class Selector 2: OAM)
CS3 - DSCP 24 (Class Selector 3: Signaling)
CS4 - DSCP 32 (Class Selector 4: Realtime)
CS5 - DSCP 40 (Class Selector 5: Broadcast video)
CS6 - DSCP 48 (Class Selector 6: Network control)
CS7 - DSCP 56 (Class Selector 7)
EF - DSCP 46 (Expedited Forwarding)
ecn <ECN-VALUE>
Specifies an Explicit Congestion Notification value. Range: 0-3.
ip-precedence <IP-PRECEDENCE-VALUE>
Specifies an IP precedence value. Range: 0-7.
tos <TOS-VALUE>
Specifies the traffic class. Range: 0-31.
fragment
Not supported.
vlan <VLAN-ID>
Not supported.
ttl <TTL-VALUE>
Not supported.
count
Keeps the hit counts of the number of packets matching this ACE.
log
Keeps a log of the number of packets matching this ACE. The action log can only be combined with deny, not permit.
Authority
Administrators
Usage
When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait-period is over, packets matching other ACL types do not create a log. At the end of the wait-period, the switch creates a summary log of all the ACLs that were matched, regardless of type.
Examples
Creating an IPv6 ACL with four entries:
switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 10 permit udp any 2001::1/64
switch(config-acl-ipv6)# 20 permit tcp 2001:2001::2:1/128 gt 1023 any
switch(config-acl-ipv6)# 30 permit tcp 2001:2011::1/64 any
switch(config-acl-ipv6)# 40 deny any any any count
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  > 1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled
Adding a comment to an existing IPv6 ACE:
switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 20 comment Permit all TCP ephemeral ports
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 Permit all TCP ephemeral ports
           permit                          tcp
           2001:2001::2:1                  > 1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled
Removing a comment from an existing IPv6 ACE:
switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# no 20 comment
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  > 1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled
Adding an ACE to an existing IPv6 ACL:
switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 25 permit icmpv6 2001::1/64 any
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  > 1023
           any
        25 permit                          icmpv6
           2001::1/64
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled
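How the sequence ordering plays out, as an added Python example that is not switch code: it parses the four ACEs from the first example above and the icmpv6 ACE just added, evaluates constructed packets in ascending sequence order, and shows that an ICMPv6 packet from 2001::/64 hits the counted deny at 40 until ACE 25 is inserted ahead of 30. Acl, Ace, Packet, parse_ace and lookup are hypothetical names; the parser enforces the page's constraints (ports only on sctp/tcp/udp, only count and log as options, log only with deny), and the rule that a packet matching no ACE is denied is an assumption stated in the code.

```python
# Added example (not switch code): first-match evaluation of the ACL built in
# the examples above, under the rule the page states (lowest sequence number is
# evaluated first; the first match decides) and its option constraints (only
# count/log supported, log only with deny). Assumption: a packet that matches
# no ACE is denied. Packets at the bottom are constructed for the demonstration.
import ipaddress
from collections import namedtuple
from typing import Optional, Tuple

PROTO_NUMS = {"tcp": 6, "udp": 17, "sctp": 132, "icmpv6": 58, "ah": 51,
              "esp": 50, "gre": 47, "ospf": 89, "pim": 103}
L4_PROTOS = {"tcp", "udp", "sctp"}             # only these take port operators
SUPPORTED_OPTIONS = {"count", "log"}           # fragment/vlan/ttl: not supported

Ace = namedtuple("Ace", "seq action proto src sport dst dport options")
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))

def _addr(tok: str) -> ipaddress.IPv6Network:
    if tok == "any":
        return ipaddress.IPv6Network("::/0")
    # strict=False keeps "2001::1/64" from the examples (host bits set) valid
    return ipaddress.IPv6Network(tok if "/" in tok else tok + "/128", strict=False)

def _port_op(toks: list) -> Optional[Tuple]:
    """Consume an optional eq/gt/lt <PORT> or range <MIN> <MAX> from toks."""
    if toks and toks[0] in ("eq", "gt", "lt"):
        return (toks.pop(0), int(toks.pop(0)))
    if toks and toks[0] == "range":
        toks.pop(0)
        return ("range", int(toks.pop(0)), int(toks.pop(0)))
    return None

def parse_ace(line: str) -> Ace:
    """Parse one ACE in the form the syntax block above defines."""
    toks = line.split()
    seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    takes_ports = proto in L4_PROTOS
    src = _addr(rest.pop(0))
    sport = _port_op(rest) if takes_ports else None
    dst = _addr(rest.pop(0))
    dport = _port_op(rest) if takes_ports else None
    options = frozenset(rest)
    if not options <= SUPPORTED_OPTIONS:
        raise ValueError(f"unsupported option(s): {sorted(options - SUPPORTED_OPTIONS)}")
    if "log" in options and action != "deny":
        raise ValueError("log can only be combined with deny")
    return Ace(seq, action, proto, src, sport, dst, dport, options)

def _port_ok(match: Optional[Tuple], port: int) -> bool:
    if match is None:
        return True
    op, a = match[0], match[1]
    if op == "range":
        return a <= port <= match[2]
    return {"eq": port == a, "gt": port > a, "lt": port < a}[op]

def _proto_ok(ace_proto: str, pkt_proto: int) -> bool:
    if ace_proto == "any":
        return True
    return (PROTO_NUMS[ace_proto] if ace_proto in PROTO_NUMS else int(ace_proto)) == pkt_proto

class Acl:
    def __init__(self, name: str):
        self.name, self.aces, self.hits = name, {}, {}   # seq -> Ace, seq -> count

    def add(self, line: str) -> None:
        ace = parse_ace(line)
        self.aces[ace.seq] = ace            # re-entering a sequence replaces the ACE
        self.hits[ace.seq] = 0

    def remove(self, seq: int) -> None:
        del self.aces[seq], self.hits[seq]

    def lookup(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, sequence of the first matching ACE); None = implicit deny."""
        src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
        for ace in sorted(self.aces.values(), key=lambda a: a.seq):
            if (_proto_ok(ace.proto, pkt.proto) and src in ace.src and dst in ace.dst
                    and _port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)):
                if "count" in ace.options:
                    self.hits[ace.seq] += 1
                return ace.action, ace.seq
        return "deny", None

def example_acl() -> Acl:
    """MY_IPV6_ACL as the first example above creates it."""
    acl = Acl("MY_IPV6_ACL")
    for line in ("10 permit udp any 2001::1/64",
                 "20 permit tcp 2001:2001::2:1/128 gt 1023 any",
                 "30 permit tcp 2001:2011::1/64 any",
                 "40 deny any any any count"):
        acl.add(line)
    return acl

if __name__ == "__main__":
    acl, ping = example_acl(), Packet("2001::7", "2001:db8::1", 58)   # constructed ICMPv6
    print(acl.lookup(ping))                                              # ('deny', 40)
    acl.add("25 permit icmpv6 2001::1/64 any")                           # the "Adding an ACE" step
    print(acl.lookup(ping), acl.hits[40])                                # ('permit', 25) 1
```

The count option on the final deny is what makes those drops visible in show access-list hitcounts; without it a misordered insert (say, 35 instead of 25) fails silently, which is why the evaluator reports the matching sequence number and not just the action.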
Replacing an ACE in an existing IPv6 ACL:
switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 25 permit icmpv6 2001::2:1/64 any
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  > 1023
           any
        25 permit                          icmpv6
           2001::2:1/64
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled
Removing an ACE from an IPv6 ACL:
switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# no 25
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  > 1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled
Removing an IPv6 ACL:
switch(config)# no access-list ipv6 MY_IPV6_ACL
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL2
         1 permit                          udp
           any
           2001::1/64
         2 Permit all TCP ephemeral ports
           permit                          tcp
           2001:2001::2:1                  > 1023
           any
         3 permit                          tcp
           2001:2011::1/64
           any
         4 deny                            any
           any
           any
           Hit-counts: enabled