IPv6 advanced ACL configuration example

Network requirements

A company interconnects its departments through Device A. Configure an ACL to do the following:

Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.

<DeviceA> system-view
[DeviceA] time-range work 8:0 to 18:0 working-day

# Create IPv6 advanced ACL 3000 and configure three rules in it. The first rule permits access from the President's office (1001::/16) to the database server (1000::100) at any time, the second permits access from the Financial department (1002::/16) to the database server only while time range work is active, and the third denies access from any other source to the database server. Enter the rules in this order: rules are matched in configuration order by default, so the catch-all deny must come after the two permits.

[DeviceA] acl ipv6 number 3000
[DeviceA-acl6-adv-3000] rule permit ipv6 source 1001:: 16 destination 1000::100 128
[DeviceA-acl6-adv-3000] rule permit ipv6 source 1002:: 16 destination 1000::100 128 time-range work
[DeviceA-acl6-adv-3000] rule deny ipv6 source any destination 1000::100 128
[DeviceA-acl6-adv-3000] quit

# Enable the IPv6 firewall, and apply IPv6 advanced ACL 3000 to filter outgoing packets on interface Ethernet 1/1, the interface through which packets to the database server leave Device A. Only traffic toward the server is filtered; return traffic from the server is not subject to this ACL.

[DeviceA] firewall ipv6 enable
[DeviceA] interface ethernet 1/1
[DeviceA-Ethernet1/1] firewall packet-filter ipv6 3000 outbound
[DeviceA-Ethernet1/1] quit

Verifying the configuration

# Ping the database server from a PC in the Financial department during working hours. (All PCs in this example use Windows XP.)

C:\> ping 1000::100

Pinging 1000::100 with 32 bytes of data:

Reply from 1000::100: time<1ms
Reply from 1000::100: time<1ms
Reply from 1000::100: time<1ms
Reply from 1000::100: time<1ms

Ping statistics for 1000::100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The output shows that the database server can be pinged from the Financial department during working hours.

# Ping the database server from a PC in the Marketing department during working hours.

C:\> ping 1000::100

Pinging 1000::100 with 32 bytes of data:

Destination net unreachable.
Destination net unreachable.
Destination net unreachable.
Destination net unreachable.

Ping statistics for 1000::100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output shows that the database server cannot be pinged from the Marketing department, which is covered only by the deny rule.

# Display configuration and match statistics for IPv6 advanced ACL 3000 on Device A during working hours.

[DeviceA] display acl ipv6 3000
 Advanced IPv6 ACL  3000, named -none-, 3 rules,
 ACL's step is 5
 rule 0 permit ipv6 source 1001::/16 destination 1000::100/128
 rule 5 permit ipv6 source 1002::/16 destination 1000::100/128 time-range work (4 times matched) (Active)
 rule 10 deny ipv6 destination 1000::100/128 (4 times matched)

The output shows that rule 5 is marked Active because time range work is currently in effect; outside working hours the rule is inactive and Financial department traffic falls through to rule 10. Rule 5 and rule 10 have each been matched four times, one match per echo request in the two ping operations. Rule 0 shows no matches because no traffic from the President's office was sent.
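The following is an added illustration, not Comware code, of how the packet filter evaluates ACL 3000 as configured above and how the match counters in the display acl ipv6 output come about. It models first-match evaluation in configuration order, skips rules whose time range is inactive, and reproduces the two pings from the verification section, then shows two cases the page only implies: the Financial department is denied outside working hours, and entering the catch-all deny first would block everyone. The per-department host addresses (1001::1, 1002::1, 1003::1), the sample timestamps, and the assumption that a packet matching no rule is permitted are all constructed for this example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, time

# Constructed model of ACL 3000 from the configuration above (not Comware code).
# Host addresses and timestamps are made up for the example; only the /16
# prefixes and the server address come from the page.

WORK_START, WORK_END = time(8, 0), time(18, 0)
WORKING_DAYS = range(0, 5)            # Monday..Friday in datetime.weekday()


def time_range_work(when):
    """Periodic time range 'work': 8:00 to 18:00 on working days."""
    return when.weekday() in WORKING_DAYS and WORK_START <= when.time() < WORK_END


def rule(rule_id, action, source, destination, time_range=None):
    return {
        "id": rule_id,
        "action": action,
        "source": ipaddress.ip_network(source),
        "destination": ipaddress.ip_network(destination),
        "time_range": time_range,
    }


# Rules in configuration order; the device numbers them 0, 5, 10 (step 5).
ACL_3000 = [
    rule(0, "permit", "1001::/16", "1000::100/128"),                   # President's office
    rule(5, "permit", "1002::/16", "1000::100/128", time_range_work),  # Financial, work hours only
    rule(10, "deny", "::/0", "1000::100/128"),                         # everyone else
]


class PacketFilter:
    """First-match evaluation with per-rule counters like 'display acl ipv6'."""

    def __init__(self, rules, default_action="permit"):
        # default_action is an assumption: packets matching no rule pass.
        self.rules = rules
        self.default_action = default_action
        self.matched = Counter()

    def filter(self, src, dst, when):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r["time_range"] is not None and not r["time_range"](when):
                continue               # inactive time range: rule is skipped
            if src in r["source"] and dst in r["destination"]:
                self.matched[r["id"]] += 1
                return r["action"], r["id"]
        return self.default_action, None


DB_SERVER = "1000::100"
PRESIDENT, FINANCIAL, MARKETING = "1001::1", "1002::1", "1003::1"  # constructed hosts
WORK_HOURS = datetime(2024, 3, 5, 10, 30)   # Tuesday 10:30
AFTER_HOURS = datetime(2024, 3, 5, 21, 0)   # Tuesday 21:00
WEEKEND = datetime(2024, 3, 9, 10, 30)      # Saturday 10:30


def ping(pf, src, when, count=4):
    """Push `count` echo requests through the filter; return the verdict."""
    verdict = None
    for _ in range(count):
        verdict = pf.filter(src, DB_SERVER, when)
    return verdict


def reproduce_page_verification():
    """The two pings from the page: Financial, then Marketing, during work hours."""
    pf = PacketFilter(ACL_3000)
    fin = ping(pf, FINANCIAL, WORK_HOURS)
    mkt = ping(pf, MARKETING, WORK_HOURS)
    return fin, mkt, dict(pf.matched)


def outside_working_hours():
    """Caveat: the Financial permit exists only while 'work' is active."""
    pf = PacketFilter(ACL_3000)
    return (ping(pf, FINANCIAL, AFTER_HOURS),
            ping(pf, FINANCIAL, WEEKEND),
            ping(pf, PRESIDENT, AFTER_HOURS))


def deny_first_mistake():
    """Ordering caveat: with the catch-all deny entered first, nobody gets through."""
    pf = PacketFilter([ACL_3000[2], ACL_3000[0], ACL_3000[1]])
    return ping(pf, PRESIDENT, WORK_HOURS), ping(pf, FINANCIAL, WORK_HOURS)


def other_destination():
    """Traffic to any host other than the database server matches no rule."""
    pf = PacketFilter(ACL_3000)
    return pf.filter(MARKETING, "1000::200", WORK_HOURS)


if __name__ == "__main__":
    print(reproduce_page_verification())
    print(outside_working_hours())
    print(deny_first_mistake())
    print(other_destination())
```

reproduce_page_verification() yields the same picture as the display output on the page: four matches on rule 5 and four on rule 10, none on rule 0. The other functions show why rule order and the time-range state matter when reading such counters.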