To configure deny conditions for an IPv6 access control list (ACL), use the deny command in IPv6-ACL configuration submode. To remove the conditions, use the no form of the command.
deny {ipv6-protocol-number | ipv6} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} {dest-ipv6-prefix/prefix-length | any | host dest-ipv6-address} [log-deny]
deny icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} {dest-ipv6-prefix/prefix-length | any | host dest-ipv6-address} [icmp-type [icmp-code]] [log-deny]
deny tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [source-port-operator source-port-number | range source-port-number source-port-number] {dest-ipv6-prefix/prefix-length | any | host dest-ipv6-address} [dest-port-operator dest-port-number | range dest-port-number dest-port-number] [established] [log-deny]
deny udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [source-port-operator source-port-number | range source-port-number source-port-number] {dest-ipv6-prefix/prefix-length | any | host dest-ipv6-address} [dest-port-operator dest-port-number | range dest-port-number dest-port-number] [log-deny]
no deny {ipv6-protocol-number | ipv6 | icmp | tcp | udp}
Syntax Description
ipv6-protocol-number | Specifies an IPv6 protocol number. The range is 0 to 255.
ipv6 | Applies the ACL to any IPv6 packet.
source-ipv6-prefix/prefix-length | Specifies a source IPv6 network or class of networks. The format is X:X:X::X/n.
any | Applies the ACL to any source or destination prefix.
host source-ipv6-address | Applies the ACL to the specified source IPv6 host address. The format is X:X:X::X.
dest-ipv6-prefix/prefix-length | Specifies a destination IPv6 network or class of networks. The format is X:X:X::X/n.
host dest-ipv6-address | Applies the ACL to the specified destination IPv6 host address. The format is X:X:X::X.
log-deny | (Optional) For packets that are dropped, creates an informational log message about the packet that matches the entry. The message includes the input interface.
icmp | Applies the ACL to any Internet Control Message Protocol (ICMP) packet.
icmp-type | Specifies an ICMP message type. The range is 0 to 255.
icmp-code | Specifies an ICMP message code. The range is 0 to 255.
tcp | Applies the ACL to any TCP packet.
source-port-operator | Specifies an operand that compares the source ports of the specified protocol. The operands are lt (less than), gt (greater than), and eq (equals).
source-port-number | Specifies the port number of a TCP or UDP port. The number can be from 0 to 65535. A range requires two port numbers.
udp | Applies the ACL to any UDP packet.
dest-port-operator | Specifies an operand that compares the destination ports of the specified protocol. The operands are lt (less than), gt (greater than), and eq (equals).
dest-port-number | Specifies the port number of a TCP or UDP port. The number can be from 0 to 65535. A range requires two port numbers.
range | Specifies a range of ports to compare for the specified protocol.
established | (Optional) Indicates an established connection, which is defined as a packet whose SYN flag is not set.
Command Modes
IPv6-ACL configuration submode.
Command History
Release | Modification
3.0(1) | This command was introduced.
Usage Guidelines
The following guidelines can assist you in configuring an IPv6-ACL.
You can apply IPv6-ACLs to VSAN interfaces, the management interface, Gigabit Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel interfaces. However, if IPv6-ACLs are already configured on a Gigabit Ethernet interface, you cannot add this interface to an Ethernet PortChannel group.
Caution | Do not apply IPv6-ACLs to just one member of a PortChannel group. Apply IPv6-ACLs to the entire channel group.
- Use only the TCP or ICMP options when configuring IPv6-ACLs on Gigabit Ethernet interfaces.
- Configure the order of conditions accurately. Because the IPv6-ACL filters are applied sequentially to the IP flows, the first match determines the action taken. Subsequent matches are not considered. Be sure to configure the most important condition first. If no conditions match, the software drops the packet.
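The first-match rule and the implicit drop described above, modelled in Python as an added example (not code from the Cisco documentation): it parses entries in the syntax shown on this page and evaluates constructed packets against them in order. It assumes a companion permit entry with the same operand syntax, and covers only the tcp/udp port operators, established and log-deny (no ICMP type or code, no numeric protocol).

```python
import ipaddress

def parse_entry(line):
    """Parse one IPv6-ACL entry written in the syntax shown above (subset)."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    def addr():  # {prefix/prefix-length | any | host address}
        nonlocal i
        kw = tok[i]
        i += 2 if kw == "host" else 1
        if kw == "any":
            return ipaddress.ip_network("::/0")
        return ipaddress.ip_network(tok[i - 1] + ("/128" if kw == "host" else ""), strict=False)
    def port():  # [lt|gt|eq port | range lo hi]; only tcp and udp carry ports
        nonlocal i
        op = tok[i] if proto in ("tcp", "udp") and i < len(tok) else None
        if op in ("lt", "gt", "eq"):
            n, i = int(tok[i + 1]), i + 2
            return {"lt": lambda p: p < n, "gt": lambda p: p > n, "eq": lambda p: p == n}[op]
        if op == "range":
            lo, hi, i = int(tok[i + 1]), int(tok[i + 2]), i + 3
            return lambda p: lo <= p <= hi
        return lambda p: True
    src, sport, dst, dport = addr(), port(), addr(), port()
    flags = set(tok[i:])  # remaining keywords: established, log-deny
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "established": "established" in flags, "log": "log-deny" in flags}

def packet(proto, src, dst, sport=0, dport=0, syn=False):
    """Constructed packet summary holding only the fields an entry can test."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "syn": syn}

def evaluate(acl, pkt):
    """Entries are tried in order and the first match decides; no match means drop."""
    for e in acl:
        if (e["proto"] in ("ipv6", pkt["proto"])
                and pkt["src"] in e["src"] and pkt["dst"] in e["dst"]
                and e["sport"](pkt["sport"]) and e["dport"](pkt["dport"])
                and not (e["established"] and pkt["syn"])):  # established: SYN not set
            return e["action"], e["log"]  # (action, whether log-deny applies)
    return "deny", False  # implicit drop when no condition matches

# Constructed list (assumed permit keyword): the telnet deny must precede the permit.
ACL = [parse_entry(l) for l in (
    "deny tcp any any eq 23 log-deny", "deny udp host 2001:db8:200d::4000 any",
    "permit tcp 2001:db8::/32 any established", "permit icmp any any",
)]
```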
Examples
The following example configures an IPv6-ACL called List1, enters IPv6-ACL submode, and adds an entry to deny TCP traffic from any source address to any destination address:
switch# config terminal
switch(config)# ipv6 access-list List1
switch(config-ipv6-acl)# deny tcp any any
The following example removes a deny condition set for any destination prefix on a specified UDP host:
switch# config terminal
switch(config)# ipv6 access-list List1
switch(config-ipv6-acl)# no deny udp host 2001:db8:200d::4000 any
The following example removes the IPv6-ACL called List1 and all its entries:
switch# config terminal
switch(config)# no ipv6 access-list List1