
IPv6 ACL traffic filtering criteria, IPv6 protocol names and numbers – Brocade FastIron Ethernet Switch Security Configuration Guide

Page 154

with 4000 entries, two ACLs with 2000 and 2093 entries respectively (combining IPv4 and IPv6 ACLs),
etc.

An IPv6 ACL is composed of one or more conditional statements that apply an action (permit or deny)
if a packet matches a specified source or destination prefix. For FSX devices, there can be up to 1024
statements per port region, including IPv6, IPv4, MAC address filters, and default statements. For FCX
devices, there can be up to 4096 statements per port region, including IPv6, IPv4, MAC address filters,
and default statements. For ICX devices, there can be up to 1536 statements per port region, including
IPv6, IPv4, MAC address filters, and default statements. ICX 6650 and ICX 7750 devices have 2048
TCAM rules per port region. When the maximum number of ACL rules allowed per port region is
reached, an error message is displayed on the console.

In ACLs with multiple statements, you can specify a priority for each statement. The specified priority
determines the order in which the statement appears in the ACL. The last statement in each IPv6 ACL
is an implicit deny statement for all packets that do not match the previous statements in the ACL.

You can configure an IPv6 ACL on a global basis, then apply it to the incoming or outgoing IPv6
packets on specified interfaces. You can apply only one incoming and only one outgoing IPv6 ACL to
an interface. When an interface sends or receives an IPv6 packet, it applies the statements within the
ACL in their order of appearance to the packet. As soon as a match occurs, the Brocade device takes
the specified action (permit or deny the packet) and stops further comparison for that packet.

IPv6 ACLs are supported on:

• Gbps Ethernet ports
• 10 Gbps Ethernet ports
• Trunk groups
• Virtual routing interfaces

NOTE
IPv6 ACLs are supported on inbound and outbound traffic and are implemented in hardware, making it
possible for the Brocade device to filter traffic at line-rate speed on 10 Gbps interfaces.

IPv6 ACL traffic filtering criteria

The Brocade implementation of IPv6 ACLs enables traffic filtering based on the following information:

• IPv6 protocol
• Source IPv6 address
• Destination IPv6 address
• IPv6 message type
• Source TCP or UDP port (if the IPv6 protocol is TCP or UDP)
• Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)

NOTE
When setting the ACL rule to filter specific ICMP packets, the IPv6 ACL mirroring option is not
supported. Hence, the permit icmp any any echo-request mirror command cannot be used.
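The ordered first-match evaluation, the implicit deny at the end of every IPv6 ACL, and the filtering criteria listed above can be exercised in software before a list is committed to a switch. The following Python model is an added example, not Brocade code or CLI output. It reads statements in a Brocade/Cisco-style subset whose `host <addr>`, `<prefix>/<len>` and `eq <port>` forms, the `ipv6` any-protocol keyword and the sample addresses are assumptions not defined on this page; it accepts well-known protocol names or a protocol number from 0 to 255, rejects port qualifiers on anything but TCP/UDP and ICMP message types on anything but ICMP, evaluates constructed packets against the statements in order, and flags statements that an earlier statement shadows so they can never match (a common way for a later deny to be silently ignored).

```python
"""First-match evaluation of an IPv6 ACL as the guide describes it.

Added example, not Brocade code. Statement syntax is a Brocade/Cisco-style
subset that this page does not define: 'any', 'host <addr>', '<prefix>/<len>'
and 'eq <port>' are assumptions, as are the sample addresses below."""
import ipaddress

# Well-known names resolved to IPv6 next-header numbers. Assumption: the
# "ipv6" pseudo-protocol (None here) matches any protocol.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 58, "ipv6": None}
ICMP_TYPES = {"echo-request": 128, "echo-reply": 129}  # RFC 4443 values


def _net(tok):
    """Consume one address specifier: any | host <addr> | <prefix>/<len>."""
    if tok[0] == "any":
        return ipaddress.IPv6Network("::/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv6Network(tok[1] + "/128"), tok[2:]
    return ipaddress.IPv6Network(tok[0], strict=False), tok[1:]


def _port(tok):
    """Consume an optional 'eq <port>' qualifier."""
    if tok[:1] == ["eq"]:
        return int(tok[1]), tok[2:]
    return None, tok


def parse_rule(line):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p] [icmp-type]'."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny"):
        raise ValueError("statement must start with permit or deny: " + line)
    proto = PROTO_NUMBERS[proto] if proto in PROTO_NUMBERS else int(proto)
    if proto is not None and not 0 <= proto <= 255:
        raise ValueError("protocol number must be 0-255: " + line)
    src, tok = _net(tok)
    sport, tok = _port(tok)
    dst, tok = _net(tok)
    dport, tok = _port(tok)
    icmp_type = ICMP_TYPES[tok[0]] if tok else None  # unknown name -> KeyError
    if (sport is not None or dport is not None) and proto not in (6, 17):
        raise ValueError("port qualifiers apply only to tcp/udp: " + line)
    if icmp_type is not None and proto != 58:
        raise ValueError("ICMP message types apply only to icmp: " + line)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "icmp_type": icmp_type}


def parse_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def matches(rule, pkt):
    """True when every criterion the statement carries matches the packet."""
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"])
            and ipaddress.IPv6Address(pkt["src"]) in rule["src"]
            and ipaddress.IPv6Address(pkt["dst"]) in rule["dst"]
            and all(rule[k] is None or rule[k] == pkt.get(k)
                    for k in ("sport", "dport", "icmp_type")))


def evaluate(acl, pkt):
    """Return (action, statement index) of the first match; the implicit
    deny that ends every IPv6 ACL is reported as ("deny", None)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule["action"], i
    return "deny", None


def shadowed(acl):
    """Indices of statements that can never match because an earlier
    statement already matches a superset of their packets."""
    out = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier["proto"] in (None, later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and all(earlier[k] in (None, later[k])
                            for k in ("sport", "dport", "icmp_type"))):
                out.append(i)
                break
    return out


# Constructed ACL: the last statement is dead, shadowed by the first.
ACL_TEXT = """
permit tcp 2001:db8:1::/48 host 2001:db8:2::10 eq 22
deny icmp any any echo-request
permit icmp any any
permit tcp 2001:db8:1:5::/64 host 2001:db8:2::10 eq 22
"""

# Constructed packets (proto is the IPv6 next-header number).
SAMPLE_PACKETS = {
    "ssh":  dict(src="2001:db8:1:5::7", dst="2001:db8:2::10", proto=6, dport=22),
    "ping": dict(src="2001:db8:9::1", dst="2001:db8:2::10", proto=58, icmp_type=128),
    "pong": dict(src="2001:db8:2::10", dst="2001:db8:9::1", proto=58, icmp_type=129),
    "dns":  dict(src="2001:db8:1:5::7", dst="2001:db8:2::53", proto=17, dport=53),
}

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, evaluate(acl, pkt))
    print("shadowed statements:", shadowed(acl))
```

Running the module evaluates each constructed packet and reports statement 3 as shadowed: its /64 source is inside the /48 of statement 0 with identical protocol, destination and port, so first-match evaluation never reaches it. The DNS packet matches nothing and falls to the implicit deny, which the model reports with index None to distinguish it from an explicit deny statement.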

IPv6 protocol names and numbers

The IPv6 protocol can be one of the following well-known names or any IPv6 protocol number from 0 -
255:

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03