
IPv6 ACL configuration notes – Brocade FastIron Ethernet Switch Security Configuration Guide


• Authentication Header (AHP)
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol Version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

NOTE
TCP and UDP filters will be matched only if they are listed as the first option in the extension header.

For TCP and UDP, you also can specify a comparison operator and port name or number. For example,
you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP)
packets from a specified source IPv6 address to the website IPv6 address.

IPv6 ACLs also provide support for filtering packets based on DSCP.

IPv6 ACL configuration notes

• IPv4 source guard and IPv6 ACLs are supported together on the same device, as long as they are not configured on the same port or virtual interface.
• IPv6 ACLs do not support ACL filtering based on VLAN membership or VE port membership.
• IPv6 ACLs cannot be used with GRE.
• IPv6 ACLs cannot be employed to implement a user-based ACL scheme.
• If an IPv6 ACL has the implicit deny condition, make sure it also permits the IPv6 link-local address, in addition to the global unicast address. Otherwise, routing protocols such as OSPF will not work. To view the link-local address, use the show ipv6 interface command.

• IPv6 must be enabled on the interface, or an IPv6 address must be configured on the interface, before an ACL can be applied to it. If IPv6 is not enabled or there is no IPv6 address configured on the interface, the system displays the following error message.

device(config-if-e1000-7)#ipv6 traffic-filter netw in
Error: IPv6 is not enabled for interface 7

To enable IPv6 on an interface, enter ipv6 enable at the Interface level of the CLI, or assign an IPv6 address to the interface as described in the section "IPv6 configuration on each router interface" in the FastIron Ethernet Switch Administration Guide and further discussed in "Enabling IPv6 on an interface to which an ACL will be applied" on page 164.

• On interfaces that have IPv6 ACLs applied on outbound packets, the following features are not supported:
    ACL mirroring
    ACL accounting
    ACL logging
    Traffic policies
    Internal priority marking
    dscp-cos-mapping

• You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so causes the system to return the following error message.

device(config-if-e1000-7)#no ipv6 enable
Error: Port 7 has IPv6 ACL configured. Cannot disable IPv6
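The following CLI session is an added example that ties the notes above together (the TCP port 80 deny policy, the link-local permit needed when the list ends in an implicit deny, and enabling IPv6 before binding the filter); it is not taken from the guide. Only ipv6 enable and ipv6 traffic-filter appear on this page; the ipv6 access-list entry syntax, the interface number and the 2001:db8::/32 documentation addresses are assumptions.

```text
! Added example, not from the guide. Entry syntax and addresses are assumed.
device(config)# ipv6 access-list netw
! Permit link-local first so OSPFv3 hellos and neighbor discovery survive
! even if the final permit-any line is later removed (implicit deny).
device(config-ipv6-access-list netw)# permit ipv6 fe80::/10 any
device(config-ipv6-access-list netw)# permit ipv6 any fe80::/10
! Block HTTP from one client to the web server's global unicast address.
device(config-ipv6-access-list netw)# deny tcp host 2001:db8:a::10 host 2001:db8:b::80 eq 80
! Allow all remaining IPv6 traffic; without this line everything else is dropped.
device(config-ipv6-access-list netw)# permit ipv6 any any
device(config-ipv6-access-list netw)# exit
! IPv6 must be enabled on the port before the filter can be bound,
! otherwise the "IPv6 is not enabled for interface" error shown above is returned.
device(config)# interface ethernet 7
device(config-if-e1000-7)# ipv6 enable
device(config-if-e1000-7)# ipv6 traffic-filter netw in
```

Use show ipv6 interface on the port to confirm the link-local address that the permit entries must cover.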

IPv6 ACL configuration notes

FastIron Ethernet Switch Security Configuration Guide

155

53-1003088-03