Configuring an ipv6 acl, Example ipv6 configurations – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
To disable IPv6, first remove the ACL from the interface.

• For notes on applying IPv6 ACLs to trunk ports, see Applying an IPv6 ACL to a trunk group on page 165.

• For notes on applying IPv6 ACLs to virtual ports, see Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN on page 165.

• The dscp-cos-mapping option is supported on FSX devices only.

Configuring an IPv6 ACL

Follow the steps given below to configure an IPv6 ACL.

1. Create the ACL.
2. Enable IPv6 on the interface to which the ACL will be applied.
3. Apply the ACL to the interface.

Example IPv6 configurations

To configure an access list that blocks all Telnet traffic received on port 1/1 from IPv6 host
2001:DB8:e0bb::2, enter the following commands.

device(config)# ipv6 access-list fdry
device(config-ipv6-access-list-fdry)# deny tcp host 2001:DB8:e0bb::2 any eq telnet
device(config-ipv6-access-list-fdry)# permit ipv6 any any
device(config-ipv6-access-list-fdry)# exit
device(config)# int eth 1/1
device(config-if-1/1)# ipv6 enable
device(config-if-1/1)# ipv6 traffic-filter fdry in
device(config)# write memory

The following is another example of commands for configuring an ACL and applying it to an interface.

device(config)# ipv6 access-list netw
device(config-ipv6-access-list-netw)# permit icmp 2001:DB8:e0bb::/64 2001:DB8::/64
device(config-ipv6-access-list-netw)# deny ipv6 host 2001:DB8:e0ac::2 host 2001:DB8:e0aa:0::24
device(config-ipv6-access-list-netw)# deny udp any any
device(config-ipv6-access-list-netw)# permit ipv6 any any

The first condition permits ICMP traffic from hosts in the 2001:DB8:e0bb::x network to hosts in the
2001:DB8::x network.

The second condition denies all IPv6 traffic from host 2001:DB8:e0ac::2 to host 2001:DB8:e0aa:0::24.

The third condition denies all UDP traffic.

The fourth condition permits all packets that are not explicitly denied by the other entries. Without this
entry, the ACL would deny all incoming IPv6 traffic on the ports to which you assigned the ACL.
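As an added illustration (not part of the guide), the following Python script parses the two ACLs shown above in their FastIron syntax and evaluates sample packets against them using the same first-match, implicit-deny semantics the text describes, so the effect of entry order and of the final permit ipv6 any any can be checked before an ACL is applied. The port-name table and the sample packet fields are assumptions of the example.

```python
import ipaddress

# The two ACLs from the page, in FastIron IPv6 ACL syntax (one entry per line).
FDRY_ACL = """
deny tcp host 2001:DB8:e0bb::2 any eq telnet
permit ipv6 any any
"""
NETW_ACL = """
permit icmp 2001:DB8:e0bb::/64 2001:DB8::/64
deny ipv6 host 2001:DB8:e0ac::2 host 2001:DB8:e0aa:0::24
deny udp any any
permit ipv6 any any
"""
PORT_NAMES = {"telnet": 23, "ssh": 22}  # assumed names for the 'eq <name>' operator

def parse_addr(tokens):
    """Consume one address spec ('any', 'host X' or 'prefix/len'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv6Network("::/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.IPv6Network(tokens[0], strict=False), tokens[1:]

def parse_acl(text):
    """Return (action, protocol, src_net, dst_net, dst_port) tuples in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = parse_addr(tokens[2:])
        dst, rest = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:  # 'eq' after the destination restricts the destination port
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First match wins; no match returns ('deny', None): the implicit deny ending every ACL."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for n, (action, p, snet, dnet, port) in enumerate(entries, 1):
        if p not in ("ipv6", proto) or s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action, n
    return "deny", None
```

Evaluating the "netw" ACL with its fourth entry removed (entries[:3]) returns ('deny', None) for ordinary TCP traffic, which is the all-deny behaviour the paragraph above warns about.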

The following commands apply the ACL "netw" to the incoming traffic on port 1/2 and to the incoming
traffic on port 4/3.

device(config)# int eth 1/2
device(config-if-1/2)# ipv6 enable
device(config-if-1/2)# ipv6 traffic-filter netw in
device(config-if-1/2)# exit
device(config)# int eth 4/3
device(config-if-4/3)# ipv6 enable

Configuring an IPv6 ACL

156

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03