Default and implicit IPv6 ACL action – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 157

device(config-if-4/3)# ipv6 traffic-filter netw in
device(config)# write memory
Here is another example.
device(config)# ipv6 access-list rtr
device(config-ipv6-access-list rtr)# deny tcp 2001:DB8:21::/24 2001:DB8:22::/24
device(config-ipv6-access-list rtr)# deny udp any range 5 6 2001:DB8:22::/24
device(config-ipv6-access-list rtr)# permit ipv6 any any
device(config-ipv6-access-list rtr)# write memory
The first condition in this ACL denies TCP traffic from the 2001:DB8:21::x network to the
2001:DB8:22::x network.
The next condition denies UDP packets from any source with a source UDP port in the range 5 to 6
and whose destination is the 2001:DB8:22::/24 network.
The third condition permits all packets containing source and destination addresses that are not
explicitly denied by the first two. Without this entry, the ACL would deny all incoming IPv6 traffic on the
ports to which you assign the ACL.
A show running-config command displays the following.
device(config)# show running-config
ipv6 access-list rtr
deny tcp 2001:DB8:21::/24 2001:DB8:22::/24
deny udp any range rje 6 2001:DB8:22::/24
permit ipv6 any any
A show ipv6 access-list command displays the following.
device(config)# sh ipv6 access-list rtr
ipv6 access-list rtr: 3 entries
10: deny tcp 2001:DB8:21::/24 2001:DB8:22::/24
20: deny udp any range rje 6 2001:DB8:22::/24
30: permit ipv6 any any
The following commands apply the ACL "rtr" to the incoming traffic on ports 2/1 and 2/2.
device(config)# int eth 2/1
device(config-if-2/1)# ipv6 enable
device(config-if-2/1)# ipv6 traffic-filter rtr in
device(config-if-2/1)# exit
device(config)# int eth 2/2
device(config-if-2/2)# ipv6 enable
device(config-if-2/2)# ipv6 traffic-filter rtr in
device(config)# write memory
Default and implicit IPv6 ACL action
The default action when no IPv6 ACLs are configured on an interface is to permit all IPv6 traffic.
However, once you configure an IPv6 ACL and apply it to an interface, the default action for that
interface is to deny all IPv6 traffic that is not explicitly permitted on the interface.
• If you want to tightly control access, configure ACLs consisting of permit entries for the access you
want to permit. The ACLs implicitly deny all other access.
• If you want to secure access in environments with many users, you might want to configure ACLs
that consist of explicit deny entries, then add an entry at the end of each ACL to permit all access.
The permit entry permits packets that are not denied by the deny entries.
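The first-match order and the implicit deny described above, as an added example that is not part of the Brocade guide: a simplified Python model of the ACL "rtr" evaluated with no ACL applied, with the full ACL, and with the final permit entry left out. The tuple layout, the function names and the sample packets are assumptions made for illustration.

```python
import ipaddress

# ACL "rtr" from the page as (action, protocol, source, source ports, destination).
# None means "any". The tuple layout is an assumption made for this example.
RTR = [
    ("deny", "tcp", "2001:DB8:21::/24", None, "2001:DB8:22::/24"),
    ("deny", "udp", None, (5, 6), "2001:DB8:22::/24"),
    ("permit", "ipv6", None, None, None),
]

def in_prefix(addr, prefix):
    # strict=False masks bits beyond the prefix length, so only the first
    # 24 bits of the page's /24 entries take part in the comparison.
    if prefix is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def evaluate(acl, proto, src, dst, sport=None):
    """Return (action, matching sequence number) using first-match order."""
    if acl is None:  # no ACL applied: the default is to permit all IPv6 traffic
        return ("permit", "no-acl")
    for index, (action, e_proto, e_src, e_ports, e_dst) in enumerate(acl, start=1):
        if e_proto not in ("ipv6", proto):
            continue
        if not (in_prefix(src, e_src) and in_prefix(dst, e_dst)):
            continue
        if e_ports and not (sport is not None and e_ports[0] <= sport <= e_ports[1]):
            continue
        return (action, index * 10)  # 10, 20, 30 as in the show output
    # An ACL is applied and no entry matched: implicit deny. The further
    # implicit conditions the guide lists are not modelled here.
    return ("deny", "implicit")

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, source port).
    packets = [
        ("tcp", "2001:db8:21::1", "2001:db8:22::1", 40000),
        ("udp", "fd00::1", "2001:db8:22::1", 5),
        ("udp", "fd00::1", "2001:db8:22::1", 7),
    ]
    without_permit = RTR[:2]  # same ACL with the final permit entry left out
    for proto, src, dst, sport in packets:
        print(proto, sport, evaluate(None, proto, src, dst, sport),
              evaluate(RTR, proto, src, dst, sport),
              evaluate(without_permit, proto, src, dst, sport))
```

The third sample packet is permitted by entry 30 of the full ACL and dropped by the implicit deny once that entry is left out.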
Every IPv6 ACL has the following implicit conditions as its last match conditions.
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03