Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

172 Multi-Service IronWare Security Configuration Guide 53-1003035-02

Configuring an IPv6 Access Control List

Brocade devices support IPv6 access control lists (ACLs), which you can use for traffic filtering. You can configure up to 200 IPv6 ACLs. For details on Layer 2 ACLs, refer to “Layer 2 Access Control Lists”. For details on IPv4 ACLs, refer to “Access Control List”.

An IPv6 ACL is composed of one or more conditional statements that identify an action (permit or
deny) if a packet matches a specified source or destination prefix. There can be up to 20,480
(20K) statements per device.

In ACLs with multiple statements, you can specify a priority sequence number for each statement. The specified priority sequence number determines the order in which the statement appears in the ACL. The last statement is an implicit deny statement for all packets that do not match the previous statements in the ACL.

You can configure an IPv6 ACL on a global basis, then apply it to the incoming or outgoing IPv6 packets on specified Brocade device interfaces. You can apply only one IPv6 ACL to incoming traffic for an interface and only one IPv6 ACL to outgoing traffic on an interface. When an interface sends or receives an IPv6 packet, it applies the statements within the ACL (in their order of occurrence in the ACL) to the packet. When a match occurs, the Brocade device takes the specified action (permits or denies the packet) and stops further comparison for that packet.

On Brocade NetIron CES and Brocade NetIron CER devices, each port supports one inbound L2 ACL
and one inbound IP ACL. If both an inbound L2 ACL and an inbound IP ACL are bound to the same
port, incoming packets are evaluated first by the IP ACL. If you do not include a “permit any any”
statement at the end of the IP ACL, the implicit deny prevents any packets not explicitly permitted
from being evaluated by the L2 ACL.

When LAGs are created or deleted dynamically on ports that use IPv6 ACLs, all ports that will be part of the LAG must have the same configuration before the LAG is formed. After the LAG is removed, all ACL bindings (if any) are propagated to all of the secondary ports.

IPv6 ACLs enable traffic filtering based on the following information:

• IPv6 protocol
• Source IPv6 address
• Destination IPv6 address
• ICMP message type (if the protocol is ICMP)
• Source TCP or UDP port (if the IPv6 protocol is TCP or UDP)
• Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)

The IPv6 protocol can be one of the following well-known names, or any IPv6 protocol number from 0 – 255:

• Authentication Header (AHP)
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol Version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block Web access to a specific site by denying all TCP port
80 (HTTP) packets from a specified source IPv6 address to the IPv6 address of the site.
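The matching semantics described above (statements applied in sequence-number order, first match wins, implicit deny at the end, TCP/UDP port comparison operators), as an added Python model that is not Brocade's own code; the policy, prefixes and packets are constructed for illustration and the rule syntax is a simplification of the CLI:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv6Net = ipaddress.IPv6Network
ANY = IPv6Net("::/0")                      # "any" source or destination
PORT_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
            "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

@dataclass
class Rule:
    seq: int                      # priority sequence number (orders the ACL)
    action: str                   # "permit" or "deny"
    proto: str                    # "ipv6" matches any protocol; else "tcp", "udp", "icmp", ...
    src: IPv6Net
    dst: IPv6Net
    dport: Optional[Tuple[str, int]] = None   # e.g. ("eq", 80); None matches any port

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """A statement matches only if every field it specifies matches the packet."""
    if rule.proto != "ipv6" and rule.proto != pkt["proto"]:
        return False
    if pkt["src"] not in rule.src or pkt["dst"] not in rule.dst:
        return False
    if rule.dport is not None:    # port comparison only meaningful for TCP/UDP
        op, n = rule.dport
        if pkt["proto"] not in ("tcp", "udp") or pkt["dport"] is None \
                or not PORT_OPS[op](pkt["dport"], n):
            return False
    return True

def evaluate(acl: List[Rule], pkt: dict):
    """Apply statements in sequence order; stop at the first match; implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None           # implicit deny: nothing matched

def packet(src, dst, proto, dport=None):
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "proto": proto, "dport": dport}

# Constructed policy: block HTTP from one /64 to a site's address, allow everything else.
SITE = IPv6Net("2001:db8:ffff::10/128")
WEB_BLOCK = [
    Rule(20, "permit", "ipv6", ANY, ANY),                                  # "permit any any"
    Rule(10, "deny", "tcp", IPv6Net("2001:db8:1::/64"), SITE, ("eq", 80)), # seq 10 runs first
]

if __name__ == "__main__":
    print(evaluate(WEB_BLOCK, packet("2001:db8:1::5", "2001:db8:ffff::10", "tcp", 80)))   # ('deny', 10)
    print(evaluate(WEB_BLOCK, packet("2001:db8:1::5", "2001:db8:ffff::10", "tcp", 443)))  # ('permit', 20)
    print(evaluate([WEB_BLOCK[1]], packet("2001:db8:2::1", "2001:db8::1", "udp", 53)))    # ('deny', None)
```

Note that without the `permit any any` statement the third packet is dropped by the implicit deny, which is the same effect the text describes for an inbound IP ACL on NetIron CES and CER ports.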