Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
53-1003035-02
Configuring an IPv6 Access Control List
IPv6 ACLs also support the filtering of packets based on DSCP values.
NOTE
IPv6 ACLs are applied only to routed packets. This also applies to the mirror and deny-log actions.
Configuration considerations for dual inbound ACLs on Brocade NetIron CES and Brocade NetIron CER devices
You can bind an inbound L2 ACL and an inbound IP ACL to the same port on Brocade NetIron CES and Brocade NetIron CER devices. The IP ACL is applied first to incoming packets; only a packet permitted by the IP ACL is then examined against the L2 ACL. Deny actions take precedence (if one ACL permits a packet and the other denies it, the packet is dropped), and there is an implicit deny at the end of each ACL. Because of that implicit deny, when you bind dual inbound ACLs to a single port, include a permit any any filter as the last clause of the IP ACL; otherwise any packet the IP ACL does not explicitly permit is dropped before the L2 ACL ever sees it.
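The evaluation order above is easy to get wrong, so the following added example (not Brocade code, and not the router's CLI syntax) models it: the IP ACL is consulted first, a deny from either ACL drops the packet, and an unmatched packet hits the implicit deny of whichever ACL it is in. The rule representation, MAC addresses and packets are constructed for illustration.

```python
"""Model of dual inbound ACL evaluation on a NetIron CES/CER port.

Added example, not Brocade code: it reproduces the evaluation order the
guide describes (IP ACL first, then L2 ACL, deny wins, implicit deny at the
end of each ACL). The rule representation, MACs and packets are constructed
for illustration and are not the router's CLI syntax.
"""

# A rule is (action, match); match maps packet fields to required values.
# An empty match dict stands for a "permit any any" / "deny any any" clause.
ANY = {}

def eval_acl(rules, pkt):
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for action, match in rules:
        if all(pkt.get(field) == value for field, value in match.items()):
            return action
    return "deny"          # implicit deny at the end of every ACL

def dual_inbound(ip_acl, l2_acl, pkt):
    """Return (verdict, deciding_acl) for a packet entering a dual-ACL port.

    The IP ACL is consulted first; only a packet it permits reaches the L2
    ACL, and a deny from either ACL drops the packet.
    """
    if eval_acl(ip_acl, pkt) == "deny":
        return ("drop", "ip-acl")
    if eval_acl(l2_acl, pkt) == "deny":
        return ("drop", "l2-acl")
    return ("forward", "l2-acl")

# Constructed ACLs. IP_ACL_BAD blocks telnet but ends in the implicit deny;
# IP_ACL_GOOD adds the trailing "permit any any" the guide calls for.
IP_ACL_BAD = [("deny", {"proto": "tcp", "dport": 23})]
IP_ACL_GOOD = IP_ACL_BAD + [("permit", ANY)]
L2_ACL = [("deny", {"smac": "0000.0000.0bad"}),   # quarantine one source MAC
          ("permit", ANY)]

# Constructed sample packets.
SSH_FROM_GOOD_HOST = {"proto": "tcp", "dport": 22, "smac": "0000.0000.0001"}
SSH_FROM_BAD_HOST = {"proto": "tcp", "dport": 22, "smac": "0000.0000.0bad"}
TELNET_FROM_GOOD_HOST = {"proto": "tcp", "dport": 23, "smac": "0000.0000.0001"}

def demo():
    """Return the verdicts a practitioner would check after binding both ACLs."""
    return {
        # Missing trailing permit: SSH never reaches the L2 ACL and is dropped.
        "ssh_no_trailing_permit": dual_inbound(IP_ACL_BAD, L2_ACL, SSH_FROM_GOOD_HOST),
        # With the trailing permit the L2 ACL gets to decide.
        "ssh_trailing_permit": dual_inbound(IP_ACL_GOOD, L2_ACL, SSH_FROM_GOOD_HOST),
        "ssh_from_quarantined_mac": dual_inbound(IP_ACL_GOOD, L2_ACL, SSH_FROM_BAD_HOST),
        # An explicit IP deny still wins even though the L2 ACL would permit.
        "telnet_explicit_deny": dual_inbound(IP_ACL_GOOD, L2_ACL, TELNET_FROM_GOOD_HOST),
    }

if __name__ == "__main__":
    for name, (verdict, acl) in demo().items():
        print(f"{name:28s} {verdict:8s} decided by {acl}")
```

The first case is the one the guide warns about: the IP ACL contains no rule that matches the SSH packet, so the implicit deny drops it and the L2 ACL is never consulted, even though the L2 ACL would have forwarded it.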
Configuration considerations for IPv6 ACL and multicast traffic for 2X100GE modules installed on NetIron MLX and NetIron XMR devices
When applied to a 100GE interface, the following behavior applies to IPv6 inbound ACLs:
1. You cannot match IPv6 multicast packets using filters that match on one or more of the following fields:
   a. TCP/UDP source port
   b. TCP/UDP destination port
   c. ICMP type/code
   The exception to this rule is ICMP filters that match neighbor solicitation and router solicitation packets, such as “permit icmp any any nd-ns” and “permit icmp any any router-solicitation”; these are programmed to match all ICMP multicast packets irrespective of the ICMP type or code value.
2. The implicit “deny ipv6 any any” does not match multicast packets. However, an explicit “deny ipv6 any any”, or any other filter that matches on IPv6 header fields only, does match multicast packets.
NOTE
The above rules apply only to IPv6 inbound ACLs. They do not apply to IPv6 outbound ACLs.
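The practical consequence of the two rules above is that an inbound IPv6 ACL on a 100GE port that relies on the implicit deny does not filter multicast at all, and that multicast cannot be permitted or denied selectively by L4 port. The following added example (not Brocade code, and not the router's CLI syntax) encodes both rules so the consequences can be checked against sample packets; the rule representation and addresses are constructed, and treating a multicast packet that matches no filter as forwarded is this example's reading of rule 2.

```python
"""Model of IPv6 inbound ACL behaviour on a 2X100GE interface (NetIron MLX/XMR).

Added example, not Brocade code: it encodes the two rules the guide states
for multicast traffic on 100GE ports. The rule representation and the
addresses are constructed for illustration and are not the router's CLI
syntax; forwarding a multicast packet that matches no filter (because the
implicit deny does not match it) is this example's reading of rule 2.
"""

L4_FIELDS = {"sport", "dport", "icmp_type", "icmp_code"}
ND_TYPES = {"nd-ns", "router-solicitation"}   # the ICMP exceptions in rule 1

def is_multicast(addr):
    return addr.lower().startswith("ff")

def matches(rule, pkt):
    """Does this filter match the packet, given the 100GE inbound restrictions?"""
    _, match = rule
    header_only = {k: v for k, v in match.items() if k not in L4_FIELDS}
    header_ok = all(pkt.get(k) == v for k, v in header_only.items())
    if not is_multicast(pkt["dst"]):
        # Unicast: ordinary matching on every field the filter names.
        return header_ok and all(pkt.get(k) == v for k, v in match.items()
                                 if k in L4_FIELDS)
    if match.get("icmp_type") in ND_TYPES:
        # Exception: nd-ns / router-solicitation filters match every ICMP
        # multicast packet regardless of its actual type or code.
        return header_ok
    if L4_FIELDS.intersection(match):
        return False     # rule 1: port / ICMP type filters cannot match multicast
    return header_ok     # header-field-only filters match multicast normally

def eval_100ge_inbound(acl, pkt):
    """First matching filter wins; the implicit deny does not apply to multicast."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "permit" if is_multicast(pkt["dst"]) else "deny"   # rule 2

# Constructed ACLs.
SERVER = "2001:db8::10"
RELIES_ON_IMPLICIT_DENY = [
    ("permit", {"proto": "tcp", "dst": SERVER, "dport": 22}),
    ("permit", {"proto": "icmp", "icmp_type": "nd-ns"}),
]
EXPLICIT_DENY = RELIES_ON_IMPLICIT_DENY + [("deny", {})]    # deny ipv6 any any
PERMIT_MDNS_BY_PORT = [("permit", {"proto": "udp", "dst": "ff02::fb", "dport": 5353}),
                       ("deny", {})]
PERMIT_MDNS_BY_HEADER = [("permit", {"proto": "udp", "dst": "ff02::fb"}),
                         ("deny", {})]

# Constructed packets.
SSH = {"proto": "tcp", "dst": SERVER, "dport": 22}
DNS = {"proto": "udp", "dst": SERVER, "dport": 53}
MDNS = {"proto": "udp", "dst": "ff02::fb", "dport": 5353}
MCAST_PING = {"proto": "icmp", "dst": "ff02::1", "icmp_type": "echo-request"}

def demo():
    """Verdicts that show where the 100GE multicast rules bite."""
    return {
        "unicast_ssh": eval_100ge_inbound(RELIES_ON_IMPLICIT_DENY, SSH),
        "unicast_dns": eval_100ge_inbound(RELIES_ON_IMPLICIT_DENY, DNS),
        # Multicast slips past an ACL that relies on the implicit deny ...
        "mdns_implicit_deny": eval_100ge_inbound(RELIES_ON_IMPLICIT_DENY, MDNS),
        # ... but is dropped once "deny ipv6 any any" is written explicitly.
        "mdns_explicit_deny": eval_100ge_inbound(EXPLICIT_DENY, MDNS),
        # The nd-ns filter matches an ICMP multicast echo request as well.
        "mcast_ping_via_nd_ns": eval_100ge_inbound(EXPLICIT_DENY, MCAST_PING),
        # Permitting multicast by UDP port cannot work on 100GE; use header fields.
        "mdns_permit_by_port": eval_100ge_inbound(PERMIT_MDNS_BY_PORT, MDNS),
        "mdns_permit_by_header": eval_100ge_inbound(PERMIT_MDNS_BY_HEADER, MDNS),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Two results deserve attention when auditing such an ACL: an IPv6 inbound ACL on a 100GE port that ends without an explicit deny lets every multicast packet through, and a "permit udp ... eq 5353" style clause silently fails to match multicast, so an explicit deny after it drops the traffic you meant to allow.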
Configuration considerations for IPv6 outbound ACLs on VPLS, VLL, and VLL-local endpoints
The following considerations apply to IPv6 outbound ACLs on VPLS, VLL, and VLL-local endpoints:
• Configure the port as a VPLS, VLL, or VLL-local endpoint and then bind the IPv6 outbound ACL to the port.