Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00)
53-1003035-02

Configuring an IPv6 ACL

Brocade(config)# ipv6 access-list rtr
Brocade(config-ipv6-access-list rtr)# deny tcp 2001:1570:21::/24 2001:1570:22::/24
Brocade(config-ipv6-access-list rtr)# deny udp any range 5 6 2001:1570:22::/24
Brocade(config-ipv6-access-list rtr)# permit ipv6 any any
Brocade(config-ipv6-access-list rtr)# write memory

The first condition in this ACL denies TCP traffic from the 2001:1570:21::x network to the
2001:1570:22::x network.

The second condition denies UDP packets from any source with source UDP ports in the range 5 to 6
and with the 2001:1570:22::/24 network as the destination.

The third condition permits all packets containing source and destination addresses that are not
explicitly denied by the first two conditions. Without this entry, the ACL would deny all incoming or
outgoing IPv6 traffic on the ports to which you assign the ACL.

A show running-config command output resembles the following.

Brocade(config)# show running-config
ipv6 access-list rtr
deny tcp 2001:1570:21::/24 2001:1570:22::/24
deny udp any range 5 6 2001:1570:22::/24
permit ipv6 any any

A show ipv6 access-list command output resembles the following.

Brocade(config)# show ipv6 access-list rtr
ipv6 access-list rtr: 3 entries
10: deny tcp 2001:1570:21::/24 2001:1570:22::/24
20: deny udp any range 5 6 2001:1570:22::/24
30: permit ipv6 any any

The following commands apply the ACL “rtr” to the incoming traffic on ports 2/1 and 2/2.

Brocade(config)# int eth 2/1
Brocade(config-if-2/1)# ipv6 traffic-filter rtr in
Brocade(config-if-2/1)# exit
Brocade(config)# int eth 2/2
Brocade(config-if-2/2)# ipv6 traffic-filter rtr in
Brocade(config)# write memory

The ACL functionality for filtering traffic is enhanced with sequence numbers that enable users to
insert, modify or delete rules at any position, without having to remove and reapply the entire ACL. A
sequence number is assigned to each ACL entry, and ACL rules are applied in the order of lowest to
highest sequence number. Therefore, you can insert a new filter rule at any position you want in the
ACL table by specifying the sequence number. If you do not specify a sequence number, the system
automatically generates one and applies it to the ACL entry. The sequence number generated by the
system is the smallest number divisible by 10 that is greater than the sequence number of the last
ACL entry provisioned in the ACL table. Therefore, when you do not specify a sequence number, the
rule is added to the end of the ACL table. The default sequence number assigned to the first ACL
entry in the ACL table is “10”.

The following example shows how the system-generated sequence number is assigned when you do
not specify a sequence number.

Brocade(config)#access-list 101 deny esp 2::/64 any
Brocade(config)#access-list 101 sequence 12 permit ipv6 any any
Brocade(config)#access-list 101 permit ipv6 any any
Brocade(config)#access-list 101 deny ip tcp 2001:1570:21::/24
Brocade(config)#access-list 101 sequence 37 permit ipv6 any any
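To make the two behaviours described above concrete (automatic sequence numbering, and lowest-to-highest first-match evaluation ending in an implicit deny), here is a small Python model added to this page; it is not Brocade code. It assumes that "any" stands for ::/0, that a source-port range is inclusive, and that reusing an existing sequence number is rejected rather than silently overwriting the entry.

```python
import ipaddress

# Constructed model of the ACL-table behaviour described on this page (not Brocade code).
# Rules are applied from the lowest sequence number to the highest; the first match wins.

def next_sequence(entries):
    """Smallest multiple of 10 greater than the highest sequence number in the table (10 if empty)."""
    last = max((e["seq"] for e in entries), default=0)
    return (last // 10 + 1) * 10

class Ipv6Acl:
    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, action, proto, src, dst, sport_range=None, sequence=None):
        """Insert a rule; 'any' stands for ::/0. Returns the sequence number that was used."""
        if sequence is None:
            sequence = next_sequence(self.entries)
        if any(e["seq"] == sequence for e in self.entries):
            raise ValueError(f"sequence {sequence} already in use")  # assumption: no silent overwrite
        self.entries.append({
            "seq": sequence, "action": action, "proto": proto,
            "src": ipaddress.ip_network("::/0" if src == "any" else src, strict=False),
            "dst": ipaddress.ip_network("::/0" if dst == "any" else dst, strict=False),
            "sport": sport_range,  # inclusive (low, high) tuple, as in 'range 5 6'
        })
        self.entries.sort(key=lambda e: e["seq"])  # an explicit number can land mid-table
        return sequence

    def evaluate(self, proto, src, dst, sport=None):
        """Return (action, sequence) of the first matching rule, or ('deny', None) for the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.entries:
            if e["proto"] not in ("ipv6", proto):  # 'ipv6' matches any upper-layer protocol
                continue
            if s not in e["src"] or d not in e["dst"]:
                continue
            if e["sport"] and (sport is None or not e["sport"][0] <= sport <= e["sport"][1]):
                continue
            return e["action"], e["seq"]
        return "deny", None

def build_rtr():
    """The 'rtr' ACL from this page, entered without sequence numbers: it gets 10, 20, 30."""
    acl = Ipv6Acl("rtr")
    acl.add("deny", "tcp", "2001:1570:21::/24", "2001:1570:22::/24")
    acl.add("deny", "udp", "any", "2001:1570:22::/24", sport_range=(5, 6))
    acl.add("permit", "ipv6", "any", "any")
    return acl
```

Removing the final permit from build_rtr and evaluating any packet the deny rules do not cover returns ("deny", None), which is the "deny all" behaviour the text warns about.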