
Re-sequencing an ipv6 acl table – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 180
Chapter 4: Configuring an IPv6 ACL

The first permit statement permits ICMP traffic from hosts in the 2000:2383:e0bb::x network to hosts in the 2001:3782::x network.

The deny statement denies ICMP neighbor discovery advertisements (the nd-na qualifier matches ICMPv6 Neighbor Advertisement messages).

The last command permits all packets that are not explicitly denied by the preceding entries. Without this entry, the ACL's implicit deny at the end of the list drops all incoming or outgoing IPv6 traffic on the ports to which you assigned the ACL.

Entries are evaluated in order and the first match decides. If you add the statement deny icmp any any to the access list, every neighbor discovery message is denied as well, because neighbor discovery runs over ICMPv6. To permit neighbor discovery, as the second example does, you must explicitly enter the permit icmp any any nd-na and permit icmp any any nd-ns statements before the deny icmp any any statement. Note that these two statements permit only neighbor solicitation and advertisement; other ICMPv6 messages that hosts rely on, such as router solicitation and advertisement, remain denied by deny icmp any any unless you permit them explicitly.

Re-sequencing an IPv6 ACL table

To allow new ACL entries to be inserted between ACL entries that have consecutive sequence
numbers, you can create space between sequence numbers of adjacent filters by regenerating the
ACL table.

To re-sequence ACL table "ipv6_acl", use the following commands.

Brocade(config)# ipv6 access-list ipv6_acl

Brocade(config-ipv6-access-list-ipv6_acl)# regenerate-seq-num

This command regenerates the filter sequence numbers in steps of 10, assigning the default sequence number 10 to the first entry in the table. Any unused IPv6 remarks are deleted when this command is executed. For further information about remarks, refer to "Adding a comment to an IPv6 ACL entry" on page 209.

NOTE

If the sequence numbers generated by the regenerate-seq-num command would exceed the limit (214748364), the ACL filters are not re-sequenced and the following error message is displayed:

"Error: Valid range for sequence is 1 to 214748364"

NOTE

The regenerate-seq-num command is not allowed while a TFTP copy is in progress.

The first example, in which neighbor advertisements are denied:

Brocade(config)# ipv6 access-list netw
Brocade(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
Brocade(config-ipv6-access-list-netw)# deny icmp any any nd-na
Brocade(config-ipv6-access-list-netw)# permit ipv6 any any

The second example, in which neighbor solicitation and advertisement are explicitly permitted before the deny icmp any any statement:

Brocade(config)# ipv6 access-list netw
Brocade(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
Brocade(config-ipv6-access-list-netw)# permit icmp any any nd-na
Brocade(config-ipv6-access-list-netw)# permit icmp any any nd-ns
Brocade(config-ipv6-access-list-netw)# deny icmp any any
Brocade(config-ipv6-access-list-netw)# permit ipv6 any any
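The following Python model is added here and is not part of the Brocade guide. It applies the first-match rule and the implicit deny to the two ACLs above, shows why the order of the nd-na/nd-ns permits relative to deny icmp any any matters, and models regenerate-seq-num together with the range check from the note. The Entry and Packet classes, the constructed sample packets, and the mapping of nd-ns/nd-na to ICMPv6 types 135/136 (RFC 4861) are this model's own assumptions; the switch's real matching engine is not shown on this page.

```python
# Added example, not from the Brocade manual: a model of IPv6 ACL first-match
# evaluation and of regenerate-seq-num. Packet samples below are constructed.
from __future__ import annotations

import dataclasses
import ipaddress
from dataclasses import dataclass

SEQ_LIMIT = 214748364   # upper bound quoted in the manual's error message
SEQ_STEP = 10           # regenerate-seq-num numbers entries 10, 20, 30, ...
ND_TYPES = {"nd-ns": 135, "nd-na": 136}   # ICMPv6 NS / NA types (RFC 4861), an assumption of this model


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                         # "permit" or "deny"
    proto: str                          # "icmp" or "ipv6" (ipv6 = any protocol)
    src: ipaddress.IPv6Network | None   # None means "any"
    dst: ipaddress.IPv6Network | None
    nd: str | None = None               # "nd-ns" / "nd-na" qualifier, if given


@dataclass(frozen=True)
class Packet:
    proto: str                 # "icmp", "tcp", ...
    src: str
    dst: str
    icmp_type: int | None = None


def parse_acl(text: str) -> list[Entry]:
    """Parse lines as typed after 'ipv6 access-list <name>', numbering them 10, 20, ... in entry order."""
    entries: list[Entry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, src, dst = tokens[:4]
        nd = tokens[4] if len(tokens) > 4 else None
        if nd is not None and nd not in ND_TYPES:
            raise ValueError(f"qualifier not modelled here: {nd}")
        entries.append(Entry(
            seq=SEQ_STEP * (len(entries) + 1), action=action, proto=proto,
            src=None if src == "any" else ipaddress.IPv6Network(src),
            dst=None if dst == "any" else ipaddress.IPv6Network(dst),
            nd=nd))
    return entries


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ipv6" and e.proto != p.proto:
        return False
    if e.src is not None and ipaddress.IPv6Address(p.src) not in e.src:
        return False
    if e.dst is not None and ipaddress.IPv6Address(p.dst) not in e.dst:
        return False
    if e.nd is not None and p.icmp_type != ND_TYPES[e.nd]:
        return False
    return True


def evaluate(acl: list[Entry], p: Packet) -> tuple[str, int | None]:
    """First matching entry (by sequence number) decides; no match means implicit deny."""
    for e in sorted(acl, key=lambda e: e.seq):
        if matches(e, p):
            return e.action, e.seq
    return "deny", None


def seq_in_range(count: int, step: int = SEQ_STEP) -> bool:
    """True if numbering `count` entries in steps of `step` stays within 1..SEQ_LIMIT."""
    return 1 <= step * count <= SEQ_LIMIT


def regenerate_seq_num(acl: list[Entry], step: int = SEQ_STEP) -> list[Entry]:
    """Renumber entries in their current order so new ones can be inserted between them;
    refuse, as the switch does, if the last number would exceed SEQ_LIMIT."""
    if not seq_in_range(len(acl), step):
        raise ValueError(f"Error: Valid range for sequence is 1 to {SEQ_LIMIT}")
    ordered = sorted(acl, key=lambda e: e.seq)
    return [dataclasses.replace(e, seq=step * (i + 1)) for i, e in enumerate(ordered)]


# The two ACLs shown on this page.
ACL_ND_DENIED = parse_acl("""
permit icmp 2000:2383:e0bb::/64 2001:3782::/64
deny icmp any any nd-na
permit ipv6 any any
""")
ACL_ND_PERMITTED = parse_acl("""
permit icmp 2000:2383:e0bb::/64 2001:3782::/64
permit icmp any any nd-na
permit icmp any any nd-ns
deny icmp any any
permit ipv6 any any
""")

# Constructed sample traffic: NA, NS and an echo request on a link outside the /64s,
# a TCP segment, and an echo request between the two permitted networks.
NA = Packet("icmp", "fe80::1", "fe80::2", icmp_type=136)
NS = Packet("icmp", "fe80::1", "ff02::1:ff00:2", icmp_type=135)
ECHO = Packet("icmp", "2001:db8::1", "2001:db8::2", icmp_type=128)
TCP = Packet("tcp", "2001:db8::1", "2001:db8::2")
INSIDE_ECHO = Packet("icmp", "2000:2383:e0bb::10", "2001:3782::5", icmp_type=128)

if __name__ == "__main__":
    for name, acl in (("nd-na denied", ACL_ND_DENIED), ("ND permitted", ACL_ND_PERMITTED)):
        for label, pkt in (("NA", NA), ("NS", NS), ("echo", ECHO), ("tcp", TCP)):
            print(f"{name:13} {label:5} -> {evaluate(acl, pkt)}")
    packed = regenerate_seq_num(ACL_ND_DENIED, step=1)      # consecutive numbers, no room to insert
    print([e.seq for e in packed], "->", [e.seq for e in regenerate_seq_num(packed)])
```

In the first ACL, a Neighbor Advertisement is dropped at sequence 20 while a Neighbor Solicitation falls through to permit ipv6 any any; in the second, the echo request that used to pass is now denied at sequence 40 while both ND messages are matched by the permits placed before it. Inserting an entry at sequence 15 into the first ACL changes the NA verdict, which is the kind of insertion regenerate-seq-num makes room for when numbers are consecutive.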