Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 198

Chapter 4: Extended IPv6 ACLs

Syntax: [no] [sequence num] permit | deny protocol
    ipv6-source-prefix/prefix-length | any | host ipv6-source-address
    ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address
    [ipv6-operator [value]]
    [copy-sflow] | [drop-precedence dp-value] | [drop-precedence-force dp-value] |
    [dscp-marking number] | [dscp dscp-value] | [mirror] | [priority-force number]

Syntax: regenerate-seq-num [num]

The ipv6 access-list acl-name parameter enters the IPv6 ACL configuration level and defines the
name of the IPv6 ACL. The acl-name value can contain up to 199 letters and digits, but it cannot
begin with a digit and cannot contain spaces or quotation marks. The string "test" is reserved and
cannot be used as the name of a standard or extended ACL.

The permit keyword indicates that the ACL permits (forwards) packets that match a policy in the
ACL.

The deny keyword indicates that the ACL denies (drops) packets that match a policy in the ACL.

The protocol parameter indicates the type of IPv6 packet you are filtering. You can specify a
well-known name for some protocols (those with a protocol number below 255); for all other
protocols you must enter the protocol number. Enter "?" in place of the protocol to list the
well-known names recognized by the CLI. The well-known IPv6 protocol names include:

AHP – Authentication Header

ESP – Encapsulating Security Payload

IPv6 – Internet Protocol version 6

SCTP – Stream Control Transmission Protocol

The ipv6-source-prefix/prefix-length and ipv6-destination-prefix/prefix-length parameters specify a
source or destination prefix and prefix length that a packet must match for the specified deny or
permit action to occur. You must specify the ipv6-source-prefix and ipv6-destination-prefix
parameters in hexadecimal, as 16-bit values separated by colons, in the notation of RFC 2373
(since superseded by RFC 4291). You must specify the prefix-length parameter as a decimal value.
A slash (/) must follow the ipv6-prefix parameter and precede the prefix-length parameter.

The any keyword, when specified instead of the ipv6-source-prefix/prefix-length or
ipv6-destination-prefix/prefix-length parameters, matches any IPv6 address and is equivalent to the
IPv6 prefix ::/0.

The host ipv6-source-address and host ipv6-destination-address parameters let you specify a single
host IPv6 address. When you use this form, you do not specify a prefix length; a prefix length of
128 is implied.
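The naming rules, the permit and deny actions, the protocol keywords, and the prefix, any and host address forms described above can be checked against a small model. The following Python block is an added example written for this edit; it is not code from the Brocade guide or from IronWare. It parses entries written in the syntax above and evaluates constructed packets against them. The ACL name edge-in, the 2001:db8::/32 addresses, the IANA protocol numbers used for ahp, esp and sctp, the treatment of the ipv6 keyword as matching any next header, first-match evaluation in listed order, and the implicit deny at the end of the list are assumptions made for the example, not statements taken from this page.

```python
"""Added example, not from the Brocade guide: a minimal Python model of the
extended IPv6 ACL entry syntax and matching semantics described in this
section. The ACL name 'edge-in' and all addresses are constructed for
illustration; IronWare's real parser accepts more than this model does."""
import ipaddress

# Well-known protocol names listed in this section, mapped to their IANA
# protocol (next-header) numbers. "ipv6" is modelled here as matching any
# IPv6 packet regardless of next header (an assumption about the keyword).
PROTOCOL_NUMBERS = {"ahp": 51, "esp": 50, "sctp": 132, "ipv6": None}

RESERVED_NAMES = {"test"}


def valid_acl_name(name):
    """Apply the acl-name rules: at most 199 characters, no leading digit,
    no spaces or quotation marks, and the reserved string 'test' is refused."""
    if not name or len(name) > 199:
        return False
    if name[0].isdigit():
        return False
    if any(ch in ' "' for ch in name):
        return False
    return name not in RESERVED_NAMES


def _parse_target(tokens):
    """Consume one source/destination specifier from the token list:
    any | host address | prefix/prefix-length."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv6Network("::/0")                  # any == ::/0
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")  # host implies /128
    if "/" not in tok:
        raise ValueError("prefix must be followed by /prefix-length: " + tok)
    # strict=False tolerates host bits set below the prefix length
    return ipaddress.IPv6Network(tok, strict=False)


def parse_entry(line):
    """Parse '[sequence] permit|deny protocol source destination [options]'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny, got " + action)
    proto = tokens.pop(0).lower()
    if proto in PROTOCOL_NUMBERS:
        proto_num = PROTOCOL_NUMBERS[proto]
    else:
        proto_num = int(proto)          # anything else must be a number
        if not 0 <= proto_num <= 255:
            raise ValueError("protocol number out of range: " + proto)
    src = _parse_target(tokens)
    dst = _parse_target(tokens)
    # Remaining tokens (copy-sflow, dscp-marking, ...) are kept but not modelled.
    return {"seq": seq, "action": action, "proto": proto_num,
            "src": src, "dst": dst, "options": tokens}


def parse_acl(text):
    """Parse an 'ipv6 access-list NAME' line followed by its entries."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = lines[0].split()
    if head[:2] != ["ipv6", "access-list"] or len(head) != 3:
        raise ValueError("bad ACL header: " + lines[0])
    if not valid_acl_name(head[2]):
        raise ValueError("invalid ACL name: " + head[2])
    return {"name": head[2], "entries": [parse_entry(ln) for ln in lines[1:]]}


def evaluate(acl, proto_num, src, dst):
    """First-match evaluation in listed order. Returns (action, seq) of the
    matching entry, or ('deny', None) for the implicit deny at the end
    (an assumption about IronWare behaviour; this page does not state it)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for e in acl["entries"]:
        if e["proto"] is not None and e["proto"] != proto_num:
            continue
        if s in e["src"] and d in e["dst"]:
            return e["action"], e["seq"]
    return "deny", None


# Constructed sample ACL written in the syntax from this section.
SAMPLE_ACL = parse_acl("""
ipv6 access-list edge-in
 10 permit esp host 2001:db8:1::1 host 2001:db8:2::10
 20 permit ahp host 2001:db8:1::1 host 2001:db8:2::10
 30 permit sctp 2001:db8:10::/48 any copy-sflow
 40 deny ipv6 any any
""")

if __name__ == "__main__":
    for proto, s, d in [(50, "2001:db8:1::1", "2001:db8:2::10"),
                        (132, "2001:db8:10:5::7", "2001:db8:ffff::1"),
                        (6, "2001:db8:1::1", "2001:db8:2::10")]:
        print(proto, s, d, "->", evaluate(SAMPLE_ACL, proto, s, d))
```

Running the block prints the matching entry for three constructed packets. The last entry, `40 deny ipv6 any any`, matches every packet, so any traffic you intend to permit must be listed before it; the same ordering rule applies on the device, where a broad entry placed early silently shadows everything after it.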

The ipv6-operator [value] parameter allows you to further filter packets using one of the following
options:

dscp-marking – Use the dscp-marking number dscp-cos-mapping parameters to specify a
DSCP value and map that value through an internal QoS table to obtain the packet's new QoS
values. The following occurs when you use these parameters:

You enter 0 – 63 for the dscp-marking number parameter.

The dscp-cos-mapping parameter takes the DSCP value you specified and looks it up in an
internal QoS table that is indexed by DSCP value. The corresponding 802.1p priority,
internal forwarding priority, and DSCP value are assigned to the packet.