For icmp – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
53-1003035-02
Extended IPv6 ACLs
• dscp – Applies to packets that match the traffic class value in the traffic class field of the IPv6 packet header. Allows you to filter traffic based on TOS or IP precedence. You can specify a value from 0 through 63.
• fragments – Applies to fragmented packets that contain a non-zero fragment offset.
NOTE: This option is supported only when the protocol parameter is IPv6. This option is not applicable to filtering based on source or destination ports, TCP flags, and ICMP flags.
• priority-force – Forces the outgoing priority of the packet.
• routing – Applies only to IPv6 source-routed packets.
• routing-header-type – Matches a specific routing header.
• sequence – Specifies where the conditional statement is to be added in the ACL. You can add a conditional statement at a particular place in an ACL by specifying the entry number using the sequence keyword. You can specify a value from 1 through 4294967295, as shown in this example.
Brocade(config)# ipv6 access-list ipv6-sip-dip-sample1
deny 183 any 5001::/32
deny 185 any host 6001::50b9
permit 187 7017::/32 any copy-sflow
permit 189 8017:abdc::/64 7001::/32 mirror
permit tcp host 1616:1000:1000:1000:1000:1000:1000:1011 host 8800:1000:2000:2000:2000:2000:2000:2022 drop-precedence 2
deny udp host 1717:1000:1000:1000:1000:1000:1000:1011 host 9900:2000:2000:2000:2000:2000:2000:2022 drop-precedence-force 1
permit ahp host 202::12 host 201::101
permit esp host 202::12 host 202::102
permit ipv6 host 202::12 host 203::103 dscp 8
permit sctp host aaa:1:202::12 host bbb::2
permit ipv6 host 3003::110 any
deny ipv6 dd17::/32 any fragments
permit ipv6 a3b1:7551::/32 any priority-force 4
permit ipv6 b3b1:7552::/32 any routing
permit ipv6 any any routing-header-type 51
deny 53 any 9001:a001::/32 sequence 10000
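A pre-deployment check for the constraints stated above (dscp 0 through 63, sequence 1 through 4294967295, fragments only with protocol ipv6), as an added example that is not part of the Brocade guide. The function names and the sample ACL, which uses documentation-range prefixes, are constructed for illustration; the optional vlan vlan-id handling follows the ICMP syntax on this page.

```python
# Added example: the value ranges and the fragments rule come from the option
# descriptions above; function names and sample entries are constructed.
LIMITS = {"dscp": (0, 63), "sequence": (1, 4294967295)}

def lint_entry(entry):
    """Return the problems found in one permit/deny statement."""
    tokens = entry.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return ["not a permit/deny statement"]
    # The ICMP syntax allows an optional "vlan vlan-id" before the protocol.
    proto_at = 3 if tokens[1] == "vlan" else 1
    protocol = tokens[proto_at] if proto_at < len(tokens) else ""
    problems = []
    for keyword, (low, high) in LIMITS.items():
        if keyword in tokens:
            nxt = tokens.index(keyword) + 1
            value = tokens[nxt] if nxt < len(tokens) else ""
            if not value.isdecimal() or not low <= int(value) <= high:
                problems.append(f"{keyword} {value!r} is outside {low}-{high}")
    # NOTE above: fragments is supported only when the protocol is ipv6.
    if "fragments" in tokens and protocol != "ipv6":
        problems.append("fragments requires protocol ipv6")
    return problems

def lint_acl(text):
    """Map 1-based line numbers to problems; the ACL header line is skipped."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("ipv6 access-list"):
            continue
        problems = lint_entry(line)
        if problems:
            report[number] = problems
    return report

# Constructed sample: lines 3, 5 and 6 each break one documented constraint.
SAMPLE_ACL = """\
ipv6 access-list lint-sample
permit ipv6 host 2001:db8::12 host 2001:db8::103 dscp 8
permit ipv6 2001:db8:1::/48 any dscp 64
deny ipv6 2001:db8:2::/48 any fragments
deny tcp 2001:db8:2::/48 any fragments
deny 53 any 2001:db8:3::/48 sequence 0
deny vlan 10 icmp any any echo-request sequence 10000
"""

if __name__ == "__main__":
    for number, problems in lint_acl(SAMPLE_ACL).items():
        print(f"line {number}: {'; '.join(problems)}")
```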
For ICMP
Syntax: [no] ipv6 access-list acl name
Syntax: permit | deny [ vlan vlan-id] icmp
ipv6-source-prefix/prefix-length | any | host source-ipv6_address
ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address
[ipv6-operator [value]]
[ [icmp-type][icmp-code] ] | [icmp-message] | beyond-scope | destination-unreachable |
echo-reply | echo-request | header | hop-limit | mld-query | mld-reduction | mld-report |
nd-na | nd-ns | next-header | no-admin | no-route | packet-too-big | parameter-option |
parameter-problem | port-unreachable | reassembly-timeout | renum-command |
renum-result | renum-seq-number | router-advertisement | router-renumbering |
router-solicitation] | [copy-sflow] | | [drop-precedence dp-value] | [drop-precedence-force
dp-value] | [dscp-marking number] | [dscp dscp-value] | [mirror] | [priority-force number]
| [sequence num]