Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Page 221
Multi-Service IronWare Security Configuration Guide
203
53-1003035-02
Extended IPv6 ACLs
4
Syntax: regenerate-seq-num [num]
The udp protocol indicates that you are filtering UDP packets.
The vlan_id parameter is the ID of the VLAN whose traffic the ACL filter is applied to match.
The [no] version of the command removes the IPv4 or IPv6 ACL filter from the ACL definition. It
needs an exact match of the command line and an existing filter in the ACL definition to successfully
remove the filter.
The tcp-udp-operator parameter can be one of the following:
• eq – Applies to the TCP or UDP port name or number you enter after eq.
• gt – Applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt. Enter “?” to list the port names.
• lt – Applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt.
• neq – Applies to all TCP or UDP port numbers except the port number or port name you enter after neq.
• range – Applies to all TCP or UDP port numbers that are between the first and second TCP or UDP port name or number you enter following the range parameter. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter the following: range 23 53. The first port number in the range must be lower than the last number in the range.
The source-port number and destination-port-number are the numbers of the source port and
destination port.
The following example is a configuration that filters TCP and UDP packets:
Brocade(config)# ipv6 access-list ipv6-tcp-udp-sample3
permit tcp host 3003::11 gt 1023 host 3001::11 range 1024 1026
deny udp host 3003::12 lt 1025 any neq 1024
permit tcp 3001::/32 host 3002::11 syn
permit udp any eq msg-auth 3000::/64
permit tcp host 3003::11 gt 1023 host 3001::11 range 1024 1026 established
deny tcp 3003::/64 range 1023 1025 host 3000::11
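As an added example (not Brocade code or output from the guide), the following Python parses extended IPv6 ACL filters written in the syntax above and evaluates a packet's 5-tuple against them, showing how each tcp-udp-operator decides a match and that the first matching filter wins. It assumes an implicit deny at the end of the ACL, accepts numeric ports only, and leaves out the TCP-flag keywords (syn, established); the sample ACL is three filters taken from the configuration above.

```python
import ipaddress

# Constructed sample: three filters from the configuration example above (numeric ports only, no TCP-flag keywords).
SAMPLE_ACL = [
    "permit tcp host 3003::11 gt 1023 host 3001::11 range 1024 1026",
    "deny udp host 3003::12 lt 1025 any neq 1024",
    "deny tcp 3003::/64 range 1023 1025 host 3000::11",
]
OPS = ("eq", "gt", "lt", "neq", "range")

def _addr(tok, i):
    """Parse 'any', 'host X' or 'prefix/len' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("::/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/128"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1

def _port_op(tok, i):
    # Optional tcp-udp-operator: 'range' takes two ports, the others take one.
    if i < len(tok) and tok[i] in OPS:
        n = 3 if tok[i] == "range" else 2
        return tuple(tok[i:i + n]), i + n
    return None, i

def _port_match(cond, port):
    if cond is None:                      # no operator given: every port matches
        return True
    op, a = cond[0], int(cond[1])
    if op == "range":                     # inclusive at both ends, as the text states
        return a <= port <= int(cond[2])
    return {"eq": port == a, "gt": port > a, "lt": port < a, "neq": port != a}[op]

def parse_filter(line):
    # Fields: action proto src [op ports] dst [op ports]
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _port_op(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port_op(tok, i)
    return tok[0], tok[1], src, sport, dst, dport

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Return (action, matching filter); the first match decides, no match falls to the implicit deny (assumed)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, f_proto, f_src, f_sp, f_dst, f_dp = parse_filter(line)
        if (proto == f_proto and src in f_src and dst in f_dst
                and _port_match(f_sp, sport) and _port_match(f_dp, dport)):
            return action, line
    return "deny", None
```

Returning the matched filter alongside the action lets you tell an explicit deny from the implicit one when testing a policy against the flows it is meant to allow.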
Limitations
• The ACL keyword VLAN is only intended to be used in PBR.
• For an ACL that contains the VLAN keyword and is used as a standalone ACL, the following restrictions apply:
  • The ACL that contains the VLAN keyword cannot be applied to Virtual Interfaces (VEs).
  • The VLAN keyword will be ignored and will have no effect if the ACL is:
    • applied to a physical interface or LAG interface.
    • applied to the management interface.
    • used as an IP receive ACL.
    • used in ACL-based rate-limiting.