Configuration considerations for layer 2 ipv6 acls, Acl syntax – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02
Extended IPv6 ACLs
Configuration considerations for Layer 2 IPv6 ACLs
NOTE
This feature is supported on Brocade NetIron CES and Brocade NetIron CER devices only.
The following configuration considerations apply when configuring layer 2 IPv6 ACLs:
• A layer 2 ACL supports two lookups in the ingress direction. When a layer 2 ACL configured with ether type IPv6 is bound to an ingress port, all other layer 2 ACLs are denied on the ingress port.
• The egress direction supports only one lookup. When a layer 2 ACL configured with ether type IPv6 is bound to an egress port, all other IPv4, IPv6, or layer 2 ACLs are allowed on the egress port.
• For all NetIron devices, if a port has an IPv4 or IPv6 ACL applied, you must remove the ACL bindings before adding that port to a VLAN that has a VE interface.
NOTE
For all NetIron devices running a version earlier than 5.5, you must remove the ACL bindings before adding a port to any VLAN and then re-apply the ACL bindings after the VLAN is configured on the port.
• Layer 2 ACLs filter incoming traffic based on IPv6 packet header fields, which include:
  - Source address
  - Destination address
  - VLAN ID
  - 802.1p priority
• The following actions apply to ingress ACLs:
  - Permit
  - Deny
  - Drop-precedence
  - Drop-precedence-force
  - Priority-force
  - Mirror
• The following actions apply to egress ACLs:
  - Permit
  - Deny
ACL syntax
Use this syntax to configure a layer 2 IPv6 ACL.
Syntax: [no] access-list num permit | deny src-mac mask | any dest-mac mask | any [vlan-id | any] [etype etype-str] [priority queue-value | priority-force queue-value | priority-mapping queue-value]
The following example configures a layer 2 IPv6 ACL on Brocade NetIron CES and Brocade NetIron
CER devices.