Controlling access to a Brocade device – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Applying an IPv6 ACL

When an IPv6 VRF is dynamically configured on an interface port, all IPv6 addresses on that
interface are deleted. The IPv6 ACL binding on the interface is not cleared, because IPv6 ACL
programming is independent of the VRF membership of the interface.

To apply an IPv6 ACL, for example “access1”, to a VRF interface, enter commands such as the
following.

Brocade(config)# vif 20
Brocade(config-vif-20)# ipv6 traffic-filter access1 in

Syntax: [no] ipv6 traffic-filter ipv6-acl-name in | out

For the ipv6-acl-name parameter, specify the name of an IPv6 ACL created using the ipv6
access-list command.

The in keyword applies the specified IPv6 ACL to incoming IPv6 packets on the Brocade device
interface.

The out keyword applies the specified IPv6 ACL to outgoing IPv6 packets on the Brocade device
interface.

Controlling access to a Brocade device

You can use an IPv6 ACL to filter and control incoming and outgoing connections to and from a Brocade
device. To do so, you must create an ACL and then specify the sequence in which the ACL is applied
to incoming or outgoing connections to the Brocade device.

For example, to permit incoming connections from remote hosts (2000:2383:e0bb::2/128 and
2000:2383:e0bb::3/128) to a Brocade device (30ff:3782::ff89/128), enter the following
commands.

Brocade(config)# ipv6 access-list remote-hosts permit 2000:2383:e0bb::2/128 30ff:3782::ff89/128 sequence 10
Brocade(config)# ipv6 access-list remote-hosts permit 2000:2383:e0bb::3/128 30ff:3782::ff89/128 sequence 20
Brocade(config)# ipv6 access-class remote-hosts in

Because of the implicit deny command at the end of each IPv6 ACL, the Brocade device denies
incoming connections from all other IPv6 hosts.

NOTE

The ipv6 access-class command is applicable only to traffic coming in or going out the management
port.

Syntax: [no] ipv6 access-list name deny | permit ipv6-source-prefix/prefix-length | any ipv6-destination-prefix/prefix-length | any [sequence number]

The sequence number parameter specifies the order in which a statement appears in an IPv6 ACL
and is therefore applied to a request. You can specify a value from 0 – 4294967295.

For more information on the syntax, refer to “ACL syntax”.