Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide
53-1003250-01

IPv6 ACL overview (Chapter 3, page 53)

Furthermore, if you add the statement deny icmp any any to the access list, all neighbor
discovery messages will be denied. If you want the ACL to permit neighbor discovery, you must
explicitly enter the permit icmp any any nd-na and permit icmp any any nd-ns statements just
before the deny icmp statement, as in the following example.

When creating ACLs, use one of the following syntax forms, depending on the protocol you are filtering.

For IPv6 and supported protocols other than ICMP, TCP, or UDP
Syntax: [no] ipv6 access-list acl-name
Syntax: permit | deny protocol ipv6-source-prefix/prefix-length | any | host source-ipv6-address ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address [ipv6-operator [value]] [log]

For ICMP
Syntax: [no] ipv6 access-list acl-name
Syntax: permit | deny icmp ipv6-source-prefix/prefix-length | any | host source-ipv6-address ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address

For TCP
Syntax: [no] ipv6 access-list acl-name
Syntax: permit | deny tcp ipv6-source-prefix/prefix-length | any | host source-ipv6-address [tcp-udp-operator [source-port-number]] ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address [tcp-udp-operator [destination-port-number]]

For UDP
Syntax: [no] ipv6 access-list acl-name
Syntax: permit | deny udp ipv6-source-prefix/prefix-length | any | host source-ipv6-address [tcp-udp-operator [source-port-number]] ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address [tcp-udp-operator [destination-port-number]]

TABLE 3  Syntax descriptions

Argument                    Description
ipv6 access-list acl-name   Enables the IPv6 configuration level and defines the name of the IPv6 ACL.
                            The acl-name can contain up to 199 characters and numbers, but cannot
                            begin with a number and cannot contain any spaces or quotation marks.
permit                      The ACL will permit (forward) packets that match a policy in the access list.
deny                        The ACL will deny (drop) packets that match a policy in the access list.
icmp                        Indicates that you are filtering ICMP packets.

Virtual ADX(config)#ipv6 access-list netw
Virtual ADX(config-ipv6-access-list-netw)#permit icmp 2001:db8:2383:e0bb::/64 2001:db8:3782::/64
Virtual ADX(config-ipv6-access-list-netw)#deny icmp any any
Virtual ADX(config-ipv6-access-list-netw)#permit ipv6 any any
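The ordering point made above (the nd-na and nd-ns permits must sit before deny icmp any any, because the first matching statement decides) is easy to get wrong. The following Python model is an added example written for this page, not Brocade's code: it parses statements in the syntax shown above (a subset: the eq port operator, the nd-ns and nd-na qualifiers, and log) and evaluates constructed packets against the netw list from the example, with and without the neighbor-discovery permits. The implicit deny at the end of the list, the ICMPv6 type numbers 135 and 136 used for nd-ns and nd-na, and all sample addresses and ports are assumptions of this example, not statements from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMPv6 types behind the nd-ns / nd-na qualifiers (RFC 4861):
# 135 = Neighbor Solicitation, 136 = Neighbor Advertisement. Assumed mapping.
ND_TYPES = {"nd-ns": 135, "nd-na": 136}


@dataclass
class Packet:
    """Constructed packet summary: only the fields an ACL statement can test."""
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp" or another protocol name
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "ipv6" matches every protocol
    src: Optional[ipaddress.IPv6Network]       # None means "any"
    dst: Optional[ipaddress.IPv6Network]
    icmp_type: Optional[int] = None            # set by nd-ns / nd-na
    sport: Optional[int] = None                # set by "eq <port>" after the source
    dport: Optional[int] = None                # set by "eq <port>" after the destination


def _parse_addr(tokens: List[str]):
    """Consume one address spec: prefix/length | any | host address."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.IPv6Network(tokens[0], strict=False), tokens[1:]


def _parse_eq(tokens: List[str]):
    """Consume an optional 'eq <port>' operator (the only tcp-udp-operator modelled)."""
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_rule(line: str) -> Rule:
    """Parse one permit/deny statement written in the syntax shown on the page."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    src, rest = _parse_addr(rest)
    sport, rest = _parse_eq(rest) if proto in ("tcp", "udp") else (None, rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_eq(rest) if proto in ("tcp", "udp") else (None, rest)
    icmp_type = None
    if proto == "icmp" and rest[:1] and rest[0] in ND_TYPES:
        icmp_type, rest = ND_TYPES[rest[0]], rest[1:]
    if rest not in ([], ["log"]):
        raise ValueError(f"unparsed tokens: {rest}")
    return Rule(action, proto, src, dst, icmp_type, sport, dport)


def _in(net: Optional[ipaddress.IPv6Network], addr: str) -> bool:
    return net is None or ipaddress.IPv6Address(addr) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if not (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)):
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    return rule.dport is None or pkt.dport == rule.dport


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching statement decides; a packet matching nothing is denied
    (implicit deny at the end of the list is an assumption of this model)."""
    for line in acl:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The netw list exactly as in the example above.
ACL_NETW = ["permit icmp 2001:db8:2383:e0bb::/64 2001:db8:3782::/64",
            "deny icmp any any", "permit ipv6 any any"]
# Same list with the neighbor-discovery permits placed just before deny icmp.
ACL_NETW_ND = [ACL_NETW[0], "permit icmp any any nd-na", "permit icmp any any nd-ns",
               "deny icmp any any", "permit ipv6 any any"]
# The permits placed after the deny are unreachable: deny icmp any any matches first.
ACL_NETW_ND_LATE = ["deny icmp any any", "permit icmp any any nd-na",
                    "permit icmp any any nd-ns", "permit ipv6 any any"]

# Constructed sample traffic (addresses and ports invented for this example).
NEIGHBOR_SOLICITATION = Packet("fe80::1", "ff02::1:ff00:2", "icmp", icmp_type=135)
ECHO_ALLOWED = Packet("2001:db8:2383:e0bb::10", "2001:db8:3782::20", "icmp", icmp_type=128)
ECHO_OTHER = Packet("2001:db8:1::10", "2001:db8:3782::20", "icmp", icmp_type=128)
HTTPS = Packet("2001:db8:1::10", "2001:db8:3782::20", "tcp", sport=51000, dport=443)

if __name__ == "__main__":
    for name, acl in (("netw", ACL_NETW), ("ND permits before deny", ACL_NETW_ND),
                      ("ND permits after deny", ACL_NETW_ND_LATE)):
        print(f"{name}: neighbor solicitation -> {evaluate(acl, NEIGHBOR_SOLICITATION)}, "
              f"https -> {evaluate(acl, HTTPS)}")
```

Running the script shows the neighbor solicitation denied by the netw list as written and by the list with the ND permits after the deny, and permitted only when the permits come first; TCP traffic passes in every variant through permit ipv6 any any.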