Configuration prerequisites – H3C Technologies H3C S3600 Series Switches User Manual
Page 717
1-12
z
dest-ip: Matches the destination IP address field in IPv6 packets.
z
dest-mac: Matches the destination MAC address field in IPv6 packets.
z
double-tag: Matches IPv6 packets with two tags.
z
dscp: Matches the traffic class field in IPv6 packets.
z
ip-protocol: Matches the next header field in IPv6 packets.
z
ipv6-type: Matches IPv6 packets with the Layer 2 protocol being IPv6.
z
src-ip: Matches the source address field in IPv6 packets.
z
dest-ip: Matches the destination address field in IPv6 packets.
z
src-port: Matches the TCP/UDP source port field in IPv6 packets.
z
dest-port: Matches the TCP/UDP destination port field in IPv6 packets.
z
icmpv6-type: Matches the ICMPv6 type field in IPv6 packets.
z
icmpv6-code: Matches the ICMPv6 code field in IPv6 packets.
z
vlan: Matches the VLAN tag field in IPv6 packets.
IPv6 ACLs do not match IPv6 packets with extension headers.
When configuring IPv6 ACL rules, note that:
z
To specify the src-port or dest-port keyword for a rule, you need to specify the
ip-protocol rule-string rule-mask combination as TCP or UDP, that is, 0x06 or 0x11.
To specify the icmpv6-type or icmpv6-code keyword for a rule, you need to specify
the ip-protocol rule-string rule-mask combination as ICMPv6, that is, 0x3a.
z
The total length of the fields in a rule cannot be more than 32 bytes; otherwise, the rule
configuration will fail. For example, if you define the src-ip and dest-ip fields in rule 1,
which are 16 bytes each and 32 bytes in total, you can define no more fields for the
rule.
Configuration prerequisites
z
To configure time range-based IPv6 ACL rules, you need to create the corresponding
time ranges first. For information about time range configuration, refer to section
.
z
The settings to be specified in the rule are determined.