
Configuration examples, Configuring an advanced ipv6 acl – H3C Technologies H3C WX6000 Series Access Controllers User Manual


To do… | Use the command… | Remarks
Create an IPv6 ACL description | description text | Optional. By default, no IPv6 ACL description is present.
Create a rule description | rule rule-id comment text | Optional. By default, no rule description is present.

Note that:

- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

- You can use the display acl command to verify the rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.

- You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.

- The rule specified in the rule comment command must already exist.

Configuration Examples

# Create IPv6 ACL 2000 to permit IPv6 packets with source address 2030:5060::9050/64 to pass while
denying IPv6 packets with source address fe80:5060::8050/96.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64

[Sysname-acl6-basic-2000] rule deny source fe80:5060::8050/96

# Verify the configuration.

[Sysname-acl6-basic-2000] display acl ipv6 2000

Basic IPv6 ACL 2000, named -none-, 2 rules,

ACL's step is 5

rule 0 permit source 2030:5060::9050/64

rule 5 deny source FE80:5060::8050/96
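
The following Python sketch is an added example, not part of the H3C manual. It models how the two rules of ACL 2000 match a source address and how the match order changes which rule is hit first. The depth-first ordering used for auto (longer source prefix first, ties broken by lower rule ID) is an assumption about basic IPv6 ACLs, and OVERLAP_ACL is a constructed rule set.

```python
import ipaddress

# Rules of ACL 2000 from the example above: (rule ID, action, source prefix).
ACL_2000 = [
    (0, "permit", "2030:5060::9050/64"),
    (5, "deny", "fe80:5060::8050/96"),
]

# Constructed rule set (not from the manual) with overlapping prefixes,
# to show a case where the match order changes the verdict.
OVERLAP_ACL = [
    (0, "permit", "2030:5060::/64"),
    (5, "deny", "2030:5060::9050/128"),
]


def ordered(rules, match_order="config"):
    """Return the rules in the order they are compared against a packet."""
    def prefix_len(rule):
        return ipaddress.ip_network(rule[2], strict=False).prefixlen

    if match_order == "config":
        # config: ascending rule ID.
        return sorted(rules, key=lambda r: r[0])
    if match_order == "auto":
        # Assumption: depth-first means longer source prefix first,
        # then lower rule ID.
        return sorted(rules, key=lambda r: (-prefix_len(r), r[0]))
    raise ValueError("match_order must be 'config' or 'auto'")


def evaluate(rules, src, match_order="config"):
    """Return (rule ID, action) of the first matching rule, or None."""
    addr = ipaddress.ip_address(src)
    for rule_id, action, prefix in ordered(rules, match_order):
        # strict=False ignores the bits after the prefix length, so
        # 2030:5060::9050/64 covers the whole of 2030:5060::/64.
        if addr in ipaddress.ip_network(prefix, strict=False):
            return rule_id, action
    return None  # no rule matched; the outcome depends on where the ACL is applied


if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, [r[0] for r in ordered(ACL_2000, order)],
              evaluate(OVERLAP_ACL, "2030:5060::9050", order))
```

With the constructed overlapping rules, the same source address is permitted under config order and denied under auto order, which is why the match order cannot be changed once an ACL contains rules.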

Configuring an Advanced IPv6 ACL

Advanced ACLs filter packets based on the source IPv6 address, destination IPv6 address, protocol
carried on IPv6, and other protocol header fields such as the TCP/UDP source port, TCP/UDP
destination port, ICMP message type, and ICMP message code.

Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they
allow more flexible and accurate filtering.