ipv6 access-list resequence

Use this command to renumber the entries of the specified IPv6 access list, starting from the given sequence number and increasing by the given increment. It edits the sequence numbers of the ACL (Access Control List) rules and therefore changes the order in which the entries are applied. This command is not saved in the startup configuration and is not displayed in the running configuration.

Note

If the generated sequence number exceeds the maximum sequence number, the ACL rule creation fails and an informational message is displayed.
Default 10
Format ipv6 access-list resequence {name | id} starting-sequence-number increment
Mode Global Config
Parameter Description

starting-sequence-number
    The sequence number from which to start. The range is 1–2147483647. The default is 10.

increment
    The amount to increment. The range is 1–2147483647. The default is 10.
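The following is an added illustration, not part of the Extreme 220 reference: a small Python model of what resequencing does to an access list, including the documented failure when a generated sequence number would exceed the maximum. The function name, the tuple layout and the sample rule list are this example's own constructions.

```python
# Added example (not from the Extreme 220 CLI reference): a model of
# `ipv6 access-list resequence name starting-sequence-number increment`.
MAX_SEQUENCE = 2147483647  # upper bound of the sequence number range

# Constructed sample ACL: rules were added so tightly that no new rule can be
# slotted between 10 and 11, which is the usual reason to resequence.
SAMPLE_ACL = [
    (10, "permit tcp any any eq 443"),
    (11, "permit udp any any eq 53"),
    (12, "deny ipv6 any any"),
]


def resequence(rules, start=10, increment=10):
    """Renumber rules in their current (sequence) order.

    `rules` is a list of (sequence_number, rule_text) tuples. Returns a new
    list numbered start, start+increment, start+2*increment, ... Raises
    ValueError when a generated number would exceed MAX_SEQUENCE, mirroring
    the documented behaviour (rule creation fails, an informational message
    is shown); the caller's list is left untouched in that case.
    """
    if not 1 <= start <= MAX_SEQUENCE or not 1 <= increment <= MAX_SEQUENCE:
        raise ValueError("starting-sequence-number and increment must be in 1-2147483647")
    ordered = sorted(rules, key=lambda rule: rule[0])  # rules apply in sequence order
    renumbered = []
    seq = start
    for _, text in ordered:
        if seq > MAX_SEQUENCE:
            raise ValueError(f"generated sequence number {seq} exceeds {MAX_SEQUENCE}")
        renumbered.append((seq, text))
        seq += increment
    return renumbered


if __name__ == "__main__":
    for seq, text in resequence(SAMPLE_ACL):       # 10, 20, 30: room to insert again
        print(seq, text)
```

Resequencing only changes the numbers, never the relative order, so the policy the list expresses is unchanged; what it restores is the gap that lets a rule be inserted at a chosen position with the sequence keyword.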

{deny | permit} (IPv6)

This command creates a new rule for the current IPv6 access list. A rule may either deny or permit traffic according to the specified classification fields. At a minimum, either the every keyword or the protocol, source address, and destination address values must be specified. The source and destination IPv6 address fields may be specified using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.

Format {deny | permit} {every | {{icmpv6 | ipv6 | tcp | udp | 0-255} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535} ] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [flow-label value] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [routing] [fragments] [sequence sequence-number] [dscp dscp]}} [log] [assign-queue queue-id] [rate-limit rate burst-size]
Mode IPv6-Access-List Config
Note

An implicit deny all IPv6 rule always terminates the access list.

The time-range parameter allows imposing a time limitation on the IPv6 ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the IPv6 ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with the specified name exists and the IPv6 ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied when the time range with the specified name becomes active. The ACL rule is removed when the time range with the specified name becomes inactive. For information about configuring time ranges, see Time Range Commands for Time-Based ACLs.

The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed queue-id value is 0-(n-1), where n is the number of user configurable queues available for the hardware platform. The assign-queue parameter is valid only for a permit rule.

The permit command's optional rate-limit attribute permits matching traffic only up to the configured rate (in kbps) and burst-size (in kbytes).

IPv6 ACLs have the following limitations:

  • Port ranges are not supported for egress IPv6 ACLs.
  • The IPv6 ACL fragment keyword matches only on the first IPv6 extension header (next header code 44). If the fragment header appears in the second or subsequent header, it is not matched.
  • The IPv6 ACL routing keyword matches only on the first IPv6 extension header (next header code 43). If the routing header appears in the second or subsequent header, it is not matched.
  • The rate-limit command is not supported for egress IPv6 ACLs.
Parameter Description

{deny | permit}
    Specifies whether the IPv6 ACL rule permits or denies the matching traffic.

every
    Specifies to match every packet.

{protocolkey | number}
    Specifies the protocol to match for the IPv6 ACL rule. The current list is: icmpv6, ipv6, tcp, and udp.

source-ipv6-prefix/prefix-length | any | host source-ipv6-address
    Specifies a source IPv6 address and prefix length to match for the IPv6 ACL rule.
    Specifying any implies specifying ::/0.
    Specifying host source-ipv6-address implies matching the specified IPv6 address.
    This source-ipv6-address argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons.

[{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}]
    This option is available only if the protocol is TCP or UDP.
    Specifies the layer 4 port match condition for the IPv6 ACL rule. A port number can be used, in the range 0-65535, or the portkey, which can be one of the following keywords:
    • For TCP: bgp, domain, echo, ftp, ftp-data, http, smtp, telnet, www, pop2, pop3
    • For UDP: domain, echo, ntp, rip, snmp, tftp, time, who
    Each of these keywords translates into its equivalent port number.
    When range is specified, the IPv6 ACL rule matches only if the layer 4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal to or greater than the starting port. The starting port, ending port, and all ports in between are part of the layer 4 port range.
    When eq is specified, the IPv6 ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey.
    When lt is specified, the IPv6 ACL rule matches if the layer 4 port number is less than the specified port number or portkey. It is equivalent to specifying the range as 0 to the specified port number - 1.
    When gt is specified, the IPv6 ACL rule matches if the layer 4 port number is greater than the specified port number or portkey. It is equivalent to specifying the range as the specified port number + 1 to 65535.
    When neq is specified, the IPv6 ACL rule matches only if the layer 4 port number is not equal to the specified port number or portkey. Two rules are added in the hardware: one with the range 0 to the specified port number - 1 and one with the range specified port number + 1 to 65535.

destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address
    Specifies a destination IPv6 address and prefix length to match for the IPv6 ACL rule.
    Specifying any implies specifying ::/0.
    Specifying host destination-ipv6-address implies matching the specified IPv6 address.
    This destination-ipv6-address argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons.

sequence sequence-number
    Specifies a sequence number for the ACL rule. Every rule receives a sequence number. The sequence number is specified by the user or is generated by the device.
    If a sequence number is not specified for the rule, a sequence number that is 10 greater than the last sequence number in the ACL is used and the rule is placed at the end of the list. If this is the first ACL rule in the given ACL, a sequence number of 10 is assigned. If the calculated sequence number exceeds the maximum sequence number value, the ACL rule creation fails. It is not allowed to create a rule that duplicates an already existing one. A rule cannot be configured with a sequence number that is already used for another rule.
    For example, if a user adds a new ACL rule to the ACL without specifying a sequence number, it is placed at the bottom of the list. By changing the sequence number, the user can move the ACL rule to a different position in the ACL.

[dscp dscp]
    Specifies the dscp value to match for the IPv6 rule.

flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]
    Specifies that the IPv6 ACL rule matches on the TCP flags.
    When +tcpflagname is specified, a match occurs if the specified tcpflagname flag is set in the TCP header.
    When -tcpflagname is specified, a match occurs if the specified tcpflagname flag is NOT set in the TCP header.
    When established is specified, a match occurs if either the RST or the ACK bit is set in the TCP header. Two rules are installed in hardware when the established option is specified.
    This option is visible only if the protocol is tcp.

[icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message]
    This option is available only if the protocol is icmpv6.
    Specifies a match condition for ICMP (Internet Control Message Protocol) packets.
    When icmp-type is specified, the IPv6 ACL rule matches on the specified ICMP message type, a number from 0 to 255.
    When icmp-code is specified, the IPv6 ACL rule matches on the specified ICMP message code, a number from 0 to 255.
    Specifying icmp-message implies that both icmp-type and icmp-code are specified. The following icmp-messages are supported: destination-unreachable, echo-reply, echo-request, header, hop-limit, mld-query, mld-reduction, mld-report, nd-na, nd-ns, next-header, no-admin, no-route, packet-too-big, port-unreachable, router-solicitation, router-advertisement, router-renumbering, time-exceeded, and unreachable.
    The ICMP message is decoded into the corresponding ICMP type and ICMP code within that ICMP type.

fragments
    Specifies that the IPv6 ACL rule matches on fragmented IPv6 packets (packets whose next header field is set to 44).

routing
    Specifies that the IPv6 ACL rule matches on IPv6 packets that have routing extension headers (the next header field is set to 43).

log
    Specifies that this rule is to be logged.

time-range time-range-name
    Allows imposing a time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, the ACL rule is applied immediately. If a time range with the specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, the ACL rule is applied when the time range with the specified name becomes active. The ACL rule is removed when the time range with the specified name becomes inactive.

assign-queue queue-id
    Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned.

rate-limit rate burst-size
    Specifies the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.
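The following is an added example, not code from the Extreme 220 reference or the switch itself: a Python model of the rule behaviour documented above for {deny | permit} (IPv6). It shows default sequence numbering (10 for the first rule, last + 10 afterwards), the duplicate-sequence and duplicate-rule checks, and how the lt, gt, neq and range port operators and the established flag expand into the entries the text says are installed in hardware. It goes slightly beyond the text by dropping the empty range that lt 0 or gt 65535 would produce. All class, function and field names, the tuple layouts and the sample rules are this example's own constructions.

```python
# Added example (not from the Extreme 220 CLI reference): a model of
# {deny | permit} (IPv6) rule creation and hardware expansion.
MAX_SEQUENCE = 2147483647   # maximum sequence number
MAX_PORT = 65535            # maximum layer 4 port number

# portkey keywords listed on the page, mapped to their well-known port numbers
PORTKEYS = {
    "bgp": 179, "domain": 53, "echo": 7, "ftp": 21, "ftp-data": 20,
    "http": 80, "www": 80, "smtp": 25, "telnet": 23, "pop2": 109,
    "pop3": 110, "ntp": 123, "rip": 520, "snmp": 161, "tftp": 69,
    "time": 37, "who": 513,
}


def resolve_port(value):
    """Accept a portkey keyword or a number and return the port number."""
    port = PORTKEYS[value] if isinstance(value, str) else int(value)
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port {port} is outside 0-{MAX_PORT}")
    return port


def port_ranges(operator, *operands):
    """Translate a layer 4 port match into the (low, high) ranges it installs.

    eq p      -> [(p, p)]
    lt p      -> [(0, p-1)]
    gt p      -> [(p+1, 65535)]
    range a b -> [(a, b)], b must be >= a
    neq p     -> [(0, p-1), (p+1, 65535)]   (two hardware entries)
    Empty ranges (lt 0, gt 65535) are dropped rather than installed inverted.
    """
    ports = [resolve_port(v) for v in operands]
    if operator == "eq":
        ranges = [(ports[0], ports[0])]
    elif operator == "lt":
        ranges = [(0, ports[0] - 1)]
    elif operator == "gt":
        ranges = [(ports[0] + 1, MAX_PORT)]
    elif operator == "neq":
        ranges = [(0, ports[0] - 1), (ports[0] + 1, MAX_PORT)]
    elif operator == "range":
        if ports[1] < ports[0]:
            raise ValueError("endport must be equal to or greater than startport")
        ranges = [(ports[0], ports[1])]
    else:
        raise ValueError(f"unknown port operator {operator!r}")
    return [(lo, hi) for lo, hi in ranges if lo <= hi]


class IPv6AccessList:
    """In-memory model of one IPv6 access list (rules keyed by sequence number)."""

    def __init__(self, name):
        self.name = name
        self.rules = {}   # sequence number -> rule tuple

    def add_rule(self, action, protocol, src, dst, port=None, established=False,
                 sequence=None):
        """Add a rule and return the sequence number it received.

        port is a tuple such as ("eq", "domain") or ("range", 1024, 65535).
        """
        if port is not None and protocol not in ("tcp", "udp"):
            raise ValueError("port matching is only available for tcp and udp")
        if established and protocol != "tcp":
            raise ValueError("established is only available for tcp")
        if sequence is None:
            # 10 for the first rule, otherwise 10 greater than the last (highest) one
            sequence = max(self.rules, default=0) + 10
        if not 1 <= sequence <= MAX_SEQUENCE:
            raise ValueError("sequence number exceeds the maximum; rule not created")
        if sequence in self.rules:
            raise ValueError(f"sequence number {sequence} is already used")
        rule = (action, protocol, src, dst, port, established)
        if rule in self.rules.values():
            raise ValueError("a rule identical to an existing one is not allowed")
        self.rules[sequence] = rule
        return sequence

    def hardware_entries(self):
        """Expand the list, in sequence order, into the entries installed in hardware.

        Each entry is (sequence, action, protocol, src, dst, port_range, tcp_flag);
        the implicit deny-all IPv6 rule is appended last.
        """
        entries = []
        for seq in sorted(self.rules):
            action, proto, src, dst, port, established = self.rules[seq]
            ranges = port_ranges(*port) if port else [None]
            flags = ["rst", "ack"] if established else [None]   # established = RST or ACK set
            for rng in ranges:
                for flag in flags:
                    entries.append((seq, action, proto, src, dst, rng, flag))
        entries.append((None, "deny", "ipv6", "::/0", "::/0", None, None))
        return entries


if __name__ == "__main__":
    acl = IPv6AccessList("ip61")   # constructed sample list, two rules
    acl.add_rule("permit", "udp", "::/0", "::/0", port=("eq", "domain"))
    acl.add_rule("deny", "tcp", "2001:db8::/32", "::/0", port=("neq", 443), established=True)
    for entry in acl.hardware_entries():
        print(entry)
```

The hardware_entries count is the practical point: a single neq rule with established costs four entries, so a list written with many neq and established matches consumes the hardware table far faster than its rule count suggests, and the rule that silently fails to install is the one that pushes the table over its limit.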

The following shows an example of the command.

(Extreme 220) (Config) #ipv6 access-list ip61
(Extreme 220) (Config-ipv6-acl)#permit udp any any rate-limit 32 16
(Extreme 220) (Config-ipv6-acl)#exit