permit

Use this command to create a permit IPv6 access list rule entry.

Syntax

Standard IPv6 Access List:
permit {source-address/length | any | host ip-address} [log | log-verbose]
Extended IPv6 Access List:
permit {protocol-num | ipv6 | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
permit tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
permit udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
permit icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

Parameters

protocol-num Specifies an IP protocol for which to permit access. Valid values are protocol numbers from 0 - 255.
ipv6 Specifies any IPv6 protocol (0 - 255)
esp Specifies the Encapsulation Security Payload protocol
gre Specifies the Generic Routing Encapsulation protocol
tcp Specifies the Transmission Control Protocol
udp Specifies the User Datagram Protocol
icmpv6 Specifies the IPv6 Internet Control Message Protocol
source-address/length Specifies the source network address and length from which the packet will be sent.
destination-address/length Specifies the destination network address and length to which the packet will be sent (extended IPv6 access list only).
any Specifies that any source or destination (extended IPv6 access list only) address applies to this rule entry.
host ip-address Specifies a specific host address that will be applied to this rule entry.
icmpv6-type [icmpv6-code] (Optional) Specifies an ICMPv6 message type, optionally followed by an ICMPv6 message code. Valid values for both ICMPv6 message type and message codes are 0 - 255. See usage section for more information.
msg icmpv6-msg (Optional) Specifies a single ICMPv6 message type by entering a keyword. Supported message type keywords are provided in ICMP Message Types.
eq | neq | gt | lt {source-port | dest-port} (Optional) Specifies a comparison against the source or destination port. The meanings of the keywords are:
  • eq - permits the specified source or destination port
  • gt - permits source or destination ports greater than the value specified
  • lt - permits source or destination ports less than the value specified
  • neq - permits source or destination ports that are not equal to the value specified
range start-port end-port (Optional) Specifies a range of source or destination ports permitted.
established (Optional) Specifies that only established TCP connections are permitted. A match is made if ACK or RST bits are set.
dscp code (Optional) Specifies a Differentiated Services Code Point (DSCP) value to match against this packet's DSCP field. Valid values are 0 - 63, or one of the following keywords:
  • af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, af44 – Assured Forwarding
  • be – Best Effort
  • cs1 - cs7 – Class Selector
  • ef – Expedited Forwarding
traffic-class value (Optional) Specifies a traffic class (Type of Service, ToS) value to match against the packet's Traffic Class field. Valid values are 0 - 255.
flow-label value (Optional) Specifies a value that matches the flow label field value of the IPv6 packet header. Valid values are 0 to 1048575.
log | log-verbose Enables syslog or verbose syslog messaging for an access list rule hit.
routing (Optional) Specifies that the packet is matched if its IPv6 header chain contains a routing extension header (that is, the packet is source-routed).
routing-type type (Optional) Specifies the routing header type value to match against the packet's routing extension header. Valid values are 0 - 255.
mobility (Optional) Specifies that the packet is matched if its IPv6 header chain contains a mobility extension header.
mobility-type type (Optional) Specifies the mobility header type value to match against the packet's mobility extension header. Valid values are 0 - 255.

Defaults

If any optional parameter is not entered, no matching against that parameter is performed.

Mode

Standard or extended IPv6 access list configuration.

Usage

Entering any IPv6 protocol number configures the permit entry for that protocol, but limits the configurable parameters to those listed in the protocol-num syntax. Specifying the tcp, udp, or icmpv6 keyword provides the extended parameter set listed in the syntax for that keyword.

Access list logging is throttled to one log message per second. If multiple access list rules have logging enabled (log or log-verbose) and more than one frame per second can hit those rules, only the first frame generates a message. Logging is therefore a sample and does not report every hit on a rule with logging enabled.
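To see what this throttle means for anyone building detections on ACL log messages, here is an added Python simulation of it. This is not the switch's code: the shared one-second window, the throttle_log() and unlogged_by_rule() helpers, and the rule10/rule20 hit timestamps are constructed assumptions for the example.

```python
"""Added simulation of the 1-message-per-second ACL log throttle (not switch code)."""
from typing import Dict, List, Tuple

Hit = Tuple[float, str]  # (timestamp in seconds, id of the logging rule that was hit)


def throttle_log(hits: List[Hit], interval: float = 1.0) -> List[Hit]:
    """Return the hits that would actually produce a syslog message.

    Assumption: the throttle is shared by every rule with log or
    log-verbose enabled. Once a message is emitted, further hits within
    `interval` seconds are silently dropped, whichever rule they matched.
    """
    logged: List[Hit] = []
    next_allowed = float("-inf")
    for ts, rule in sorted(hits):          # process in time order
        if ts >= next_allowed:
            logged.append((ts, rule))
            next_allowed = ts + interval
    return logged


def unlogged_by_rule(hits: List[Hit], interval: float = 1.0) -> Dict[str, int]:
    """Per-rule count of hits that left no log record at all."""
    logged = set(throttle_log(hits, interval))
    counts: Dict[str, int] = {}
    for hit in hits:
        if hit not in logged:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


# Constructed input: 20 frames in 1.5 s, alternating between two logging rules.
BURST: List[Hit] = [(i * 0.075, "rule20" if i % 2 == 0 else "rule10") for i in range(20)]

if __name__ == "__main__":
    print(len(BURST), "hits ->", len(throttle_log(BURST)), "messages:", throttle_log(BURST))
    print("hits never logged, per rule:", unlogged_by_rule(BURST))
```

With the constructed burst, 20 hits across two rules produce two log lines, both for rule20; rule10 never appears at all. An ACL log line therefore establishes that some logging rule was hit in that second, not how many frames matched or which rule they hit; if you need per-flow counts, use a counter or a separate telemetry source rather than the log.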

If you did not turn on logging when creating a permit rule, you can turn on logging within the access list for a specific rule or all rules using the log command. See log for command details.

When using the icmpv6-type [icmpv6-code] parameter syntax you must enter a numeric value. See the ICMPv6 parameters assignments page on the site for a complete listing of ICMPv6 message type and code numeric values, as well as the associated RFC. When using the msg icmpv6-msg parameter syntax, you must enter a single supported keyword to specify an ICMPv6 message type. Supported ICMPv6 message type keywords are listed in ICMP Message Types. Supported ICMPv6 message type keywords also display when entering a ? after the msg parameter.

The ICMP Message Types table below lists the supported ICMPv6 message type keywords with their message type and code numbers and a description of each.


ICMP Message Types

Message Type Keyword     Type,Code  Description
address-unreachable      001,003    Address is unreachable, unspecified reason
admin-prohibited         001,001    Administratively prohibited
bad-header-field         004,000    Erroneous header field encountered
bad-ipv6-option          004,002    Unrecognized IPv6 option encountered
bad-next-header-type     004,001    Unrecognized Next Header type encountered
beyond-scope             001,002    Beyond scope of source address
dest-unreachable         001,000    No route to destination
echo-reply               129,000    Echo reply
echo-request             128,000    Echo request
home-agent-disc-req      144,000    Home agent address discovery request
home-agent-disc-resp     145,000    Home agent address discovery reply
inverse-nd-na            142,000    Inverse neighbor-discovery advertisement
inverse-nd-ns            141,000    Inverse neighbor-discovery solicitation
mld-done                 132,000    Multicast listener done
mld-report               131,000    Multicast listener report
mld-query                130,000    Multicast listener query
mobile-prefix-advert     147,000    Mobile prefix advertisement
mobile-prefix-solicit    146,000    Mobile prefix solicitation
nd-na                    135,000    Neighbor advertisement
nd-ns                    136,000    Neighbor solicitation
node-info-query-addrv4   139,002    ICMP node information query for IPv4 address
node-info-query-addrv6   139,000    ICMP node information query for IPv6 address
node-info-query-name     139,001    ICMP node information query for name
node-info-resp-refused   140,001    ICMP node information response refused
node-info-resp-success   140,000    ICMP node information response succeeded
node-info-resp-unknown   140,002    ICMP node information response Qtype unknown
packet-too-big           002,000    Packet is too big
port-unreachable         001,004    Specified port is not reachable
reassembly-timeout       003,001    Fragment reassembly time exceeded
redirect-message         137,000    Redirect Message
reject-route             001,006    Route to destination rejected
router-advertisement     134,000    Router advertisement
router-renumber-cmd      138,000    Router renumbering command
router-renumber-result   138,001    Router renumbering result
router-renumber-reset    138,255    Router renumbering sequence number reset
router-solicitation      133,000    Router solicitation
src-addr-policy-fail     001,005    Source addr failed ingress/egress policy
ttl-exceeded             003,000    Time-to-live exceeded

Examples

This example enters configuration mode for standard IPv6 access list acl2 and configures a permit entry for source address 2001:1234:50:0:21f:45ff:fe3d:21be/64:

System(rw-config)->ipv6 access-list standard acl2
System(rw-cfg-ipv6-std-acl)->permit 2001:1234:50:0:21f:45ff:fe3d:21be/64
System(rw-cfg-ipv6-std-acl)->

This example enters configuration mode for extended IPv6 access list acl120 and configures a permit entry using the ipv6 keyword (any IPv6 protocol) with a source address of 2001:1234:50:0:21f:45ff:fe3d:21aa/64 and a destination address of any:

System(rw-config)->ipv6 access-list extended acl120
System(rw-cfg-ipv6-ext-acl)->permit ipv6 2001:1234:50:0:21f:45ff:fe3d:21aa/64 any
System(rw-cfg-ipv6-ext-acl)->

This example enters configuration mode for extended IPv6 access list acl130 and configures a permit entry for the ICMPv6 protocol with a source network address of 2001:1234:0:0:21f::50/64, a destination address of 2001:2345:50:0:21f:45ff:fe3d:21ba/64, and the router-advertisement ICMPv6 message type:

System(rw-config)->ipv6 access-list extended acl130
System(rw-cfg-ipv6-ext-acl)->permit icmpv6 2001:1234:0:0:21f::50/64 2001:2345:50:0:21f:45ff:fe3d:21ba/64 msg router-advertisement
System(rw-cfg-ipv6-ext-acl)->
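To make the matching semantics in the Parameters section and the entries in these examples concrete, here is an added Python model of how a permit entry is evaluated against a packet. It is illustrative code, not the switch's implementation: the Packet, PortSpec and PermitRule names, the matches() function, and the sample addresses 2001:db8::/64 and 2001:db8:1::1 are assumptions for the example. It reuses the acl130 entry from the example above, adds a constructed tcp entry with a port operator, a port range and the established keyword, and resolves msg keywords through a subset of the ICMP Message Types table.

```python
"""Added model of permit-entry matching (illustrative, not the switch's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of the ICMP Message Types table on this page: keyword -> (type, code).
ICMPV6_MSG = {
    "echo-request": (128, 0), "echo-reply": (129, 0),
    "router-solicitation": (133, 0), "router-advertisement": (134, 0),
    "packet-too-big": (2, 0), "port-unreachable": (1, 4),
}
TCP_ACK = 0x10  # ACK bit of the TCP flags byte
TCP_RST = 0x04  # RST bit of the TCP flags byte


@dataclass
class Packet:                       # constructed packet summary: only matchable fields
    proto: str                      # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class PortSpec:                     # [{eq | neq | gt | lt} port] and/or [range start end]
    op: Optional[str] = None        # "eq", "neq", "gt" or "lt"
    port: int = 0
    port_range: Optional[Tuple[int, int]] = None


@dataclass
class PermitRule:
    proto: str                      # "tcp", "udp" or "icmpv6"
    src: str                        # "any", "host <addr>" or "<prefix>/<len>"
    dst: str
    sport: Optional[PortSpec] = None
    dport: Optional[PortSpec] = None
    established: bool = False
    icmp: Optional[Tuple[int, Optional[int]]] = None  # (type, code or None)


def icmp_from_msg(keyword: str) -> Tuple[int, int]:
    """Resolve a msg keyword to its numeric (type, code) pair."""
    return ICMPV6_MSG[keyword]


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(spec.split()[1])
    # strict=False: the page writes prefixes with host bits set (...:21be/64)
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)


def port_matches(spec: Optional[PortSpec], port: int) -> bool:
    if spec is None:
        return True                 # Defaults: an omitted parameter is not matched
    if spec.port_range is not None and not spec.port_range[0] <= port <= spec.port_range[1]:
        return False
    if spec.op is None:
        return True
    return {"eq": port == spec.port, "neq": port != spec.port,
            "gt": port > spec.port, "lt": port < spec.port}[spec.op]


def matches(rule: PermitRule, pkt: Packet) -> bool:
    """True if the packet would hit this permit entry."""
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.proto in ("tcp", "udp"):
        if not (port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)):
            return False
    if rule.proto == "tcp" and rule.established and not pkt.tcp_flags & (TCP_ACK | TCP_RST):
        return False                # established: ACK or RST must be set
    if rule.proto == "icmpv6" and rule.icmp is not None:
        want_type, want_code = rule.icmp
        if pkt.icmp_type != want_type or (want_code is not None and pkt.icmp_code != want_code):
            return False
    return True


# The acl130 entry from the Examples section above.
ACL130 = PermitRule("icmpv6", "2001:1234:0:0:21f::50/64",
                    "2001:2345:50:0:21f:45ff:fe3d:21ba/64",
                    icmp=icmp_from_msg("router-advertisement"))
# Constructed entry: permit tcp any eq 443 2001:db8::/64 range 1024 65535 established
RETURN_HTTPS = PermitRule("tcp", "any", "2001:db8::/64", sport=PortSpec("eq", 443),
                          dport=PortSpec(port_range=(1024, 65535)), established=True)

if __name__ == "__main__":
    ra = Packet("icmpv6", "2001:1234::1", "2001:2345:50::7", icmp_type=134)
    syn = Packet("tcp", "2001:db8:1::1", "2001:db8::10", sport=443, dport=50000, tcp_flags=0x02)
    print("acl130 hit by RA:", matches(ACL130, ra), "| return-HTTPS hit by bare SYN:", matches(RETURN_HTTPS, syn))
```

Two points the model makes visible: an omitted optional parameter matches everything (the Defaults section), so `permit tcp any any` admits every TCP segment regardless of port or flags; and `established` only checks for the ACK or RST bit, so it admits any segment that carries those flags, not only segments belonging to a connection the switch has seen. Treat it as a cheap direction filter, not as stateful inspection.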