Print this pagePrint this page

Email this topicEmail this topic

View PDFView PDF

Download EPUBDownload EPUB

replace

Use this command to replace an IPv6 access list entry with a remark, permit or deny entry.

Syntax

Standard IP Access List:
replace entry {remark text | {permit | deny}} {source-address/length | any | host ip-address]} [log | log-verbose]
Extended IP Access List:
replace entry {remark “text” | {permit | deny}} {protocol-num | ipv6 | | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
replace entry {remark text | {permit | deny}} tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
replace entry {remark “text” | {permit | deny}} udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
replace entry {remark “text” | {permit | deny}} icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

Parameters

entry Specifies an entry to replace with the entry configured in this command. An entry is a valid pre-existing IPv6 access list rule or the explicit deny which is the default entry 1.
remark text Specify a text remark that will be associated with this access list. Valid values: Up to 64 characters in quotes.
deny | permit Denies or permits access if specified conditions are met.
protocol-num Specifies an IP protocol for which to permit or deny access. Valid values are protocol numbers from 0 - 255.
ipv6 Specifies any IPv6 protocol (0 - 255).
esp Specifies the Encapsulation Security Payload protocol.
gre Specifies the Generic Router Encapsulation protocol.
tcp Specifies the Transmission Control Protocol.
udp Specifies the User Datagram Protocol.
icmpv6 Specifies the IPv6 Internet Control Message Protocol.
source-address/length Specifies the source network address and length from which the packet will be sent.
dest-address/length Specifies the destination network address and length (extended IPv6 access list only).
any Specifies that any source or destination (extended IPv6 access list only) address applies to this rule entry.
host ip-address Specifies a specific host address that will be applied to this rule entry.
icmpv6-type [icmpv6-code] (Optional) Specifies an ICMPv6 message type, optionally followed by an ICMPv6 message code. Valid values for both ICMPv6 message type and message codes are 0 - 255. See usage section for more information.
msg icmpv6-msg (Optional) Specifies an ICMPv6 type by entering a keyword. Supported values are provided in ICMP Message Types.
eq | neq | gt | lt {source-port | dest-port} (Optional) Specifies that a source or destination port is permitted or denied. The meaning of the keywords are:
  • eq - permits or denies the specified source or destination port
  • gt - permits or denies source or destination ports greater than the value specified
  • lt - permits or denies source or destination ports less than the value specified
  • neq - permits or denies source or destination ports that are not equal to the value specified
range start-port end-port (Optional) Specifies a range of source or destination ports permitted or denied.
established (Optional) Specifies that only established TCP connections are permitted or denied. A match is made if ACK or RST bits are set.
dscp code (Optional) Specifies a DiffServe Code Point (DSCP) value to match against this packet‘s DSCP code. Valid values are 0 - 63, or one of the following keywords:
  • af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, af44, – Assured Forwarding
  • be – best effort
  • cs1 - cs7 – Class Selector
  • ef – Expedited Forwarding
traffic-class value (Optional) Specifies a Type of Service (ToS) value. Valid values are 0 - 255.
flow-label value (Optional) Specifies a value that matches the flow label field value of the IPv6 packet header. Valid values are 0 to 1048575.
log | log-verbose Enables syslog or verbose syslog messaging for an access list rule hit.
routing (Optional) Specifies that the routing extension header within each IPv6 packet header should be matched against the source-routed packet.
routing-type type (Optional) Specifies the routing header type value that will be matched against the packet‘s routing extension header. Valid values are 0 - 255.
mobility (Optional) Specifies that the IPv6 packet will be matched against the mobility extension header within each IPv6 packet header.
mobility-type type (Optional) Specifies the mobility header type to match against the mobility-type extension header within each IPv6 packet header. Valid values are 0 - 255.

Defaults

If any optional parameter is not entered, no matching against that parameter is performed.

Mode

Standard or extended IPv6 access list configuration.

Usage

Entering any IPv6 protocol number will configure the permit or deny entry for the specified protocol, but will limit configurable parameters to the list in the protocol-num syntax. Specifying the tcp, udp, or icmpv6 keywords will provide the extended parameter set listed in the syntax for these keywords.

Access list logging is throttled to 1 log message per second. If there are multiple access list rules with logging enabled (log or log-verbose), and more then one frame is transmitted per second that can hit those rules, only the first frame will generate a message. Logging is sampling and does not report every time that a rule with logging enabled is hit.

If you did not turn on logging when creating a permit or deny rule, you can turn on logging within the access list for a specific rule or all rules using the log command. See log for command details.

When using the icmpv6-type [icmpv6-code] parameter syntax you must enter a numeric value. See the ICMPv6 parameters assignments page on the site for a complete listing of ICMPv6 message type and code numeric values, as well as the associated RFC. When using the msg icmpv6-msg parameter syntax, you must enter a single supported keyword to specify an ICMPv6 message type. Supported ICMPv6 message type keywords are listed in ICMP Message Types. Supported ICMPv6 message type keywords also display when entering a ? after the msg parameter.

Example

This example replaces entry 1 of IPv6 access list acl10 with a permit any source address :

System(rw-config)->ipv6 access-list standard acl10
System(rw-cfg-ipv6-std-acl)->replace 1 permit any
System(rw-cfg-ipv6-std-acl)->
Published May 2016prev | next

Email this topicEmail this topic

Print this pagePrint this page