deny (ipv6-acl)

Creates a deny rule that rejects packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing deny rule.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

deny [icmpv6|ipv6|proto|tcp|udp]
deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] 
[<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|
bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|
range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters

deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
icmpv6 Applies this deny rule to ICMPv6 packets only
<SOURCE-IPv6/MASK> Specifies a range of IPv6 source addresses (a network) to match. ICMPv6 packets received from any source in the specified network are dropped.
any Specifies the source as any IPv6 address. ICMPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6> Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK> Specifies a range of IPv6 destination addresses (a network) to match. ICMPv6 packets addressed to any destination within the specified network are dropped.
any Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6> Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host's exact IPv6 address.
type [eq <ICMPv6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>] Defines the ICMPv6 type field filter
  • eq – Configures a specific ICMPv6 type. Specify the ICMPv6 type value.
  • range – Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values.
Note: ICMPv6 packets whose type field value matches the values specified here are dropped.
code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>] Defines the ICMPv6 code field filter
  • eq – Configures a specific ICMPv6 code. Specify the ICMPv6 code value.
  • range – Configures a range of ICMPv6 codes. Specify the starting and ending ICMPv6 code values.
Note: ICMPv6 packets whose code field value matches the values specified here are dropped.
log Logs all deny events matching this entry
rule-precedence <1-5000> Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
ipv6 Applies this deny rule to IPv6 packets only
<SOURCE-IPv6/MASK> Specifies a range of IPv6 source addresses (a network) to match. IPv6 packets received from any source in the specified network are dropped.
any Specifies the source as any IPv6 address. IPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6> Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK> Specifies a range of IPv6 destination addresses (a network) to match. IPv6 packets addressed to any destination within the specified network are dropped.
any Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6> Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host's exact IPv6 address.
log Logs all deny events matching this entry
rule-precedence <1-5000> Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] 
[<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
proto Configures the ACL for additional protocols

Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.

<PROTOCOL-NUMBER> Filters protocols using their IANA protocol number
  • <PROTOCOL-NUMBER> – Specify the protocol number.
<PROTOCOL-NAME> Filters protocols using their IANA protocol name
  • <PROTOCOL-NAME> – Specify the protocol name.
eigrp Identifies the EIGRP protocol (number 88)

EIGRP enables routers to maintain copies of neighbors' routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to its neighbors, which in turn query their neighbors until a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.

gre Identifies the GRE protocol (number 47)

GRE is a tunneling protocol that enables transport of other protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

igp Identifies any private interior gateway protocol (primarily used by Cisco for their IGRP) (number 9)

IGP enables the exchange of routing information between hosts and routers within a managed network. The most commonly used IGPs are RIP and OSPF.

ospf Identifies the OSPF protocol (number 89)

OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), such as an enterprise LAN. OSPF gathers link-state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.

vrrp Identifies the VRRP protocol (number 112)

VRRP allows a pool of routers to be advertised as a single virtual router. Hosts configure this virtual router as their default gateway. VRRP elects a master router from this pool and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.

<SOURCE-IPv6/MASK> Specifies a range of IPv6 source addresses (a network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are dropped.
any Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.
host <SOURCE-HOST-IPv6> Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK> Specifies a range of IPv6 destination addresses (a network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are dropped.
any Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.
host <DEST-HOST-IPv6> Identifies a specific host (as the destination to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host's exact IPv6 address.
log Logs all deny events matching this entry
rule-precedence <1-5000> Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|
bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|
range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
tcp Applies this deny rule to TCP packets only
udp Applies this deny rule to UDP packets only
<SOURCE-IPv6/MASK> This keyword is common to the 'tcp' and 'udp' parameters. Specifies a range of IPv6 source addresses (a network) to match. TCP/UDP packets received from any source in the specified network are dropped.
any This keyword is common to the 'tcp' and 'udp' parameters. Specifies the source as any IPv6 address. TCP/UDP packets received from any source are dropped.
host <SOURCE-HOST-IPv6> Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK> This keyword is common to the 'tcp' and 'udp' parameters. Specifies a range of IPv6 destination addresses (a network) to match. TCP/UDP packets addressed to any destination within the specified network are dropped.
any This keyword is common to the 'tcp' and 'udp' parameters. Specifies the destination as any IPv6 address. TCP/UDP packets addressed to any destination are dropped.
eq <SOURCE-PORT> Identifies a specific source port
  • <SOURCE-PORT> – Specify the exact source port.
host <DEST-HOST-IPv6> Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host's exact IPv6 address.
range <START-PORT> <END-PORT> Specifies a range of source ports
  • <START-PORT> – Specify the first port in the range.
  • <END-PORT> – Specify the last port in the range.
eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www] Identifies a specific destination or protocol port to match
  • <1-65535> – The destination port is designated by its number
  • <SERVICE-NAME> – Specifies the service name
  • bgp – The designated BGP protocol port (179)
  • dns – The designated DNS protocol port (53)
  • ftp – The designated FTP protocol port (21)
  • ftp-data – The designated FTP data port (20)
  • gopher – The designated Gopher protocol port (70)
  • https – The designated HTTPS protocol port (443)
  • ldap – The designated LDAP protocol port (389)
  • nntp – The designated NNTP protocol port (119)
  • ntp – The designated NTP protocol port (123)
  • pop3 – The designated POP3 protocol port (110)
  • sip – The designated SIP protocol port (5060)
  • smtp – The designated SMTP protocol port (25)
  • ssh – The designated SSH protocol port (22)
  • telnet – The designated Telnet protocol port (23)
  • tftp – The designated TFTP protocol port (69)
  • www – The designated www protocol port (80)
range <START-PORT> <END-PORT> Specifies a range of destination ports
  • <START-PORT> – Specify the first port in the range.
  • <END-PORT> – Specify the last port in the range.
log Logs all deny events matching this entry
rule-precedence <1-5000> Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Examples

nx9500-6C8809(config-ipv6-acl-test)#deny icmpv6 any any type eq 1 code eq 0 log rule-precedence 1
nx9500-6C8809(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
nx9500-6C8809(config-ipv6-acl-test)#
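The following is an added Python model of the deny rule forms documented above; it is not part of this reference page or of the WiNG software. It parses rules written in the page's syntax (icmpv6 type/code filters, tcp/udp source and destination ports with the listed service names, proto keywords, log, rule-precedence, rule-description), then picks the rule that fires for a packet using the precedence note (lower value wins). It assumes numeric ICMPv6 type and code values, that a source-port eq/range sits between the source and destination addresses, that proto takes an IANA number or one of the listed keywords (other protocol names are not modelled), and the 2001:db8:: addresses are constructed sample values.

```python
import ipaddress
# Keyword-to-number tables taken from this page (the proto keywords and the tcp/udp port names).
PROTO_NUM = {"icmpv6": 58, "tcp": 6, "udp": 17, "eigrp": 88, "gre": 47, "igp": 9, "ospf": 89, "vrrp": 112}
PORT_NAME = {"bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70, "https": 443, "ldap": 389, "nntp": 119,
             "ntp": 123, "pop3": 110, "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80}

def _addr(tokens):  # consume 'any', 'host <addr>' or '<prefix>/<len>' and return it as an IPv6Network
    t = tokens.pop(0)
    spec = "::/0" if t == "any" else tokens.pop(0) + "/128" if t == "host" else t
    return ipaddress.IPv6Network(spec, strict=False)
def _range(tokens, names=None):  # consume 'eq V' or 'range LO HI' if present; return (lo, hi) or None
    if not tokens or tokens[0] not in ("eq", "range"):
        return None
    kw, conv = tokens.pop(0), (lambda v: int((names or {}).get(v, v)))  # type/code values: numbers only here
    lo = conv(tokens.pop(0))
    return (lo, conv(tokens.pop(0)) if kw == "range" else lo)
def parse_deny(line):  # parse one 'deny ...' line written in this page's syntax into a rule dict
    tokens = line.split()[1:]  # drop the leading 'deny'
    rule = {"type": None, "code": None, "log": False, "desc": None}
    kw = tokens.pop(0)
    v = tokens.pop(0) if kw == "proto" else kw  # 'proto' takes an IANA number or one of the listed keywords
    rule["proto"] = None if v == "ipv6" else (int(PROTO_NUM.get(v, v)),) * 2  # None matches every IPv6 packet
    rule["src"] = _addr(tokens)
    rule["sport"] = _range(tokens, PORT_NAME)  # optional source-port filter sits between source and destination
    rule["dst"] = _addr(tokens)
    rule["dport"] = _range(tokens, PORT_NAME)  # optional destination-port filter follows the destination
    while tokens:
        t = tokens.pop(0)
        if t in ("type", "code"):  # ICMPv6 type/code filters
            rule[t] = _range(tokens)
        elif t == "log":
            rule["log"] = True
        elif t == "rule-precedence":
            rule["precedence"] = int(tokens.pop(0))
        elif t == "rule-description":  # the rest of the line is the free-text description
            rule["desc"], tokens = " ".join(tokens), []
    return rule

def matches(rule, pkt):  # pkt: dict with src, dst, proto (IANA number) and, where present, type/code/sport/dport
    in_rng = lambda k: rule[k] is None or rule[k][0] <= pkt.get(k, -1) <= rule[k][1]
    return (all(ipaddress.IPv6Address(pkt[k]) in rule[k] for k in ("src", "dst"))
            and all(map(in_rng, ("proto", "type", "code", "sport", "dport"))))

def first_match(rules, pkt):  # lowest precedence value wins, as the page notes: the deny rule that fires, or None
    return next((r for r in sorted(rules, key=lambda r: r["precedence"]) if matches(r, pkt)), None)

ACL = [parse_deny(l) for l in (  # constructed ACL: the page's ICMPv6 example plus a tcp and a proto rule
    "deny icmpv6 any any type eq 1 code eq 0 log rule-precedence 1",
    "deny tcp any host 2001:db8::10 eq telnet rule-precedence 20 rule-description block telnet to mgmt",
    "deny proto ospf 2001:db8:1::/64 any rule-precedence 30")]
```

Because rules are ordered by precedence rather than by the order they were entered, a broad rule with a low precedence value is evaluated before a narrow one with a higher value, which is worth checking when a logged deny is not the rule you expected.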

Related Commands

no (ipv6-acl) Removes a specified deny access rule from this IPv6 ACL