deny (ipv6-acl)

Creates a deny rule that rejects packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing deny rule.

Supported on the following devices:

Access Points: AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
Service Platforms: NX5500, NX7500, NX9500, NX9600
Virtual Platforms: CX9000, VX9000

Syntax

deny [icmpv6|ipv6|proto|tcp|udp]

deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] 
[<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<
SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|
range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters

deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}


icmpv6	Applies this deny rule to ICMPv6 packets only
<SOURCE-IPv6/MASK>	Specifies a range of IPv6 source address (network) to match. ICMPv6 packets received from any source in the specified network are dropped.
any	Specifies the source as any IPv6 address. ICMPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6>	Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are dropped. <SOURCE-HOST-IPv6> – Specify the source host‘s exact IPv6 address.
<DEST-IPv6/MASK>	Specifies a range of IPv6 destination address (network) to match. ICMPv6 packets addressed to any destination within the specified network are dropped.
any	Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6>	Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are dropped. <DEST-HOST-IPv6> – Specify the destination host‘s exact IPv6 address.
<ICMPv6-TYPE> [eq\|range]	Defines the ICMPv6 type field filter eq – Configures a specific ICMPv6 type. Specify the ICMPv6 type value. range – Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values. Note: ICMPv6 packets with type field value matching the values specified here are dropped.
<ICMPv6-CODE>	Defines the ICMPv6 code field filter eq – Configures a specific ICMPv6 code. Specify the ICMPv6 code value. range – Configures a range of ICMPv6 code. Specify the starting and ending ICMPv6 code values. Note: ICMPv6 packets with code field value matching the values specified here are dropped.
log	Logs all deny events matching this entry
rule-precedence <1-5000>	Assigns a precedence for this deny rule <1-5000> – Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>	Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}


ipv6	Applies this deny rule to IPv6 packets only
<SOURCE-IPv6/MASK>	Specifies a range of IPv6 source address (network) to match. IPv6 packets received from any source in the specified network are dropped.
any	Specifies the source as any IPv6 address. IPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6>	Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are dropped. <SOURCE-HOST-IPv6> – Specify the source host‘s exact IPv6 address.
<DEST-IPv6/MASK>	Specifies a range of IPv6 destination address (network) to match. IPv6 packets addressed to any destination within the specified network are dropped.
any	Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6>	Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are dropped. <DEST-HOST-IPv6> – Specify the destination host‘s exact IPv6 address.
log	Logs all deny events matching this entry
rule-precedence <1-5000>	Assigns a precedence for this deny rule <1-5000> – Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>	Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] 
[<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}


proto	Configures the ACL for additional protocols Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.
<PROTOCOL-NUMBER>	Filters protocols using their IANA protocol number <PROTOCOL-NUMBER> – Specify the protocol number.
<PROTOCOL-NAME>	Filters protocols using their IANA protocol name <PROTOCOL-NAME> – Specify the protocol name.
eigrp	Identifies the EIGRP protocol (number 88) EIGRP enables routers to maintain copies of neighbors‘ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
gre	Identifies the GRE protocol (number 47) GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.
igp	Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9) IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are: RIP and OSPF.
ospf	Identifies the OSPF protocol (number 89) OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
vrrp	Identifies the VRRP protocol (number 112) VRRP allows a pool of routers to be advertized as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
<SOURCE-IPv6/MASK>	Specifies a range of IPv6 source address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are dropped.
any	Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.
host <SOURCE-HOST-IPv6>	Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped. <SOURCE-HOST-IP> – Specify the source host‘s exact IPv6 address.
<DEST-IPv6/MASK>	Specifies a range of IPv6 destination address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are dropped.
any	Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.
host <DEST-HOST-IPv6>	Identifies a specific host (as the destination to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped. <DEST-HOST-IPv6> – Specify the destination host‘s exact IPv6 address.
log	Logs all deny events matching this entry
rule-precedence <1-5000>	Assigns a precedence for this deny rule <1-5000> – Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>	Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|
bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|
range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}


tcp	Applies this deny rule to TCP packets only
udp	Applies this deny rule to UDP packets only
<SOURCE-IPv6/MASK>	This keyword is common to the ‘tcp‘ and ‘udp‘ parameters. Specifies a range of IPv6 source address (network) to match. TCP/UDP packets received from any source in the specified network are dropped.
any	This keyword is common to the ‘tcp‘ and ‘udp‘ parameters. Specifies the source as any IPv6 address. TCP/UDP packets received from any source are dropped.
host <SOURCE-HOST-IPv6>	Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are dropped. <SOURCE-HOST-IP> – Specify the source host‘s exact IPv6 address.
<DEST-IPv6/MASK>	This keyword is common to the ‘tcp‘ and ‘udp‘ parameters. Specifies a range of IPv6 destination address (network) to match. TCP/UDP packets addressed to any destination within the specified network are dropped.
any	This keyword is common to the ‘tcp‘ and ‘udp‘ parameters. Specifies the destination as any destination IPv6 address. TCP/UDP packets received from any destination are dropped.
eq <SOURCE-PORT>	Identifies a specific source port <SOURCE-PORT> – Specify the exact source port.
host <DEST-HOST-IP>	Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are dropped. <DEST-HOST-IP> – Specify the destination host‘s exact IP address.
range <START-PORT> <END-PORT>	Specifies a range of source ports <START-PORT> – Specify the first port in the range. <END-PORT> – Specify the last port in the range.
eq [<1-65535>\| <SERVICE-NAME>\| \|bgp\|dns\|ftp\| ftp-data\|gropher\| https\|ldap\|nntp\|ntp\| pop3\|sip\|smtp\| ssh\|telnet\| tftp\|www]	Identifies a specific destination or protocol port to match <1-65535> – The destination port is designated by its number <SERVICE-NAME> – Specifies the service name bgp – The designated BGP protocol port (179) dns – The designated DNS protocol port (53) ftp – The designated FTP protocol port (21) ftp-data – The designated FTP data port (20) gropher – The designated GROPHER protocol port (70) https – The designated HTTPS protocol port (443) ldap – The designated LDAP protocol port (389) nntp – The designated NNTP protocol port (119) ntp – The designated NTP protocol port (123) pop3 – The designated POP3 protocol port (110) sip – The designated SIP protocol port (5060) smtp – The designated SMTP protocol port (25) ssh – The designated SSH protocol port (22) telnet – The designated Telnet protocol port (23) tftp – The designated TFTP protocol port (69) www – The designated www protocol port (80)
range <START-PORT> <END-PORT>	Specifies a range of destination ports <START-PORT> – Specify the first port in the range. <END-PORT> – Specify the last port in the range.
log	Logs all deny events matching this entry
rule-precedence <1-5000>	Assigns a precedence for this deny rule <1-5000> – Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>	Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Examples

nx9500-6C8809(config-ipv6-acl-test)#deny icmpv6 any any type eq 1 code eq 0 log rule-precedence 1

nx9500-6C8809(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
nx9500-6C8809(config-ipv6-acl-test)#

Related Commands


no (ipv6-acl)	Removes a specified deny access rule from this IPv6 ACL