Inserts filtering rules in IPv6 access lists (ACLs).
IP ACL config mode
Important
If you configure an IPv4 or IPv6 ACL rule to match a specific IP length and also configure an IPv4 or IPv6 ACL rule with an overlapping IP length range, the rule with the specific length will not work. IPv4 and IPv6 rules configured with a specific length that falls inside an IPv4 or IPv6 length-range configuration fail silently: no error is reported when the rule is configured.
Example 1. The IPv6 ACL rule in this example will not work because its specific length (the `length 150` rule in v6acl) overlaps the IP ACL length range from 100 through 200 configured in v4acl. The rule with the overlapping specific length fails silently.

```
ip access-list v4acl
 seq 10 permit ip any 1.0.0.1 255.255.255.0 length 100 length-end 200
ipv6 access-list v6acl
 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
```
Example 2. The IPv6 ACL rule `seq 20` in this example will not work because its specific length (`length 150`) overlaps the range from 100 through 200 configured by `seq 10` in the same ACL. The rule with the overlapping specific length fails silently.

```
ipv6 access-list v6acl
 seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
 seq 20 permit ipv6 any bbbb::bbbb ffff::ffff length 150
```
Example 3. The IPv6 ACL rule in v6acl-2 will not work because its specific length (`length 150`) overlaps the range from 100 through 200 configured in the separate ACL v6acl-1. The rule with the overlapping specific length fails silently.

```
ipv6 access-list v6acl-1
 seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
ipv6 access-list v6acl-2
 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
```
Duplicate ACL rules are not allowed.
Conflicting ACL rules, that is, rules with the same match condition but a different forwarding action, are not allowed.
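The length-overlap condition above is the dangerous one, because the device accepts the rule and it simply never matches, while duplicates and conflicts are at least rejected at the CLI. The following lint is an added example, not Extreme's own tooling: it parses the `ip|ipv6 access-list NAME` / `seq N permit|deny ...` line grammar shown on this page (the exact grammar is an assumption), flags any specific `length` that falls inside any configured `length ... length-end` range across all ACLs of either address family, and reports same-match rules within one ACL as duplicate or conflicting.

```python
import re

ACL_RE = re.compile(r"^(ip|ipv6) access-list (\S+)$")
RULE_RE = re.compile(r"^seq (\d+) (permit|deny) (.+)$")

def parse_acls(text):
    """One dict per rule: acl, seq, action, match tokens, lo/hi length bounds."""
    rules, acl = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m or acl is None:
            continue
        rest, lo, hi = m.group(3).split(), None, None
        if "length" in rest:          # pull the length clause out of the match tokens
            i = rest.index("length")
            lo = int(rest[i + 1])
            hi = int(rest[i + 3]) if "length-end" in rest else None
            del rest[i:i + (2 if hi is None else 4)]
        rules.append({"acl": acl, "seq": int(m.group(1)), "action": m.group(2),
                      "match": tuple(rest), "lo": lo, "hi": hi})
    return rules

def lint(rules):
    """Findings as strings; an empty list means nothing suspicious."""
    out, ranges = [], [r for r in rules if r["hi"] is not None]
    for r in rules:
        if r["lo"] is not None and r["hi"] is None:   # specific length vs. ANY range (v4 or v6)
            for q in ranges:
                if q["lo"] <= r["lo"] <= q["hi"]:
                    out.append(f"{r['acl']} seq {r['seq']}: length {r['lo']} is inside "
                               f"{q['acl']} seq {q['seq']} range {q['lo']}-{q['hi']}; fails silently")
    seen = {}
    for r in rules:                                   # same match condition within one ACL
        key = (r["acl"], r["match"], r["lo"], r["hi"])
        if key in seen:
            kind = "duplicate of" if seen[key]["action"] == r["action"] else "conflicting with"
            out.append(f"{r['acl']} seq {r['seq']}: {kind} seq {seen[key]['seq']}")
        else:
            seen[key] = r
    return out

# Example 1 from the page: the IPv4 length range silently breaks the IPv6 length-150 rule.
EXAMPLE_1 = """ip access-list v4acl
 seq 10 permit ip any 1.0.0.1 255.255.255.0 length 100 length-end 200
ipv6 access-list v6acl
 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150"""
```

Run `lint(parse_acls(text))` over the candidate `show running-config access-list` output before applying a change; a non-empty result on the length check means a rule that the device will accept but never enforce.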
Message | Reason
---|---
Error: seqid 10 already exist ip1. | Sequence ID is repeated within the IP ACL named ip1.
Error: valid range for VNID is 1-16777215. | VNID is outside the valid range for the VxLAN protocol.
Error: valid range for VSID is 1-16777215. | VSID is outside the valid range for the NVGRE protocol.
Error: source ip address must be in X:X:X:X:X:X:X:X or X:X::X:X format. Each X can be up to 4 hexa-decimal digits. Example: 2001:0:0:0:0:0:0:1 or 2001::1 | IPv6 address format must be used.
% Value '65536' not in range <1-65535>. | Sequence-id range error.
% Value '255' not in range <0-254>. | Custom protocol number range error.
% Value '4294967296' not in range <1-4294967295>. | Tunnel-id range error (nvgre, gtpu, vxlan).
% Value '65536' not in range <1-65535>. | Source port range error.
% Value '9001' not in range <64-9000>. | Length range error.
The following example configures an IPv6 ACL and displays the result.

```
device# configure terminal
device(config)# ipv6 access-list ip6-acl
device(config-ip6-acl)# seq 1 permit 2000::1 FFFF::1 any any count log
device# show running-config access-list
ipv6 access-list ip6-acl
 seq 10 permit ipv6 2001::1 2001::0 2002::2 2002::0
device# show running-config ipv6 access-list all
ipv6 access-list ip6-acl
 seq 10 permit ipv6 2001::1 2001::0 2002::2 2002::0
```

Error messages
Sequence ID is repeated within an IPv6 access list:

```
device(config)# ipv6 access-list ip6
device(config-ipv6-acl)# seq 10 permit ipv6 2001:01:2::1 2001:01:2::1 any
Error: seqid 10 already exist ip6.
```

VNID exceeds the valid range for the VxLAN protocol:

```
device(config-ipv6-acl)# permit vxlan 166777215 any any
Error: valid range for VNID is 1-16777215.
```

VSID exceeds the valid range for the NVGRE protocol:

```
device(config-ipv6-acl)# seq 20 permit nvgre 16777216 any any
Error: valid range for VSID is 1-16777215.
```

Invalid IPv6 address format:

```
Error: source ip address must be in X:X:X:X:X:X:X:X or X:X::X:X format. Each X can be up to 4 hexa-decimal digits. Example: 2001:0:0:0:0:0:0:1 or 2001::1
```

Sequence-id range:

```
device(config-ipv6-acl)# seq 65536
% Value '65536' not in range <1-65535>.
```

Custom protocol number range:

```
device(config-ipv6-acl)# seq 65535 permit 255
% Value '255' not in range <0-254>.
```

Tunnel-id range (nvgre, vxlan, gtpu):

```
device(config-ipv6-acl)# seq 65535 permit nvgre 4294967296
% Value '4294967296' not in range <1-4294967295>.
device(config-ipv6-acl)# seq 65535 permit vxlan 4294967296
% Value '4294967296' not in range <1-4294967295>.
device(config-ipv6-acl)# seq 100 permit gtpu 4294967296
% Value '4294967296' not in range <1-4294967295>.
```

Source and destination port range:

```
device(config-ipv6-acl)# seq 120 permit gre any any sport 65536
% Value '65536' not in range <1-65535>.
device(config-ipv6-acl)# seq 120 permit gre any any sport 65535 sport-end 65536
% Value '65536' not in range <1-65535>.
device(config-ipv6-acl)# seq 120 permit gre any any dport 65536
% Value '65536' not in range <1-65535>.
device(config-ipv6-acl)# seq 120 permit gre any any dport 65535 dport-end 65536
% Value '65536' not in range <1-65535>.
```

Length range (note that `length-end` must be greater than the configured `length`, so its lower bound moves with it):

```
device(config-ipv6-acl)# seq 120 permit gre any any length 9001
% Value '9001' not in range <64-9000>.
device(config-ipv6-acl)# seq 120 permit gre any any length 63
% Value '63' not in range <64-9000>.
device(config-ipv6-acl)# seq 120 permit gre any any length 65 length-end 9001
% Value '9001' not in range <65-9000>.
device(config-ipv6-acl)# seq 120 permit gre any any length 65 length-end 63
% Value '63' not in range <65-9000>.
```

Duplicate rule:

```
device(config-ipv6-acl)# seq 1 permit ipv6 any any
device(config-ipv6-acl)# seq 2 permit ipv6 any any
Error: Sequence 2 is duplicate of Sequence 1.
```

Conflicting rule:

```
device(config-ipv6-acl)# seq 1 permit ipv6 any any
device(config-ipv6-acl)# seq 2 deny ipv6 any any
Error: Sequence 2 is conflicting with Sequence 1.
```