seq (ipv6 access-list
rules)
Inserts filtering rules in IPv6 access
lists (ACLs).
Syntax
seq
{
1-65535
}
[
permit | deny
]
[
tcp
|
udp
|
icmpv6 | igmpv6
| ipv6
|
esp
|
1-254
]
|
[
vxlan
|
nvgre
|
gre |
ipip|
gtpc
|
gtpu
]
{
1-4294967295
}
[
src-ip |
prefix-length |
src-ip
src-mask
]
[
dst-ip
|
prefix-length |
dst-ip
dst-mask
]
{
sport
1-65535}
{
dport
1-65535
}
{
sport-end
1-65535
}
{
dport-end
1-65535 }
{
dscp
1-63
}
{
length
64-9000
|
length-end
65-9000
}
{
push
}
{
sync
}
{
ack
}
{
fin
}
{
urg
}
{
cwr
}
{
ece
}
{
reset
}
{{
morefragment
|
dontfragment
}}
{
vlan
0-4095}
{
count
}
{
log
}
{
qos-forwarding-group
group-name
}
Parameters
- seq
ID
- Specifies the sequence ID for
the rule. This parameter is mandatory. Valid values range from 1 through
65535, and the value must be unique within the selected IP ACL.
- If the value is not specified, a non-assigned value starting from 10 with an
increment of 10 is assigned.
- permit
|deny
- Specifies the forwarding
action for the matching traffic.
- tcp|udp
|
icmpv6
|igmpv6
|
ipv6
|
esp
|
protocol-number
- Specifies the protocol type of the traffic
for non-tunneled packets.
- Valid values range from 1
through 254.
- vxlan
|nvgre
|
gre
|
ipip
|
gtpc
|
gtpu
- Specifies the tunnel types supported for
tunneled traffic. For tunnel types IP address and masks are mapped to the
outer header.
- VNI and TEID are configured for the VXLAN
and GTP-U tunnels, respectively. Valid values range from 1 through
4294967295.
- VXLAN and NVGRE tunnels allow VNID and
VSID values in the range of 1 through 16777215.
- GTP-U and GTP-C tunnels allow tunnel ID
values in the range of 1 through 4294967295.
- src-ip
|
prefix-length
|
src-mask
|
dst-ip
|
prefix-length
|
dst-mask
- Specifies the source IP address, source
mask, destination IP address, and destination mask of the traffic.
- IP addresses and IP masks display in hexadecimal format.
- Instead of subnet mask, the subnet prefix
length also can be specified.
- sport
|sport-end
- Specifies the source port value. The valid
values range is from 1 through 65535.
- Provides matching based on
sport range and sport range end parameters.
- When specifying a range, source port value
is mandatory.
- Specifying the source port end value alone
is not valid.
- The source port value must be less than the sport port end.
- dport
|dport-end
- Specifies the destination port. The valid
values range is from 1 through 65535.
- To match based on range, use
the provided destination port value and the destination port end parameters.
- The destination port value must be less than
the destination port end value.
- dscp
- Specifies the type of service field for the
IPv6 protocol. The valid values range is from 1 through 63.
- length
|length-end
- Specifies the length of the IPv6 packets.
The valid values range is from 64 to 9000.
- To match based on length range, use the
provided length and length-end parameters. The valid values range is from 65
through 9000.
- When specifying range, length
value is mandatory.
- Specifying length-end alone is not valid.
- Length must be less than the length-end.
- push
|sync
|
ack
|
cwr
|
ece
|reset
|
fin
|urg
- Specifies the TCP protocol configuration.
- vlan
vlan-id
- Specifies the VLAN ID. The valid values
range is 0 through 4095.
- morefragment
|
dontfragment
- Specifies the fragment
parameters.
- count
- Enables counters for the
rule.
- log
- Enables the system log
(syslog) for the rule.
- qos-forwarding-group
group-name
- Specifies the name of a Quality of Service
(QoS) forwarding group.
Usage Guidelines
GRE tunnel-type:
- Version-1 packets are not filtered with this setting.
- Version-0 packets are filtered successfully
with this setting.
The following specified length limitation applies to the
sport-end and
dport-end range length configuration.
Important
If you configure
an IPv4 or IPv6 ACL rule to match a specific IP length and also configure an
IPv4 or IPv6 ACL with an overlapping IP length range, then the rule with
specific length will not work.
IPvn rules
configured with specified lengths that overlap IPvn length-range
configurations fail silently.
Example 1. The IPv6 ACL rule in
this example will not work because the rule with a specific length (bold font) overlaps
the configured IP ACL range from 100 through 200. The rule with the
overlapping specified length fails
silently.
ip access-list v4acl
seq 10 permit ip any 1.0.0.1 255.255.255.0 length 100 length-end 200
ipv6 access-list v6acl
seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Example
2. The IPv6 ACL rule (bold
font) in this example will not work because the rule with a specific
length overlaps the range from 100 through 200. The rule with the
overlapping specified length fails
silently.
ipv6 access-list v6acl
seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
seq 20 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Example
3. This IPv6 ACL rule example will not work because in this configuration,
because the rule with a specific length (bold font) overlaps
the range from 100 through 200. The rule with the overlapping specified
length fails
silently.
ipv6 access-list v6acl-1
seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
ipv6 access-list v6acl-2
seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Duplicate ACL rules are not allowed.
Conflicting ACL rules, rules with same match condition and different forwarding
action are not allowed.
Examples
The following example configures an IPv6 ACL.
device# configure terminal
device(config)#ipv6 access-list ip6-acl
device(config-ip6-acl)# seq 1 permit 2000::1 FFFF::1 any any count log
device# show running-config access-list
ipv6 access-list ip6-acl
seq 10 permit ipv6 2001::1 2001::0 2002::2 2002::0
device# show running-config ipv6 access-list all
ipv6 access-list ip6-acl
seq 10 permit ipv6 2001::1 2001::0 2002::2 2002::0
device# show running-config ipv6 access-list all
ipv6 access-list ip6-acl
seq 10 permit ipv6 2001::1 2001::0 2002::2 2002::0
