seq (rules in IPv6 extended ACLs)
Inserts filtering rules in IPv6 extended ACLs.
Syntax
seq seq-value { permit | deny | hard-drop } ip-protocol { any | S_IPaddress/prefix_len | host S_IPaddress } [ source-operator [ S_port-numbers ] ] [ tcp/udp-flags ] [ vlan vlanID ] [ count ] [ log ] [ mirror ] [ copy-sflow ] [ connlimit connlimit-value ]
{ permit | deny | hard-drop } ip-protocol { any | S_IPaddress/prefix_len | host S_IPaddress } [ source-operator [ S_port-numbers ] ] [ tcp/udp-flags ] [ vlan vlanID ] [ count ] [ log ] [ mirror ] [ copy-sflow ] [ connlimit connlimit-value ]
no { permit | deny | hard-drop } ip-protocol { any | S_IPaddress/prefix_len | host S_IPaddress } [ source-operator [ S_port-numbers ] ] [ tcp/udp-flags ] [ vlan vlanID ] [ count ] [ log ] [ mirror ] [ copy-sflow ] [ connlimit connlimit-value ]
Parameters
- seq: (Optional) Assigns a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.
- seq-value: Valid values range from 1 through 65535.
- permit: Specifies rules to permit traffic.
- deny: Specifies rules to deny traffic.
- hard-drop: Overrides the trap behavior for control frames. However, hard-drop does not override a permit for this address in a preceding rule.
- ip-protocol: Indicates the type of IP packet you are filtering. The options are as follows:
  - <0-255>: Custom protocol number from 0 through 255.
  - ipv6-icmp: Internet Control Message Protocol (ICMPv6)
  - ipv6: Any IP protocol
  - tcp: Transmission Control Protocol
  - udp: User Datagram Protocol
- any: Specifies all source addresses.
- S_IPaddress: Specifies the source address of the subnet you want to filter; used together with prefix_len. For options to abbreviate the address, see the Usage Guidelines.
- prefix_len: Indicates how many of the high-order, contiguous bits of the address comprise the IPv6 prefix.
- host: Specifies a single source address.
- S_IPaddress: The specific host address. For options to abbreviate the address, see the Usage Guidelines.
- source-operator: If you specified tcp or udp as the ip-protocol, the following optional operators are available:
  - eq: The policy applies to the TCP or UDP port name or number you enter after eq.
  - gt: The policy applies to TCP or UDP port numbers equal to or greater than the port number, or the numeric equivalent of the port name, you enter after gt.
  - lt: The policy applies to TCP or UDP port numbers equal to or less than the port number, or the numeric equivalent of the port name, you enter after lt.
  - neq: The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.
  - range: The policy applies to all TCP or UDP port numbers between the first TCP or UDP port name or number and the second one you enter after the range keyword. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter range 23 53 (two values separated by a space). The first port number in the range must be lower than the last number in the range.
- S_port-numbers: (Valid only when ip-protocol is udp or tcp) Specifies one or more port numbers.
- drop-precedence-force dp-value: In permit rules applied to incoming traffic, forces drop precedence to a value of 0 through 2. On SLX 9540 or SLX 9640 devices, the drop-precedence-force keyword is supported only under the default, vxlan-ext, and bgp-flowspec TCAM profiles.
- vlan vlanID: Specifies a VLAN interface to which the ACL is bound.
- tcp/udp-flags: If you specify tcp or udp as the ip-protocol, one or more of the following flags are available:
  - ack: Filters packets for which the ack (acknowledge) flag is set.
  - fin: Filters packets for which the fin (finish) flag is set.
  - rst: Filters packets for which the rst (reset) flag is set.
  - sync: Filters packets for which the syn (synchronize) flag is set.
  - urg: Filters packets for which the urg (urgent) flag is set.
  - push: Filters packets for which the psh (push) flag is set.
- count: Enables statistics for the rule.
- log: Enables inbound logging for the rule. In addition, the ACL log buffer must be enabled, using the debug access-list-log buffer command.
- mirror: (Supported for rules in ACLs applied on physical interfaces to inbound traffic. Not supported for PBR, rACLs, or ACL-RL.) Mirrors packets matching the rule.
- copy-sflow: For incoming traffic, sends matching packets to the sFlow collector.
- connlimit connlimit-value: Number of connections allowed per IP address.
Modes
ACL configuration mode
Usage Guidelines
IPv6 extended ACLs permit or deny traffic according to source address, as well as other parameters.
An IPv6 ACL can only be applied to incoming traffic.
IPv6 filtering by destination address is not supported.
The order of the rules in an ACL is critical, because the first matching rule stops further processing. When you create rules, specify the sequence values to determine the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.
You can abbreviate an IPv6 address by using one or more of the following rules:
- Remove one or more leading zeros from one or more groups of hexadecimal digits, usually for all or none of the leading zeros. (For example, convert the group 0042 to 42.)
- Omit consecutive sections of zeros, using a double colon (::) to denote the omitted sections. The double colon can be used only once in any given address, because the address would be indeterminate if it were used multiple times. A double colon cannot be used to denote one omitted section of zeros. (For example, 2001:db8::1:2 is valid, but 2001:db8::1::2 or 2001:db8::1:1:1:1:1 is not permitted.)
Although an extended-ACL rule can include log, mirror, and copy-sflow, only one of the three is processed, as follows:
- In a permit rule, the order of precedence is mirror > copy-sflow > log.
- In a deny or hard-drop rule, the order of precedence is log > copy-sflow > mirror.
To delete a rule from an ACL, do one of the following:
- If you know the rule number, enter no seq seq-value.
- If you do not know the rule number, type no followed by the full syntax except for seq seq-value.
Filtering fragmented or non-fragmented packets is only supported on ingress ACLs. For IPv6 frames, filtering is only supported if the Fragment header is the first extension header. Use protocol number 44 to match the Fragment extension header. ACL filtering of fragmented and non-fragmented packets is not supported on SLX 9150 and SLX 9250 devices.
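As an added illustration (not SLX-OS code and not part of this reference), the following Python model evaluates a small rule list the way the guidelines describe: rules are kept in seq order, a rule added without seq goes to the end of the list, an explicit low seq places a rule ahead of earlier ones, and the first matching rule stops processing. The +10 auto-numbering step and the numeric values used for the telnet and bgp ports are assumptions of the model.

```python
import ipaddress

# Constructed model of first-match evaluation for IPv6 extended ACL rules, written
# to illustrate this page; not SLX-OS code. Only ip-protocol, source address and
# source-operator are modelled.
PORT_OPS = {                                  # source-operator semantics
    "eq":    lambda p, a: p == a[0],
    "gt":    lambda p, a: p >= a[0],          # equal to or greater than
    "lt":    lambda p, a: p <= a[0],          # equal to or less than
    "neq":   lambda p, a: p != a[0],
    "range": lambda p, a: a[0] <= p <= a[1],  # inclusive, first < second
}

def src_matches(spec, addr):
    """spec is 'any', 'host S_IPaddress' or 'S_IPaddress/prefix_len'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(spec[5:])
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)

class Ipv6ExtendedAcl:
    def __init__(self):
        self.rules = []   # (seq, action, proto, src, op, ports), kept in seq order

    def add(self, action, proto, src, op=None, ports=(), seq=None):
        # Without seq the rule goes to the end of the list; the +10 step is an
        # assumption of this model, not documented device behaviour.
        if seq is None:
            seq = self.rules[-1][0] + 10 if self.rules else 10
        self.rules = sorted(self.rules + [(seq, action, proto, src, op, tuple(ports))],
                            key=lambda r: r[0])

    def evaluate(self, src, proto, port=None):
        """Return (seq, action) of the first matching rule, or None if none matches."""
        for seq, action, rproto, rsrc, op, ports in self.rules:
            # 'ipv6' matches any IP protocol; a port operator needs a port to compare
            if rproto in ("ipv6", proto) and src_matches(rsrc, src) and \
                    (not op or (port is not None and PORT_OPS[op](port, ports))):
                return seq, action                 # first match stops processing
        return None

def demo():
    # Rules adapted from this page's rACL example, plus one inserted by seq
    acl = Ipv6ExtendedAcl()
    acl.add("hard-drop", "tcp", "host 10::1")                  # auto seq 10
    acl.add("permit", "tcp", "host 10::2", "eq", (23,))        # seq 20, telnet
    acl.add("permit", "tcp", "host 10::2", "eq", (179,))       # seq 30, bgp
    acl.add("deny", "ipv6", "2001:2002:1234:1::/64")           # seq 40
    acl.add("permit", "tcp", "host 10::1", "range", (23, 53), seq=5)  # before seq 10
    return acl
```

Running demo() and evaluating a TCP packet from 10::1 to port 80 returns the hard-drop at seq 10, while the same source to port 23 is permitted by the rule inserted at seq 5, which shows why explicit sequence values matter.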
Examples
The following example creates an IPv6 extended ACL, defines a rule for it, and applies the ACL to an interface.
device# configure
device(config)# ipv6 access-list extended ip_acl_1
device(conf-ip6acl-ext)# seq 10 deny ipv6 2001:2002:1234:1::/64 2001:1001:1234:1::/64 count
device(conf-ip6acl-ext)# exit
device(config)# interface ethernet 0/5
device(conf-if-eth-0/5)# ipv6 access-group ip_acl_1 in
The following example creates an IPv6 extended ACL, defines rules in the ACL, and applies it as a receive-path ACL (rACL).
device(config)# ipv6 access-list extended ipv6-receive-acl-example
device(conf-ip6acl-ext)# hard-drop tcp host 10::1 any count
device(conf-ip6acl-ext)# hard-drop udp any host 20::1 count
device(conf-ip6acl-ext)# permit tcp host 10::2 any eq telnet count
device(conf-ip6acl-ext)# permit tcp host 10::2 any eq bgp count
device(conf-ip6acl-ext)# hard-drop tcp host 10::3 host ff02::1 count
device(conf-ip6acl-ext)# exit
device(config)# ipv6 receive access-group ipv6-receive-acl-example
The following example creates an IPv6 extended ACL for permitting fragmented packets.
device(config)# ipv6 access-list extended ipv6-receive-acl-example
device(conf-ip6acl-ext)# seq 10 permit 44 any any count