seq (rules in IPv6 standard ACLs)
Inserts filtering rules in IPv6 standard ACLs. Standard ACLs permit or deny traffic according to source address only.
Syntax
seq seq-value { deny | permit | hard-drop } { any | A:B:C:D:E:F:H:I/prefix_len | host S_IPaddress } [ count ] [ log ] [ copy-sflow ]
{ deny | permit | hard-drop } { any | A:B:C:D:E:F:H:I/prefix_len | host SIP_address | SIP_address mask } [ count ] [ log ] [ copy-sflow ]
no { deny | permit | hard-drop } { any | A:B:C:D:E:F:H:I/prefix_len | host SIP_address | SIP_address mask } [ count ] [ log ] [ copy-sflow ]
Parameters
- seq: (Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.
- seq-value: Valid values range from 1 through 65535.
- permit: Specifies rules to permit traffic.
- deny: Specifies rules to deny traffic.
- hard-drop: Overrides the trap behavior for control frames. However, hard-drop does not override a permit for this address in a preceding rule.
- any: Specifies all source addresses.
- S_IPaddress: Specifies a source address for which you want to filter the subnet. For options to abbreviate the address, see the Usage Guidelines.
- prefix_len: Indicates how many of the high-order, contiguous bits of the address comprise the IPv6 prefix.
- host: Specifies a single source address.
- SIP_address: The source address. For options to abbreviate the address, see the Usage Guidelines.
- count: Enables statistics for the rule.
- log: Enables inbound logging for the rule. In addition, the ACL log buffer must be enabled, using the debug access-list-log buffer command.
- copy-sflow: For incoming traffic, sends matching packets to the sFlow collector.
Modes
ACL configuration mode
Usage Guidelines
This command configures rules to permit or drop traffic based on source addresses. You can also enable counters and either logging or sFlow collection.
The order of the rules in an ACL is critical, as the first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.
An IPv6 ACL can only be applied to incoming traffic.
You can abbreviate an IPv6 address by using one or more of the following rules:
- Remove one or more leading zeros from one or more groups of hexadecimal digits; this is usually done to either all or none of the leading zeros. (For example, convert the group 0042 to 42.)
- Omit consecutive sections of zeros, using a double colon (::) to denote the omitted sections. The double colon may only be used once in any given address, as the address would be indeterminate if the double colon were used multiple times. A double colon may not be used to denote an omitted single section of zeros. (For example, 2001:db8::1:2 is valid, but 2001:db8::1::2 or 2001:db8::1:1:1:1:1 are not permitted.)
Although in a standard-ACL rule you can specify both log and copy-sflow, only one of the two is processed, as follows:
- In a permit rule, only copy-sflow is processed.
- In a deny or hard-drop rule, only log is processed.
To delete a rule from an ACL, do one of the following:
- If you know the rule number, enter no seq seq-value.
- If you do not know the rule number, type no and then enter the full syntax of the rule without seq-value.
Filtering fragmented or non-fragmented packets is only supported on ingress ACLs. For IPv6 frames, filtering is only supported if the fragment header is the first extension header. Use protocol number 44 to match the fragment extension header.
ACL filtering of fragmented and non-fragmented packets is not supported on SLX 9150 and SLX 9250 devices.
Examples
The following example shows how to create an IPv6 standard ACL and define rules for it.
device# configure terminal
device(config)# ipv6 access-list standard ipv6-std-acl
device(conf-ip6acl-std)# seq 10 permit host 0:1::1
device(conf-ip6acl-std)# seq 20 deny 0:2::/64
device(conf-ip6acl-std)# seq 30 hard-drop any count
The following example creates an IPv6 standard ACL for permitting fragmented packets.
device(config)# ipv6 access-list standard ipv6-receive-acl-example
device(conf-ip6acl-std)# seq 10 permit 44 any any count
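As an added illustration of the matching semantics in the Usage Guidelines (this is not Extreme's code), the following Python models an IPv6 standard ACL: the first matching rule wins, permit rules process only copy-sflow while deny and hard-drop rules process only log, and abbreviated and full-form addresses match the same rule. The rule parser, the assumed +10 auto-sequence step for rules entered without seq, and the implicit deny when no rule matches are assumptions of this model, not statements from the page.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# One rule line, e.g. "seq 20 deny 0:2::/64 log"; seq and options are optional.
RULE_RE = re.compile(
    r"^(?:seq\s+(?P<seq>\d+)\s+)?(?P<action>permit|deny|hard-drop)\s+"
    r"(?P<match>any|host\s+\S+|\S+/\d+)(?P<opts>(?:\s+(?:count|log|copy-sflow))*)\s*$"
)

@dataclass
class Rule:
    seq: int
    action: str
    network: Optional[ipaddress.IPv6Network]  # None models "any"
    options: set = field(default_factory=set)

def parse_rule(line, next_seq):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    seq = int(m["seq"]) if m["seq"] else next_seq
    if not 1 <= seq <= 65535:
        raise ValueError(f"seq-value out of range: {seq}")
    match = m["match"]
    if match == "any":
        net = None
    elif match.startswith("host"):
        net = ipaddress.IPv6Network(match.split()[1])  # single host, /128
    else:
        net = ipaddress.IPv6Network(match, strict=False)  # prefix form
    return Rule(seq, m["action"], net, set(m["opts"].split()))

def build_acl(lines):
    # Rules without seq go to the end; the +10 step is an assumption of this model.
    rules = []
    for line in lines:
        rules.append(parse_rule(line, max((r.seq for r in rules), default=0) + 10))
    return sorted(rules, key=lambda r: r.seq)

def evaluate(acl, src):
    # Returns (action, seq, processed option) for the first rule matching src.
    addr = ipaddress.IPv6Address(src)  # accepts abbreviated and full forms alike
    for r in acl:
        if r.network is None or addr in r.network:
            # Only one of log/copy-sflow is processed: copy-sflow on permit, log otherwise.
            wanted = "copy-sflow" if r.action == "permit" else "log"
            return r.action, r.seq, wanted if wanted in r.options else None
    return "deny", None, None  # implicit deny when no rule matches (assumed)
```

Because the first match stops processing, a later hard-drop any never overrides an earlier permit for the same host, which is the ordering point the guidelines make.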