seq (rules in IPv6 standard ACLs)

Inserts filtering rules in IPv6 standard ACLs. Standard ACLs permit or deny traffic according to source address only.

Syntax

seq seq-value { deny | permit | hard-drop } { any | A:B:C:D:E:F:H:I / prefix_len | host S_IPaddress } [ count ] [ log ] [ copy-sflow ]
no seq seq-value
{ deny | permit | hard-drop } { any | A:B:C:D:E:F:H:I / prefix_len | host SIP_address | SIP_addressmask } [ count ] [ log ] [ copy-sflow ]
no { deny | permit | hard-drop } { any | A:B:C:D:E:F:H:I / prefix_len | host SIP_address | SIP_addressmask } [ count ] [ log ] [ copy-sflow ]

Parameters

seq
(Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.
seq-value
Valid values range from 1 through 65535.
permit
Specifies rules to permit traffic.
deny
Specifies rules to deny traffic.
hard-drop
Overrides the trap behavior for control frames. However, hard-drop does not override a permit for this address in a preceding rule.
any
Specifies all source addresses.
S_IPaddress
Specifies the source address (prefix) of the subnet you want to filter. For options to abbreviate the address, see the Usage Guidelines.
prefix_len
Indicates how many of the high-order, contiguous bits of the address comprise the IPv6 prefix.
host
Specifies a source address.
SIP_address
The source address. For options to abbreviate the address, see the Usage Guidelines.
count
Enables statistics for the rule.
log
Enables inbound logging for the rule. In addition, the ACL log buffer must be enabled, using the debug access-list-log buffer command.
copy-sflow
For incoming traffic, sends matching packets to the sFlow collector.

Modes

ACL configuration mode

Usage Guidelines

This command configures rules to permit or drop traffic based on source addresses. You can also enable counters and either logging or sFlow collection.

The order of the rules in an ACL is critical, as the first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.

An IPv6 ACL can only be applied to incoming traffic.

You can abbreviate an IPv6 address by using one or more of the following rules:
  • Remove one or more leading zeros from one or more groups of hexadecimal digits; this is usually done consistently, either for all groups or for none. (For example, the group 0042 becomes 42.)
  • Omit consecutive sections of zeros, using a double colon (::) to denote the omitted sections. The double colon may only be used once in any given address, as the address would be indeterminate if the double colon were used multiple times. A double colon may not be used to denote an omitted single section of zeros. (For example, 2001:db8::1:2 is valid, but 2001:db8::1::2 or 2001:db8::1:1:1:1:1 are not permitted.)
Although in a standard-ACL rule you can specify both log and copy-sflow, only one of the two is processed, as follows:
  • In a permit rule, only copy-sflow is processed.
  • In a deny or hard-drop rule, only log is processed.
To delete a rule from an ACL, do one of the following:
  • If you know the rule number, enter no seq seq-value.
  • If you do not know the rule number, type no and then enter the full syntax without seq-value.
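As an added illustration (not part of the product documentation or the device's own software), the following Python model applies the first-match ordering, the log/copy-sflow processing rule and the address-abbreviation checks described above to rules written in this command's syntax. The accepted token order, the +10 numbering step for rules added without seq, and the use of the standard ipaddress module in place of the device's parser are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    seq: int
    action: str                    # permit | deny | hard-drop
    source: ipaddress.IPv6Network  # 'any' is stored as ::/0
    log: bool = False
    copy_sflow: bool = False

def parse_rule(line: str) -> Rule:
    """Parse one rule in the page's syntax, e.g. 'seq 20 deny 0:2::/64 count log'."""
    toks = line.split()
    seq = None
    if toks[0] == "seq":
        seq, toks = int(toks[1]), toks[2:]
    action = toks.pop(0)
    if action not in ("permit", "deny", "hard-drop"):
        raise ValueError(f"unknown action: {action}")
    src = toks.pop(0)
    if src == "any":
        net = ipaddress.IPv6Network("::/0")
    elif src == "host":  # ipaddress rejects a second '::' (one of the abbreviation rules above)
        net = ipaddress.IPv6Network(toks.pop(0) + "/128")
    else:
        net = ipaddress.IPv6Network(src, strict=False)
    return Rule(seq, action, net, "log" in toks, "copy-sflow" in toks)

def effective_telemetry(rule: Rule) -> Optional[str]:
    if rule.action == "permit":  # only copy-sflow is processed on permit rules
        return "copy-sflow" if rule.copy_sflow else None
    return "log" if rule.log else None  # deny / hard-drop: only log is processed

class StandardAcl:
    def __init__(self) -> None:
        self.rules: list[Rule] = []
    def add(self, line: str) -> None:
        rule = parse_rule(line)
        if rule.seq is None:  # no seq given: goes to the end (the +10 step is an assumption)
            rule.seq = self.rules[-1].seq + 10 if self.rules else 10
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
    def evaluate(self, src: str) -> Optional[tuple]:
        addr = ipaddress.IPv6Address(src)
        for rule in self.rules:  # first match wins; a later hard-drop cannot override an earlier permit
            if addr in rule.source:
                return rule.action, rule.seq
        return None  # nothing matched; the page does not state the default action
```

Feeding it the three rules from the first example below shows that 0:1::1 is still permitted by seq 10 even though seq 30 hard-drops any, and that a rule added without seq lands after seq 30 and is therefore never reached for addresses already matched.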

Filtering fragmented or non-fragmented packets is only supported on ingress ACLs. For IPv6 frames, filtering is only supported if the fragment header is the first extension header. Use protocol number 44 to match the fragment extension header. ACL filtering of fragmented and non-fragmented packets is not supported on SLX 9150 and SLX 9250 devices.

Examples

The following example shows how to create an IPv6 standard ACL and define rules for it.
device# configure terminal
device(config)# ipv6 access-list standard ipv6-std-acl
device(conf-ip6acl-std)# seq 10 permit host 0:1::1
device(conf-ip6acl-std)# seq 20 deny 0:2::/64
device(conf-ip6acl-std)# seq 30 hard-drop any count

The following example creates an IPv6 standard ACL for permitting fragmented packets.

device(config)# ipv6 access-list standard ipv6-receive-acl-example
device(conf-ip6acl-std)# seq 10 permit 44 any any count