Extended ipv6 acls – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02
Extended IPv6 ACLs
Syntax: [no] ipv6 access-list name
deny | permit
routing-header-type type-value
Enter a value from 0 - 255 for the routing-header-type type-value parameter to filter packets based
on their IPv6 header type value.
For more information on the syntax, refer to
NOTE
The routing-header-type option is separate and independent of the routing option. The
routing-header-type and routing options are mutually exclusive and cannot be used in the same
filter.
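The following Python model is an added example, not taken from this guide and not the device's implementation. It shows what a routing-header-type match has to inspect: the Routing Type byte of the IPv6 Routing extension header (Next Header 43, RFC 8200), found by walking the extension header chain. The function names are hypothetical, the sample packets are constructed, and the `routing` option is assumed to match any packet that carries a Routing header.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60  # Next Header values (RFC 8200)

def routing_header_type(packet: bytes):
    """Return the Routing Type (0-255) of the first Routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40                      # Next Header field of the fixed header
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            return packet[off + 2]                # byte 2 of the Routing header
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return None                       # non-first fragment: rest of chain absent
            size = 8                              # Fragment header has a fixed length
        else:
            size = (packet[off + 1] + 1) * 8      # Hdr Ext Len: 8-byte units past the first
        nxt, off = packet[off], off + size
    return None

def make_filter(action, routing=False, header_type=None):
    """Hypothetical model of one filter; enforces the two rules stated above."""
    if routing and header_type is not None:
        raise ValueError("routing and routing-header-type are mutually exclusive")
    if header_type is not None and not 0 <= header_type <= 255:
        raise ValueError("routing-header-type must be 0-255")
    return {"action": action, "routing": routing, "header_type": header_type}

def matches(flt, packet):
    rtype = routing_header_type(packet)
    if flt["header_type"] is not None:
        return rtype == flt["header_type"]        # exact match on the type value
    if flt["routing"]:
        return rtype is not None                  # assumption: any Routing header matches
    return True

def build_packet(ext_headers, last=59):
    """Constructed sample: fixed header + (kind, body) extension headers; 59 = No Next Header."""
    kinds = [k for k, _ in ext_headers] + [last]
    payload = b"".join(bytes([kinds[i + 1]]) + body for i, (_, body) in enumerate(ext_headers))
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), kinds[0], 64) + bytes(32)
    return fixed + payload

HBH = (HOP_BY_HOP, bytes([0, 1, 4, 0, 0, 0, 0]))          # constructed: len 0, PadN padding
RH0 = (ROUTING, bytes([2, 0, 1]) + bytes(4) + bytes(16))  # constructed: type 0, 1 segment left
RH2 = (ROUTING, bytes([2, 2, 1]) + bytes(4) + bytes(16))  # constructed: type 2
```

A filter built with `header_type=0` matches the packet carrying `RH0` but not the one carrying `RH2`, while a filter built with `routing=True` matches both under the stated assumption.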
NOTE
For more information on configuring the acl-mirror-port command, refer to Multi-Service IronWare
Switching Configuration Guide.
Extended IPv6 ACLs
Configuration considerations for extended IPv6 layer 4 ACL
The following configuration considerations apply to extended IPv6 L4 ACLs:
• There are two lookups available for the ingress direction. In the ingress direction, you can bind an IPv6 layer 4 ACL with IPv4 layer 4 ACLs and layer 3 ACLs on the same port.
• Brocade NetIron XMR and Brocade MLX series devices have one CAM lookup for outbound ACLs.
• Only one ingress L2 or IPv6 ACL is allowed per port. However, they cannot be applied simultaneously.
• Layer 4 ACLs filter incoming traffic based on IPv6 packet header fields. The following attributes can be added to the IPv6 packet header fields:
  - VLAN ID
  - Source IPv6 address (SIP) prefix
  - Destination IPv6 address (DIP) prefix
  - IP protocol (SPI matching is not supported for AHP or ESP)
  - UDP or TCP source port
  - UDP or TCP destination port
  - TCP flags - established (RST or ACK)
  - TCP flags - SYN
  - ICMP type and code
  - DSCP value
  - IPv6 fragments
  - Source routed packets
  - Specific routing header type