Configuration notes, Configuring an ipv6 acl, Example configurations – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide, 53-1003250-01 (page 50)

IPv6 ACL overview

NOTE: TCP and UDP filters will be matched only if they are listed as the first option in the extension header.

For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address.

This chapter contains the following sections:

“Configuring an IPv6 ACL” on page 50

“Applying an IPv6 ACL to an interface” on page 55

“Displaying ACLs” on page 55

Configuration notes

Either IPv6 must be enabled globally or an IPV6 address must be configured on an interface
before IPv6 ACLs can be configured.

An IPv6 ACL can include up to 1024 entries or statements.

Only named ACLs are supported.

Only Inbound ACLs are supported.

If an IPv6 ACL has the implicit deny condition, make sure it also permits the IPv6 link-local
address, in addition to the global unicast address. Otherwise, routing protocols such as OSPF
will not work. To view the link-local address, use the show ipv6 interface command.

You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so will
cause the system to return the following error message.

Virtual ADX(config-if-e1000-7)#no ipv6 enable

Error: Port 7 has IPv6 ACL configured. Cannot disable IPv6

To disable IPv6, first remove the ACL from the interface.

Configuring an IPv6 ACL

To configure an IPv6 ACL, do the following:

1. Create the IPv6 ACL.

2. Apply the IPv6 ACL to the interface.

Example configurations

To configure an access list that blocks all Telnet traffic received on port 1/1 from IPv6 host
2001:db8:2382:e0bb::2, enter the following commands.

Virtual ADX(config)#ipv6 access-list fdry

Virtual ADX(config-ipv6-access-list-fdry)#deny tcp host 2001:db8:2382:e0bb::2 any eq telnet

Virtual ADX(config-ipv6-access-list-fdry)#permit ipv6 any any

Virtual ADX(config-ipv6-access-list-fdry)#exit

Virtual ADX(config)#int ethernet 1/1

Virtual ADX(config-if-1/1)#ipv6 traffic-filter fdry in

Virtual ADX(config)#write memory
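The following Python model is an added example, not part of the Brocade guide, that reproduces the first-match and implicit-deny semantics the chapter describes for a small subset of the ACL grammar (permit/deny, ipv6/tcp/udp, host/any/prefix, eq port) and checks the link-local caveat from the configuration notes: an ACL that never permits fe80::/10 silently drops OSPF hellos. The port-name table and the sample addresses are constructed for illustration.

```python
"""Model the IPv6 ACL semantics from the guide: first match wins, implicit deny at the end."""
import ipaddress

# constructed subset of the CLI port-name table (the guide mentions telnet and http)
PORT_NAMES = {"telnet": 23, "http": 80, "ssh": 22}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host <addr>' or '<prefix>/<len>'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("::/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/128")
    return ipaddress.ip_network(tok, strict=False)


def parse_entry(line):
    """Parse one ACL statement, e.g. 'deny tcp host 2001:db8:2382:e0bb::2 any eq telnet'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet; the first matching entry decides."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["proto"] != "ipv6" and e["proto"] != proto:  # 'ipv6' matches any protocol
            continue
        if src_ip not in e["src"] or dst_ip not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"  # implicit deny at the end of every ACL


def blocks_link_local_ospf(acl):
    """Lint: would an OSPFv3 hello from a link-local neighbour be dropped by this ACL?"""
    # constructed sample packet: fe80::1 -> ff02::5 (AllSPFRouters), protocol 89 modelled as 'ospf'
    return evaluate(acl, "ospf", "fe80::1", "ff02::5") == "deny"
```

Feeding the guide's own "fdry" entries through `evaluate` shows Telnet from 2001:db8:2382:e0bb::2 denied and everything else permitted, while an ACL consisting only of a TCP permit flags the OSPF problem until a `permit ipv6 fe80::/10 any` entry is added.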
