Configuration notes, Processing of ipv6 acls – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


86

ServerIron ADX Security Guide

53-1002440-03

IACL overview

3

Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)

NOTE

TCP and UDP filters will be matched only if they are listed as the first option in the extension header.

For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address.

This chapter contains the following sections:

“Configuring an IPv6 ACL” on page 87

“Applying an IPv6 ACL to an interface” on page 93

“Displaying ACLs” on page 94

Configuration Notes

Either IPv6 must be enabled globally or an IPv6 address must be configured on an interface
before IPv6 ACLs can be configured.

An IPv6 ACL can include up to 1024 entries or statements.

Only named ACLs are supported.

Only Inbound ACLs are supported.

If an IPv6 ACL has the implicit deny condition, make sure it also permits the IPv6 link-local
address, in addition to the global unicast address. Otherwise, routing protocols such as OSPF
will not work. To view the link-local address, use the show ipv6 interface command.

You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so will
cause the system to return the following error message.

ServerIronADX(config-if-e1000-7)#no ipv6 enable

Error: Port 7 has IPv6 ACL configured. Cannot disable IPv6

To disable IPv6, first remove the ACL from the interface.
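The notes above describe the rules an IPv6 ACL on this platform is evaluated under (ordered entries, first match wins, an implicit deny at the end, at most 1024 entries, inbound only) and the one pitfall that bites most often: an ACL that relies on the implicit deny silently drops link-local traffic, so OSPF adjacencies fail. The following Python model is an added example, not Brocade code and not the device's configuration syntax; it evaluates constructed packets against a small ACL (including the "deny TCP port 80 from one host to one website" policy from the overview) and lints an ACL for the entry limit and the missing link-local permit. All addresses are constructed documentation-range values, and the `Entry`/`Packet` fields are a simplified abstraction of the real ACL statement.

```python
"""Toy first-match IPv6 ACL evaluator and linter (added example, not vendor code).

Models the semantics stated in the guide's configuration notes: ordered
entries, first match decides, an implicit deny when nothing matches, a
1024-entry limit, and the need to permit link-local (fe80::/10) traffic
when relying on the implicit deny so routing protocols such as OSPF work.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional

MAX_ENTRIES = 1024                      # per-ACL limit stated in the guide
LINK_LOCAL = IPv6Network("fe80::/10")   # link-local range (RFC 4291)
ANY = IPv6Network("::/0")               # "any" source or destination


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" (matches every protocol), "tcp", "udp", ...
    src: IPv6Network
    dst: IPv6Network
    dst_port: Optional[int] = None   # TCP/UDP destination port; None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv6Address
    dst: IPv6Address
    dst_port: Optional[int] = None


def mk_packet(proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> Packet:
    """Convenience constructor taking address strings."""
    return Packet(proto, IPv6Address(src), IPv6Address(dst), dst_port)


def matches(entry: Entry, pkt: Packet) -> bool:
    """True if the packet satisfies every field the entry constrains."""
    if entry.proto != "ipv6" and entry.proto != pkt.proto:
        return False
    if pkt.src not in entry.src or pkt.dst not in entry.dst:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Inbound first-match evaluation; falling off the end is the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


def lint(acl: List[Entry]) -> List[str]:
    """Flag the pitfalls the configuration notes call out."""
    problems = []
    if len(acl) > MAX_ENTRIES:
        problems.append(f"{len(acl)} entries exceed the {MAX_ENTRIES}-entry limit")
    # Every ACL ends in an implicit deny, so unless some permit entry covers
    # link-local sources (fe80::/10; a '::/0' source covers it too), neighbour
    # traffic such as OSPF hellos from fe80::/10 to ff02::5 is dropped.
    covers_link_local = any(
        e.action == "permit" and e.proto == "ipv6" and LINK_LOCAL.subnet_of(e.src)
        for e in acl
    )
    if not covers_link_local:
        problems.append("no permit entry covers link-local (fe80::/10) sources; "
                        "routing protocols such as OSPF will not work")
    return problems


def example_acl() -> List[Entry]:
    """Constructed ACL: block HTTP from one client to one website (the scenario
    in the overview), keep link-local traffic and the rest of the client prefix.
    Everything else hits the implicit deny."""
    client = IPv6Network("2001:db8:1::10/128")    # constructed addresses
    website = IPv6Network("2001:db8:2::80/128")
    return [
        Entry("deny", "tcp", client, website, dst_port=80),
        Entry("permit", "ipv6", LINK_LOCAL, ANY),
        Entry("permit", "ipv6", IPv6Network("2001:db8:1::/64"), ANY),
    ]


if __name__ == "__main__":
    acl = example_acl()
    samples = [
        mk_packet("tcp", "2001:db8:1::10", "2001:db8:2::80", 80),    # blocked HTTP
        mk_packet("tcp", "2001:db8:1::10", "2001:db8:2::80", 443),   # other ports pass
        mk_packet("ospf", "fe80::1", "ff02::5"),                     # OSPF hello
        mk_packet("udp", "2001:db8:9::1", "2001:db8:2::80", 53),     # implicit deny
    ]
    for p in samples:
        print(f"{p.proto:5} {p.src} -> {p.dst} port={p.dst_port}: {evaluate(acl, p)}")
    print("lint:", lint(acl) or "clean")
    print("lint without link-local permit:", lint([acl[0], acl[2]]))
```

Note that entry order is part of the policy: moving the `permit ipv6 2001:db8:1::/64 any` entry above the `deny tcp ... 80` entry would shadow the deny, because the client's packets match the permit first. The linter is a heuristic over the entry list and does not detect such shadowing.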

Processing of IPv6 ACLs

There are two ways that IPv6 ACLs are processed in Brocade devices: in software and in hardware.
This processing differs depending on the software release that you are running. These differences
are described in the following sections.

Prior to release 12.3.01

Prior to release 12.3.01, IPv6 ACLs were processed as described in the following:

For deny and permit actions:

All permit and deny packets are forwarded to the BPs and the BPs perform the ACL processing.

Beginning with release 12.3.01 and later

Beginning with release 12.3.01, IPv6 ACLs are processed as described in the following:
