Configuring an ipv6 acl, Example configurations – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide, 53-1002440-03, page 87

IACL overview (Chapter 3)

For deny actions:

All deny packets are dropped in hardware.

For permit actions:

For all traffic, packets are processed in hardware and then forwarded to the BPs. The BPs do
not take any action on the ACLs.

Backwards compatibility option:

You can use the ipv6 flow-based-acl-enable command to provide backwards compatibility for
IPv6 ACL processing. If this command is configured, packets are processed in hardware and
then forwarded to the BPs where the BPs also process the ACLs. This command is configured
as shown in the following.

ServerIronADX(config)# ipv6 flow-based-acl-enable

Syntax: ipv6 flow-based-acl-enable

Configuring an IPv6 ACL

To configure an IPv6 ACL, do the following:

1. Create the IPv6 ACL.

2. Apply the IPv6 ACL to the interface.

Example Configurations

To configure an access list that blocks all Telnet traffic received on port 1/1 from IPv6 host
2000:2382:e0bb::2, enter the following commands.

ServerIronADX(config)# ipv6 access-list fdry
ServerIronADX(config-ipv6-access-list-fdry)# deny tcp host 2000:2382:e0bb::2 any eq telnet
ServerIronADX(config-ipv6-access-list-fdry)# permit ipv6 any any
ServerIronADX(config-ipv6-access-list-fdry)# exit
ServerIronADX(config)# int eth 1/1
ServerIronADX(config-if-1/1)# ipv6 traffic-filter fdry in
ServerIronADX(config)# write memory

Here is another example of commands for configuring an ACL and applying it to an interface.

The first condition permits ICMP traffic from hosts in the 2000:2383:e0bb::x network to hosts in
the 2001:3782::x network.

The second condition denies all IPv6 traffic from host 2000:2383:e0ac::2 to host
2000:2383:e0aa:0::24.

The third condition denies all UDP traffic.

ServerIronADX(config)# ipv6 access-list netw
ServerIronADX(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
ServerIronADX(config-ipv6-access-list-netw)# deny ipv6 host 2000:2383:e0ac::2 host 2000:2383:e0aa:0::24
ServerIronADX(config-ipv6-access-list-netw)# deny udp any any
ServerIronADX(config-ipv6-access-list-netw)# permit ipv6 any any
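The following is an added example, not Brocade code or part of this guide. It re-implements the sequential first-match semantics of the two access lists above (fdry and netw) in Python so the entries can be checked offline against constructed sample packets before they are applied to an interface, and it flags entries that an earlier, broader entry shadows (the usual ACL misordering mistake). It assumes an implicit deny when no entry matches, which is what the trailing permit ipv6 any any in both page examples exists to override; the PORT_NAMES table, the Packet type and the sample addresses in 2001:db8::/32 are constructed for the example.

```python
"""First-match evaluator for the IPv6 ACL entries shown on this page (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords accepted after 'eq' (constructed; only the ones needed here).
PORT_NAMES = {"telnet": 23, "ssh": 22, "domain": 53, "http": 80}


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ipv6" (any protocol)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None      # destination port from 'eq', if present


@dataclass
class Packet:                        # constructed packet summary for testing
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv6Network, int]:
    """Consume 'any', 'host X' or 'X/len' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv6Network("::/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1


def parse_entry(line: str) -> Entry:
    """Parse one '<permit|deny> <proto> <src> <dst> [eq <port>]' line as typed on the page."""
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(t[0], t[1], src, dst, dport)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the first matching entry); no match -> ('deny', None)."""
    s, d = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
    for n, e in enumerate(acl, 1):
        if e.proto != "ipv6" and e.proto != pkt.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, n
    return "deny", None   # assumption: implicit deny at the end of the list


def shadowed(acl: List[Entry]) -> List[Tuple[int, int]]:
    """(j, i) pairs where entry j can never match because earlier entry i already covers it."""
    out = []
    for j, later in enumerate(acl, 1):
        for i, earlier in enumerate(acl[: j - 1], 1):
            if (earlier.proto in ("ipv6", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                out.append((j, i))
                break
    return out


# The two access lists from the page, entered exactly as in the CLI examples.
FDRY = [parse_entry(l) for l in [
    "deny tcp host 2000:2382:e0bb::2 any eq telnet",
    "permit ipv6 any any",
]]
NETW = [parse_entry(l) for l in [
    "permit icmp 2000:2383:e0bb::/64 2001:3782::/64",
    "deny ipv6 host 2000:2383:e0ac::2 host 2000:2383:e0aa:0::24",
    "deny udp any any",
    "permit ipv6 any any",
]]

if __name__ == "__main__":
    for pkt in [Packet("tcp", "2000:2382:e0bb::2", "2001:db8::1", 23),
                Packet("tcp", "2000:2382:e0bb::2", "2001:db8::1", 22)]:
        print("fdry", pkt, "->", evaluate(FDRY, pkt))
    print("netw shadowed entries:", shadowed(NETW))
    # Moving the catch-all permit to the top makes every later entry unreachable.
    print("misordered netw:", shadowed([NETW[3]] + NETW[:3]))
```

Run it as a script to see the decisions for the sample packets; the shadowed() check is the part worth keeping around, since a catch-all permit ipv6 any any placed above a deny silently disables that deny while the configuration still looks complete.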
