Using an acl to restrict telnet access, Logging ipv6 acls – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide

95

53-1002440-03

Using an ACL to Restrict Telnet Access

3

ServerIronADX(config)# ipv6 access-list test2

ServerIronADX(config-ipv6-access-list test2)# deny ipv6 host 2000:1::1 any log

ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:1::0/32 any

ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:2::0/32 any

ServerIronADX(config-ipv6-access-list test2)# permit ipv6 host 2000:3::1 any

ServerIronADX(config-ipv6-access-list test2)# exit

ServerIronADX(config)# ssh access-group ipv6 test2

Syntax: [no] ssh access-group ipv6 <acl-name>

Using an ACL to Restrict Telnet Access

To configure an ACL that restricts Telnet access to an IPv6 device, first create the named ACL with
the ACL statements. Then use the telnet access-group command to restrict Telnet access for IPv6:

ServerIronADX(config)# ipv6 access-list test1

ServerIronADX(config-ipv6-access-list test1)# deny ipv6 host 2000:1::1 any log

ServerIronADX(config-ipv6-access-list test1)# permit ipv6 2000:1::0/32 any

ServerIronADX(config-ipv6-access-list test1)# permit ipv6 2000:2::0/32 any

ServerIronADX(config-ipv6-access-list test1)# permit ipv6 host 2000:3::1 any

ServerIronADX(config-ipv6-access-list test1)# exit

ServerIronADX(config)# telnet access-group ipv6 test1

Syntax: telnet access-group ipv6 <acl-name>

Logging IPv6 ACLs

Logging for IPv6 ACLs is disabled by default. To enable logging, enable it for each IPv6 ACL, then
include the logging option in an ACL statement. Logging at both levels need to be configured in
order for statistics for packets that match the condition to be logged. For example:

ServerIronADX(config)# ipv6 access-list acl2

ServerIronADX(config-ipv6-access-list-acl2)# logging-enable

ServerIronADX(config-ipv6-access-list-acl2)# permit tcp host

2002:200:12d:1300:204:23ff:fec7:dabf any eq http

ServerIronADX(config-ipv6-access-list-acl2)# deny icmp 2002:200:12d:1300::/64 any

echo-reply log

ServerIronADX(config-ipv6-access-list-acl2)# permit ipv6 any any

Syntax: [no] logging-enable

NOTE

Syntax for the log option in an IPv6 ACL statement are presented in the section

“ACL Syntax”

on

page 89.

NOTE

Permit logging is not currently supported.