Ipv6 access control lists, Iacl overview, Chapter 3 – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide

53-1002440-03

Chapter 3

IPv6 Access Control Lists

IACL overview

ServerIron ADX supports IPv6 Access Control Lists (ACLs) in hardware. The maximum number of
ACL entries you can configure is a system-wide parameter and depends on the device you are
configuring. You can configure up to 1024 entries in any combination across different ACLs; the
total number of entries in all ACLs cannot exceed the system maximum of 1024.

By default, IPv6 ACLs are processed in hardware and all IPv6 ACL rules are stored in TCAM.

An IPv6 ACL is composed of one or more conditional statements, each of which specifies an action
(permit or deny) to take if a packet matches a specified source or destination prefix. There can be
up to 1024 IPv6 ACL statements per device. When the maximum number of IPv6 ACL rules is
reached, the following error messages are displayed on the console:

IPv6 Hardware ACL rules cannot be configured,exceeds the maximum hardware limit of 1024 entries

Insufficient hardware resource for binding the ACL scale1 to interface Port or Slot/Port.

In ACLs with multiple statements, you can specify a priority for each statement. The specified
priority determines the order in which the statement appears in the ACL. The last statement in each
IPv6 ACL is an implicit deny statement for all packets that do not match the previous statements in
the ACL.

You can configure an IPv6 ACL on a global basis, then apply it to the incoming IPv6 packets on
specified interfaces. You can apply only one IPv6 ACL to an interface's incoming traffic. When an
interface receives an IPv6 packet, it applies the statements in the ACL to the packet in their order
of appearance. As soon as a match occurs, the ServerIron ADX takes the specified action (permit
or deny the packet) and stops further comparison for that packet.
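The processing rules above (statements ordered by priority, first match wins, implicit deny at the end, and one 1024-entry budget shared by all ACLs) modelled as an added Python example; this is not code from the guide or from Brocade, and the Rule/Device names, the assumption that a lower priority value is evaluated first, and the sample prefixes and packets are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional
MAX_ENTRIES = 1024            # system-wide hardware (TCAM) limit stated in the guide
TCP, UDP, ICMPV6 = 6, 17, 58  # well-known IPv6 protocol numbers
@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: IPv6Network                # source prefix
    dst: IPv6Network                # destination prefix
    protocol: Optional[int] = None  # 0-255; None matches any protocol
    sport: Optional[int] = None     # port tests only apply when protocol is TCP/UDP
    dport: Optional[int] = None
    priority: int = 100             # assumption: lower value is evaluated earlier

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if IPv6Address(pkt["src"]) not in self.src or IPv6Address(pkt["dst"]) not in self.dst:
            return False
        if self.protocol not in (TCP, UDP):      # ports are only compared for TCP/UDP
            return True
        return all(want is None or pkt.get(key) == want
                   for key, want in (("sport", self.sport), ("dport", self.dport)))

class Device:
    def __init__(self) -> None:
        self.acls: dict = {}                     # every ACL draws on one 1024-entry budget
    def add_rule(self, acl: str, rule: Rule) -> None:
        if sum(len(r) for r in self.acls.values()) >= MAX_ENTRIES:
            raise RuntimeError(f"exceeds the maximum hardware limit of {MAX_ENTRIES} entries")
        self.acls.setdefault(acl, []).append(rule)
        self.acls[acl].sort(key=lambda r: r.priority)  # stable: ties keep configuration order
    def evaluate(self, acl: str, pkt: dict) -> str:
        for rule in self.acls.get(acl, []):      # first match wins; no further comparison
            if rule.matches(pkt): return rule.action
        return "deny"                            # implicit deny closes every IPv6 ACL

def demo() -> list:
    dev, any6 = Device(), IPv6Network("::/0")
    dev.add_rule("edge-in", Rule("permit", any6, IPv6Network("2001:db8:1::/64"), TCP, dport=443))
    dev.add_rule("edge-in", Rule("permit", any6, any6, ICMPV6))
    dev.add_rule("edge-in", Rule("deny", IPv6Network("2001:db8:bad::/48"), any6, priority=10))
    pkts = [  # constructed packets: blocked source, allowed HTTPS, unmatched SSH, ICMPv6
        {"src": "2001:db8:bad::1", "dst": "2001:db8:1::10", "proto": TCP, "dport": 443},
        {"src": "2001:db8:2::5", "dst": "2001:db8:1::10", "proto": TCP, "dport": 443},
        {"src": "2001:db8:2::5", "dst": "2001:db8:1::10", "proto": TCP, "dport": 22},
        {"src": "2001:db8:2::5", "dst": "2001:db8:9::1", "proto": ICMPV6},
    ]
    return [dev.evaluate("edge-in", p) for p in pkts]
```

The deny rule is configured last but, with priority 10, is evaluated first, so the third packet falls through every statement and is dropped by the implicit deny.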

Brocade’s IPv6 ACLs enable traffic filtering based on the following information:

IPv6 protocol

Source IPv6 address

Destination IPv6 address

Source TCP or UDP port (if the IPv6 protocol is TCP or UDP)

Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)

The IPv6 protocol can be one of the following well-known names or any IPv6 protocol number from
0 – 255:

Authentication Header (AHP)

Encapsulating Security Payload (ESP)

Internet Control Message Protocol (ICMP)

Internet Protocol Version 6 (IPv6)

Stream Control Transmission Protocol (SCTP)
