Create and apply ipv6 acl: examples – Cisco 10000 User Manual


Cisco 10000 Series Router Software Configuration Guide, OL-2226-23
Chapter 21 Configuring IP Version 6, IPv6 Extended ACLs (page 21-8)

Create and Apply IPv6 ACL: Examples

The following example configures two IPv6 ACLs named OUTBOUND and INBOUND and applies
both ACLs to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries
in the OUTBOUND list permit all TCP and User Datagram Protocol (UDP) packets from network
2001:0DB8:0300:0201::/32 to exit out of Ethernet interface 0. The entries also configure the temporary
IPv6 reflexive ACL named REFLECTOUT to filter returning (incoming) TCP and UDP packets on
Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network
fec0:0:0:0201::/64 (packets that have the site-local prefix fec0:0:0:0201 as the first 64 bits of their source
IPv6 address) from exiting out of Ethernet interface 0.

The evaluate command in the INBOUND list applies the temporary IPv6 reflexive ACL named
REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP
packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the
REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets.

ipv6 access-list OUTBOUND
 permit tcp 2001:0DB8:0300:0201::/32 any reflect REFLECTOUT
 permit udp 2001:0DB8:0300:0201::/32 any reflect REFLECTOUT
 ! an IPv6 ACL entry needs a protocol keyword; "ipv6" matches every packet from the prefix
 deny ipv6 fec0:0:0:0201::/64 any
ipv6 access-list INBOUND
 evaluate REFLECTOUT
interface ethernet 0
 ipv6 traffic-filter OUTBOUND out
 ipv6 traffic-filter INBOUND in

Note: Given that a permit any any statement is not included as the last entry in the OUTBOUND or
INBOUND ACL, only TCP and UDP packets matching the configured permit entries in the ACL and
ICMP packets matching the implicit permit conditions in the ACL are permitted out of and into Ethernet
interface 0 (the implicit deny all condition at the end of the ACL denies all other packet types on the
interface).

The following example configures HTTP access to be restricted to certain hours during the day, and to
log any activity outside of the permitted hours.

time-range lunchtime
 periodic weekdays 12:00 to 13:00
ipv6 access-list OUTBOUND
 permit tcp any any eq www time-range lunchtime
 deny tcp any any eq www log-input
 permit tcp 2001:0DB8::/32 any
 permit udp 2001:0DB8::/32 any
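The following Python model is an added example, not part of the Cisco guide and not IOS code. It transcribes both ACL sets above into a small first-match evaluator so the behaviour the text describes can be checked offline: a reflect permit creates a temporary mirror-image entry, evaluate consults it for returning packets, the implicit deny catches everything else, and the time-range entry only matches on weekdays between 12:00 and 13:00 with the following deny logging the rest. The addresses, ports and timestamps are constructed, the implicit ICMPv6 neighbor-discovery permits of a real IPv6 ACL are not modelled, and the Packet, Entry and Router names are the example's own.

```python
# Added toy evaluator for the IPv6 ACL semantics described on this page: first
# match wins, reflect/evaluate keep per-session state, implicit deny at the end,
# time-range and log-input. Not IOS code; the implicit ND permits are not modelled.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

Packet = namedtuple("Packet", "proto src dst sport dport")

@dataclass
class Entry:
    action: str                         # "permit", "deny" or "evaluate"
    proto: str = "ipv6"                 # "ipv6" matches every IPv6 packet
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None         # only set on reflexive (mirror) entries
    dport: Optional[int] = None         # "eq <port>" on the destination
    reflect: Optional[str] = None       # reflexive ACL to fill (permit) or consult (evaluate)
    time_range: Optional[tuple] = None  # (start_minute, end_minute), weekdays only
    log: bool = False                   # log-input

def _addr_match(spec, addr):
    # strict=False: the page's 2001:0DB8:0300:0201::/32 has bits set beyond /32
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _time_active(tr, now):
    # tr is (start_minute, end_minute) on weekdays, or None for "always"
    return tr is None or (now.weekday() < 5 and tr[0] <= now.hour * 60 + now.minute < tr[1])

class Router:
    def __init__(self):
        self.reflexive = {}  # reflexive ACL name -> list of temporary Entry objects
        self.logged = []     # what a log-input entry would send to syslog

    def _match(self, e, pkt, now):
        return (e.proto in ("ipv6", pkt.proto)
                and _addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)
                and (e.sport is None or e.sport == pkt.sport)
                and (e.dport is None or e.dport == pkt.dport)
                and _time_active(e.time_range, now))

    def apply(self, acl, pkt, now=datetime(2024, 1, 3, 12, 30)):
        """Return "permit" or "deny"; the default now is a constructed Wednesday lunchtime."""
        for e in acl:
            if e.action == "evaluate":
                # consult the temporary entries created by earlier "reflect" permits
                if any(self._match(t, pkt, now) for t in self.reflexive.get(e.reflect, [])):
                    return "permit"
                continue
            if not self._match(e, pkt, now):
                continue
            if e.log:
                self.logged.append(f"{e.action} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            if e.action == "permit" and e.reflect:
                # mirror-image entry so the returning packets of this session are admitted
                self.reflexive.setdefault(e.reflect, []).append(
                    Entry("permit", pkt.proto, pkt.dst, pkt.src, sport=pkt.dport, dport=pkt.sport))
            return e.action
        return "deny"  # implicit deny all at the end of every IPv6 ACL

# The two ACL sets from the page, transcribed into Entry objects.
OUTBOUND = [
    Entry("permit", "tcp", "2001:0DB8:0300:0201::/32", reflect="REFLECTOUT"),
    Entry("permit", "udp", "2001:0DB8:0300:0201::/32", reflect="REFLECTOUT"),
    Entry("deny", "ipv6", "fec0:0:0:0201::/64"),
]
INBOUND = [Entry("evaluate", reflect="REFLECTOUT")]

LUNCHTIME = (12 * 60, 13 * 60)  # periodic weekdays 12:00 to 13:00
OUTBOUND_HTTP = [
    Entry("permit", "tcp", dport=80, time_range=LUNCHTIME),
    Entry("deny", "tcp", dport=80, log=True),  # precedes the prefix permits, so order matters
    Entry("permit", "tcp", "2001:0DB8::/32"),
    Entry("permit", "udp", "2001:0DB8::/32"),
]

# Constructed addresses: a host inside the permitted /32, an outside host, a site-local host.
INSIDE, OUTSIDE, SITELOCAL = "2001:db8:1::5", "2001:db9::1", "fec0:0:0:201::9"

def demo_reflexive():
    """Outbound session, its reply, an unsolicited inbound packet, and the site-local deny."""
    r = Router()
    out = r.apply(OUTBOUND, Packet("tcp", INSIDE, OUTSIDE, 50000, 443))
    reply = r.apply(INBOUND, Packet("tcp", OUTSIDE, INSIDE, 443, 50000))
    unsolicited = r.apply(INBOUND, Packet("tcp", OUTSIDE, INSIDE, 443, 22))
    sitelocal = r.apply(OUTBOUND, Packet("tcp", SITELOCAL, OUTSIDE, 1, 2))
    return out, reply, unsolicited, sitelocal  # ("permit", "permit", "deny", "deny")

def demo_http():
    """HTTP at lunch, HTTP mid-afternoon, HTTP on a Saturday, and how many hits were logged."""
    r = Router()
    web = Packet("tcp", INSIDE, OUTSIDE, 50001, 80)
    lunch = r.apply(OUTBOUND_HTTP, web, datetime(2024, 1, 3, 12, 30))
    afternoon = r.apply(OUTBOUND_HTTP, web, datetime(2024, 1, 3, 15, 0))
    saturday = r.apply(OUTBOUND_HTTP, web, datetime(2024, 1, 6, 12, 30))
    return lunch, afternoon, saturday, len(r.logged)  # ("permit", "deny", "deny", 2)
```

Calling demo_reflexive() and demo_http() from a Python prompt prints the tuples noted in the comments. The unsolicited inbound packet is the point of the first example: it is denied not by any configured entry but by the implicit deny, because no reflect permit ever created a matching mirror entry. The second demo shows why the deny for port 80 is placed before the prefix permits: even though the source host falls inside 2001:0DB8::/32, the earlier log-input deny wins outside lunchtime, and each such hit is logged.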
