Default and implicit ipv6 acl action – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide 179
53-1003035-02
Configuring an IPv6 ACL 4

Brocade(config)#access-list 101 deny ipv6 any any

In the above example, the first ACL entry is assigned the default sequence number “10”, the second
ACL entry has the user-defined sequence number “12”, the third ACL entry is assigned sequence
number “20” (the smallest number divisible by 10 that is greater than 12), the fourth ACL entry is
assigned sequence number “30” (the smallest number divisible by 10 that is greater than 20), the
fifth ACL entry has the user-defined sequence number “37”, the sixth ACL entry is assigned sequence
number “40” (the smallest number divisible by 10 that is greater than 37), and so on.

To configure an ACL filter rule with the sequence number “23” for “ipv6_acl”, enter the following
commands:

Brocade(config)# ipv6 access-list ipv6_acl

Brocade(config-ipv6-access-list-ipv6_acl)# sequence 23 deny esp 2::/64 any

If the sequence number “23” is already used by another ACL filter rule, the following error message
is displayed.

"Error: Entry with sequence 23 already exists!"

If you specify a sequence number which is greater than the limit (214748364) the following error
message is displayed.

"Error: Valid range for sequence is 1 to 214748364"

Default and implicit IPv6 ACL action

The default action when no IPv6 ACLs are configured is to permit all IPv6 traffic. Once you configure
an IPv6 ACL and apply it to an interface, the default action for that interface is to deny all IPv6
traffic that is not explicitly permitted on the interface. The following actions can be taken:

To tightly control access, configure ACLs with permit entries for the access you want to permit.
These ACLs implicitly deny all other access.

To secure access in environments with many users, configure ACLs with explicit deny entries,
then add an entry to permit all access to the end of each ACL. The Brocade device permits
packets that are not denied by the deny entries.

NOTE
Refer to “Configuration considerations for IPv6 ACL and multicast traffic for 2X100GE modules
installed on NetIron MLX and NetIron XMR devices” regarding 2x100 GE IPv6 ACL rule exceptions
for multicast traffic.

Every IPv6 ACL has the following implicit conditions as the last match conditions.

1. permit icmp any any nd-na – Allows ICMP neighbor discovery acknowledgement.

2. permit icmp any any nd-ns – Allows ICMP neighbor discovery solicitation.

3. deny ipv6 any any – Denies IPv6 traffic. You must enter a permit ipv6 any any as the last
statement in the ACL to permit IPv6 traffic that was not denied by the previous statements.

The conditions are applied in the order shown above, with deny ipv6 any any as the last condition.
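The following Python model is an added example, not code from the Brocade guide or from IronWare: it replays the sequence-numbering behaviour described above (default numbers 10, 20, 30, 40 around user-defined 12 and 37, plus the duplicate and range errors) and the first-match evaluation with the three implicit trailing conditions. It assumes that a default sequence number is the smallest multiple of 10 above the highest sequence already in use, and that a rule protocol of "ipv6" matches every IPv6 packet; packet dictionaries and addresses are constructed for the demonstration.

```python
import ipaddress
SEQ_MAX = 214748364  # upper bound quoted in the guide's error message

def _rule_match(rule, pkt):
    # rule = (action, proto, src, dst, icmp_flag); proto "ipv6" matches every packet
    _, proto, src, dst, flag = rule
    if (proto != "ipv6" and proto != pkt["proto"]) or (flag and flag != pkt.get("flag")):
        return False
    return all(spec == "any" or ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(spec)
               for spec, k in ((src, "src"), (dst, "dst")))

class Ipv6Acl:
    # implicit trailing conditions, in the order the guide lists them
    IMPLICIT = [("permit", "icmp", "any", "any", "nd-na"),
                ("permit", "icmp", "any", "any", "nd-ns"),
                ("deny", "ipv6", "any", "any", None)]

    def __init__(self):
        self.rules = []  # (sequence, rule) pairs, kept sorted by sequence

    def add(self, action, proto, src, dst, flag=None, sequence=None):
        if sequence is None:
            # assumption: smallest multiple of 10 above the highest sequence in use (10 when empty)
            highest = max((s for s, _ in self.rules), default=0)
            sequence = (highest // 10 + 1) * 10
        elif not 1 <= sequence <= SEQ_MAX:
            raise ValueError("Error: Valid range for sequence is 1 to %d" % SEQ_MAX)
        elif any(s == sequence for s, _ in self.rules):
            raise ValueError("Error: Entry with sequence %d already exists!" % sequence)
        self.rules.append((sequence, (action, proto, src, dst, flag)))
        self.rules.sort(key=lambda pair: pair[0])
        return sequence

    def evaluate(self, pkt):
        # first match wins; implicit conditions apply only when no configured rule matches
        for seq, rule in self.rules:
            if _rule_match(rule, pkt):
                return rule[0], seq
        for rule in self.IMPLICIT:
            if _rule_match(rule, pkt):
                return rule[0], "implicit"

def build_example_acl():
    # replays the guide's numbering example: defaults 10, 20, 30, 40 around user-set 12 and 37
    acl = Ipv6Acl()
    seqs = [acl.add("deny", "esp", "2::/64", "any"),
            acl.add("deny", "tcp", "2001:db8::/32", "any", sequence=12),
            acl.add("deny", "udp", "any", "any"),
            acl.add("deny", "icmp", "any", "any", "nd-na"),
            acl.add("permit", "tcp", "any", "any", sequence=37),
            acl.add("permit", "ipv6", "any", "any")]
    return acl, seqs
```

Because the configured deny for nd-na at sequence 30 is reached before the implicit conditions, neighbor discovery acknowledgements are dropped while the trailing permit ipv6 any any at sequence 40 still passes everything else; an ACL without that trailing permit falls through to the implicit deny.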

For example, to deny ICMP neighbor discovery acknowledgement, then permit any remaining IPv6
traffic, enter commands such as the following.
