IPv6 ACL traffic filtering criteria, IPv6 protocol names and numbers, IPv6 ACL configuration notes – Brocade Communications Systems Brocade ICX 6650 User Manual


128

Brocade ICX 6650 Security Configuration Guide

53-1002601-01


NOTE

IPv6 ACLs are supported on inbound traffic and are implemented in hardware, making it possible
for the Brocade device to filter traffic at line-rate speed on 10 Gbps interfaces.

IPv6 ACL traffic filtering criteria

The Brocade implementation of IPv6 ACLs enables traffic filtering based on the following information:

IPv6 protocol

Source IPv6 address

Destination IPv6 address

IPv6 message type

Source TCP or UDP port (if the IPv6 protocol is TCP or UDP)

Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)

IPv6 protocol names and numbers

The IPv6 protocol can be one of the following well-known names or any IPv6 protocol number from
0 through 255:

Authentication Header (AHP)

Encapsulating Security Payload (ESP)

Internet Control Message Protocol (ICMP)

Internet Protocol Version 6 (IPv6)

Stream Control Transmission Protocol (SCTP)

Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)

NOTE

TCP and UDP filters will be matched only if they are listed as the first option in the extension header.

For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IPv6 address to the website IPv6 address.

IPv6 ACLs also provide support for filtering packets based on DSCP.
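The following model of the match criteria above is an added illustration, not Brocade code and not the switch's own matching logic. It assumes first-match evaluation with an implicit deny at the end of the list, uses the IANA protocol numbers for the names listed in the guide, and models the note about TCP and UDP filters by refusing to match a tcp or udp rule whenever any extension header precedes the transport header. The addresses are constructed documentation-prefix values. It reproduces the "block web access to one website" policy from the text and shows the consequence of the extension-header caveat: a port-80 packet that carries a Hop-by-Hop header slips past the port-based deny and is handled by the later permit.

```python
"""Model of the IPv6 ACL match criteria described in the guide (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional

# IANA protocol numbers for the well-known names the guide lists.
PROTO = {"icmp": 58, "tcp": 6, "udp": 17, "sctp": 132, "ahp": 51, "esp": 50}
ANY6 = IPv6Network("::/0")


@dataclass
class Packet:
    """Constructed packet summary; ext_headers lists extension headers in order."""
    src: str
    dst: str
    proto: int                        # upper-layer protocol after any extension headers
    ext_headers: List[str] = field(default_factory=list)
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    dscp: int = 0


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: Optional[int]              # None models the 'ipv6' keyword: any protocol
    src: IPv6Network = ANY6
    dst: IPv6Network = ANY6
    sport: Optional[int] = None       # only an 'eq' comparison is modelled here
    dport: Optional[int] = None
    icmp_type: Optional[int] = None   # IPv6 message type (ICMPv6)
    dscp: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if IPv6Address(pkt.src) not in rule.src or IPv6Address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None:
        if pkt.proto != rule.proto:
            return False
        # Guide caveat (modelling assumption): a TCP/UDP filter matches only when
        # the transport header directly follows the base IPv6 header.
        if rule.proto in (PROTO["tcp"], PROTO["udp"]) and pkt.ext_headers:
            return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.dscp is not None and pkt.dscp != rule.dscp:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied (assumed implicit deny)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The guide's example policy: deny TCP port 80 from one client to one website,
# then permit everything else (constructed addresses from the 2001:db8::/32 range).
CLIENT = IPv6Network("2001:db8::10/128")
WEBSITE = IPv6Network("2001:db8:1::80/128")
BLOCK_WEB_ACL = [
    Rule("deny", PROTO["tcp"], src=CLIENT, dst=WEBSITE, dport=80),
    Rule("permit", None),             # permit ipv6 any any
]


def demo() -> dict:
    http = Packet("2001:db8::10", "2001:db8:1::80", PROTO["tcp"], dport=80)
    https = Packet("2001:db8::10", "2001:db8:1::80", PROTO["tcp"], dport=443)
    # Same HTTP flow with a Hop-by-Hop header between IPv6 and TCP: the tcp rule
    # does not match, so the packet falls through to the permit rule.
    http_ext = Packet("2001:db8::10", "2001:db8:1::80", PROTO["tcp"],
                      ext_headers=["hop-by-hop"], dport=80)
    return {
        "http": evaluate(BLOCK_WEB_ACL, http),
        "https": evaluate(BLOCK_WEB_ACL, https),
        "http_with_ext_header": evaluate(BLOCK_WEB_ACL, http_ext),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The third verdict is the one to keep in mind when a port-based deny is the only control in front of a host: the guide's note means such a rule covers only packets whose TCP or UDP header is the first header after the IPv6 header, so a broader protocol-level rule (or a deny on the address pair) is the safer backstop.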

IPv6 ACL configuration notes

IPv4 ACLs that filter based on VLAN membership or VE port membership
(ACL-per-port-per-VLAN) are supported together with IPv6 ACLs on the same device, as long as
they are not bound to the same port or virtual interface.

IPv4 source guard and IPv6 ACLs are supported together on the same device, as long as they
are not configured on the same port or virtual interface.

IPv6 ACLs do not support ACL filtering based on VLAN membership or VE port membership.
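A pre-deployment check for the three coexistence rules above, added here as an illustration rather than anything the device itself runs. It assumes a configuration has already been reduced to a list of (interface, feature) bindings; the feature labels and interface names are constructed for the example. It reports any port or VE where an IPv6 ACL shares the interface with an ACL-per-port-per-VLAN IPv4 ACL or with IPv4 source guard, and any attempt to bind an IPv6 ACL on a per-VLAN basis, which the guide says is not supported.

```python
"""Coexistence check for IPv6 ACL bindings, per the guide's configuration notes (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Feature labels are constructed for this example.
IPV6_ACL = "ipv6-acl"
IPV4_ACL_PER_VLAN = "ipv4-acl-per-port-per-vlan"
IPV4_SOURCE_GUARD = "ipv4-source-guard"

# Features the guide allows on the same device as IPv6 ACLs, but not on the same port or VE.
CANNOT_SHARE_INTERFACE_WITH_IPV6_ACL = {IPV4_ACL_PER_VLAN, IPV4_SOURCE_GUARD}


@dataclass(frozen=True)
class Binding:
    interface: str     # e.g. "ethernet 1/1/1" or "ve 10" (constructed names)
    feature: str
    vlan: int = 0      # non-zero when the binding is restricted to one VLAN


def find_conflicts(bindings: List[Binding]) -> List[Tuple[str, str]]:
    """Return (interface, reason) pairs for every binding the guide says is unsupported."""
    by_interface: Dict[str, Set[str]] = defaultdict(set)
    problems: List[Tuple[str, str]] = []
    for b in bindings:
        by_interface[b.interface].add(b.feature)
        # IPv6 ACLs cannot filter on VLAN membership or VE port membership.
        if b.feature == IPV6_ACL and b.vlan:
            problems.append((b.interface, f"{IPV6_ACL} bound per VLAN {b.vlan}: not supported"))
    for iface in sorted(by_interface):
        feats = by_interface[iface]
        if IPV6_ACL not in feats:
            continue
        for other in sorted(feats & CANNOT_SHARE_INTERFACE_WITH_IPV6_ACL):
            problems.append((iface, f"{IPV6_ACL} and {other} on the same interface"))
    return problems


# Constructed sample: one clean port, one port mixing IPv6 ACL with IPv4 source guard,
# one VE mixing IPv6 ACL with an ACL-per-port-per-VLAN IPv4 ACL, one per-VLAN IPv6 binding.
SAMPLE_BINDINGS = [
    Binding("ethernet 1/1/1", IPV6_ACL),
    Binding("ethernet 1/1/2", IPV4_SOURCE_GUARD),
    Binding("ethernet 1/1/3", IPV6_ACL),
    Binding("ethernet 1/1/3", IPV4_SOURCE_GUARD),
    Binding("ve 10", IPV6_ACL),
    Binding("ve 10", IPV4_ACL_PER_VLAN, vlan=10),
    Binding("ethernet 1/1/4", IPV6_ACL, vlan=20),
]


if __name__ == "__main__":
    for iface, reason in find_conflicts(SAMPLE_BINDINGS):
        print(f"{iface}: {reason}")
```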
