HP 6200YL User Manual

IPv6 Access Control Lists (ACLs)
Configuration Commands

< ipv6 | ipv6-protocol | ipv6-protocol-nbr >

Used after

deny or permit to specify the packet protocol type

required for a match. An ACL must include one of the follow­
ing:
• ipv6 — any IPv6 packet.
• ipv6-protocol — any one of the following IPv6 protocol

names:

esp

ah

sctp

icmp*

tcp*

udp*

* For TCP, UDP, and ICMP, additional, optional criteria can
be specified, as described on pages 8-52 through 8-56.

• ipv6-protocol-nbr — the protocol number of an IPv6 packet

type, such as “8” for Exterior Gateway Protocol or 121 for
Simple Message Protocol. (Range: 0 - 255)

(For a listing of IPv6 protocol numbers and their corre­

sponding protocol names, refer to the IANA protocol number
assignments at

www.iana.com..)

< any | host < SA > | SA < prefix-length >>

This is the first instance of IPv6 addressing in an ACE. It
follows the protocol specifier and defines the source IPv6
address (SA) a packet must carry for a match with the ACE.
• any — Allows IPv6 packets from any IPv6 SA.
• host < SA > — Specifies only packets having a single address

as the SA. Use this criterion when you want to match only
the IPv6 packets from a single SA.

• SA < prefix-length > — Specifies packets received from one or

more contiguous subnets or contiguous addresses within a
single subnet. The prefix length is in CIDR format and
defines the number of leftmost bits to use in determining a
match. (Refer to “Using CIDR Notation To Enter the IPv6
ACL Prefix Length” on page 8-41.) In a given ACE, the SA
prefix length defines how many leftmost bits in a packet’s
SA must exactly match the SA configured in the ACE.

Examples of Prefix-Length Applications:

• 2001:db8:0:e102::10:100/120 matches any IPv6 address

in the range of 2001:db8:0:e102::10:<0100 - 01FF>

• 2001:db8:a0:e102::/64 matches any IPv6 address having

a prefix of 2001:db8:a0:e102.

• FE80::/16 matches any link-local address on an inter­

face.

8-48