User's Manual
38-5
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 38 Configuring IPv6 ACLs
Configuring IPv6 ACLs
Creating IPv6 ACLs
Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL: 
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
ipv6 access-list access-list-name
Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.
Step 3a
{deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
Enter deny or permit to specify whether to deny or permit the packet if conditions are 
matched. These are the conditions:
  • For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, 
ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an 
IPv6 protocol number. 
Note For additional specific parameters for ICMP, TCP, and UDP, see Steps 3b 
through 3d.
  • The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is 
the source or destination IPv6 network or class of networks for which to set deny 
or permit conditions, specified in hexadecimal and using 16-bit values between 
colons (see RFC 2373). 
  • Enter any as an abbreviation for the IPv6 prefix ::/0.
  • For host source-ipv6-address or destination-ipv6-address, enter the source or 
destination IPv6 host address for which to set deny or permit conditions, specified 
in hexadecimal using 16-bit values between colons.
  • (Optional) For operator, specify an operand that compares the source or 
destination ports of the specified protocol. Operands are lt (less than), gt (greater 
than), eq (equal), neq (not equal), and range. 
If the operator follows the source-ipv6-prefix/prefix-length argument, it must 
match the source port. If the operator follows the 
destination-ipv6-prefix/prefix-length argument, it must match the destination port.
  • (Optional) The port-number is a decimal number from 0 to 65535 or the name of 
a TCP or UDP port. You can use TCP port names only when filtering TCP. You 
can use UDP port names only when filtering UDP.
  • (Optional) Enter dscp value to match a differentiated services code point value 
against the traffic class value in the Traffic Class field of each IPv6 packet header. 
The acceptable range is from 0 to 63.
  • (Optional) Enter fragments to check noninitial fragments. This keyword is visible 
only if the protocol is ipv6.
  • (Optional) Enter log to cause a logging message to be sent to the console about 
the packet that matches the entry. Enter log-input to include the input interface in 
the log entry. Logging is supported only for router ACLs.
  • (Optional) Enter routing to specify that IPv6 packets be routed.
  • (Optional) Enter sequence value to specify the sequence number for the access list 
statement. The acceptable range is from 1 to 4294967295.
  • (Optional) Enter time-range name to specify the time range that applies to the 
deny or permit statement. 
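
The following is an added example, not taken from the Cisco guide, that applies Steps 1 through 3a and shows how operator placement selects the source or the destination port. The ACL name MGMT-IN and all addresses (from the 2001:db8::/32 documentation range) are constructed; the nd-na and nd-ns ICMP message keywords are IOS keywords that are not listed in Step 3a.

```cisco
! Added example. MGMT-IN and every address (2001:db8::/32 documentation
! range) are constructed values, not taken from the guide.
configure terminal
ipv6 access-list MGMT-IN
 ! Operator AFTER the destination: matches destination port 22.
 permit tcp 2001:db8:0:1::/64 host 2001:db8:0:10:211:22ff:fe33:4455 eq 22 sequence 10
 ! For contrast (not entered): the same operator after the SOURCE prefix
 ! would match source port 22, that is, replies sent from an SSH server:
 !   permit tcp 2001:db8:0:1::/64 eq 22 host 2001:db8:0:10:211:22ff:fe33:4455
 ! Operators on both sides: source ports above 1023 to destination port 53.
 permit udp 2001:db8:0:1::/64 gt 1023 host 2001:db8:0:10:211:22ff:fe33:4455 eq 53 sequence 20
 ! range takes a low and a high port number.
 permit tcp 2001:db8:0:1::/64 any range 8000 8080 sequence 30
 ! Match a DSCP value (0 to 63) in the Traffic Class field.
 deny udp any any dscp 46 sequence 40
 ! An explicit final deny is evaluated before the implicit entries of an
 ! IPv6 ACL, so neighbor discovery is permitted explicitly ahead of it.
 permit icmp any any nd-na sequence 50
 permit icmp any any nd-ns sequence 60
 ! log produces messages only when the ACL is used as a router ACL.
 deny ipv6 any any log sequence 70
 end
```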










