access-list ipv6

Syntax

Syntax to create an IPv6 ACL and enter its context. Plus syntax to remove an ACL:

access-list ipv6
no access-list ipv6

Syntax (within the ACL context) for creating or removing ACEs for protocols ah, gre, esp, ospf, pim (ipv6 is available as an alias for any):

[] {permit|deny} {any|ipv6|ah|gre|esp|ospf|pim|} {any|[/]|} {any|[/]|} [dscp] [ecn] [ip-precedence] [tos] [fragment] [vlan] [ttl] [count] [log]
no

Syntax (within the ACL context) for creating or removing ACEs for protocols sctp, tcp, udp:

[] {permit|deny} {sctp|tcp|udp} {any|[/]|} [{eq|gt|lt}|range|group] {any|[/]|} [{eq|gt|lt}|range|group] [urg] [ack] [psh] [rst] [syn] [fin] [established] [dscp] [ecn] [ip-precedence] [tos] [fragment] [vlan] [ttl] [count] [log]
no

Syntax (within the ACL context) for creating or removing ACEs for protocol icmpv6:

[] {permit|deny} {icmpv6} {any|[/]|} {any|[/]|} [icmp-type {echo|echo-reply|}] [icmp-code] [dscp] [ecn] [ip-precedence] [tos] [fragment] [vlan] [ttl] [count] [log]
no

Syntax (within the ACL context) for ACE comments:

[] comment
no comment

Description

Creates an IPv6 Access Control List (ACL). The ACL is made of one or more Access Control Entries (ACEs), ordered and prioritized by sequence number: the ACE with the lowest sequence number has the highest priority and is evaluated first.

The no form of this command deletes the entire ACL, deletes a single ACE identified by its sequence number, or deletes only the comment from the ACE identified by its sequence number.

Command context

config

The access-list ipv6 command takes you into the named ACL context where you enter the ACEs.

Parameters

Specifies the name of this ACL.

Specifies a sequence number for the ACE. Range: 1 to 4294967295.

{permit|deny}

Specifies whether to permit or deny traffic matching this ACE.

Specifies the protocol as its Internet Protocol number. For example, 2 corresponds to the IGMP protocol. Range: 0 to 255.

{any|[/]|}
Specifies the source IPv6 address.
  • any - specifies any source IPv6 address.

  • - specifies the source IPv6 host address.

    • - specifies the address bits to mask (CIDR subnet mask notation). Range: 1 to 128.

  • - specifies an IPv6 address group that you defined earlier with object-group ipv6 address.

{any|[/]|}
Specifies the destination IPv6 address.
  • any - specifies any destination IPv6 address.

  • - specifies the destination IPv6 host address.

    • - specifies the address bits to mask (CIDR subnet mask notation). Range: 1 to 128.

  • - specifies an IPv6 address group that you defined earlier with object-group ipv6 address.

[{eq|gt|lt}|range|group]
Specifies the port, port range, or port group. Port numbers are in the range of 0 to 65535.
  • eq - specifies the Layer 4 port.

  • gt - specifies any Layer 4 port greater than the indicated port.

  • lt - specifies any Layer 4 port less than the indicated port.

  • range - specifies the Layer 4 port range.

  • group - specifies the Layer 4 port group that you defined earlier with object-group port.

NOTE:

Upon application of the ACL, ACEs with L4 port ranges may consume more than one hardware entry.

urg, ack, psh, rst, syn, fin, established

These TCP flag-matching parameters are supported for both ingress and egress.

[icmp-type {echo|echo-reply|}]
Specifies the ICMP type.
  • echo - specifies an ICMP echo request packet.

  • echo-reply - specifies an ICMP echo reply packet.

  • - specifies an ICMP type value. Range: 0 to 255.

[icmp-code]

Specifies the ICMP code value. Range: 0 to 255.

dscp

Specifies the Differentiated Services Code Point (DSCP), either a numeric value (0 to 63) or one of these keywords:

  • AF11 - DSCP 10 (Assured Forwarding Class 1, low drop probability)

  • AF12 - DSCP 12 (Assured Forwarding Class 1, medium drop probability)

  • AF13 - DSCP 14 (Assured Forwarding Class 1, high drop probability)

  • AF21 - DSCP 18 (Assured Forwarding Class 2, low drop probability)

  • AF22 - DSCP 20 (Assured Forwarding Class 2, medium drop probability)

  • AF23 - DSCP 22 (Assured Forwarding Class 2, high drop probability)

  • AF31 - DSCP 26 (Assured Forwarding Class 3, low drop probability)

  • AF32 - DSCP 28 (Assured Forwarding Class 3, medium drop probability)

  • AF33 - DSCP 30 (Assured Forwarding Class 3, high drop probability)

  • AF41 - DSCP 34 (Assured Forwarding Class 4, low drop probability)

  • AF42 - DSCP 36 (Assured Forwarding Class 4, medium drop probability)

  • AF43 - DSCP 38 (Assured Forwarding Class 4, high drop probability)

  • CS0 - DSCP 0 (Class Selector 0: Default)

  • CS1 - DSCP 8 (Class Selector 1: Scavenger)

  • CS2 - DSCP 16 (Class Selector 2: OAM)

  • CS3 - DSCP 24 (Class Selector 3: Signaling)

  • CS4 - DSCP 32 (Class Selector 4: Real time)

  • CS5 - DSCP 40 (Class Selector 5: Broadcast video)

  • CS6 - DSCP 48 (Class Selector 6: Network control)

  • CS7 - DSCP 56 (Class Selector 7)

  • EF - DSCP 46 (Expedited Forwarding)

ecn

Specifies an Explicit Congestion Notification value. Range: 0 to 3.

ip-precedence

Specifies an IP precedence value. Range: 0 to 7.

tos

Specifies the Type of Service value. Range: 0 to 31.

fragment

Specifies a fragment packet.

vlan

Specifies the 802.1Q VLAN ID (VLAN tag) to match on.

NOTE:

This parameter cannot be used in any ACL that will be applied to a VLAN.

ttl

Not supported.

count

Keeps the hit counts of the number of packets matching this ACE.

log

Keeps a log of the number of packets matching this ACE. Works with both permit and deny actions. Works with ACLs applied on ingress or egress, except for the control plane.

[] comment

Adds a comment to an ACE. The no form removes only the comment from the ACE.

Authority

Administrators or local user group members with execution rights for this command.

Usage

  • If the protocol number parameter is used instead of a protocol name, ensure that any needed ACE-definition parameters specific to the selected protocol are also provided.

  • When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait-period is over, any packets matching other ACL types do not create a log. At the end of the wait-period, the switch creates a summary log of all the ACLs that were matched, regardless of type.
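The sequence-number semantics described above (lowest sequence number evaluated first, first match wins, re-using a sequence number replaces the ACE, and "no <seq>" removes it) are easy to misjudge when reviewing a large ACL. This added example, which is not part of the switch documentation or the switch's own implementation, models that evaluation for the ACEs used in the Examples section so an operator can check what a given IPv6 packet would hit before applying the list. It is an assumption that only the any/eq/gt/lt/range forms and plain CIDR addresses are modelled; object groups, TCP flags and DSCP matching are ignored.

```python
import ipaddress


def parse_ace(text):
    """Parse an ACE such as '20 permit tcp 2001:2001::2:1/128 gt 1023 any'.

    Trailing keywords such as 'count' or 'log' are accepted and ignored.
    """
    tok = text.split()
    seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]

    def take_addr():  # 'any' or an address with optional /prefix-length
        a = rest.pop(0)
        return None if a == "any" else ipaddress.ip_network(a, strict=False)

    def take_port():  # optional eq/gt/lt <port> or range <lo> <hi>
        if rest and rest[0] in ("eq", "gt", "lt"):
            op, val = rest.pop(0), int(rest.pop(0))
            return {"eq": lambda p: p == val,
                    "gt": lambda p: p > val,
                    "lt": lambda p: p < val}[op]
        if rest and rest[0] == "range":
            rest.pop(0)
            lo, hi = int(rest.pop(0)), int(rest.pop(0))
            return lambda p: lo <= p <= hi
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


class Ipv6Acl:
    def __init__(self):
        self.aces = {}  # sequence number -> ACE

    def add(self, text):  # entering an existing sequence number replaces that ACE
        ace = parse_ace(text)
        self.aces[ace["seq"]] = ace

    def remove(self, seq):  # the 'no <sequence-number>' form
        self.aces.pop(seq, None)

    def evaluate(self, proto, src, sport, dst, dport):
        """Return (sequence, action) of the first matching ACE, or (None, 'no match')."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq in sorted(self.aces):  # lowest sequence number has highest priority
            a = self.aces[seq]
            if a["proto"] not in ("any", "ipv6", proto):  # ipv6 is an alias for any
                continue
            if a["src"] is not None and src not in a["src"]:
                continue
            if a["dst"] is not None and dst not in a["dst"]:
                continue
            if a["sport"] is not None and not a["sport"](sport):
                continue
            if a["dport"] is not None and not a["dport"](dport):
                continue
            return seq, a["action"]
        return None, "no match"  # the page states no default action, so none is assumed
```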

Examples

Creating an IPv6 ACL with four entries:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 10 permit udp any 2001::1/64
switch(config-acl-ipv6)# 20 permit tcp 2001:2001::2:1/128 gt 1023 any
switch(config-acl-ipv6)# 30 permit tcp 2001:2011::1/64 any
switch(config-acl-ipv6)# 40 deny any any any count
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  >  1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled

Adding a comment to an existing IPv6 ACE:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 20 comment Permit all TCP ephemeral ports
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 Permit all TCP ephemeral ports
           permit                          tcp
           2001:2001::2:1                  >  1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing a comment from an existing IPv6 ACE:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# no 20 comment
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  >  1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled

Adding an ACE to an existing IPv6 ACL:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 25 permit icmpv6 2001::1/64 any
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  >  1023
           any
        25 permit                          icmpv6
           2001::1/64
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled

Replacing an ACE in an existing IPv6 ACL:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 25 permit icmpv6 2001::2:1/64 any
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  >  1023
           any
        25 permit                          icmpv6
           2001::2:1/64
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing an ACE from an IPv6 ACL:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# no 25
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1                  >  1023
           any
        30 permit                          tcp
           2001:2011::1/64
           any
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing an IPv6 ACL:

switch(config)# no access-list ipv6 MY_IPV6_ACL
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL2
         1 permit                          udp
           any
           2001::1/64
         2 Permit all TCP ephemeral ports
           permit                          tcp
           2001:2001::2:1                  >  1023
           any
         3 permit                          tcp
           2001:2011::1/64
           any
         4 deny                            any
           any
           any
           Hit-counts: enabled