This article explains how to create an IPv6 Based ACL on SFE/SGE Managed Switches. The ACL permits or denies packets based on the IPv6 addresses configured in the access list.
• SFE/SGE Managed Switches
• v3.0.2.0
Step 1. Log in to the web configuration utility and choose Security Suite > Access Control > IPv6 Based ACL. The IPv6 Based ACL page opens:
Step 2. Click Add ACL. The Add IPv6 Based ACL window appears.
Step 3. Enter the access list name in the ACL Name Field.
Step 4. Check to enable and enter the priority value in the New Rule Priority field. The highest priority values are processed first. The highest priority is 1.
Step 5. Click the radio button corresponds to the type of protocol to be used for the ACL, configured for all routed networks in order to filter the packets as the packets pass through a router.
• Select from list — Choose any of the protocols from the drop-down list (TCP, UDP, ICMP).
• Protocol ID to match — Match the protocol by its IP protocol number. For instance, the value for TCP is 6, for UDP it is 17 and for ICMP it is 58.
• Any — Any IP-based protocol is matched by the ACL.
Step 6. The Source Port fields are enabled only when you choose protocol TCP or UDP from Step 5. Enter a value within the range 0 - 65535 or click Any if all the Source Ports are acceptable.
Step 7. The Destination Port fields are enabled only when you choose protocol TCP or UDP from Step 5. Enter a value within the range 0 - 65535 or click Any if all the Destination Ports are acceptable.
Step 8. TCP Flags are enabled only when you choose TCP from Step 5. Choose any of the flags.
• Urg — Identify incoming data as urgent.
• Ack — Acknowledge the successful receipt of packets.
• Psh — Ensure that the data is given priority and is processed promptly at the sending or receiving end.
• Rst — Reset the connection when a segment arrives that is not intended for the current connection.
• Syn — Synchronize sequence numbers to begin TCP communication.
• Fin — The communication or data transfer is finished.
Step 9. The ICMP fields are enabled only when you choose the ICMP protocol in Step 5. ICMP sends error messages when a service is unavailable or a host or router cannot be reached; it is also used to relay query messages. Click the desired option to choose how ICMP messages are matched.
• Select from List — Choose any of the permitted control messages from the drop-down list.
• ICMP Type — Enter a value in the range 0-255 to match the ICMP control message type.
• Any — Any error message or query message.
Step 10. ICMP Codes are enabled only when you choose the ICMP protocol in Step 5. Click an option to match the control messages more specifically by their code value.
• Any — Any code value matches the control message.
• User Defined — Enter a value in the range 0-255 to match the control message code.
Step 11. In the Source IP Address field, enter a source IPv6 address with its Wildcard Mask, or click Any if all source addresses are acceptable.
Step 12. In the Destination IP Address field, enter a destination IPv6 address with its Wildcard Mask, or click Any if all destination addresses are acceptable.
Step 13. Check to enable traffic class matching, which is used for congestion control so that hosts back off when congestion occurs.
• Match DSCP — Differentiated Service Code Point is a mechanism for classifying and managing network traffic. Six bits (0-63) are used to select the Per Hop Behavior that a packet experiences at each node.
• Match IP Precedence — Match the preference type of IP packets. The IP Precedence values are 0 for routine, 1 for priority, 2 for immediate, 3 for flash, 4 for flash-override, 5 for critical, 6 for internet and 7 for network.
Step 14. Choose the Action that is applied when a packet matches the rule.
• Permit — Allows packets that match the ACE criteria.
• Deny — Drops packets that meet the ACE criteria.
• Shutdown — Drops packets that meet the ACE criteria and disables the port on which the packets were received. Such ports can be reactivated from the port settings page.
Step 15. Click Apply. The IPv6 Based ACL is written to the running configuration file.
Caution: This saves your configuration only to the running configuration file, so any changes will be lost if the device is rebooted. To keep these changes after a system reboot, copy the running configuration file to the startup configuration file. See Copy Configuration File on SFE/SGE Series Managed Switches for more information on how to do this.
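The following is an added illustration, not code from the article or from the switch firmware, showing how the rule fields above (protocol ID, ports, ICMP type, source and destination wildcard masks, priority order with 1 first, and the permit/deny/shutdown action) combine when an ACL is evaluated against a packet. The rule and packet layout, and the choice to drop traffic that matches no rule, are assumptions for this example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol IDs as listed in Step 5 (protocol 58 is ICMPv6).
TCP, UDP, ICMP = 6, 17, 58
ALL_ONES = (1 << 128) - 1

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask test used by Steps 11 and 12: a 1 bit in the mask means
    "don't care", a 0 bit means the packet bit must equal the rule bit."""
    a = int(ipaddress.IPv6Address(addr))
    r = int(ipaddress.IPv6Address(rule_addr))
    care = ALL_ONES ^ int(ipaddress.IPv6Address(wildcard))  # bits that must match
    return (a & care) == (r & care)

@dataclass
class Ace:
    priority: int                        # 1 is processed first (Step 4)
    action: str                          # "permit", "deny" or "shutdown" (Step 14)
    protocol: Optional[int] = None       # None means Any
    src: Optional[tuple] = None          # (address, wildcard mask) or None for Any
    dst: Optional[tuple] = None
    dst_port: Optional[int] = None       # TCP/UDP only (Step 7)
    icmp_type: Optional[int] = None      # ICMP only (Step 9)

def ace_matches(ace: Ace, pkt: dict) -> bool:
    """True when every field set on the ACE matches the packet (unset = Any)."""
    return ((ace.protocol is None or pkt["proto"] == ace.protocol)
            and (ace.src is None or wildcard_match(pkt["src"], *ace.src))
            and (ace.dst is None or wildcard_match(pkt["dst"], *ace.dst))
            and (ace.dst_port is None or pkt.get("dport") == ace.dst_port)
            and (ace.icmp_type is None or pkt.get("icmp_type") == ace.icmp_type))

def evaluate(acl: list, pkt: dict) -> str:
    """Try ACEs from priority 1 upward; the first match decides. Unmatched
    traffic is dropped here (assumption: the article does not state the default)."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed sample ACL: from 2001:db8:1::/64 allow only TCP/443 to one server,
# deny the rest of that subnet, and permit ICMPv6 echo requests (type 128).
SAMPLE_ACL = [
    Ace(1, "permit", TCP, ("2001:db8:1::", "::ffff:ffff:ffff:ffff"),
        ("2001:db8:2::10", "::"), dst_port=443),
    Ace(2, "deny", None, ("2001:db8:1::", "::ffff:ffff:ffff:ffff")),
    Ace(3, "permit", ICMP, icmp_type=128),
]
```

Note that the echo request from inside 2001:db8:1::/64 is denied by the priority-2 rule before the priority-3 permit is ever reached, which is the ordering effect Step 4 describes.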