Procedure (each step lists the Command or Action, followed by its Purpose)
Step 1
Command or Action: configure terminal
Example: Switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: ipv6 access-list acl_name
Example: ipv6 access-list access-list-name
Purpose: Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.
Step 3
Command or Action: {deny | permit} protocol
Example: {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value]
[time-range name]
Purpose: Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched. These are the conditions:
- For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.
- The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).
- Enter any as an abbreviation for the IPv6 prefix ::/0.
- For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
- (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.
- (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP, and UDP port names only when filtering UDP.
- (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
- (Optional) Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.
- (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.
- (Optional) Enter routing to specify that IPv6 packets be routed.
- (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
- (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
Step 4
Command or Action: {deny | permit} tcp
Example: {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [ack] [dscp value] [established] [fin]
[log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value]
[syn] [time-range name] [urg]
Purpose: (Optional) Define a TCP access list and the access conditions.
Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3, with these additional optional parameters:
- ack—Acknowledgment bit set.
- established—An established connection. A match occurs if the TCP datagram has the ACK or RST bits set.
- fin—Finished bit set; no more data from sender.
- neq {port | protocol}—Matches only packets that are not on a given port number.
- psh—Push function bit set.
- range {port | protocol}—Matches only packets in the port number range.
- rst—Reset bit set.
- syn—Synchronize bit set.
- urg—Urgent pointer bit set.
Step 5
Command or Action: {deny | permit} udp
Example: {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [dscp value] [log] [log-input]
[neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]
Purpose: (Optional) Define a UDP access list and the access conditions. Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the port number or name given after an operator must be a UDP port number or name, and the established parameter is not valid for UDP.
Step 6
Command or Action: {deny | permit} icmp
Example: {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input]
[routing] [sequence value] [time-range name]
Purpose: (Optional) Define an ICMP access list and the access conditions.
Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 3, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
- icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
- icmp-code—Enter to filter ICMP packets by ICMP message code, a number from 0 to 255.
- icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key or see the command reference for this release.
Step 7
Command or Action: end
Example: Switch(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can press Ctrl-Z to exit global configuration mode.
Step 8
Command or Action: show ipv6 access-list
Example: show ipv6 access-list
Purpose: Verify the access list configuration.
Step 9
Command or Action: copy running-config startup-config
Example: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
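The following session walks through Steps 1 to 9 above for one complete IPv6 access list. It is an added example, not a configuration taken from the original guide, and the access-list name SERVER-IN, the server address 2001:db8:10::25, the management prefix 2001:db8:20::/64 and the port choices are constructed for illustration (2001:db8::/32 is the IPv6 documentation prefix). It exercises the generic protocol form (Step 3), the tcp form with established (Step 4), the udp form with a port operator (Step 5) and the icmp form with a message name (Step 6), and uses explicit sequence values so that entries can later be inserted between existing ones without rewriting the list.

```cisco
! Added worked example; names, prefixes and ports are constructed.
Switch# configure terminal
Switch(config)# ipv6 access-list SERVER-IN
! Step 4: TCP to the server on its published services only.
Switch(config-ipv6-acl)# permit tcp any host 2001:db8:10::25 eq 443 sequence 10
Switch(config-ipv6-acl)# permit tcp 2001:db8:20::/64 host 2001:db8:10::25 eq 22 sequence 20
! Step 4: replies to connections the server itself opened (ACK or RST set).
Switch(config-ipv6-acl)# permit tcp any host 2001:db8:10::25 established sequence 30
! Step 5: DNS answers: UDP from source port 53 to an ephemeral destination port.
Switch(config-ipv6-acl)# permit udp any eq 53 host 2001:db8:10::25 gt 1023 sequence 40
! Step 6: ICMPv6 by message name; neighbor discovery must stay reachable.
Switch(config-ipv6-acl)# permit icmp any any nd-ns sequence 50
Switch(config-ipv6-acl)# permit icmp any any nd-na sequence 60
Switch(config-ipv6-acl)# permit icmp any host 2001:db8:10::25 echo-request sequence 70
! Step 3: everything else is dropped and logged (log is honoured on router ACLs only).
Switch(config-ipv6-acl)# deny ipv6 any any log sequence 80
! Steps 7 to 9: leave configuration mode, verify, save.
Switch(config-ipv6-acl)# end
Switch# show ipv6 access-list SERVER-IN
Switch# copy running-config startup-config
```

Two points worth checking in the show ipv6 access-list output. First, the entries appear in sequence order, and a later entry is only reached if no earlier one matched, so a broad permit placed before a narrow deny silently wins. Second, the explicit deny ipv6 any any at the end replaces the implicit neighbor-discovery permits that Cisco IPv6 ACLs otherwise apply before the implicit deny, which is why the nd-ns and nd-na permits are listed explicitly above; leaving them out leaves the list syntactically valid but breaks address resolution on the attached link. The list filters nothing until it is applied to an interface (with ipv6 traffic-filter, a command outside the procedure on this page).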