IPv6 ACL Configuration Mode Commands
The IPv6 Access Control List Configuration Mode is used to create and manage IPv6 access privileges.
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
- deny/permit (by source IP address masking)
- deny/permit (any)
- deny/permit (by host IP address)
- deny/permit (by source ICMP packets)
- deny/permit (by IP packets)
- deny/permit (by TCP/UDP packets)
- end
- exit
- readdress server
- redirect context (by IP address masking)
- redirect context (any)
- redirect context (by host IP address)
- redirect context (by source ICMP packets)
- redirect context (by IP packets)
- redirect context (by TCP/UDP packets)
- redirect css delivery-sequence
- redirect css service (any)
- redirect css service (by host IP address)
- redirect css service (by ICMP packets)
- redirect css service (by IP packets)
- redirect css service (by source IP address masking)
- redirect css service (by TCP/UDP packets)
- redirect css service (for downlink, any)
- redirect css service (for downlink, by host IP address)
- redirect css service (for downlink, by ICMP packets)
- redirect css service (for downlink, by IP packets)
- redirect css service (for downlink, by source IP address masking)
- redirect css service (for downlink, by TCP/UDP packets)
- redirect css service (for uplink, any)
- redirect css service (for uplink, by host IP address)
- redirect css service (for uplink, by ICMP packets)
- redirect css service (for uplink, by IP packets)
- redirect css service (for uplink, by source IP address masking)
- redirect css service (for uplink, by TCP/UDP packets)
- redirect nexthop (by IP address masking)
- redirect nexthop (any)
- redirect nexthop (by host IP address)
- redirect nexthop (by source ICMP packets)
- redirect nexthop (by IP packets)
- redirect nexthop (by TCP/UDP packets)
deny/permit (by source IP address masking)
Used to filter subscriber sessions based on the IPv6 address mask sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
{ deny | permit } [ log ] source_address source_wildcard
after { deny | permit } [ log ] source_address source_wildcard
before { deny | permit } [ log ] source_address source_wildcard
no { deny | permit } [ log ] source_address source_wildcard
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
deny | permit
Specifies whether the rule is a block (deny) or an allow (permit) filter.
- deny: Indicates the rule, when matched, drops the corresponding packets.
- permit: Indicates the rule, when matched, allows the corresponding packets.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
Usage Guidelines
Define a rule that applies to any packet from the group of IP addresses selected by the address mask. This reduces the number of filtering rules, since a separate rule is not required for each source and destination pair.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Examples
permit 2001:4A2B::1f3F
deny log 2001:4A2B::1f3F
before permit 2001:4A2B::1f3F
after deny log 2001:4A2B::1f3F
no permit 2001:4A2B::1f3F
deny/permit (any)
Used to filter subscriber sessions based on any packet received. This command is also used to set the access control list insertion point.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
{ deny | permit } [ log ] any
after { deny | permit } [ log ] any
before { deny | permit } [ log ] any
no { deny | permit } [ log ] any
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
deny | permit
Specifies whether the rule is a block (deny) or an allow (permit) filter.
- deny: Indicates the rule, when matched, drops the corresponding packets.
- permit: Indicates the rule, when matched, allows the corresponding packets.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
any
Indicates all packets will match the filter regardless of source and/or destination.
Usage Guidelines
Define a catch all rule to place at the end of the list of rules.
It is suggested that any rule which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Examples
permit any
deny log any
before permit any
after deny log any
no permit any
deny/permit (by host IP address)
Used to filter subscriber sessions based on the targeted host IP address sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
{ deny | permit } [ log ] host source_host_address
after { deny | permit } [ log ] host source_host_address
before { deny | permit } [ log ] host source_host_address
no { deny | permit } [ log ] host source_host_address
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
deny | permit
Specifies whether the rule is a block (deny) or an allow (permit) filter.
- deny: Indicates the rule, when matched, drops the corresponding packets.
- permit: Indicates the rule, when matched, allows the corresponding packets.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
Usage Guidelines
Define a rule when a very specific remote host is to be blocked. In simplified networks where the access controls need only block a few hosts, this command allows the rules to be very clear and concise.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Examples
permit host 2001:4A2B::1f3F
deny log host 2001:4A2B::1f3F
before permit host 2001:4A2B::1f3F
after deny log host 2001:4A2B::1f3F
no permit host 2001:4A2B::1f3F
deny/permit (by source ICMP packets)
Used to filter subscriber sessions based on the internet control message protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
{ deny | permit } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after { deny | permit } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
before { deny | permit } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
no { deny | permit } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
deny | permit
Specifies whether the rule is a block (deny) or an allow (permit) filter.
- deny: Indicates the rule, when matched, drops the corresponding packets.
- permit: Indicates the rule, when matched, allows the corresponding packets.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 hexadecimal-colon-separated notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 hexadecimal-colon-separated notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
icmp_type
Specifies that all ICMP packets of a particular type are to be filtered. The type is an integer from 0 through 255.
icmp_code
Specifies that all ICMP packets of a particular code are to be filtered. The code is an integer from 0 through 255.
Usage Guidelines
Define a rule to block ICMP packets, which can be used for address resolution and may pose a security risk.
The IP filtering allows flexible controls for pairs of individual hosts or groups by IP masking which allows the filtering of entire subnets if necessary.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Examples
permit icmp host 2001:4A2B::1f3F any 168
deny log icmp 2001:4A2B::1f3F 2001:4a2b::1f00 host fe80::a02:410 168 11
before permit icmp host 2001:4A2B::1f3F any 168
after deny log icmp 2001:4A2B::1f3F 2001:4a2b::1f00 host fe80::a02:410 168 11
no permit icmp host 2001:4A2B::1f3F any 168
deny/permit (by IP packets)
Used to filter subscriber sessions based on the internet protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
{ deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocolnum ]
after { deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocolnum ]
before { deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocolnum ]
no { deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocolnum ]
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
deny | permit
Specifies whether the rule is a block (deny) or an allow (permit) filter.
- deny: Indicates the rule, when matched, drops the corresponding packets.
- permit: Indicates the rule, when matched, allows the corresponding packets.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
fragment
Indicates packet filtering is to be applied to IP packet fragments only.
protocol num
Indicates that the packet filtering is to be applied to a specific protocol number.
num can be any integer ranging from 0 to 255.
Usage Guidelines
Block IP packets when the source and destination are of interest.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Examples
permit ip host 2001:4A2B::1f3F any fragment
deny log ip 2001:4A2B::1f3F 2001:4a2b::1f00 host fe80::a02:410
before permit ip host 2001:4A2B::1f3F any fragment
after deny log ip 2001:4A2B::1f3F 2001:4a2b::1f00 host fe80::a02:410
no permit ip host 2001:4A2B::1f3F any fragment
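The following is an added example, not code from this Cisco reference: a small Python model of the ACL behaviour described above for the ip rule form, covering the complement-style wildcard mask whose one-bits must be contiguous from the LSB, first-match evaluation of the ordered rule list, and the after/before/no insertion-point handling. The default result when no rule matches, and the adjustment of the insertion point when a rule above it is removed, are assumptions made here; fragment and protocol number matching are not modelled.

```python
import ipaddress


def wildcard_ok(wildcard: str) -> bool:
    """A valid wildcard is a contiguous run of one-bits starting at the LSB,
    i.e. the mask has the form 2**k - 1 (0, 1, 3, 7, ...)."""
    m = int(ipaddress.IPv6Address(wildcard))
    return m & (m + 1) == 0


def parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any' | 'host ADDR' | 'ADDR WILDCARD'.
    Returns (matcher, canonical_tokens, next_index); matcher takes an IPv6Address."""
    if tokens[i] == "any":
        return (lambda a: True), ["any"], i + 1
    if tokens[i] == "host":
        want = ipaddress.IPv6Address(tokens[i + 1])
        return (lambda a: a == want), ["host", str(want)], i + 2
    base = ipaddress.IPv6Address(tokens[i])
    wild = ipaddress.IPv6Address(tokens[i + 1])
    if not wildcard_ok(str(wild)):
        raise ValueError(f"wildcard {wild}: one-bits are not contiguous from the LSB")
    keep = ~int(wild) & (2**128 - 1)   # zero-bits of the wildcard must match exactly
    fixed = int(base) & keep           # one-bits of the wildcard are ignored
    return (lambda a: int(a) & keep == fixed), [str(base), str(wild)], i + 2


class Rule:
    """One '{ deny | permit } [ log ] ip SRC DST' rule."""

    def __init__(self, text: str):
        t = text.split()
        if t[0] not in ("permit", "deny"):
            raise ValueError("rule must start with permit or deny")
        self.action = t[0]
        i = 1
        self.log = t[i] == "log"
        if self.log:
            i += 1
        if t[i] != "ip":
            raise ValueError("only the ip rule form is modelled here")
        i += 1
        self.src, src_key, i = parse_addr(t, i)
        self.dst, dst_key, i = parse_addr(t, i)
        if i != len(t):
            raise ValueError("unexpected trailing tokens")
        # Canonical text used for the exact-match lookups done by before/after/no.
        parts = [self.action] + (["log"] if self.log else []) + ["ip"]
        self.key = " ".join(parts + src_key + dst_key)

    def matches(self, src, dst) -> bool:
        return self.src(src) and self.dst(dst)


class Ipv6Acl:
    """Ordered rule list with the insertion-point semantics of the mode commands."""

    def __init__(self, default="deny"):
        self.rules = []
        self.insert_at = None     # None: new rules are appended at the end
        self.default = default    # assumption: result when no rule matches

    def _find(self, rule):
        for n, r in enumerate(self.rules):
            if r.key == rule.key:
                return n
        return None

    def configure(self, line: str):
        t = line.split()
        if t[0] in ("before", "after"):
            n = self._find(Rule(" ".join(t[1:])))
            if n is not None:                    # no exact match: point unchanged
                self.insert_at = n if t[0] == "before" else n + 1
        elif t[0] == "no":
            n = self._find(Rule(" ".join(t[1:])))
            if n is not None:
                del self.rules[n]
                if self.insert_at is not None and n < self.insert_at:
                    self.insert_at -= 1          # assumption: keep pointing at same rule
        else:
            rule = Rule(line)
            if self.insert_at is None:
                self.rules.append(rule)
            else:
                self.rules.insert(self.insert_at, rule)
                self.insert_at += 1              # subsequent rules follow, in order

    def evaluate(self, src: str, dst: str):
        """First matching rule decides; returns (action, logged)."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        for r in self.rules:
            if r.matches(s, d):
                return r.action, r.log
        return self.default, False

    def keys(self):
        return [r.key for r in self.rules]


def demo() -> Ipv6Acl:
    """Constructed sample configuration exercising masking, before and no."""
    acl = Ipv6Acl()
    acl.configure("permit ip host 2001:db8::10 any")
    # Wildcard ::ffff:ffff:ffff:ffff:ffff fixes the top 48 bits: all of 2001:db8:1::/48.
    acl.configure("deny log ip 2001:db8:1:: ::ffff:ffff:ffff:ffff:ffff any")
    acl.configure("deny log ip any any")           # logged catch-all at the end
    acl.configure("before deny log ip any any")    # move insertion point above it
    acl.configure("permit ip host 2001:db8:9::7 any")
    acl.configure("no permit ip host 2001:db8::10 any")
    return acl
```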
deny/permit (by TCP/UDP packets)
Used to filter subscriber sessions based on the transmission control protocol/user datagram protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
{ deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
after { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
before { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
no { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
deny | permit
Specifies whether the rule is a block (deny) or an allow (permit) filter.
- deny: Indicates the rule, when matched, drops the corresponding packets.
- permit: Indicates the rule, when matched, allows the corresponding packets.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
tcp | udp
Specifies whether the filter applies to the IP-based Transmission Control Protocol or the User Datagram Protocol.
- tcp: Filter applies to TCP packets.
- udp: Filter applies to UDP packets.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
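As an added illustration that is not part of the StarOS documentation, the following Python applies the source_address / source_wildcard definition above to IPv6 addresses: zero-bits in the wildcard must agree with the configured address, one-bits are ignored, and the one-bits must form a contiguous run from the least significant bit. It also converts a valid wildcard to the equivalent prefix length. The function names and the sample addresses (taken from the 2001:db8::/32 documentation prefix) are assumptions made for the example.

```python
import ipaddress

# Added example, not from the StarOS documentation: applies the
# source_address / source_wildcard rule to IPv6 addresses. Zero-bits in the
# wildcard must match the configured address exactly, one-bits are ignored,
# and the one-bits must be a contiguous run starting at the LSB.

ALL_ONES = (1 << 128) - 1


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the one-bits form a contiguous run from the least significant bit.

    Such masks are exactly the integers 2**k - 1 for k in 0..128, and an
    integer w has that form if and only if w & (w + 1) == 0.
    """
    w = int(ipaddress.IPv6Address(wildcard))
    return w & (w + 1) == 0


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Equivalent CIDR prefix length: 128 minus the number of ignored bits."""
    if not wildcard_is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not a contiguous mask from the LSB")
    return 128 - int(ipaddress.IPv6Address(wildcard)).bit_length()


def wildcard_matches(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """True when packet_addr is inside the group selected by rule_addr/wildcard.

    A wildcard the ACL would reject raises ValueError, so a bad mask fails at
    configuration time instead of silently matching the wrong addresses.
    """
    if not wildcard_is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not a contiguous mask from the LSB")
    care = ALL_ONES & ~int(ipaddress.IPv6Address(wildcard))   # bits that must agree
    return (int(ipaddress.IPv6Address(packet_addr)) & care) == (
        int(ipaddress.IPv6Address(rule_addr)) & care)


if __name__ == "__main__":
    # Constructed sample values from the 2001:db8::/32 documentation prefix.
    rule_addr, wildcard = "2001:db8:0:1::", "::ffff:ffff:ffff:ffff"
    print(wildcard_to_prefixlen(wildcard))                                # 64
    print(wildcard_matches("2001:db8:0:1:a:b:c:d", rule_addr, wildcard))  # True
    print(wildcard_matches("2001:db8:0:2::1", rule_addr, wildcard))       # False
    print(wildcard_is_contiguous("::ff00"))                               # False
```

A wildcard of :: selects exactly one address (the same effect as the host form), and a wildcard of all ones selects every address (the same effect as any); everything in between must be a run of ones from the bottom, which is why ::ff00 is rejected even though it is a perfectly valid IPv6 address.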
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
eq source_port
Specifies a single, specific source TCP port number to be filtered.
source_port must be configured to an integer from 0 through 65535.
gt source_port
Specifies that all source TCP port numbers greater than the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
lt source_port
Specifies that all source TCP port numbers less than the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
neq source_port
Specifies that all source TCP port numbers not equal to the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
eq dest_port
Specifies a single, specific destination TCP port number to be filtered.
dest_port must be configured to an integer from 0 through 65535.
gt dest_port
Specifies that all destination TCP port numbers greater than the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
lt dest_port
Specifies that all destination TCP port numbers less than the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
neq dest_port
Specifies that all destination TCP port numbers not equal to the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
Usage Guidelines
Block IP packets when the source and destination are of interest but for only a limited set of ports.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Examples
permit tcp host 2001:4A2B::1f3F any
deny log udp 2001:4A2B::1f3F 2001:4a2b::1f00 host fe80::a02:410
permit tcp host 2001:4A2B::1f3F gt 1023 any
before permit tcp host 2001:4A2B::1f3F any
after deny log udp 2001:4A2B::1f3F 2001:4a2b::1f00 host fe80::a02:410
no permit tcp host 2001:4A2B::1f3F gt 1023 any
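The after, before and no forms above decide where subsequently defined rules land, and the order of the rules is what decides which one a packet hits first. The following Python model is an added example, not StarOS code, that makes those insertion-point semantics and first-match evaluation checkable offline. It assumes: "exactly matches the options specified" means field-for-field equality of the parsed rule (address case is irrelevant); the insertion point starts at the end of the list and, once moved by after or before, advances past each rule added so that later rules follow in order; a no that removes a rule ahead of the point shifts the point back by one so it stays beside the same neighbour; and only the any and host address forms are parsed (the address/wildcard form is left out for brevity). The rule texts are constructed; 2001:db8::/32 is the documentation prefix.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional

# Added example, not StarOS code: an ordered ACL under the after / before / no
# forms described above, plus first-match evaluation; the assumed semantics
# are stated in the lead-in. Only the any / host address forms are parsed.

PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
            "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}

# src/dst: None = any, else a normalised host address; *_port: (op, port) or
# None. Tuple equality is the "exactly matches the options specified" test.
Rule = namedtuple("Rule", "action log proto src src_port dst dst_port")


def parse_rule(text: str) -> Rule:
    """Parse '<deny|permit> [log] <tcp|udp> <src> [op port] <dst> [op port]'."""
    tok = text.split()
    action = tok.pop(0)
    log = tok[:1] == ["log"]
    del tok[:int(log)]
    proto = tok.pop(0)
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"bad action or protocol in {text!r}")

    def endpoint():
        kind = tok.pop(0)
        if kind not in ("any", "host"):
            raise ValueError("only the any / host address forms are modelled")
        addr = None if kind == "any" else str(ipaddress.IPv6Address(tok.pop(0)))
        port = None
        if tok and tok[0] in PORT_OPS:                 # optional port operator
            port = (tok.pop(0), int(tok.pop(0)))
        return addr, port

    src, src_port = endpoint()
    dst, dst_port = endpoint()
    return Rule(action, log, proto, src, src_port, dst, dst_port)


class Acl:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.point: Optional[int] = None     # None: new rules are appended

    def _index(self, text: str) -> int:
        rule = parse_rule(text)
        return self.rules.index(rule) if rule in self.rules else -1

    def after(self, text: str) -> None:
        i = self._index(text)
        if i >= 0:                           # no exact match: point unchanged
            self.point = i + 1

    def before(self, text: str) -> None:
        i = self._index(text)
        if i >= 0:
            self.point = i

    def add(self, text: str) -> None:
        if self.point is None:
            self.rules.append(parse_rule(text))
        else:
            self.rules.insert(self.point, parse_rule(text))
            self.point += 1                  # later rules follow, in order

    def remove(self, text: str) -> bool:
        i = self._index(text)
        if i < 0:
            return False
        del self.rules[i]
        if self.point is not None and self.point > i:
            self.point -= 1                  # point stays beside the same neighbour
        return True

    def first_match(self, proto, src, sport, dst, dport) -> Optional[Rule]:
        """First rule the packet matches, or None when nothing matches."""
        src, dst = str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst))
        for r in self.rules:
            if r.proto != proto or (r.src and r.src != src) or (r.dst and r.dst != dst):
                continue
            if r.src_port and not PORT_OPS[r.src_port[0]](sport, r.src_port[1]):
                continue
            if r.dst_port and not PORT_OPS[r.dst_port[0]](dport, r.dst_port[1]):
                continue
            return r
        return None


def build_example_acl() -> Acl:
    """Constructed command sequence (2001:db8::/32 is the documentation prefix)."""
    acl = Acl()
    acl.add("permit tcp host 2001:DB8::10 any eq 443")
    acl.add("deny log udp any host 2001:db8::53")
    acl.add("permit tcp host 2001:db8::10 gt 1023 any")
    acl.before("permit tcp host 2001:db8::10 any eq 443")  # point -> index 0
    acl.add("deny log tcp host 2001:db8::10 any eq 23")    # becomes first
    acl.after("permit tcp host 2001:db8::99 any")          # no such rule: unchanged
    acl.add("deny log tcp host 2001:db8::10 any eq 22")    # becomes second
    acl.remove("permit tcp host 2001:db8::10 gt 1023 any")
    return acl
```

In this model the insertion point persists once moved, so a rule intended as a trailing catch-all that is added afterwards lands at the point, in the middle of the list, and shadows every more specific rule behind it; first_match makes that misplacement visible. Moving the point past the last rule with after and that rule's exact options resumes appending at the end.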
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
Syntax Description
end
Usage Guidelines
Use this command to return to the Exec mode.
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
Syntax Description
exit
Usage Guidelines
Use this command to return to the parent configuration mode.
readdress server
Alter the destination address and port number in TCP or UDP packet headers to redirect packets to a different server.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
readdress server redirect_address [ port port_number ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after readdress server redirect_address [ port port_number ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
before readdress server redirect_address [ port port_number ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
no readdress server redirect_address [ port port_number ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
redirect_address
The IP address to which the IP packets are redirected. TCP or UDP packet headers are rewritten to contain the new destination address. This must be expressed in IPv6 colon-separated-hexadecimal notation.
port port_number
The number of the port at the redirect address where the packets are sent. TCP or UDP packet headers are rewritten to contain the new destination port number.
tcp | udp
Specifies whether the redirect applies to the IP-based Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
- tcp: Redirect applies to TCP packets.
- udp: Redirect applies to UDP packets.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
eq source_port
Specifies a single, specific source TCP port number to be filtered.
source_port must be configured to an integer from 0 through 65535.
gt source_port
Specifies that all source TCP port numbers greater than the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
lt source_port
Specifies that all source TCP port numbers less than the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
neq source_port
Specifies that all source TCP port numbers not equal to the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
eq dest_port
Specifies a single, specific destination TCP port number to be filtered.
dest_port must be configured to an integer from 0 through 65535.
gt dest_port
Specifies that all destination TCP port numbers greater than the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
lt dest_port
Specifies that all destination TCP port numbers less than the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
neq dest_port
Specifies that all destination TCP port numbers not equal to the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
Usage Guidelines
Use this command to define a rule that redirects packets to a different destination address. The TCP and UDP packet headers are modified with the new destination address and destination port.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
readdress server fe80::c0a8:a04 udp any any
before readdress server fe80::c0a8:a04 udp any any
no readdress server fe80::c0a8:a04 udp any any
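What "rewritten to contain the new destination address and port" involves at the packet level, as an added example that is not the product's code: for UDP over IPv6 the checksum is mandatory (RFC 8200) and covers a pseudo-header holding both addresses, so a readdress rule cannot simply overwrite the two fields; it must recompute the checksum or the receiving host will discard the datagram. The example builds a minimal IPv6/UDP datagram, applies the redirect_address from the examples above with a port, and verifies the result. The function names, the source and original destination addresses (documentation prefix 2001:db8::/32), the port numbers and the payload are assumptions made for the example; TCP is rewritten the same way but is omitted here.

```python
import ipaddress
import struct
from typing import Optional

# Added example, not StarOS code: the header rewrite a readdress server rule
# performs, shown for UDP over IPv6. Addresses, ports and payload below are
# constructed sample values.

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement checksum used by IPv6 upper-layer headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                         # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp6_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the UDP header and payload.

    The checksum field inside `udp` must be zero when this is called. A
    computed 0 is sent as 0xFFFF because 0 means "no checksum", which IPv6
    does not permit for UDP.
    """
    pseudo = src + dst + struct.pack("!I3xB", len(udp), UDP_PROTO)
    return ones_complement_sum(pseudo + udp) or 0xFFFF


def build_udp6_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv6 header (no extension headers) followed by UDP."""
    src_b, dst_b = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp = udp[:6] + struct.pack("!H", udp6_checksum(src_b, dst_b, udp)) + udp[8:]
    ip6 = struct.pack("!IHBB", 0x60000000, udp_len, UDP_PROTO, 64) + src_b + dst_b
    return ip6 + udp


def readdress_udp6(packet: bytes, redirect_address: str, port: Optional[int] = None) -> bytes:
    """Rewrite the destination address (and optionally the destination port)
    and recompute the UDP checksum, which the address change has invalidated."""
    ip6, udp = packet[:40], packet[40:]
    if ip6[6] != UDP_PROTO:
        raise ValueError("example handles UDP directly after the IPv6 header only")
    src_b = ip6[8:24]
    new_dst = ipaddress.IPv6Address(redirect_address).packed
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if port is not None:
        dport = port
    new_udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + udp[8:]
    csum = udp6_checksum(src_b, new_dst, new_udp)
    new_udp = new_udp[:6] + struct.pack("!H", csum) + new_udp[8:]
    return ip6[:24] + new_dst + new_udp


def udp6_checksum_ok(packet: bytes) -> bool:
    """Summing pseudo-header and datagram with the checksum in place gives 0."""
    ip6, udp = packet[:40], packet[40:]
    pseudo = ip6[8:24] + ip6[24:40] + struct.pack("!I3xB", len(udp), UDP_PROTO)
    return ones_complement_sum(pseudo + udp) == 0


def dst_addr_of(packet: bytes) -> str:
    return str(ipaddress.IPv6Address(packet[24:40]))


def dst_port_of(packet: bytes) -> int:
    return int.from_bytes(packet[42:44], "big")


if __name__ == "__main__":
    pkt = build_udp6_packet("2001:db8::1", "2001:db8::2", 40000, 53, b"query")
    redirected = readdress_udp6(pkt, "fe80::c0a8:a04", 5353)
    print(dst_addr_of(redirected), dst_port_of(redirected), udp6_checksum_ok(redirected))
```

The source address, source port and payload are untouched, which matters for a defender reading captures on the far side of the redirect: the packet still carries the original sender's address, only its destination has been moved to the configured server.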
redirect context (by IP address masking)
Used to redirect subscriber sessions based on the IP address mask sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect context context_id [ log ] source_address source_wildcard
after redirect context context_id [ log ] source_address source_wildcard
before redirect context context_id [ log ] source_address source_wildcard
no redirect context context_id [ log ] source_address source_wildcard
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
context context_id
Specifies the context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
Filters by the IP address(es) from which the packet originated. This option filters all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
Filters packets for a group of addresses specified in conjunction with the source_address option.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
Usage Guidelines
Define a rule that applies to any packet from an IP address that falls into the group of addresses selected by the IP address mask. This reduces the number of redirect rules, because a separate rule is not required for each source and destination pair.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect context 23 2002::c6a2:1600 2002::c6a2:1600
before redirect context 23 2002::c6a2:1600 2002::c6a2:1600
after redirect context 23 2002::c6a2:1600 2002::c6a2:1600
no redirect context 23 2002::c6a2:1600 2002::c6a2:1600
redirect context (any)
Used to redirect subscriber sessions based on any packet received. This command is also used to set the access control list insertion point.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect context context_id [ log ] any
after redirect context context_id [ log ] any
before redirect context context_id [ log ] any
no redirect context context_id [ log ] any
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
any
Indicates all packets will match the redirect regardless of source and/or destination.
Usage Guidelines
Define a catch-all rule to place at the end of the list of rules to provide explicit handling of packets which do not fit any other criteria.
It is suggested that any rule which is added as a catch-all should also have the log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect context 23 any
before redirect context 23 any
after redirect context 23 any
no redirect context 23 any
redirect context (by host IP address)
Used to redirect subscriber sessions based on the targeted host IP address sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect context context_id [ log ] host source_host_address
after redirect context context_id [ log ] host source_host_address
before redirect context context_id [ log ] host source_host_address
no redirect context context_id [ log ] host source_host_address
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
Usage Guidelines
Define a rule when a very specific remote host is to be blocked. In simplified networks where the access controls need only block a few hosts, this command allows the rules to be very clear and concise.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect context 23 host fe80::c0a8:c80b
before redirect context 23 host fe80::c0a8:c80b
after redirect context 23 host fe80::c0a8:c80b
no redirect context 23 host fe80::c0a8:c80b
redirect context (by source ICMP packets)
Used to redirect subscriber sessions based on the internet control message protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
before redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
no redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
icmp_type
Specifies that all ICMP packets of a particular type are to be filtered. Type is an integer from 0 through 255.
icmp_code
Specifies that all ICMP packets of a particular code are to be filtered. Code is an integer from 0 through 255.
Usage Guidelines
Define a rule to block ICMP packets, which can be used for address resolution and may pose a security risk.
The IP redirecting allows flexible controls for pairs of individual hosts or groups by IP masking which allows the redirecting of entire subnets if necessary.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect context 23 icmp host 2002::c6a2:6419
before redirect context 23 icmp host 2002::c6a2:6419
after redirect context 23 icmp host 2002::c6a2:6419
no redirect context 23 icmp host 2002::c6a2:6419
redirect context (by IP packets)
Used to redirect subscriber sessions based on the internet protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
after redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
before redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
no redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
fragment
Indicates packet redirection is to be applied to IP packet fragments only.
protocol num
Indicates that the packet filtering is to be applied to a specific protocol number.
num is an integer from 0 through 255.
Usage Guidelines
Block IP packets when the source and destination are of interest.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect context 23 ip host 2002::c6a2:6419 any fragment
before redirect context 23 ip host 2002::c6a2:6419 any fragment
after redirect context 23 ip host 2002::c6a2:6419 any fragment
no redirect context 23 ip host 2002::c6a2:6419 any fragment
redirect context (by TCP/UDP packets)
Used to redirect subscriber sessions based on the transmission control protocol/user datagram protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
before redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
no redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
tcp | udp
Specifies whether the redirect is to be applied to IP-based Transmission Control Protocol or User Datagram Protocol packets.
- tcp: Redirect applies to TCP packets.
- udp: Redirect applies to UDP packets.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
eq source_port
Specifies a single, specific source TCP port number to be filtered.
source_port must be configured to an integer from 0 through 65535.
gt source_port
Specifies that all source TCP port numbers greater than the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
lt source_port
Specifies that all source TCP port numbers less than the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
neq source_port
Specifies that all source TCP port numbers not equal to the one specified are to be filtered.
source_port must be configured to an integer from 0 through 65535.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
eq dest_port
Specifies a single, specific destination TCP port number to be filtered.
dest_port must be configured to an integer from 0 through 65535.
gt dest_port
Specifies that all destination TCP port numbers greater than the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
lt dest_port
Specifies that all destination TCP port numbers less than the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
neq dest_port
Specifies that all destination TCP port numbers not equal to the one specified are to be filtered.
dest_port must be configured to an integer from 0 through 65535.
Usage Guidelines
Block IP packets when the source and destination are of interest but for only a limited set of ports.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect context 23 udp any
before redirect context 23 udp any
after redirect context 23 udp any
no redirect context 23 udp any
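To make the address-wildcard and port-operator semantics described above concrete, the following Python program is an added example (it is not StarOS code and not from this guide). It parses the tcp/udp form of a redirect rule, enforces the contiguous-one-bits requirement stated under source_wildcard and dest_wildcard, evaluates the eq/gt/lt/neq operators, and also handles the range operator that the redirect css service TCP/UDP variant later on this page adds. The names parse_rule, first_match, Packet and RULES belong to this example; first-match evaluation in list order, and treating an omitted destination as any (the page's own examples omit it), are assumptions.

```python
# Evaluate the tcp/udp form of StarOS-style 'redirect' rules against packets.
# Added example; not StarOS code. parse_rule, first_match and Packet are this example's names.
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]  # (address, wildcard)
PortOp = Optional[Tuple]    # None, ("eq"|"gt"|"lt"|"neq", port) or ("range", lo, hi)
ANY_V6: AddrSpec = ("::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")  # 'any': every bit ignored

# target: "context 23" or "css service css-svc1"; proto: "tcp" or "udp"
RedirectRule = namedtuple("RedirectRule", "target proto src src_op dst dst_op log")
Packet = namedtuple("Packet", "proto src sport dst dport")  # constructed test packets


def wildcard_is_valid(wildcard: str) -> bool:
    """One-bits must form a contiguous run from the LSB (0 allowed): true iff wildcard+1 is a power of two."""
    w = int(ipaddress.ip_address(wildcard))
    return w & (w + 1) == 0


def address_matches(pkt_addr: str, spec: AddrSpec) -> bool:
    """Wildcard one-bits are ignored; every zero-bit position must be identical."""
    rule_addr, wildcard = spec
    keep = ~int(ipaddress.ip_address(wildcard))
    return int(ipaddress.ip_address(pkt_addr)) & keep == int(ipaddress.ip_address(rule_addr)) & keep


def port_matches(op: PortOp, port: int) -> bool:
    if op is None:  # no operator: any port
        return True
    if op[0] == "range":
        return op[1] <= port <= op[2]
    return {"eq": port == op[1], "gt": port > op[1], "lt": port < op[1], "neq": port != op[1]}[op[0]]


def _port(tok: str) -> int:
    p = int(tok)
    if not 0 <= p <= 65535:
        raise ValueError(f"port {p} outside 0..65535")
    return p


def _take_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """any | host ADDR | ADDR WILDCARD  ->  (spec, index of the next token)"""
    if t[i] == "any":
        return ANY_V6, i + 1
    if t[i] == "host":
        return (t[i + 1], "::"), i + 2
    if not wildcard_is_valid(t[i + 1]):
        raise ValueError(f"wildcard {t[i + 1]} is not contiguous from the LSB")
    return (t[i], t[i + 1]), i + 2


def _take_op(t: List[str], i: int) -> Tuple[PortOp, int]:
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", _port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_rule(line: str) -> RedirectRule:
    t = line.split()
    if t[:2] == ["redirect", "context"]:
        target, i = f"context {t[2]}", 3
    elif t[:3] == ["redirect", "css", "service"]:
        target, i = f"css service {t[3]}", 4
    else:
        raise ValueError("expected 'redirect context ...' or 'redirect css service ...'")
    log = t[i] == "log"
    if log:
        i += 1
    proto, i = t[i], i + 1
    if proto not in ("tcp", "udp"):
        raise ValueError("only the tcp/udp form is handled here")
    src, i = _take_addr(t, i)
    src_op, i = _take_op(t, i)
    if i < len(t):
        dst, i = _take_addr(t, i)
        dst_op, i = _take_op(t, i)
    else:  # the page's examples omit the destination; treated as 'any' here (assumption)
        dst, dst_op = ANY_V6, None
    if i != len(t):
        raise ValueError(f"unexpected tokens: {t[i:]}")
    return RedirectRule(target, proto, src, src_op, dst, dst_op, log)


def rule_matches(r: RedirectRule, p: Packet) -> bool:
    return (r.proto == p.proto and address_matches(p.src, r.src) and port_matches(r.src_op, p.sport)
            and address_matches(p.dst, r.dst) and port_matches(r.dst_op, p.dport))


def first_match(rules: List[RedirectRule], p: Packet) -> Optional[int]:
    """Index of the first matching rule in list order, or None (first-match evaluation is assumed)."""
    return next((n for n, r in enumerate(rules) if rule_matches(r, p)), None)


# Constructed sample rules (not from a real configuration)
RULES = [parse_rule(s) for s in (
    "redirect context 23 log tcp host 2002::c6a2:6419 any eq 443",
    "redirect css service css-svc1 udp 2002::c6a2:0 ::ffff range 5000 5100 any",
    "redirect context 23 udp any",
)]
```

The wildcard check is the practical safeguard here: a mask such as ::1:0 is rejected at parse time rather than silently matching an unintended set of sources, which is the failure mode the contiguity rule exists to prevent.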
redirect css delivery-sequence
This is a restricted command. In StarOS 9.0 and later, this command is obsolete.
redirect css service (any)
Used to redirect subscriber sessions based on any packet received with Content Service Steering (CSS) enabled. This command is also used to set the access control list insertion point.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] any
after redirect css service svc_name [ log ] any
before redirect css service svc_name [ log ] any
no redirect css service svc_name [ log ] any
after
Indicates all rule definitions defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the CSS service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be a string of 1 through 15 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
any
Indicates all packets will match the redirect regardless of source and/or destination.
Usage Guidelines
Define a catch-all rule definition to place at the end of the list of rule definitions, so that packets which do not fit any other criteria are handled explicitly.
It is suggested that any rule definition which is added as a catch-all should also have the log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
A maximum of 16 rule definitions can be configured per ACL.
Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 any
before redirect css service css-svc1 any
after redirect css service css-svc1 any
no redirect css service css-svc1 any
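The after, before and no forms described for this command (and identically for the redirect context commands above) define an insertion point over an ordered list of rule definitions. The following Python model is an added example, not StarOS code and not from this guide: it keeps the rule definitions as exact CLI text, moves the insertion point as the descriptions state, caps the list at the 16 rule definitions the usage guidelines give, and shows the logged catch-all placed last with specific rule definitions slotted ahead of it. RuleList, its methods and build are this example's names; defaulting the insertion point to the end of the list, and keeping it on the same neighbouring rule definition after a no removal, are assumptions.

```python
# Model of an ordered ACL rule list with the insertion point that the
# after / before / no forms manipulate. Added example; not StarOS code.
from typing import List, Optional


class RuleList:
    """Rule definitions are stored as their exact CLI text; after/before/no match that text exactly."""

    def __init__(self, max_rules: int = 16):  # 16 per ACL, as the usage guidelines state
        self.rules: List[str] = []
        self.insert_at: Optional[int] = None  # None: append at the end (assumed default)
        self.max_rules = max_rules

    def add(self, rule: str) -> None:
        """Plain 'redirect ...' form: insert at the insertion point, then advance the point
        so that successive rule definitions land in the order they were entered."""
        if len(self.rules) >= self.max_rules:
            raise ValueError(f"ACL already holds {self.max_rules} rule definitions")
        if self.insert_at is None:
            self.rules.append(rule)
        else:
            self.rules.insert(self.insert_at, rule)
            self.insert_at += 1

    def after(self, rule: str) -> bool:
        """'after redirect ...': the point moves to just after the exact match.
        With no exact match the point does not change and False is returned."""
        if rule not in self.rules:
            return False
        self.insert_at = self.rules.index(rule) + 1
        return True

    def before(self, rule: str) -> bool:
        """'before redirect ...': the point moves to just before the exact match."""
        if rule not in self.rules:
            return False
        self.insert_at = self.rules.index(rule)
        return True

    def remove(self, rule: str) -> bool:
        """'no redirect ...': remove the exact match. The insertion point keeps pointing
        at the same neighbouring rule definition (an assumption about index bookkeeping)."""
        if rule not in self.rules:
            return False
        idx = self.rules.index(rule)
        del self.rules[idx]
        if self.insert_at is not None and self.insert_at > idx:
            self.insert_at -= 1
        return True

    def apply_line(self, line: str) -> bool:
        """Dispatch one CLI line on its leading keyword."""
        verb, _, rest = line.partition(" ")
        if verb == "after":
            return self.after(rest)
        if verb == "before":
            return self.before(rest)
        if verb == "no":
            return self.remove(rest)
        self.add(line)
        return True


def build(lines: List[str]) -> RuleList:
    """Replay a constructed configuration script into a RuleList."""
    acl = RuleList()
    for line in lines:
        acl.apply_line(line)
    return acl


# Constructed script: the logged catch-all is entered last, as the usage guidelines suggest,
# and 'before' is then used to slot specific rule definitions ahead of it in entry order.
SCRIPT = [
    "redirect css service css-svc1 udp any",
    "redirect css service css-svc1 log any",                # catch-all, at the end
    "before redirect css service css-svc1 log any",         # point now ahead of the catch-all
    "redirect css service css-svc1 host fe80::c0a8:c80b",   # lands before the catch-all
    "redirect css service css-svc1 icmp any",               # lands after the host rule
    "after redirect css service css-svc1 tcp any",          # no such rule: point unchanged
    "redirect css service css-svc1 ip any any fragment",    # still ahead of the catch-all
    "no redirect css service css-svc1 udp any",             # exact-match removal
]
```

Replaying SCRIPT leaves the host, icmp and ip rule definitions in entry order ahead of the catch-all, with the udp rule gone; the after line that names a non-existent rule definition is a no-op, exactly the case the descriptions warn about.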
redirect css service (by host IP address)
Used to redirect subscriber sessions based on the targeted host IP address sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] host source_host_address
after redirect css service svc_name [ log ] host source_host_address
before redirect css service svc_name [ log ] host source_host_address
no redirect css service svc_name [ log ] host source_host_address
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
Usage Guidelines
Define a rule definition when a very specific remote host is to be blocked. In simplified networks where the access controls need only block a few hosts, this command allows the rule definitions to be very clear and concise.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 host fe80::c0a8:c80b
before redirect css service css-svc1 host fe80::c0a8:c80b
after redirect css service css-svc1 host fe80::c0a8:c80b
no redirect css service css-svc1 host fe80::c0a8:c80b
redirect css service (by ICMP packets)
Used to redirect subscriber sessions based on the internet control message protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
before redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
no redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
icmp_type
Specifies that all ICMP packets of a particular type are to be filtered. The type can be an integer value from 0 through 255.
icmp_code
Specifies that all ICMP packets of a particular code are to be filtered. The code is an integer from 0 through 255.
Usage Guidelines
Define a rule definition to block ICMP packets, which can be used for address resolution and may therefore present a security risk.
IP redirecting allows flexible control over pairs of individual hosts or groups of hosts through IP masking, which allows entire subnets to be redirected if necessary.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 icmp host 2002::c6a2:6419
before redirect css service css-svc1 icmp host 2002::c6a2:6419
after redirect css service css-svc1 icmp host 2002::c6a2:6419
no redirect css service css-svc1 icmp host 2002::c6a2:6419
redirect css service (by IP packets)
Used to redirect subscriber sessions based on the internet protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
before redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
no redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
fragment
Indicates packet redirection is to be applied to IP packet fragments only.
Usage Guidelines
Block IP packets when the source and destination are of interest.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 ip host 2002::c6a2:6419 any fragment
before redirect css service css-svc1 ip host 2002::c6a2:6419 any fragment
after redirect css service css-svc1 ip host 2002::c6a2:6419 any fragment
no redirect css service css-svc1 ip host 2002::c6a2:6419 any fragment
redirect css service (by source IP address masking)
Used to redirect subscriber sessions based on the IP address mask sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] source_address source_wildcard
after redirect css service svc_name [ log ] source_address source_wildcard
before redirect css service svc_name [ log ] source_address source_wildcard
no redirect css service svc_name [ log ] source_address source_wildcard
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
Usage Guidelines
Define a rule definition to match any packet from the IP addresses which fall into the group of addresses selected by the IP address mask. This reduces the number of filtering rule definitions, since it does not require a rule definition for each source and destination pair.
A maximum of 16 rule definitions can be configured per ACL.
Examples
redirect css service css-svc1 2002::c6a2:6419
redirect css service (by TCP/UDP packets)
Used to redirect subscriber sessions based on the transmission control protocol/user datagram protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
before redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
no redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
tcp | udp
Specifies whether the redirect is to be applied to IP-based Transmission Control Protocol or User Datagram Protocol packets.
- tcp: Redirect applies to TCP packets.
- udp: Redirect applies to UDP packets.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon notation.
eq source_port
Specifies a single, specific source port number (TCP or UDP, according to the protocol keyword) to be filtered.
source_port must be configured to an integer from 0 to 65535.
gt source_port
Specifies that all source TCP or UDP port numbers greater than the one specified are to be filtered.
source_port must be configured to an integer from 0 to 65535.
lt source_port
Specifies that all source TCP or UDP port numbers less than the one specified are to be filtered.
source_port must be configured to an integer from 0 to 65535.
neq source_port
Specifies that all source TCP or UDP port numbers not equal to the one specified are to be filtered.
source_port must be configured to an integer from 0 to 65535.
range start_source_port end_source_port
Specifies that all source TCP or UDP ports within a specific range are to be filtered.
start_source_port is the initial port in the range and end_source_port is the final port in the range.
Both start_source_port and end_source_port can be configured to an integer from 0 to 65535.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
-
Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
-
One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
eq dest_port
Specifies a single, specific destination port number (TCP or UDP, according to the protocol keyword) to be filtered.
dest_port must be configured to an integer from 0 to 65535.
gt dest_port
Specifies that all destination TCP or UDP port numbers greater than the one specified are to be filtered.
dest_port must be configured to an integer from 0 to 65535.
lt dest_port
Specifies that all destination TCP or UDP port numbers less than the one specified are to be filtered.
dest_port must be configured to an integer from 0 to 65535.
neq dest_port
Specifies that all destination TCP or UDP port numbers not equal to the one specified are to be filtered.
dest_port must be configured to an integer from 0 to 65535.
range start_dest_port end_dest_port
Specifies that all destination TCP or UDP ports within a specific range are to be filtered.
start_dest_port is the initial port in the range and end_dest_port is the final port in the range.
Both start_dest_port and end_dest_port can be configured to an integer from 0 to 65535.
Usage Guidelines
Redirect IP packets to the CSS service when the source and destination are of interest but only for a limited set of ports.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 udp any any
before redirect css service css-svc1 udp any any
after redirect css service css-svc1 udp any any
no redirect css service css-svc1 udp any any
redirect css service (for downlink, any)
Used to redirect subscriber sessions based on any packet received in the downlink (from the Mobile Node) direction. This command is also used to set the access control list insertion point.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] downlink any
after redirect css service svc_name [ log ] downlink any
before redirect css service svc_name [ log ] downlink any
no redirect css service svc_name [ log ] downlink any
after
Indicates all rule definitions defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
downlink
Apply this rule definition only to packets in the downlink (from the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
any
Indicates all packets will match the redirect regardless of source and/or destination.
Usage Guidelines
Define a catch all rule definition to place at the end of the list of rule definitions to provide explicit handling of rule definitions which do not fit any other criteria.
It is suggested that any rule definition which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
A maximum of 16 rule definitions can be configured per ACL.
Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 downlink any
before redirect css service css-svc1 downlink any
after redirect css service css-svc1 downlink any
no redirect css service css-svc1 downlink any
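The before, after and no keywords described in this and the other redirect css service entries move or act on an insertion point in an ordered rule list, and only when a rule definition matches exactly. The following Python model is an added example, not StarOS code and not taken from this reference: it shows how the insertion point behaves across a sequence of adds, a before that matches, a before that does not match (insertion point unchanged), and a removal, ending with the catch-all logging rule still last as the usage guideline recommends. The per-ACL limit of 16 comes from the page; the rule strings are constructed sample commands.

```python
"""Model of the IPv6 ACL rule-definition list and its insertion point.

Added example, not StarOS code.  Rules are held as plain command strings and
matched exactly, as the before / after / no descriptions on the page require.
"""
from typing import List, Optional, Tuple

MAX_RULES = 16  # per-ACL limit stated on the page


class Ipv6AclModel:
    def __init__(self) -> None:
        self.rules: List[str] = []
        self._insert_at: Optional[int] = None  # None means append at the end

    def _index_of(self, rule: str) -> Optional[int]:
        try:
            return self.rules.index(rule)
        except ValueError:
            return None

    def add(self, rule: str) -> bool:
        """Plain form: add at the current insertion point (default: end).
        Returns False when the ACL already holds MAX_RULES definitions."""
        if len(self.rules) >= MAX_RULES:
            return False
        if self._insert_at is None:
            self.rules.append(rule)
        else:
            self.rules.insert(self._insert_at, rule)
            self._insert_at += 1  # later adds land in order after this one
        return True

    def before(self, rule: str) -> bool:
        """Move the insertion point to just before an exactly matching rule.
        If nothing matches the insertion point does not change."""
        idx = self._index_of(rule)
        if idx is None:
            return False
        self._insert_at = idx
        return True

    def after(self, rule: str) -> bool:
        """Move the insertion point to just after an exactly matching rule."""
        idx = self._index_of(rule)
        if idx is None:
            return False
        self._insert_at = idx + 1
        return True

    def no(self, rule: str) -> bool:
        """Remove the exactly matching rule, keeping the insertion point
        pointing at the same neighbouring rules."""
        idx = self._index_of(rule)
        if idx is None:
            return False
        del self.rules[idx]
        if self._insert_at is not None and idx < self._insert_at:
            self._insert_at -= 1
        return True


CATCH_ALL = "redirect css service css-svc1 log downlink any"  # constructed


def build_sample_acl() -> List[str]:
    """Walk through a constructed configuration session and return the
    resulting rule order."""
    acl = Ipv6AclModel()
    acl.add("redirect css service css-svc1 downlink host fe80::c0a8:c80b")
    acl.add(CATCH_ALL)                                   # catch-all goes last
    acl.before(CATCH_ALL)                                # keep it last
    acl.add("redirect css service css-svc1 downlink udp any any eq 53")
    acl.add("redirect css service css-svc1 downlink tcp any any eq 443")
    acl.before("redirect css service css-svc1 downlink any")  # no exact match
    acl.add("redirect css service css-svc1 downlink icmp any any")
    acl.no("redirect css service css-svc1 downlink host fe80::c0a8:c80b")
    return acl.rules


def fill_to_limit() -> Tuple[int, bool]:
    """Return how many constructed rules were accepted and whether the
    seventeenth was rejected."""
    acl = Ipv6AclModel()
    accepted = sum(1 for i in range(MAX_RULES) if acl.add(f"rule{i}"))
    return accepted, not acl.add("one-too-many")


if __name__ == "__main__":
    for line in build_sample_acl():
        print(line)
```

Because before and after require an exact textual match, a typo in the anchor rule silently leaves the insertion point where it was and the new rule ends up somewhere else in the list; check the resulting order after every batch of inserts.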
redirect css service (for downlink, by host IP address)
Used to redirect subscriber sessions based on the targeted host IP address in the downlink (from the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] downlink host source_host_address
after redirect css service svc_name [ log ] downlink host source_host_address
before redirect css service svc_name [ log ] downlink host source_host_address
no redirect css service svc_name [ log ] downlink host source_host_address
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
downlink
Apply this rule definition only to packets in the downlink (from the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
Usage Guidelines
Define a rule definition when traffic from a very specific remote host is to be redirected. In simplified networks where the access controls need only address a few hosts, this command allows the rule definitions to be very clear and concise.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 downlink host fe80::c0a8:c80b
before redirect css service css-svc1 downlink host fe80::c0a8:c80b
after redirect css service css-svc1 downlink host fe80::c0a8:c80b
no redirect css service css-svc1 downlink host fe80::c0a8:c80b
redirect css service (for downlink, by ICMP packets)
Used to redirect subscriber sessions based on the internet control message protocol packets in the downlink (from the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
before redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
no redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
downlink
Apply this rule definition only to packets in the downlink (from the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
-
Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
-
One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
-
Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
-
One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
icmp_type
Specifies that all ICMP packets of a particular type are to be filtered. The type can be an integer value from 0 through 255.
icmp_code
Specifies that all ICMP packets of a particular code are to be filtered. The code can be an integer value from 0 through 255.
Usage Guidelines
Define a rule definition to redirect ICMP packets, which can be used for address and topology discovery and so can be a security risk. Note that on IPv6, ICMPv6 also carries Neighbor Discovery and Path MTU Discovery, so a rule that catches every ICMP type can break basic connectivity; scope it with icmp_type and icmp_code where possible.
The address and wildcard options allow flexible control over pairs of individual hosts or groups of hosts, so entire subnets can be redirected if necessary.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 downlink icmp host 2002::c6a2:6419 any
before redirect css service css-svc1 downlink icmp host 2002::c6a2:6419 any
after redirect css service css-svc1 downlink icmp host 2002::c6a2:6419 any
no redirect css service css-svc1 downlink icmp host 2002::c6a2:6419 any
redirect css service (for downlink, by IP packets)
Used to redirect subscriber sessions based on the internet protocol packets in the downlink (from the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
before redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
no redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
downlink
Apply this rule definition only to packets in the downlink (from the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
-
Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
-
One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Expressed per octet, the only allowed values are therefore 0, 1, 3, 7, 15, 31, 63, 127, and 255, and every non-zero octet must sit at the low-order end of the mask. In the dotted-decimal form used for IPv4 wildcards, 0.0.0.3, 0.0.0.255, and 0.0.15.255 are acceptable patterns, whereas 0.0.7.15 is not acceptable because its one-bits are not contiguous; the same rule applies bit for bit to an IPv6 wildcard written in colon-separated-hexadecimal notation.
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
-
Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
-
One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
fragment
Indicates packet redirection is to be applied to IP packet fragments only.
Usage Guidelines
Redirect IP packets to the CSS service when the source and destination are of interest.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 downlink ip host 2002::c6a2:6419 any fragment
before redirect css service css-svc1 downlink ip host 2002::c6a2:6419 any fragment
after redirect css service css-svc1 downlink ip host 2002::c6a2:6419 any fragment
no redirect css service css-svc1 downlink ip host 2002::c6a2:6419 any fragment
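The wildcard rules given for source_wildcard and dest_wildcard above (zero-bits must match, one-bits are ignored, and the one-bits must be contiguous from the LSB) are easy to get wrong by hand for a 128-bit address. The following Python is an added example, not StarOS code and not taken from this reference: it validates a wildcard, converts a prefix length to the equivalent wildcard, and evaluates the three source forms used throughout these commands (any, host, and source_address source_wildcard) against a packet address. It assumes that an IPv6 wildcard is written in colon-separated-hexadecimal notation (so ::ffff ignores the low 16 bits); the addresses are constructed test values.

```python
"""Validate IPv6 ACL wildcard masks and test address membership.

Added example, not StarOS code.  Assumes wildcards are written in IPv6
colon-hex notation, e.g. "::ffff" ignores the low 16 bits of the address.
"""
import ipaddress
from typing import Tuple

BITS = 128
ALL_ONES = (1 << BITS) - 1


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv6Address(addr))


def wildcard_is_valid(wildcard: str) -> bool:
    """True when the one-bits form one contiguous run starting at the LSB,
    i.e. the mask value is 2**k - 1 for some k (0 <= k <= 128)."""
    value = _to_int(wildcard)
    return (value & (value + 1)) == 0


def wildcard_from_prefixlen(prefixlen: int) -> str:
    """Prefix length -> equivalent wildcard (a /64 becomes ::ffff:ffff:ffff:ffff)."""
    if not 0 <= prefixlen <= BITS:
        raise ValueError("prefix length must be between 0 and 128")
    return str(ipaddress.IPv6Address(ALL_ONES >> prefixlen))


def address_matches(addr: str, base: str, wildcard: str) -> bool:
    """Zero-bits of the wildcard must be identical between addr and base;
    one-bits are ignored.  Rejects a non-contiguous wildcard."""
    if not wildcard_is_valid(wildcard):
        raise ValueError(f"wildcard {wildcard} has non-contiguous one-bits")
    care = ALL_ONES ^ _to_int(wildcard)          # bits that must be equal
    return ((_to_int(addr) ^ _to_int(base)) & care) == 0


def parse_source_spec(spec: str) -> Tuple[str, str]:
    """Map the page's three source forms to a (base, wildcard) pair:
       "any"                     -> every bit ignored
       "host <address>"          -> every bit must match
       "<address> <wildcard>"    -> as written"""
    parts = spec.split()
    if parts == ["any"]:
        return "::", str(ipaddress.IPv6Address(ALL_ONES))
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "::"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unrecognised source specification: {spec!r}")


def source_matches(spec: str, addr: str) -> bool:
    base, wildcard = parse_source_spec(spec)
    return address_matches(addr, base, wildcard)


if __name__ == "__main__":
    # Constructed sample addresses, not from the page's examples.
    for spec in ("any", "host fe80::c0a8:c80b", "2002::c6a2:0 ::ffff"):
        print(f"{spec!r:32} matches 2002::c6a2:6419 -> "
              f"{source_matches(spec, '2002::c6a2:6419')}")
```

The contiguity test uses the fact that a mask of the form 2**k - 1 has no bit in common with 2**k; a wildcard such as ::7:f fails it, which is the IPv6 counterpart of the rejected 0.0.7.15 pattern above.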
redirect css service (for downlink, by source IP address masking)
Used to redirect subscriber sessions based on the IP address mask sent by the source in the downlink (from the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] downlink source_address source_wildcard
after redirect css service svc_name [ log ] downlink source_address source_wildcard
before redirect css service svc_name [ log ] downlink source_address source_wildcard
no redirect css service svc_name [ log ] downlink source_address source_wildcard
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
downlink
Apply this rule definition only to packets in the downlink (from the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
-
Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
-
One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
Usage Guidelines
Define a rule definition to redirect any packet whose source address falls into the group of addresses selected by the IP address mask. This reduces the number of filtering rule definitions, since it does not require a rule definition for each source and destination pair.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 downlink fe80::c0a8:a04
redirect css service (for downlink, by TCP/UDP packets)
Used to redirect subscriber sessions to a CSS service based on Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets in the downlink (from the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
before redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
no redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
downlink
Apply this rule definition only to packets in the downlink (from the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
tcp | udp
Specifies whether the redirect applies to Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) traffic.
-
tcp: Redirect applies to TCP packets.
-
udp: Redirect applies to UDP packets.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
-
Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
-
One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
eq source_port
Specifies a single, specific source port number (TCP or UDP, according to the protocol keyword) to be filtered.
source_port must be configured to an integer value from 0 to 65535.
gt source_port
Specifies that all source TCP or UDP port numbers greater than the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
lt source_port
Specifies that all source TCP or UDP port numbers less than the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
neq source_port
Specifies that all source TCP or UDP port numbers not equal to the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
range start_source_port end_source_port
Specifies that all source TCP or UDP ports within a specific range are to be filtered.
start_source_port is the initial port in the range and end_source_port is the final port in the range.
Both start_source_port and end_source_port can be configured to an integer value from 0 to 65535.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
eq dest_port
Specifies a single, specific destination TCP port number to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
gt dest_port
Specifies that all destination TCP port numbers greater than the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
lt dest_port
Specifies that all destination TCP port numbers less than the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
neq dest_port
Specifies that all destination TCP port numbers not equal to the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
range start_dest_port end_dest_port
Specifies that all destination TCP ports within a specific range are to be filtered.
start_dest_port is the initial port in the range and end_dest_port is the final port in the range.
Both start_dest_port and end_dest_port can be configured to an integer value from 0 to 65535.
Usage Guidelines
Block IP packets when the source and destination are of interest but for only a limited set of ports.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 downlink udp any
before redirect css service css-svc1 downlink udp any
after redirect css service css-svc1 downlink udp any
no redirect css service css-svc1 downlink udp any
redirect css service (for uplink, any)
Used to redirect subscriber sessions based on any packet received in the uplink (to the Mobile Node) direction. This command is also used to set the access control list insertion point.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] uplink any
after redirect css service svc_name [ log ] uplink any
before redirect css service svc_name [ log ] uplink any
no redirect css service svc_name [ log ] uplink any
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
uplink
Apply this rule definition only to packets in the uplink (to the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
any
Indicates all packets will match the redirect regardless of source and/or destination.
Usage Guidelines
Define a catch all rule definition to place at the end of the list of rule definitions to provide explicit handling of rule definitions which do not fit any other criteria.
It is suggested that any rule definition which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
A maximum of 16 rule definitions can be configured per ACL.
Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 uplink any
before redirect css service css-svc1 uplink any
after redirect css service css-svc1 uplink any
no redirect css service css-svc1 uplink any
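The before, after and no options above move an insertion point that changes only when the options exactly match an existing rule definition. The following Python model of that ordering behaviour is an added example, not StarOS code; the rule definition strings are constructed from the syntax on this page, and the 16-rule limit is the one the usage guidelines state.

```python
from typing import List, Optional


class AccessList:
    """Ordered rule definitions with the insertion-point behaviour of before / after / no."""

    MAX_RULES = 16  # limit stated in the usage guidelines for these redirect rule definitions

    def __init__(self) -> None:
        self.rules: List[str] = []
        self.insert_at: Optional[int] = None  # None: new rule definitions are appended

    def add(self, rule: str) -> None:
        """Add a rule definition at the current insertion point (or at the end)."""
        if len(self.rules) >= self.MAX_RULES:
            raise ValueError(f"a maximum of {self.MAX_RULES} rule definitions per ACL")
        if self.insert_at is None:
            self.rules.append(rule)
        else:
            self.rules.insert(self.insert_at, rule)
            self.insert_at += 1  # later additions keep their order relative to this one

    def after(self, rule: str) -> bool:
        """Move the insertion point to just after the exactly matching rule definition."""
        if rule not in self.rules:
            return False  # no exact match: the insertion point does not change
        self.insert_at = self.rules.index(rule) + 1
        return True

    def before(self, rule: str) -> bool:
        """Move the insertion point to just before the exactly matching rule definition."""
        if rule not in self.rules:
            return False  # no exact match: the insertion point does not change
        self.insert_at = self.rules.index(rule)
        return True

    def remove(self, rule: str) -> bool:
        """The no form: remove only a rule definition whose options match exactly."""
        if rule not in self.rules:
            return False
        idx = self.rules.index(rule)
        del self.rules[idx]
        if self.insert_at is not None and self.insert_at > idx:
            self.insert_at -= 1
        return True


def build_example_acl() -> List[str]:
    """Keep a logged catch-all last while adding specific rule definitions in front of it."""
    acl = AccessList()
    acl.add("redirect css service css-svc1 uplink udp any")
    acl.add("redirect css service css-svc1 log uplink any")      # logged catch-all
    acl.before("redirect css service css-svc1 log uplink any")   # point at the catch-all
    acl.add("redirect css service css-svc1 uplink tcp any")      # lands before it
    acl.add("redirect css service css-svc1 uplink icmp any")     # and stays in order
    # Options that match no existing rule definition exactly: returns False, point unchanged.
    acl.after("redirect css service css-svc1 uplink udp any log")
    acl.add("redirect css service css-svc1 uplink ip any any")   # still before the catch-all
    return acl.rules


if __name__ == "__main__":
    for position, rule in enumerate(build_example_acl(), start=1):
        print(f"{position:2d}  {rule}")
```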
redirect css service (for uplink, by host IP address)
Used to redirect subscriber sessions based on the targeted host IP address in the uplink (to the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] uplink host source_host_address
after redirect css service svc_name [ log ] uplink host source_host_address
before redirect css service svc_name [ log ] uplink host source_host_address
no redirect css service svc_name [ log ] uplink host source_host_address
uplink
Apply this rule definition only to packets in the uplink (to the Mobile Node) direction.
after
Indicates all rule definitions defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
uplink
Apply this rule definition only to packets in the uplink (to the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
Usage Guidelines
Define a rule definition when a very specific remote host is to be blocked. In simplified networks where the access controls need only block a few hosts, this command allows the rule definitions to be very clear and concise.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service css-svc1 uplink host fe80::c0a8:c80b
before redirect css service css-svc1 uplink host fe80::c0a8:c80b
after redirect css service css-svc1 uplink host fe80::c0a8:c80b
no redirect css service css-svc1 uplink host fe80::c0a8:c80b
redirect css service (for uplink, by ICMP packets)
Used to redirect subscriber sessions based on the internet control message protocol packets in the uplink (to the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] uplink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the Content Service Steering (CSS) service to which packets are to be redirected. At the executive mode prompt, use the show css service all command to display the names of all configured CSS services.
svc_name must be an alphanumeric string of 1 through 15 characters.
uplink
Apply this rule definition only to packets in the uplink (to the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
icmp_type
Specifies that all ICMP packets of a particular type are to be filtered. The type can be an integer value from 0 through 255.
icmp_code
Specifies that all ICMP packets of a particular code are to be filtered. The code can be an integer value from 0 through 255.
Usage Guidelines
Define a rule definition to block ICMP packets which can be used for address resolution and possibly be a security risk.
Redirecting by IP address gives flexible control over pairs of individual hosts or groups of hosts; with IP address masking, entire subnets can be redirected if necessary.
A maximum of 16 rule definitions can be configured per ACL. Also note that "redirect" rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect css service chgsvc1 uplink icmp host 198.162.100.25
before redirect css service chgsvc1 uplink icmp host 198.162.100.25
after redirect css service chgsvc1 uplink icmp host 198.162.100.25
no redirect css service chgsvc1 uplink icmp host 198.162.100.25
redirect css service (for uplink, by IP packets)
Used to redirect subscriber sessions based on the internet protocol packets in the uplink (to the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
before redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
no redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
If the options specified do not exactly match an existing rule definition, the insertion point does not change.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the active charging service to which packets are to be redirected. At the executive mode prompt, use the show active-charging service all command to display the names of all configured charging services.
svc_name must be a string of 1 through 15 characters.
uplink
Apply this rule definition only to packets in the uplink (to the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
fragment
Indicates packet redirection is to be applied to IP packet fragments only.
Usage Guidelines
Block IP packets when the source and destination are of interest.
Examples
redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
before redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
after redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
no redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
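The source_wildcard and dest_wildcard descriptions above define the complement mask and the contiguous-one-bits rule, and the tcp/udp forms add the eq/gt/lt/neq/range port clauses. The following Python is an added example, not Cisco or StarOS code: it validates a wildcard, then evaluates the address and port clauses of a rule definition against constructed packets. It generalizes the page's dotted-quad wildcard examples to IPv6 wildcards through the ipaddress module; the Rule and Packet types, DNS_RULE and every address in it are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

AddressSpec = Union[str, Tuple[str, str]]  # "any" | ("host", addr) | (addr, wildcard)
PortClause = Optional[Tuple]               # None | (op, port) | ("range", lo, hi)


def wildcard_is_valid(wildcard: str) -> bool:
    """True when the one-bits form a single contiguous run starting at the LSB.

    Such a value is always 2**k - 1, so w + 1 is a power of two and w & (w + 1) == 0.
    0.0.0.3, 0.0.0.255 and 0.0.15.255 pass; 0.0.7.15 fails (bits 4-7 clear, bits 8-10 set).
    """
    w = int(ipaddress.ip_address(wildcard))
    return w & (w + 1) == 0


def address_matches(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard zero-bits must be identical in packet and rule; wildcard one-bits are ignored."""
    p, r, w = (ipaddress.ip_address(a) for a in (packet_addr, rule_addr, wildcard))
    if not (p.version == r.version == w.version):
        return False  # an IPv4 packet never matches an IPv6 rule, or vice versa
    if not wildcard_is_valid(wildcard):
        raise ValueError(f"wildcard {wildcard}: one-bits are not contiguous from the LSB")
    return (int(p) ^ int(r)) & ~int(w) == 0


def spec_matches(spec: AddressSpec, packet_addr: str) -> bool:
    """Evaluate the { any | host addr | addr wildcard } clause against one packet address."""
    if spec == "any":
        return True
    first, second = spec
    if first == "host":  # host addr: every bit must match
        return ipaddress.ip_address(packet_addr) == ipaddress.ip_address(second)
    return address_matches(packet_addr, first, second)


def port_matches(clause: PortClause, port: int) -> bool:
    """Evaluate the optional eq/gt/lt/neq/range clause; no clause means every port matches."""
    if clause is None:
        return True
    op, *values = clause
    for v in values:
        if not 0 <= v <= 65535:
            raise ValueError(f"port {v} is outside 0..65535")
    if op == "eq":
        return port == values[0]
    if op == "gt":
        return port > values[0]
    if op == "lt":
        return port < values[0]
    if op == "neq":
        return port != values[0]
    if op == "range":
        return values[0] <= port <= values[1]
    raise ValueError(f"unknown port operator {op}")


@dataclass
class Rule:
    proto: str          # "tcp", "udp", "icmp" or "ip" ("ip" matches any IP protocol)
    src: AddressSpec
    dst: AddressSpec
    src_port: PortClause = None
    dst_port: PortClause = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when protocol, both address clauses and both port clauses match."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    return (spec_matches(rule.src, pkt.src) and spec_matches(rule.dst, pkt.dst)
            and port_matches(rule.src_port, pkt.sport)
            and port_matches(rule.dst_port, pkt.dport))


# Constructed sample rule (hypothetical documentation prefixes): redirect UDP from one /64,
# written as a 64-bit wildcard, to a single resolver host on port 53.
DNS_RULE = Rule("udp", src=("2001:db8:1::", "::ffff:ffff:ffff:ffff"),
                dst=("host", "2001:db8:53::53"), dst_port=("eq", 53))


def classify(packets):
    """Return, per constructed packet, whether DNS_RULE would redirect it."""
    return [rule_matches(DNS_RULE, p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("udp", "2001:db8:1::42", "2001:db8:53::53", 40000, 53),  # inside the /64: match
        Packet("udp", "2001:db8:9::42", "2001:db8:53::53", 40000, 53),  # other prefix: no match
        Packet("tcp", "2001:db8:1::42", "2001:db8:53::53", 40000, 53),  # wrong protocol: no match
    ]
    for p, hit in zip(samples, classify(samples)):
        print(f"{p.proto} {p.src} -> {p.dst} port {p.dport}: {'redirect' if hit else 'no match'}")
```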
redirect css service (for uplink, by source IP address masking)
Used to redirect subscriber sessions based on the IP address mask sent by the source in the uplink (to the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] uplink source_address source_wildcard
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the active charging service to which packets are to be redirected. At the executive mode prompt, use the show active-charging service all command to display the names of all configured charging services.
svc_name must be a string of 1 through 15 characters.
uplink
Apply this rule definition only to packets in the uplink (to the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
Usage Guidelines
Define a rule definition to match any packet from the IP addresses that fall into the group of addresses selected by the IP address mask. This reduces the number of filtering rule definitions, as it does not require a rule definition for each source and destination pair.
Examples
redirect css service chgsvc1 uplink 1:1:1:1:1:1:1:1
redirect css service (for uplink, by TCP/UDP packets)
Used to redirect subscriber sessions to a charging service based on the transmission control protocol/user datagram protocol packets in the uplink (to the Mobile Node) direction.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
before redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
no redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after
Indicates all rule definitions subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule definition which matches the exact options specified such that new rule definitions will be added, in order, after the matching rule definition.
before
Indicates all rule definitions subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule definition which matches the exact options specified such that new rule definitions will be added, in order, before the matching rule definition.
no
Removes the rule definition which exactly matches the options specified.
css service svc_name
The name of the active charging service to which packets are to be redirected. At the executive mode prompt, use the show active-charging service all command to display the names of all configured charging services.
svc_name must be a string of 1 through 15 characters.
uplink
Apply this rule definition only to packets in the uplink (to the Mobile Node) direction.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
tcp | udp
Specifies the redirect is to be applied to IP-based transmission control protocol or the user datagram protocol.
- tcp: Redirect applies to TCP packets.
- udp: Redirect applies to UDP packets.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
any
Specifies that the rule definition applies to all packets.
host
Specifies that the rule definition applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon notation.
eq source_port
Specifies a single, specific source TCP port number to be filtered.
source_port must be configured to an integer value from 0 to 65535.
gt source_port
Specifies that all source TCP port numbers greater than the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
lt source_port
Specifies that all source TCP port numbers less than the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
neq source_port
Specifies that all source TCP port numbers not equal to the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
range start_source_port end_source_port
Specifies that all source TCP ports within a specific range are to be filtered.
start_source_port is the initial port in the range and end_source_port is the final port in the range.
Both start_source_port and end_source_port can be configured to an integer value from 0 to 65535.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
eq dest_port
Specifies a single, specific destination TCP port number to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
gt dest_port
Specifies that all destination TCP port numbers greater than the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
lt dest_port
Specifies that all destination TCP port numbers less than the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
neq dest_port
Specifies that all destination TCP port numbers not equal to the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
range start_dest_port end_dest_port
Specifies that all destination TCP ports within a specific range are to be filtered.
start_dest_port is the initial port in the range and end_dest_port is the final port in the range.
Both start_dest_port and end_dest_port can be configured to an integer value from 0 to 65535.
Usage Guidelines
Block IP packets when the source and destination are of interest but for only a limited set of ports.
Examples
redirect css service chgsvc1 uplink udp any
before redirect css service chgsvc1 uplink udp any
after redirect css service chgsvc1 uplink udp any
no redirect css service chgsvc1 uplink udp any
redirect nexthop (by IP address masking)
Used to redirect subscriber sessions based on the IP address mask sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
nexthop nexthop_addr
The IP address to which the IP packets are redirected.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
interface interface_name
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Usage Guidelines
Define a rule to redirect any packet whose source IP address falls within the group of addresses selected by the address mask. This reduces the number of redirect rules required, since a separate rule for each source and destination pair is not needed.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
before redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
after redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
no redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
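The wildcard rules above (zero-bits must match, one-bits are ignored, and the one-bits must form one contiguous run from the LSB) are the same for source_wildcard and dest_wildcard in every redirect nexthop form on this page. The following is an added example, not code from the page or from the StarOS product, that checks a wildcard for validity and tests whether a packet address falls inside a rule's address group. It uses Python's standard ipaddress module; the extension of the same bit rules to IPv6 colon-hex wildcards is an assumption of the example, since the page only states the dotted-decimal values.

```python
import ipaddress

def _to_int(addr: str) -> int:
    """Convert a dotted-decimal or colon-hex address string to an integer."""
    return int(ipaddress.ip_address(addr))

def wildcard_is_valid(wildcard: str) -> bool:
    """A wildcard is acceptable only when its one-bits are contiguous from the LSB.

    Such a value is of the form 2^k - 1, which is exactly the case when
    w & (w + 1) == 0. This yields the per-octet values 0, 1, 3, ..., 255
    listed on the page and rejects 0.0.7.15 (0x070F), whose one-bits have a gap.
    """
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0

def address_count(wildcard: str) -> int:
    """Number of addresses a valid wildcard selects (each one-bit doubles the group)."""
    if not wildcard_is_valid(wildcard):
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    return _to_int(wildcard) + 1

def address_matches(rule_address: str, wildcard: str, packet_address: str) -> bool:
    """True when packet_address is in the group given by rule_address/wildcard.

    Bits where the wildcard is 0 must be identical; bits where it is 1 are ignored.
    Addresses of different IP versions never match.
    """
    rule = ipaddress.ip_address(rule_address)
    pkt = ipaddress.ip_address(packet_address)
    wc = ipaddress.ip_address(wildcard)
    if not (rule.version == pkt.version == wc.version):
        return False
    if not wildcard_is_valid(wildcard):
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    keep = ~int(wc)  # mask of the bits that must be identical
    return (int(rule) & keep) == (int(pkt) & keep)

if __name__ == "__main__":
    # Constructed sample values taken from the page's example rule
    # "redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31".
    for wc in ("0.0.0.3", "0.0.0.255", "0.0.15.255", "0.0.7.15"):
        print(wc, "valid" if wildcard_is_valid(wc) else "NOT contiguous")
    print("198.162.22.0/0.0.0.31 covers", address_count("0.0.0.31"), "addresses")
    for pkt in ("198.162.22.17", "198.162.22.31", "198.162.22.32"):
        print(pkt, address_matches("198.162.22.0", "0.0.0.31", pkt))
```

The contiguity test is worth keeping in any configuration linting tool: a wildcard that the CLI rejects is harmless, but a wildcard written with the bits inverted (for example a subnet mask typed where a complement mask is expected) is accepted and silently selects a very different address group, so a pre-commit check that prints address_count for each rule makes such mistakes visible.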
redirect nexthop (any)
Used to redirect subscriber sessions based on any packet received. This command is also used to set the access control list insertion point.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] any
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] any
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] any
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] any
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
nexthop nexthop_addr
The IP address to which the IP packets are redirected.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
interface interface_name
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
any
Indicates all packets will match the redirect regardless of source and/or destination.
Usage Guidelines
Define a catch-all rule to place at the end of the list of rules to provide explicit handling of packets which do not fit any other criteria.
It is suggested that any rule which is added as a catch-all should also have the log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security. The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect nexthop 192.168.10.4 context 23 any
before redirect nexthop 192.168.10.4 context 23 any
after redirect nexthop 192.168.10.4 context 23 any
no redirect nexthop 192.168.10.4 context 23 any
redirect nexthop (by host IP address)
Used to redirect subscriber sessions based on the targeted host IP address sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] host source_ip_address
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] host source_ip_address
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] host source_ip_address
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] host source_ip_address
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
nexthop nexthop_addr
The IP address to which the IP packets are redirected.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
interface interface_name
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
Usage Guidelines
Define a rule when a very specific remote host is to be blocked. In simplified networks where the access controls need only block a few hosts, this command allows the rules to be very clear and concise.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
before redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
after redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
no redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
redirect nexthop (by source ICMP packets)
Used to redirect subscriber sessions based on the internet control message protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
nexthop nexthop_addr
The IP address to which the IP packets are redirected.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
interface interface_name
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
icmp_type
Specifies that all ICMP packets of a particular type are to be filtered. The type can be an integer value from 0 through 255.
icmp_code
Specifies that all ICMP packets of a particular code are to be filtered. The code can be an integer value from 0 through 255.
Usage Guidelines
Define a rule to redirect ICMP packets, which can be used for address resolution and may pose a security risk.
IP redirecting allows flexible control over pairs of individual hosts, or over groups of hosts by IP masking, which allows entire subnets to be redirected if necessary.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect nexthop fe80::c0a8:a04 context 23 icmp host 2002::c6a2:6419
before redirect nexthop fe80::c0a8:a04 context 23 icmp host 2002::c6a2:6419
after redirect nexthop fe80::c0a8:a04 context 23 icmp host 2002::c6a2:6419
no redirect nexthop fe80::c0a8:a04 context 23 icmp host 2002::c6a2:6419
redirect nexthop (by IP packets)
Used to redirect subscriber sessions based on the internet protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to be immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
nexthop nexthop_addr
The IP address to which the IP packets are redirected.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
interface interface_name
The name of the logical interface to which the packets should be redirected. interface_name must be an alphanumeric string from 1 through 79 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
fragment
Indicates packet redirection is to be applied to IP packet fragments only.
protocol num
Indicates that the packet filtering is to be applied to a specific protocol number.
num can be an integer from 0 through 255.
Usage Guidelines
Redirect IP packets when both the source and destination are of interest.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthop (by TCP/UDP packets)
Used to redirect subscriber sessions based on the transmission control protocol/user datagram protocol packets sent by the source to the mobile node or the network.
Product
All
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPv6 ACL Configuration
configure > context context_name > ipv6 access-list ipv6_acl_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ipv6-acl)#
Syntax
Syntax Description
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after
Indicates all rules defined subsequent to this command are to be inserted after the command identified by the exact options listed.
This moves the insertion point to immediately after the rule which matches the exact options specified such that new rules will be added, in order, after the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
before
Indicates all rules defined subsequent to this command are to be inserted before the command identified by the exact options listed.
This moves the insertion point to be immediately before the rule which matches the exact options specified such that new rules will be added, in order, before the matching rule.
If the options specified do not exactly match an existing rule, the insertion point does not change.
no
Removes the rule which exactly matches the options specified.
nexthop nexthop_addr
The IP address to which the IP packets are redirected.
context context_id
The context identification number of the context to which packets are redirected. At the executive mode prompt, use the show context all command to display context names and context IDs.
interface interface_name
The name of the logical interface to which the packets should be redirected. interface_name must be an alphanumeric string from 1 through 79 characters.
log
Default: packets are not logged.
Indicates all packets which match the redirect are to be logged.
tcp | udp
Specifies that the redirect is to be applied to the IP-based transmission control protocol or the user datagram protocol.
- tcp: Redirect applies to TCP packets.
- udp: Redirect applies to UDP packets.
source_address
The IP address(es) from which the packet originated.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then be configured using the source_wildcard parameter.
source_wildcard
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the source_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB).
any
Specifies that the rule applies to all packets.
host
Specifies that the rule applies to a specific host as determined by its IP address.
source_host_address
The IP address of the source host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
dest_host_address
The IP address of the destination host to filter against expressed in IPv6 colon-separated-hexadecimal notation.
eq source_port
Specifies a single, specific source TCP port number to be filtered.
source_port must be configured to an integer value from 0 to 65535.
gt source_port
Specifies that all source TCP port numbers greater than the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
lt source_port
Specifies that all source TCP port numbers less than the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
neq source_port
Specifies that all source TCP port numbers not equal to the one specified are to be filtered.
source_port must be configured to an integer value from 0 to 65535.
dest_address
The IP address(es) to which the packet is to be sent.
This option is used to filter all packets to a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this parameter. The range can then be configured using the dest_wildcard parameter.
dest_wildcard
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The mask must be entered as a complement:
- Zero-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be identical.
- One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
eq dest_port
Specifies a single, specific destination TCP port number to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
gt dest_port
Specifies that all destination TCP port numbers greater than the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
lt dest_port
Specifies that all destination TCP port numbers less than the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
neq dest_port
Specifies that all destination TCP port numbers not equal to the one specified are to be filtered.
dest_port must be configured to an integer value from 0 to 65535.
Usage Guidelines
Redirect IP packets when the source and destination are of interest, but only for a limited set of ports.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide. Also note that "redirect" rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Examples
redirect nexthop fe80::c0a8:a04 context 23 udp any
before redirect nexthop fe80::c0a8:a04 context 23 udp any
after redirect nexthop fe80::c0a8:a04 context 23 udp any
no redirect nexthop fe80::c0a8:a04 context 23 udp any
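Every redirect nexthop form on this page carries the same after, before and no semantics: after and before move the insertion point only when the given options exactly match an existing rule, subsequent rules are then added in order relative to that rule, and no removes the exactly matching rule. The following is an added example, not code from the page or from the StarOS product, that models an access list as an ordered list of rule strings with that insertion-point behaviour; treating the insertion point as persisting across several subsequent rule definitions is the example's reading of "all rules defined subsequent to this command". The rule strings are the page's own example rules, with the catch-all carrying the log option as the Usage Guidelines suggest.

```python
from typing import List, Optional

class AccessList:
    """Ordered rule list with an insertion point, modelled on the page's after/before/no."""

    def __init__(self) -> None:
        self.rules: List[str] = []
        # None means new rules are appended at the end of the list.
        self.insert_at: Optional[int] = None

    def _find(self, rule: str) -> Optional[int]:
        # Matching is on the exact, complete option string; a near match is no match.
        try:
            return self.rules.index(rule)
        except ValueError:
            return None

    def add(self, rule: str) -> List[str]:
        """Define a rule at the current insertion point (or at the end)."""
        if self.insert_at is None:
            self.rules.append(rule)
        else:
            self.rules.insert(self.insert_at, rule)
            # Keep later definitions in order relative to the reference rule.
            self.insert_at += 1
        return list(self.rules)

    def after(self, rule: str) -> Optional[int]:
        """Move the insertion point to immediately after an exactly matching rule."""
        idx = self._find(rule)
        if idx is not None:
            self.insert_at = idx + 1
        return self.insert_at  # unchanged when nothing matched

    def before(self, rule: str) -> Optional[int]:
        """Move the insertion point to immediately before an exactly matching rule."""
        idx = self._find(rule)
        if idx is not None:
            self.insert_at = idx
        return self.insert_at  # unchanged when nothing matched

    def remove(self, rule: str) -> bool:
        """'no' form: delete the exactly matching rule; report whether one was found."""
        idx = self._find(rule)
        if idx is None:
            return False
        del self.rules[idx]
        if self.insert_at is not None and self.insert_at > idx:
            self.insert_at -= 1
        return True

CATCH_ALL = "redirect nexthop 192.168.10.4 context 23 log any"

def demo() -> List[str]:
    """Build a list where specific rules stay above the logged catch-all."""
    acl = AccessList()
    acl.add("redirect nexthop 192.168.10.4 context 23 host 192.168.200.11")
    acl.add(CATCH_ALL)
    # Park the insertion point in front of the catch-all so that later,
    # more specific rules are evaluated before it.
    acl.before(CATCH_ALL)
    acl.add("redirect nexthop fe80::c0a8:a04 context 23 udp any")
    # Same rule typed without 'log': not an exact match, insertion point unchanged.
    acl.after("redirect nexthop 192.168.10.4 context 23 any")
    acl.add("redirect nexthop fe80::c0a8:a04 context 23 icmp host 2002::c6a2:6419")
    return acl.rules

if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(i, r)
```

Two points the model makes concrete: a rule added after a failed after or before keeps landing at the previous insertion point, so a typo in the reference rule silently places new rules somewhere else in the list; and because matching is exact, the no form needs the full option string, log included, or it removes nothing. Comparing the rule list before and after a change, as demo does by returning it, is the check to run when auditing where a catch-all sits.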