Cisco Systems 3560 Manual De Usuario
39-5
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 39 Configuring IPv6 ACLs
Configuring IPv6 ACLs
Step 3a
deny | permit protocol
{source-ipv6-prefix/prefix-length
| any | host source-ipv6-address}
[operator [port-number]]
{destination-ipv6-prefix/
prefix-length | any |
| any | host source-ipv6-address}
[operator [port-number]]
{destination-ipv6-prefix/
prefix-length | any |
host destination-ipv6-address}
[operator [port-number]]
[operator [port-number]]
[dscp value] [fragments] [log]
[log-input] [sequence value]
[time-range name]
[log-input] [sequence value]
[time-range name]
Enter deny or permit to specify whether to deny or permit the packet if
conditions are matched. These are the conditions:
conditions are matched. These are the conditions:
•
For protocol, enter the name or number of an Internet protocol: ahp, esp,
icmp, ipv6, pcp, stcp, tcp, or udp, or an integer in the range 0 to 255
representing an IPv6 protocol number. For additional specific parameters for
ICMP, TCP, and UDP, see Steps 3b through 3d.
icmp, ipv6, pcp, stcp, tcp, or udp, or an integer in the range 0 to 255
representing an IPv6 protocol number. For additional specific parameters for
ICMP, TCP, and UDP, see Steps 3b through 3d.
•
The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/
prefix-length is the source or destination IPv6 network or class of networks
for which to set deny or permit conditions, specified in hexadecimal and
using 16-bit values between colons (see RFC 2373).
prefix-length is the source or destination IPv6 network or class of networks
for which to set deny or permit conditions, specified in hexadecimal and
using 16-bit values between colons (see RFC 2373).
Note
Although the CLI help shows a prefix-length range of /0 to /128, the
switch supports IPv6 address matching only for prefixes in the range of
/0 to /64 and EUI-based /128 prefixes for aggregatable global unicast and
link-local host addresses.
switch supports IPv6 address matching only for prefixes in the range of
/0 to /64 and EUI-based /128 prefixes for aggregatable global unicast and
link-local host addresses.
•
Enter any as an abbreviation for the IPv6 prefix ::/0.
•
For host source-ipv6-address or destination-ipv6-address, enter the source
or destination IPv6 host address for which to set deny or permit conditions,
specified in hexadecimal using 16-bit values between colons.
or destination IPv6 host address for which to set deny or permit conditions,
specified in hexadecimal using 16-bit values between colons.
•
(Optional) For operator, specify an operand that compares the source or
destination ports of the specified protocol. Operands are lt (less than), gt
(greater than), eq (equal), neq (not equal), and range.
destination ports of the specified protocol. Operands are lt (less than), gt
(greater than), eq (equal), neq (not equal), and range.
If the operator follows the source-ipv6-prefix/prefix-length argument, it must
match the source port. If the operator follows the destination-ipv6-
prefix/prefix-length argument, it must match the destination port.
match the source port. If the operator follows the destination-ipv6-
prefix/prefix-length argument, it must match the destination port.
•
(Optional) The port-number is a decimal number from 0 to 65535 or the
name of a TCP or UDP port for filtering TCP or UDP, respectively.
name of a TCP or UDP port for filtering TCP or UDP, respectively.
•
(Optional) Enter dscp value to match a differentiated services code point
value against the traffic class value in the Traffic Class field of each IPv6
packet header. The acceptable range is from 0 to 63.
value against the traffic class value in the Traffic Class field of each IPv6
packet header. The acceptable range is from 0 to 63.
•
(Optional) Enter fragments to check noninitial fragments. This keyword is
visible only if the protocol is ipv6.
visible only if the protocol is ipv6.
•
(Optional) Enter log to cause an logging message to be sent to the console
about the packet that matches the entry. Enter log-input to include the input
interface in the log entry. Logging is supported only for router ACLs.
about the packet that matches the entry. Enter log-input to include the input
interface in the log entry. Logging is supported only for router ACLs.
•
(Optional) Enter sequence value to specify the sequence number for the
access list statement. The acceptable range is from 1 to 4294967295.
access list statement. The acceptable range is from 1 to 4294967295.
•
(Optional) Enter time-range name to specify a time range for the statement.
Command
Purpose