Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Configuring an IPv6 ACL
IPv6 ACLs cannot be used with GRE.
IPv6 ACLs cannot be employed to implement a user-based ACL scheme.
If an IPv6 ACL has the implicit deny condition, make sure it also permits the IPv6 link-local 
address, in addition to the global unicast address. Otherwise, routing protocols such as OSPF 
will not work. To view the link-local address, use the show ipv6 interface command.
IPv6 must be enabled on the interface before an ACL can be applied to it. If IPv6 is not enabled 
on the interface, the system will display the following error message.
Brocade(config-if-e10000-1/1/7)# ipv6 traffic-filter netw in
Error:  IPv6 is not enabled for interface 1/1/7
To enable IPv6 on an interface, enter ipv6 enable at the Interface level of the CLI, or assign an 
IPv6 address to the interface as described in Brocade ICX 6650 Administration Guide and 
further discussed in Brocade ICX 6650 Security Configuration Guide.
You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so will 
cause the system to return the following error message.
Brocade(config-if-e10000-1/1/7)# no ipv6 enable
Error:  Port 7 has IPv6 ACL configured.  Cannot disable IPv6
To disable IPv6, first remove the ACL from the interface.
For notes on applying IPv6 ACLs to trunk ports, see 
For notes on applying IPv6 ACLs to virtual ports, see 
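The link-local note above can be checked offline before an ACL is bound to an interface. The following Python is an added example, not part of the Brocade guide or any Brocade tool: it models first-match evaluation with the implicit deny and tests whether an OSPFv3 hello from a neighbor's link-local address would still pass. The function names, the neighbor address fe80::1, and the GLOBAL_ONLY and WITH_LINK_LOCAL entries are constructed for illustration; only the entry forms used in this guide's Telnet example (any, host, prefix/length, destination eq) are modelled.

```python
import ipaddress

def parse_entry(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]'; src/dst is any, host <addr> or <prefix>/<len>."""
    tok = line.split()
    action, proto, rest, nets = tok[0], tok[1], tok[2:], []
    while len(nets) < 2:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("::/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/128"))
            rest = rest[2:]
        else:
            nets.append(ipaddress.ip_network(rest[0], strict=False))
            rest = rest[1:]
    port = rest[1] if rest[:1] == ["eq"] else None  # only a destination 'eq' is modelled
    return action, proto, nets[0], nets[1], port

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in map(parse_entry, acl_lines):
        if p in ("ipv6", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

def ospf_hello_permitted(acl_lines, neighbor_ll="fe80::1"):
    """OSPFv3 hellos arrive from the neighbor's link-local address to ff02::5, IP protocol 89."""
    return evaluate(acl_lines, "89", neighbor_ll, "ff02::5") == "permit"

# Constructed ACLs: global unicast only, then the same list with link-local added.
GLOBAL_ONLY = ["permit ipv6 2001:db8:e0bb::/64 any"]
WITH_LINK_LOCAL = GLOBAL_ONLY + ["permit ipv6 fe80::/10 any"]
# Entries from this guide's Telnet example (ends in an explicit permit, so no implicit deny applies).
FDRY = ["deny tcp host 2001:db8:e0bb::2 any eq telnet", "permit ipv6 any any"]

if __name__ == "__main__":
    for name, acl in [("global-only", GLOBAL_ONLY), ("with-link-local", WITH_LINK_LOCAL), ("fdry", FDRY)]:
        print(name, "OSPFv3 hello permitted:", ospf_hello_permitted(acl))
```

The global-only list drops the hello at the implicit deny, while the list that also permits fe80::/10 lets it through.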
Configuring an IPv6 ACL
Follow the steps given below to configure an IPv6 ACL.
1. Create the ACL.
2. Enable IPv6 on the interface to which the ACL will be applied.
3. Apply the ACL to the interface.
Example IPv6 configurations
To configure an access list that blocks all Telnet traffic received on port 1/1/1 from IPv6 host 2001:db8:e0bb::2, enter the following commands.
Brocade(config)# ipv6 access-list fdry
Brocade(config-ipv6-access-list-fdry)# deny tcp host 2001:db8:e0bb::2 any eq telnet
Brocade(config-ipv6-access-list-fdry)# permit ipv6 any any
Brocade(config-ipv6-access-list-fdry)# exit
Brocade(config)# interface ethernet 1/1/1
Brocade(config-if-e10000-1/1/1)# ipv6 enable
Brocade(config-if-e10000-1/1/1)# ipv6 traffic-filter fdry in
Brocade(config-if-e10000-1/1/1)# exit
Brocade(config)# write memory
The following is another example of commands for configuring an ACL and applying it to an interface.