Brocade Communications Systems Brocade ICX 6650 6650 Manual De Usuario
Brocade ICX 6650 Security Configuration Guide
135
53-1002601-01
Creating an IPv6 ACL
ipv6-source-prefix/prefix-length
The ipv6-source-prefix/prefix-length parameter specify a source prefix and
prefix length that a packet must match for the specified action (deny or
permit) to occur. You must specify the ipv6-source-prefix parameter in
hexadecimal using 16-bit values between colons as documented in RFC
2373. You must specify the prefix-length parameter as a decimal value. A
slash mark (/) must follow the ipv6-prefix parameter and precede the
prefix-length parameter.
prefix length that a packet must match for the specified action (deny or
permit) to occur. You must specify the ipv6-source-prefix parameter in
hexadecimal using 16-bit values between colons as documented in RFC
2373. You must specify the prefix-length parameter as a decimal value. A
slash mark (/) must follow the ipv6-prefix parameter and precede the
prefix-length parameter.
ipv6-destination-prefix/prefix-lengt
h
The ipv6-destination-prefix/prefix-length parameter specify a destination
prefix and prefix length that a packet must match for the specified action
(deny or permit) to occur. You must specify the ipv6-destination-prefix
parameter in hexadecimal using 16-bit values between colons as
documented in RFC 2373. You must specify the prefix-length parameter as a
decimal value. A slash mark (/) must follow the ipv6-prefix parameter and
precede the prefix-length parameter
prefix and prefix length that a packet must match for the specified action
(deny or permit) to occur. You must specify the ipv6-destination-prefix
parameter in hexadecimal using 16-bit values between colons as
documented in RFC 2373. You must specify the prefix-length parameter as a
decimal value. A slash mark (/) must follow the ipv6-prefix parameter and
precede the prefix-length parameter
any
When specified instead of the ipv6-source-prefix/prefix-length or
ipv6-destination-prefix/prefix-length parameters, matches any IPv6 prefix
and is equivalent to the IPv6 prefix::/0.
ipv6-destination-prefix/prefix-length parameters, matches any IPv6 prefix
and is equivalent to the IPv6 prefix::/0.
host
Allows you specify a host IPv6 address. When you use this parameter, you do
not need to specify the prefix length. A prefix length of all128 is implied.
not need to specify the prefix length. A prefix length of all128 is implied.
tcp-udp-operator
The tcp-udp-operator parameter can be one of the following:
•
eq – The policy applies to the TCP or UDP port name or number you
enter after eq.
enter after eq.
•
gt – The policy applies to TCP or UDP port numbers greater than the
port number or the numeric equivalent of the port name you enter after
gt. Enter "?" to list the port names.
port number or the numeric equivalent of the port name you enter after
gt. Enter "?" to list the port names.
•
lt – The policy applies to TCP or UDP port numbers that are less than
the port number or the numeric equivalent of the port name you enter
after lt.
the port number or the numeric equivalent of the port name you enter
after lt.
•
neq – The policy applies to all TCP or UDP port numbers except the port
number or port name you enter after neq.
number or port name you enter after neq.
•
range – The policy applies to all TCP port numbers that are between
the first TCP or UDP port name or number and the second one you
enter following the range parameter. The range includes the port
names or numbers you enter. For example, to apply the policy to all
ports between and including 23 (Telnet) and 53 (DNS), enter the
following range 23 53. The first port number in the range must be
lower than the last number in the range.
the first TCP or UDP port name or number and the second one you
enter following the range parameter. The range includes the port
names or numbers you enter. For example, to apply the policy to all
ports between and including 23 (Telnet) and 53 (DNS), enter the
following range 23 53. The first port number in the range must be
lower than the last number in the range.
The source-port number and destination-port-number for the
tcp-udp-operator is the number of the port.
tcp-udp-operator is the number of the port.
ipv6-operator
Allows you to filter the packets further by using one of the following options:
•
dscp – The policy applies to packets that match the traffic class value
in the traffic class field of the IPv6 packet header. This operator allows
you to filter traffic based on TOS or IP precedence. You can specify a
value from 0 – 63.
in the traffic class field of the IPv6 packet header. This operator allows
you to filter traffic based on TOS or IP precedence. You can specify a
value from 0 – 63.
•
fragments – The policy applies to fragmented packets that contain a
non-zero fragment offset.
non-zero fragment offset.
NOTE: This option is not applicable to filtering based on source or
destination port, TCP flags, and ICMP flags.
•
routing – The policy applies only to IPv6 source-routed packets.
NOTE: This option is not applicable to filtering based on source or
destination port, TCP flags, and ICMP flags.
TABLE 18
Syntax descriptions (Continued)
IPv6 ACL arguments
Description