Catalyst 3560 Switch Software Configuration Guide, OL-8553-06, Chapter 39: Configuring IPv6 ACLs (page 39-7)
Configuring IPv6 ACLs
Use the no {deny | permit} IPv6 access-list configuration commands, with the same keywords as the original entry, to remove a deny or permit condition from the specified access list.
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000; it also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list, so any traffic not explicitly permitted would otherwise be dropped.
Switch(config)# ipv6 access-list CISCO
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch(config-ipv6-acl)# deny udp ::/0 lt 5000 ::/0 log
Switch(config-ipv6-acl)# permit icmp any any
Switch(config-ipv6-acl)# permit any any
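To make the first-match semantics concrete, the following Python model (an added example, not Cisco software) evaluates constructed IPv6 packets against the CISCO list above exactly as the switch processes it: top-down, first matching entry wins, and anything that reaches the end of the list hits the implicit deny-all. The second entry is written with the udp keyword the text describes. The parser handles only the entry forms on this page; the sample addresses are constructed documentation-prefix values.

```python
"""First-match evaluation of an IPv6 access list (added example, not Cisco code).

Parser covers the entry forms used on this page: optional protocol keyword
(tcp, udp, icmp; none means any IPv6 protocol), 'any' or a prefix such as
'::/0' for source and destination, 'lt'/'gt'/'eq' port operators, and 'log'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOL_KEYWORDS = {"tcp", "udp", "icmp"}
PORT_OPERATORS = {"lt", "gt", "eq"}


@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    protocol: Optional[str]              # None means any IPv6 protocol
    src: ipaddress.IPv6Network
    src_port: Optional[Tuple[str, int]]  # e.g. ("lt", 5000), or None
    dst: ipaddress.IPv6Network
    dst_port: Optional[Tuple[str, int]]
    log: bool


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int = 0                    # ignored for protocols without ports
    dst_port: int = 0


def _prefix(token: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network("::/0" if token == "any" else token, strict=False)


def _port_op(tokens: List[str]) -> Optional[Tuple[str, int]]:
    # Consumes an optional "<operator> <port>" pair from the front of the token list.
    if tokens and tokens[0] in PORT_OPERATORS:
        op = tokens.pop(0)
        return op, int(tokens.pop(0))
    return None


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    protocol = tokens.pop(0) if tokens[0] in PROTOCOL_KEYWORDS else None
    src = _prefix(tokens.pop(0))
    src_port = _port_op(tokens)
    dst = _prefix(tokens.pop(0))
    dst_port = _port_op(tokens)
    return Entry(action, protocol, src, src_port, dst, dst_port, "log" in tokens)


def _port_ok(op: Optional[Tuple[str, int]], port: int) -> bool:
    if op is None:
        return True
    name, value = op
    return {"lt": port < value, "gt": port > value, "eq": port == value}[name]


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.protocol is not None and entry.protocol != pkt.protocol:
        return False
    if ipaddress.IPv6Address(pkt.src) not in entry.src:
        return False
    if ipaddress.IPv6Address(pkt.dst) not in entry.dst:
        return False
    # Port operators only apply to TCP and UDP; ICMP has no ports to compare.
    if (entry.src_port or entry.dst_port) and pkt.protocol not in ("tcp", "udp"):
        return False
    return _port_ok(entry.src_port, pkt.src_port) and _port_ok(entry.dst_port, pkt.dst_port)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, matching entry number, logged).

    The entry number is None when nothing matched and the implicit deny-all
    at the end of the list decided the result.
    """
    for number, entry in enumerate(acl, start=1):
        if matches(entry, pkt):
            return entry.action, number, entry.log
    return "deny", None, False


# The CISCO list from this page (udp keyword on the second entry, as the text describes).
CISCO = [parse_entry(line) for line in (
    "deny tcp any any gt 5000",
    "deny udp ::/0 lt 5000 ::/0 log",
    "permit icmp any any",
    "permit any any",
)]

# Constructed sample traffic using the 2001:db8::/32 documentation prefix.
SAMPLES = {
    "tcp to high port":  Packet("tcp", "2001:db8::10", "2001:db8::20", 40000, 8080),
    "udp from low port": Packet("udp", "2001:db8::10", "2001:db8::20", 53, 53000),
    "icmpv6":            Packet("icmp", "2001:db8::10", "2001:db8::20"),
    "tcp to 443":        Packet("tcp", "2001:db8::10", "2001:db8::20", 40000, 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {evaluate(CISCO, pkt)}")
    # Drop the final 'permit any any': the same HTTPS flow now falls to the implicit deny.
    print("tcp to 443, no final permit ->", evaluate(CISCO[:-1], SAMPLES["tcp to 443"]))
```

Running it shows the TCP flow to port 8080 stopped by entry 1, the UDP flow from port 53 stopped and logged by entry 2, ICMPv6 permitted by entry 3, and TCP to port 443 permitted only by entry 4; with that last entry removed the HTTPS flow is denied by the implicit deny-all, which is why the text calls the final permit necessary.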
Applying an IPv6 ACL to an Interface
This section describes how to apply IPv6 ACLs to network interfaces. You can apply an ACL to 
outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer 2 interfaces. 
Beginning in privileged EXEC mode, follow these steps to control access to an interface:

Command                                          Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Identify a Layer 2 interface (for port ACLs) or Layer 3 interface (for router ACLs) on which to apply an access list, and enter interface configuration mode.
        Note: Switches running the IP base image do not support port ACLs.

Step 3  no switchport
        If applying a router ACL, change the interface from Layer 2 mode (the default) to Layer 3 mode.

Step 4  ipv6 address ipv6-address
        Configure an IPv6 address on a Layer 3 interface (for router ACLs). This command is not required on Layer 2 interfaces or if the interface has already been configured with an explicit IPv6 address.

Step 5  ipv6 traffic-filter access-list-name {in | out}
        Apply the access list to incoming or outgoing traffic on the interface. The out keyword is not supported for Layer 2 interfaces (port ACLs). If the switch is running the IP base image, the out keyword is not supported for Layer 3 interfaces either.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show running-config
        Verify the access list configuration.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface.

This example shows how to apply the access list CISCO to outbound traffic on a Layer 3 interface:

Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
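The placement rules in Steps 2 through 5 are easy to get wrong when reviewing a large configuration, so the following Python audit (an added example, not a Cisco tool) reads a running-config excerpt and reports every ipv6 traffic-filter application that the page says the platform does not support: the out direction on a Layer 2 interface, and, when the switch runs the IP base image, any port ACL or any outbound router ACL. An interface is treated as Layer 3 only when its block contains no switchport, matching the page's statement that Layer 2 mode is the default. The configuration excerpt is constructed for this example, and the check that a referenced list is actually defined is this example's own addition rather than a rule from the page.

```python
"""Audit ipv6 traffic-filter placement in a running-config excerpt
(added example, not Cisco code).

Rules encoded from this page:
  * Layer 2 interface (no 'no switchport')  -> port ACL, 'in' only
  * Layer 3 interface ('no switchport')     -> router ACL, 'in' or 'out'
  * IP base image                           -> no port ACLs, no outbound router ACLs
The undefined-ACL check is an extra consistency check added here.
"""
import re
from typing import Dict, List, Set, Tuple

INTERFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
ACL_RE = re.compile(r"^ipv6 access-list\s+(\S+)", re.IGNORECASE)
FILTER_RE = re.compile(r"^\s+ipv6 traffic-filter\s+(\S+)\s+(in|out)\b", re.IGNORECASE)


def parse_config(text: str) -> Tuple[Set[str], Dict[str, dict]]:
    """Return (defined ACL names, {interface: {"layer3": bool, "filters": [(acl, dir)]}})."""
    acls: Set[str] = set()
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # A new top-level section; only interface blocks are tracked further.
            current = None
            acl = ACL_RE.match(line)
            intf = INTERFACE_RE.match(line)
            if acl:
                acls.add(acl.group(1))
            elif intf:
                current = interfaces.setdefault(intf.group(1), {"layer3": False, "filters": []})
            continue
        if current is None:
            continue
        if line.strip() == "no switchport":
            current["layer3"] = True          # routed port: router ACL applies
        else:
            flt = FILTER_RE.match(line)
            if flt:
                current["filters"].append((flt.group(1), flt.group(2).lower()))
    return acls, interfaces


def audit(text: str, ip_base: bool = False) -> List[str]:
    """Return one finding per unsupported or inconsistent ACL application."""
    acls, interfaces = parse_config(text)
    findings: List[str] = []
    for name, info in interfaces.items():
        for acl, direction in info["filters"]:
            if acl not in acls:
                findings.append(f"{name}: access list {acl} is applied but not defined in this excerpt")
            if info["layer3"]:
                if direction == "out" and ip_base:
                    findings.append(f"{name}: outbound router ACL is not supported on the IP base image")
            elif ip_base:
                findings.append(f"{name}: port ACLs are not supported on the IP base image")
            elif direction == "out":
                findings.append(f"{name}: the out keyword is not supported on a Layer 2 interface")
    return findings


# Constructed excerpt: one valid router ACL, one outbound port ACL, one undefined list.
SAMPLE_CONFIG = """\
ipv6 access-list CISCO
 deny tcp any any gt 5000
 deny udp ::/0 lt 5000 ::/0 log
 permit icmp any any
 permit any any
!
interface GigabitEthernet0/3
 no switchport
 ipv6 address 2001::/64 eui-64
 ipv6 traffic-filter CISCO out
!
interface GigabitEthernet0/4
 ipv6 traffic-filter CISCO out
!
interface GigabitEthernet0/5
 ipv6 traffic-filter GUEST in
"""

if __name__ == "__main__":
    for image, flag in (("IP services image", False), ("IP base image", True)):
        print(image)
        for finding in audit(SAMPLE_CONFIG, ip_base=flag):
            print("  ", finding)
```

Against the constructed excerpt the audit accepts GigabitEthernet0/3 (router ACL, either direction is fine), flags the out keyword on the Layer 2 port GigabitEthernet0/4, and reports the undefined list GUEST on GigabitEthernet0/5; rerun with ip_base=True it additionally rejects the outbound router ACL and both port ACLs, which is exactly the set of combinations Steps 2 and 5 call out as unsupported.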