3com S7906E Installation Guide
Configuring an Advanced IPv6 ACL
Advanced IPv6 ACLs filter packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port, TCP/UDP destination port, ICMPv6 message type, and ICMPv6 message code.
Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, which match on the source address only, they allow more flexible and precise filtering.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command first.
Configuration Procedure
Follow these steps to configure an advanced IPv6 ACL:
To do: Enter system view
Use the command: system-view
Remarks: --

To do: Create and enter advanced IPv6 ACL view
Use the command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv6 ACL when creating the ACL, you can use the acl ipv6 name acl6-name command to enter the view of the ACL later.

To do: Create or modify a rule
Use the command: rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
Remarks: Required. To create multiple rules, repeat this step. Note that if the ACL is to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported and the operator argument cannot be:
- neq, if the policy is for the inbound traffic;
- gt, lt, neq or range, if the policy is for the outbound traffic.

To do: Set a rule numbering step
Use the command: step step-value
Remarks: Optional. The default step is 5.

To do: Create an ACL description
Use the command: description text
Remarks: Optional. By default, no IPv6 ACL description is present.

To do: Create a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, no rule description is present.
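The following session walks through the whole procedure above on one ACL. It is an added example, not configuration taken from this guide or from any 3com/H3C device; the ACL number 3000, the name dmz-in, the prefixes 2001:db8:10::/64 and 2001:db8:20::/64, the time range work-hours, the prompts, and the traffic policy itself are assumptions chosen for illustration. Lines beginning with # are explanatory comments, not commands.

```text
# Added example (not from the original guide). Assumed names, prefixes and
# prompts; adjust to the real topology before use.
<Sysname> system-view
# Prerequisite: define the time range before any rule references it.
[Sysname] time-range work-hours 08:00 to 18:00 working-day
# Create ACL 3000 with a name. match-order config evaluates rules in the
# order they are listed, so order deliberately: specific permits first.
[Sysname] acl ipv6 number 3000 name dmz-in match-order config
[Sysname-acl6-adv-3000] description Inbound filter for the DMZ uplink
# A step of 10 leaves gaps for rules inserted later without renumbering.
[Sysname-acl6-adv-3000] step 10
# SSH only from the management prefix to the DMZ prefix.
[Sysname-acl6-adv-3000] rule 10 permit tcp source 2001:db8:10::/64 destination 2001:db8:20::/64 destination-port eq 22
[Sysname-acl6-adv-3000] rule 10 comment SSH from management prefix to DMZ
# Return traffic of TCP sessions opened from the DMZ (ACK or RST flag set).
[Sysname-acl6-adv-3000] rule 20 permit tcp destination 2001:db8:20::/64 established
# DNS replies from the resolver prefix, matched on the UDP source port.
[Sysname-acl6-adv-3000] rule 30 permit udp source 2001:db8:10::/64 source-port eq 53 destination 2001:db8:20::/64
# ICMPv6 echo request (type 128, code 0), only during the assumed time range.
[Sysname-acl6-adv-3000] rule 40 permit icmpv6 destination 2001:db8:20::/64 icmpv6-type 128 0 time-range work-hours
# Explicit final deny with logging. Remove the logging keyword if this ACL
# will be referenced by a QoS policy for traffic classification.
[Sysname-acl6-adv-3000] rule 50 deny ipv6 logging
[Sysname-acl6-adv-3000] quit
# Check: confirm the rules, their numbers and their order before applying the ACL.
[Sysname] display acl ipv6 3000
```

Two points a practitioner should verify on the real device: first, creating the ACL filters nothing by itself, it takes effect only once it is referenced (for example by packet filtering or a QoS policy), and the QoS restrictions listed in the procedure (no logging, no fragment, and the limits on the operator argument) apply at that point; second, with match-order config a later, broader rule never overrides an earlier, narrower one, so the deny rule belongs last, whereas with match-order auto the device orders rules by depth, and the displayed order, not the entered order, is the one that counts.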