Technical data

ServerIron ADX NAT64 Configuration Guide 97
53-1002444-02
DRAFT: BROCADE CONFIDENTIAL
Chapter 6
IPv6 Access Control Lists
In this chapter
In this chapter, page 97
Configuring IPv6 ACLs, page 99
Applying IPv6 ACLs to interfaces, page 105
Displaying IPv6 ACLs, page 106
Using an ACL to restrict SSH access, page 107
Using an ACL to restrict Telnet access, page 107
Logging IPv6 ACLs, page 107
IPv6 ACL overview
ServerIron ADX supports IPv6 access control lists (ACLs) in hardware. You can configure a maximum of 1024 ACL entries, in any combination of different ACLs; the total number of entries across all ACLs cannot exceed this system maximum of 1024 entries.
By default, IPv6 ACLs are processed in hardware and all IPv6 ACL rules are stored in ternary content-addressable memory (TCAM).
An IPv6 ACL is composed of one or more conditional statements that cause an action (permit or deny) if a packet matches a specified source or destination prefix. If the maximum number of IPv6 ACL rules is reached, the following error messages are displayed on the console:
IPv6 Hardware ACL rules cannot be configured,exceeds the maximum hardware limit of
1024 entries
Insufficient hardware resource for binding the ACL scale1 to interface Port or
Slot/Port.
In ACLs with multiple statements, you can specify a priority for each statement. The specified priority determines the order in which the statement appears in the ACL. The last statement in each IPv6 ACL is an implicit deny statement for all packets that do not match the previous statements in the ACL.
You can configure an IPv6 ACL on a global basis, and then apply it to the incoming IPv6 packets on specified interfaces. You can apply only one IPv6 ACL to an interface’s incoming traffic. When an interface receives an IPv6 packet, it applies the statements within the ACL in their order of appearance to the packet. As soon as a match occurs, the ServerIron ADX takes the specified action (permit or deny the packet) and stops further comparison for that packet.
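The following added example (not Brocade code and not ServerIron CLI syntax) models the evaluation semantics described above: statements are ordered by their priority, the first matching statement decides the action, anything that matches no statement falls through to the implicit deny, and the 1024-entry hardware limit is enforced. The statement fields, protocol names, prefixes and the ACL name are constructed sample values.

```python
# Added example (not Brocade code): models the IPv6 ACL semantics this chapter
# describes: statements ordered by priority, first match wins, implicit deny at
# the end. Protocol names, prefixes and the ACL name are constructed values.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

MAX_HW_ENTRIES = 1024  # system-wide limit stated in the guide

@dataclass(frozen=True)
class Statement:
    priority: int   # lower value is evaluated first
    action: str     # "permit" or "deny"
    protocol: str   # "ipv6" matches any protocol; otherwise "tcp", "udp", ...
    src: IPv6Network
    dst: IPv6Network

    def matches(self, proto: str, src: IPv6Address, dst: IPv6Address) -> bool:
        proto_ok = self.protocol in ("ipv6", proto)
        return proto_ok and src in self.src and dst in self.dst

class IPv6Acl:
    def __init__(self, name: str, statements: List[Statement]):
        if len(statements) > MAX_HW_ENTRIES:
            raise ValueError(f"{name}: exceeds the hardware limit of {MAX_HW_ENTRIES}")
        self.name = name
        # The priority decides the order in which statements appear in the ACL.
        self.statements = sorted(statements, key=lambda s: s.priority)

    def evaluate(self, proto: str, src: str, dst: str) -> Tuple[str, Optional[Statement]]:
        """First match wins; ("deny", None) means the implicit deny applied."""
        s_addr, d_addr = IPv6Address(src), IPv6Address(dst)
        for stmt in self.statements:
            if stmt.matches(proto, s_addr, d_addr):
                return stmt.action, stmt
        return "deny", None

# Constructed sample ACL: deny one host, permit the rest of its /64, permit TCP
# from a second /64 to one destination prefix, and let everything else fall
# through to the implicit deny.
ANY = IPv6Network("::/0")
SAMPLE_ACL = IPv6Acl("edge-in", [
    Statement(20, "permit", "ipv6", IPv6Network("2001:db8:1::/64"), ANY),
    Statement(10, "deny", "ipv6", IPv6Network("2001:db8:1::bad/128"), ANY),
    Statement(30, "permit", "tcp", IPv6Network("2001:db8:2::/64"),
              IPv6Network("2001:db8:ffff::/64")),
])
```

Calling `SAMPLE_ACL.evaluate("udp", "2001:db8:2::5", "2001:db8:ffff::1")` returns `("deny", None)`: the only statement for that source is TCP-specific, so the packet reaches the implicit deny even though no explicit deny names it.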
Foundry IPv6 ACLs enable traffic filtering based on the following information:
IPv6 protocol
Source IPv6 address
Destination IPv6 address