Technical data

ServerIron ADX NAT64 Configuration Guide
53-1002444-02
IPv6 ACL overview
DRAFT: BROCADE CONFIDENTIAL
• Source TCP or UDP port (if the IPv6 protocol is TCP or UDP)
• Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)
The IPv6 protocol can be one of the following well-known names or any IPv6 protocol number from
0 through 255:
• IP Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
NOTE: TCP and UDP filters will be matched only if they are listed as the first option in the extension header.
For TCP and UDP, you can specify a comparison operator and port name or number. For example,
you can configure a policy to block web access to a specific website by denying all TCP port 80
(HTTP) packets from a specified source IPv6 address to the website’s IPv6 address.
Configuration notes
• Either IPv6 must be enabled globally or an IPv6 address must be configured on an interface
  before IPv6 ACLs can be configured.
• An IPv6 ACL can include up to 1024 entries or statements.
• Only named ACLs are supported.
• Only inbound ACLs are supported.
• If an IPv6 ACL has the implicit deny condition, make sure it also permits the IPv6 link-local
  address in addition to the global unicast address. Otherwise, routing protocols such as OSPF
  will not work. To view the link-local address, use the show ipv6 interface command.
• You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so will
  cause the system to return the following error message.
  Error: Port 7 has IPv6 ACL configured. Cannot disable IPv6
  To disable IPv6, first remove the ACL from the interface.
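The link-local and entry-limit notes above, modelled as an added Python example (not from the Brocade guide, and not ADX CLI syntax). It assumes first-match evaluation ending in an implicit deny; the addresses, tuple layout and function names are constructed for illustration.

```python
import ipaddress

MAX_ENTRIES = 1024          # per-ACL limit stated in the configuration notes
TCP, OSPFV3 = 6, 89         # IPv6 next-header (protocol) numbers

def entry(action, proto, src, dst, dport=None):
    """One ACL statement; proto is a number 0-255 or "ipv6" for any protocol."""
    return (action, proto, ipaddress.ip_network(src),
            ipaddress.ip_network(dst), dport)

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_dport in acl:
        if e_proto not in ("ipv6", proto):
            continue
        if src not in e_src or dst not in e_dst:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return action
    return "deny"  # assumption: nothing matched, so the implicit deny applies

def lint(acl):
    """List the problems the configuration notes warn about."""
    problems = []
    if len(acl) > MAX_ENTRIES:
        problems.append("more than 1024 entries")
    # OSPFv3 hellos are sourced from a link-local address and sent to ff02::5.
    if evaluate(acl, OSPFV3, "fe80::1", "ff02::5") == "deny":
        problems.append("link-local routing traffic hits the implicit deny")
    return problems

# Constructed sample ACLs (2001:db8::/32 is the documentation prefix).
WEB_BLOCK = entry("deny", TCP, "2001:db8:1::10/128", "2001:db8:2::80/128", dport=80)
GLOBAL_ONLY = [WEB_BLOCK, entry("permit", "ipv6", "2001:db8:1::/64", "::/0")]
WITH_LINK_LOCAL = GLOBAL_ONLY + [entry("permit", "ipv6", "fe80::/10", "::/0")]

if __name__ == "__main__":
    for name, acl in (("GLOBAL_ONLY", GLOBAL_ONLY),
                      ("WITH_LINK_LOCAL", WITH_LINK_LOCAL)):
        print(name, lint(acl) or "ok")
```

Running the same check over an exported ACL before binding it to an interface shows whether neighbor adjacencies would survive the implicit deny.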
Processing of IPv6 ACLs
There are two ways that IPv6 ACLs are processed in Foundry devices: in software and in hardware.
The processing differs depending on the software release that you are running. These differences
are described in the following sections.
Prior to ServerIron ADX 12.3.01
Prior to the release of ServerIron ADX 12.3.01, all permit and deny packets for IPv6 ACLs are
forwarded to the barrel processors (BPs) and the BPs perform the ACL processing.