FastIron Configuration Guide 1757
53-1002494-02
For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IPv6 address to the website IPv6 address.
IPv6 ACLs also provide support for filtering packets based on DSCP.
IPv6 ACL configuration notes
• IPv4 ACLs that filter based on VLAN membership or VE port membership
  (ACL-per-port-per-VLAN) are supported together with IPv6 ACLs on the same device, as long as
  they are not bound to the same port or virtual interface.
• IPv4 source guard and IPv6 ACLs are supported together on the same device, as long as they
  are not configured on the same port or virtual interface.
• IPv6 ACLs do not support ACL filtering based on VLAN membership or VE port membership.
• IPv6 ACLs cannot be used with GRE.
• IPv6 ACLs cannot be employed to implement a user-based ACL scheme.
• If an IPv6 ACL has the implicit deny condition, make sure it also permits the IPv6 link-local
  address, in addition to the global unicast address. Otherwise, routing protocols such as OSPF
  will not work. To view the link-local address, use the show ipv6 interface command.
• IPv6 must be enabled on the interface before an ACL can be applied to it. If IPv6 is not
  enabled on the interface, the system will display the following error message.

    Brocade(config-if-e1000-7)#ipv6 traffic-filter netw in
    Error: IPv6 is not enabled for interface 7

  To enable IPv6 on an interface, enter ipv6 enable at the Interface level of the CLI, or assign an
  IPv6 address to the interface as described in “IPv6 configuration on each router interface” on
  page 362 and further discussed in “Enabling IPv6 on an interface to which an ACL will be
  applied” on page 1768.
• You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so will
  cause the system to return the following error message.

    Brocade(config-if-e1000-7)#no ipv6 enable
    Error: Port 7 has IPv6 ACL configured. Cannot disable IPv6

  To disable IPv6, first remove the ACL from the interface.
• For notes on applying IPv6 ACLs to trunk ports, see “Applying an IPv6 ACL to a trunk group” on
  page 1769.
• For notes on applying IPv6 ACLs to virtual ports, see “Applying an IPv6 ACL to a virtual interface
  in a protocol-based or subnet-based VLAN” on page 1769.
• The dscp-cos-mapping option is supported on FESX and FSX devices only.
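
One way to check an ACL for the link-local requirement in the notes above before binding it to an interface. This is an added example, not taken from the guide. The sample ACL text is constructed, and the entry form `permit|deny <protocol> <source> <destination>` is an assumption about the configuration being audited.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ANY = ipaddress.ip_network("::/0")

def _take_addr(tokens):
    """Consume one address spec (any | host X | prefix/len); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]

def link_local_verdict(acl_text):
    """Walk entries in first-match order and report how traffic sourced from
    fe80::/10 is treated: 'permit', 'deny' or 'implicit-deny'.
    Only all-protocol ('ipv6') entries with destination 'any' are judged;
    tcp/udp and destination-specific entries cannot settle the fate of
    routing-protocol packets and are skipped."""
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ipv6":
            continue
        src, rest = _take_addr(tokens[2:])
        if not rest:
            continue
        dst, _ = _take_addr(rest)
        if dst != ANY:
            continue
        if tokens[0] == "permit" and LINK_LOCAL.subnet_of(src):
            return "permit"
        if tokens[0] == "deny" and src.overlaps(LINK_LOCAL):
            return "deny"
    return "implicit-deny"

# Constructed sample: permits only the global unicast prefix, so link-local
# sourced packets (for example OSPF hellos) fall through to the implicit deny.
GLOBAL_ONLY = """ipv6 access-list netw
 deny tcp host 2001:db8:1::10 host 2001:db8:2::80 eq 80
 permit ipv6 2001:db8:1::/64 any
"""
# Constructed sample: same ACL with the link-local range permitted as well.
WITH_LINK_LOCAL = GLOBAL_ONLY + " permit ipv6 fe80::/10 any\n"

if __name__ == "__main__":
    for name, acl in (("global only", GLOBAL_ONLY), ("with link-local", WITH_LINK_LOCAL)):
        print(f"{name}: {link_local_verdict(acl)}")
```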