FastIron Configuration Guide 1761
53-1002494-02
Creating an IPv6 ACL
Before an IPv6 ACL can be applied to an interface, it must first be created, and then IPv6 must be
enabled on that interface.
To create an IPv6 ACL, enter commands such as the following:
Brocade(config)# ipv6 access-list fdry
Brocade(config-ipv6-access-list-fdry)# deny tcp host 2000:2382:e0bb::2 any eq telnet
Brocade(config-ipv6-access-list-fdry)# permit ipv6 any any
Brocade(config-ipv6-access-list-fdry)# exit
This creates an access list that blocks all Telnet traffic from IPv6 host 2000:2382:e0bb::2.
Syntax for creating an IPv6 ACL
NOTE
The following features are not supported:
• ipv6-operator flow-label
• ipv6-operator fragments when any protocol is specified. The "fragments" option can be
specified only when "permit/deny ipv6" is specified. If you specify "tcp" or any other protocol
instead of "ipv6", the keyword "fragments" cannot be used.
• ipv6-operator routing when any protocol is specified. (Same limitation as for ipv6-operator
fragments.)
When creating ACLs, use the appropriate syntax below for the protocol you are filtering.
For IPv6 and supported protocols other than ICMP, TCP, or UDP
Syntax: [no] ipv6 access-list <ACL name>
Syntax: permit | deny <protocol>
<ipv6-source-prefix/prefix-length> | any | host <source-ipv6_address>
<ipv6-destination-prefix/prefix-length> | any | host <ipv6-destination-address>
[ipv6-operator [<value>]]
[802.1p-priority-matching <number>]
[dscp-marking <number> 802.1p-priority-marking <number> internal-priority-marking
<number>] | [dscp-marking <dscp-value> dscp-cos-mapping] | [dscp-cos-mapping]
For ICMP
Syntax: [no] ipv6 access-list <ACL name>
Syntax: permit | deny icmp <ipv6-source-prefix/prefix-length> | any | host
<source-ipv6_address>
<ipv6-destination-prefix/prefix-length> | any | host <ipv6-destination-address>
[ipv6-operator [<value>]]
[ [<icmp-type>][<icmp-code>] ] | [<icmp-message>]
[dscp-marking <number>]
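The restrictions in the NOTE (no flow-label; fragments and routing only with "permit/deny ipv6") can be checked offline before entries are entered on a device. The following Python linter is an added example, not part of the guide or any Brocade tool; the function names and sample entries are constructed here, and it assumes operators follow the destination, as in the guide's own Telnet example.

```python
import ipaddress

UNSUPPORTED = {"flow-label"}          # NOTE: never accepted
IPV6_ONLY = {"fragments", "routing"}  # NOTE: only with protocol "ipv6"
# Constructed sample entries; the first two are the guide's own example.
SAMPLE = """\
deny tcp host 2000:2382:e0bb::2 any eq telnet
permit ipv6 any any
deny ipv6 any any fragments
deny tcp any any fragments
deny udp 2001:db8::/32 any routing
permit ipv6 any any flow-label 10
"""


def _take_endpoint(tokens, problems):
    """Consume 'any', 'host <addr>' or '<prefix>/<length>' from tokens."""
    head = tokens.pop(0) if tokens else ""
    if head == "any":
        return
    try:
        if head == "host":
            ipaddress.IPv6Address(tokens.pop(0))
        elif "/" in head:
            ipaddress.IPv6Network(head, strict=False)
        else:
            raise ValueError(head)
    except (IndexError, ValueError):
        problems.append(f"bad IPv6 source/destination near {head!r}")


def lint_entry(line):
    """Return the problems found in one permit/deny entry (empty if clean)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return ["entry must start with permit or deny followed by a protocol"]
    protocol, rest, problems = tokens[1], tokens[2:], []
    _take_endpoint(rest, problems)  # source
    _take_endpoint(rest, problems)  # destination
    for opt in rest:  # whatever follows the destination
        if opt in UNSUPPORTED:
            problems.append(f"{opt} is not supported")
        elif opt in IPV6_ONLY and protocol != "ipv6":
            problems.append(f"{opt} needs protocol ipv6, not {protocol}")
    return problems


def lint_acl(text):  # maps each offending entry to its problems
    return {e: p for e in text.splitlines() if (p := lint_entry(e))}
```

Calling `lint_acl(SAMPLE)` returns only the three entries that violate the NOTE; the guide's own Telnet example and `deny ipv6 any any fragments` pass.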