Security Guide (Supporting ADX v03.1.00) Instruction Manual
Brocade Virtual ADX Security Guide, 53-1003250-01, page 50
IPv6 ACL overview
NOTE
TCP and UDP filters will be matched only if they are listed as the first option in the extension header.
For TCP and UDP, you can also specify a comparison operator and a port name or number. For
example, you can configure a policy that blocks web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address.
This chapter contains the following sections:
“Configuring an IPv6 ACL” on page 50
“Applying an IPv6 ACL to an interface” on page 55
“Displaying ACLs” on page 55
Configuration notes
Either IPv6 must be enabled globally or an IPv6 address must be configured on an interface
before IPv6 ACLs can be configured.
An IPv6 ACL can include up to 1024 entries (statements).
Only named ACLs are supported.
Only inbound ACLs are supported.
If an IPv6 ACL relies on the implicit deny condition, make sure it also permits the IPv6 link-local
address in addition to the global unicast address. Otherwise, routing protocols such as OSPF
will not work. To view the link-local address, use the show ipv6 interface command.
You cannot disable IPv6 on an interface to which an ACL is bound. Attempting to do so causes
the system to return the following error message.
Virtual ADX(config-if-e1000-7)#no ipv6 enable
Error: Port 7 has IPv6 ACL configured. Cannot disable IPv6
To disable IPv6, first remove the ACL from the interface.
Configuring an IPv6 ACL
To configure an IPv6 ACL, do the following:
1. Create the IPv6 ACL.
2. Apply the IPv6 ACL to the interface.
Example configurations
To configure an access list that blocks all Telnet traffic received on port 1/1 from IPv6 host
2001:db8:2382:e0bb::2, enter the following commands.
Virtual ADX(config)#ipv6 access-list fdry
Virtual ADX(config-ipv6-access-list-fdry)#deny tcp host 2001:db8:2382:e0bb::2 any eq telnet
Virtual ADX(config-ipv6-access-list-fdry)#permit ipv6 any any
Virtual ADX(config-ipv6-access-list-fdry)#exit
Virtual ADX(config)#int ethernet 1/1
Virtual ADX(config-if-1/1)#ipv6 traffic-filter fdry in
Virtual ADX(config)#write memory