CLI Guide

Layer 2 Switching Commands 567
Host - indicates /128 prefix length for IPv6.
Port ranges are not supported for egress (out) IPv6 traffic-filters. This means
that only the eq operator is supported for egress (out) ACLs.
The protocol type must be SCTP, TCP or UDP to specify a port range. The
protocol type must be IPv6, SCTP, TCP, ICMPv6, or UDP to specify a flow
label.
The IPv6 “fragment” and “routing” keywords are not supported on egress
(out) access groups. The log action is supported for both permit and deny
rules.
If a permit|deny clause is entered with the same sequence number as an
existing rule, the configuration is denied with an error message.
An implicit deny all condition is added by the system after the last MAC or
IP/IPv6 access group if no route-map is configured on the interface.
Every permit/deny rule that does not have a rate-limit parameter is assigned a
counter. If counter resources become exhausted, a warning is issued and the
rule is applied to the hardware without the counter.
If a permit|deny clause is entered with the same sequence number as an
existing rule, an error is displayed and the existing rule is not updated with
the new information.
Since ACLs have an implicit deny all at the end of the last access-group, IPv6
ACLs need explicit permit icmp any any nd-na and permit icmp any any
nd-ns statements as match conditions. These additional conditions allow
ICMPv6 neighbor discovery to occur.
For the N1100-ON/N1500/N2000/N2100-ON/N2200-ON/N3000-ON/N3100-ON
series switches, for ingress (in) ACLs:
The IPv6 ACL “fragment” keyword matches only on the first IPv6
extension header for the fragment header (next header code 44). If the
fragment header appears in the second or a subsequent header, it is not
matched.
The IPv6 ACL “routing” keyword matches only on the first IPv6 extension
header for the routing header (next header code 43). If the routing
header appears in the second or a subsequent header, it is not matched.
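
The first-extension-header limit described above can be audited against captured traffic. This added example (not from the guide; the function names and sample packets are constructed here) walks an IPv6 extension header chain and reports packets whose fragment or routing header is present but not first, which the ingress keyword would not match. It assumes only hop-by-hop, routing, fragment and destination-options headers appear in the chain.

```python
import struct

# IPv6 extension header codes (RFC 8200); 44 and 43 are the codes the guide cites.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
KEYWORD_CODE = {"fragment": FRAGMENT, "routing": ROUTING}

def extension_chain(packet: bytes) -> list[int]:
    """Return the extension header codes of an IPv6 packet, in order."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(next_header)
        # The fragment header is a fixed 8 bytes; the others carry a length
        # field counted in 8-byte units, not including the first 8 bytes.
        size = 8 if next_header == FRAGMENT else (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += size
    return chain

def acl_keyword_matches(packet: bytes, keyword: str) -> bool:
    """Model of the documented ingress behaviour: first extension header only."""
    chain = extension_chain(packet)
    return bool(chain) and chain[0] == KEYWORD_CODE[keyword]

def missed_by_keyword(packet: bytes, keyword: str) -> bool:
    """True when the header is present but not first, so the rule would not match."""
    chain = extension_chain(packet)
    return KEYWORD_CODE[keyword] in chain and chain[0] != KEYWORD_CODE[keyword]

def _ipv6(first_next_header: int, payload: bytes) -> bytes:
    """Build a constructed test packet (documentation addresses, 2001:db8::/32)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64)
    return fixed + src + dst + payload

# Constructed samples: fragment header first, and fragment header after hop-by-hop.
FRAG = bytes([17, 0, 0, 0, 0, 0, 0, 1])            # next=UDP, offset 0, id 1
HBH = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])       # next=44, length 0, PadN option
UDP = b"\x00" * 8                                  # placeholder UDP header
FRAG_FIRST = _ipv6(FRAGMENT, FRAG + UDP)
FRAG_SECOND = _ipv6(HOP_BY_HOP, HBH + FRAG + UDP)
```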
For all series switches, port ranges are not supported on egress (out) ACLs.
Only the eq operator is supported in an egress ACL.