3Com Switch 8800 Advanced Software V5 Configuration Guide
816 CHAPTER 58: IPV6 ACL CONFIGURATION
Creating or modifying a rule fails if its permit/deny statement is exactly the
same as that of another rule. In addition, if the ACL match order is set to auto
rather than config, you cannot modify ACL rules.
When defining ACL rules, you need not assign them IDs. The system can
automatically assign rule IDs, starting with 0 and increasing by the rule
numbering step. A rule ID thus assigned is greater than the current highest rule
ID. For example, if the rule numbering step is five and the current highest rule ID is
28, the next rule will be numbered 30.
You may use the display acl ipv6 command to verify rules configured in an ACL.
If the match order for this IPv6 ACL is auto, rules are displayed in the depth-first
match order rather than by rule number.
CAUTION:
■ You can modify the match order of an IPv6 ACL with the acl ipv6 number
acl6-number match-order { auto | config } command but only when it does
not contain any rules.
■ The rule specified in the rule comment command must already exist.
Configuration Example
# Create IPv6 ACL 2000 to permit IPv6 packets with source address
2030:5060::9050/64 to pass while denying IPv6 packets with source address
fe80:5060::8050/96.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule deny source fe80:5060::8050/96
# Verify the configuration.
[Sysname-acl6-basic-2000] display acl ipv6 2000
Basic IPv6 ACL 2000, 2 rules,
Acl’s step is 5
rule 0 permit source 2030:5060::9050/64 (4 times matched)
rule 5 deny source FE80:5060::8050/96 (5 times matched)
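The rule numbering, duplicate check and match order described above, modelled as an added example in Python (not 3Com code or switch output). The class and function names are hypothetical, and two behaviours are assumptions not stated in this section: that depth-first order for a basic IPv6 ACL means longest source prefix first, and that two rules are "exactly the same" when action and prefix are equal.

```python
import ipaddress

class BasicAcl6:
    """Toy model of a basic IPv6 ACL (source-address rules only)."""

    def __init__(self, step=5, match_order="config"):
        self.step, self.match_order = step, match_order
        self.rules = {}  # rule ID -> (action, source network)

    def add_rule(self, action, source, rule_id=None):
        # strict=False accepts host bits, as in 2030:5060::9050/64
        net = ipaddress.ip_network(source, strict=False)
        # Assumption: "exactly the same" means same action and same prefix
        if (action, net) in self.rules.values():
            raise ValueError("identical permit/deny statement already exists")
        if rule_id is None:
            # Next multiple of the step above the highest ID: 28 -> 30, empty -> 0
            highest = max(self.rules, default=-1)
            rule_id = (highest // self.step + 1) * self.step
        self.rules[rule_id] = (action, net)
        return rule_id

    def ordered(self):
        items = sorted(self.rules.items())  # config order: ascending rule ID
        if self.match_order == "auto":
            # Assumption: depth-first = longest source prefix first, then rule ID
            items.sort(key=lambda r: (-r[1][1].prefixlen, r[0]))
        return items

    def match(self, src):
        """Return (rule ID, action) of the first matching rule, or None."""
        addr = ipaddress.ip_address(src)
        for rule_id, (action, net) in self.ordered():
            if addr in net:
                return rule_id, action
        return None

def compare_orders(src):
    """Constructed overlapping rules: a /64 permit containing a /120 deny."""
    result = {}
    for order in ("config", "auto"):
        acl = BasicAcl6(match_order=order)
        acl.add_rule("permit", "2030:5060::/64")
        acl.add_rule("deny", "2030:5060::9000/120")
        result[order] = acl.match(src)
    return result

if __name__ == "__main__":
    print(compare_orders("2030:5060::9050"))
```

With overlapping rules the same source address is permitted under config order and denied under auto order, which is why the match order should be checked before reading a rule list top to bottom.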
Configuring an Advanced IPv6 ACL
Advanced ACLs filter packets based on the source IPv6 address, destination IPv6
address, protocol carried on IP, and other protocol header fields such as the
TCP/UDP source port, TCP/UDP destination port, ICMP message type, and ICMP
message code.
Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with
basic IPv6 ACLs, they allow more flexible and accurate filtering.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range
command first.
Configuration Procedure
Follow these steps to configure an advanced IPv6 ACL:
To do...             Use the command...   Remarks
Enter system view    system-view          --