IPv6 Access Control Lists

An IPv6 ACL consists of a set of rules that are matched sequentially against a packet. When a packet meets the match criteria of a rule, the specified rule action (Permit/Deny) is taken and the remaining rules are not checked. On this menu you specify the interfaces to which an IPv6 ACL applies, as well as whether it applies to inbound or outbound traffic. Rules for the IPv6 ACL are created using the IPv6 ACL Rule Configuration page.

The IP Access Control List folder contains links to web pages that allow you to configure and view IPv6 ACLs.

To configure an IPv6 ACL:

  1. Use the “IPv6 ACL Configuration” page to define the IPv6 ACL type and assign an ID to it.
  2. Use the “IPv6 ACL Rule Configuration” page to create rules for the ACL.
  3. Use the “ACL Interface Configuration” and/or “ACL Interface/VLAN Summary” pages to assign the ACL by its ID number to a port or VLAN.
  4. Optionally, use the “IPv6 ACL Summary” page to view the configurations.

IPv6 ACL Configuration

Use the IPv6 ACL Configuration page to add or remove IPv6-based ACLs.

To display the IPv6 ACL Configuration page, click QoS > Access Control Lists > IPv6 Access Control Lists > Configuration in the navigation menu.

IPv6 ACL Configuration

IPv6 ACL Configuration Fields

Field

Description

IPv6 ACL

Select a type of ACL to create, or select an existing ACL to delete from the dropdown menu.

IPv6 ACL Name

Specify an IPv6 ACL name string which includes alphanumeric characters only. The name must start with an alphabetic character. This field displays the name of the currently selected IPv6 ACL if the ACL has already been created.

The ACL Table at the bottom of the page shows the current size of the ACL table versus the maximum size of the ACL table. The current size is equal to the number of configured IPv4/IPv6 ACLs plus the number of configured MAC ACLs. The maximum size is 100.

IPv6 ACL Summary

Use the IPv6 ACL Summary page to view all IPv6 ACLs and their related data.

To display the IPv6 ACL Summary page, click QoS > Access Control Lists > IPv6 Access Control Lists > Summary in the navigation menu.

IPv6 ACL Summary

IPv6 ACL Summary Fields

Field

Description

IPv6 ACL Name

Describes the number ranges for IPv4 ACL standard versus extended. The range for a standard IP ACL is 1-99. For an extended IP ACL, the ID range is 101-199.

Rules

Shows the number of rules currently configured for the IP ACL.

Direction

Shows the direction of packet traffic affected by the IP ACL, which can be Inbound or blank.

Interface

Shows the interfaces to which the IP ACL applies.

VLAN ID

The VLAN(s) to which the IPv6 ACL applies.

Click Refresh to update the information on the screen.

IPv6 ACL Rule Configuration

Use the IPv6 ACL Rule Configuration page to define rules for IPv6-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, you can assign matching traffic to a particular queue, filter on some traffic, change the VLAN tag, shut down a port, and/or redirect the traffic to a particular port. By default, no specific value is in effect for any of the IPv6 ACL rules.

NOTE: There is an implicit "deny all" rule at the end of an ACL list. This means that if an ACL is applied to a packet and if none of the explicit rules match, then the final implicit "deny all" rule applies and the packet is dropped.
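The following is an added example, not part of this manual or the device software: a small Python model of the matching semantics described above (rules checked in order, first match decides, a rule whose time range is inactive is skipped, implicit "deny all" at the end). The rules, addresses and packets are constructed for illustration; the Rule and Packet classes are hypothetical and only model a subset of the fields listed on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    match_every: bool = False          # True: every packet matches this rule
    protocol: Optional[int] = None     # IP protocol number (6 = TCP, 17 = UDP, 58 = ICMPv6)
    src_prefix: Optional[str] = None   # e.g. "2001:db8:1::/64", prefix length 0 to 128
    dst_prefix: Optional[str] = None
    dst_port: Optional[int] = None     # layer 4 destination port, 0 to 65535
    time_range_active: bool = True     # False models a named time range that is inactive

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None

def in_prefix(addr: str, prefix: Optional[str]) -> bool:
    # An unset prefix means "any"; otherwise only the prefix-length bits are compared.
    return prefix is None or ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.match_every:
        return True
    # Every configured criterion must match; criteria left unset are wildcards.
    return ((rule.protocol is None or rule.protocol == pkt.protocol)
            and in_prefix(pkt.src, rule.src_prefix) and in_prefix(pkt.dst, rule.dst_prefix)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the rules in order; the first match decides and later rules are not checked."""
    for rule in acl:
        if not rule.time_range_active:
            continue  # the rule is removed from the ACL while its time range is inactive
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return "deny", None  # implicit "deny all" at the end of every ACL

# Constructed sample ACL (hypothetical addresses from the 2001:db8::/32 documentation range).
ACL = [
    Rule(1, "permit", protocol=6, src_prefix="2001:db8::/32", dst_port=443),
    Rule(2, "permit", protocol=17, dst_port=53, time_range_active=False),
    Rule(3, "deny", src_prefix="2001:db8:bad::/48"),
]
```

Note that HTTPS traffic from 2001:db8:bad::/48 is permitted by rule 1 before the more specific deny in rule 3 is ever reached, which is why rule order matters when reviewing an ACL; DNS traffic falls through to the implicit deny while rule 2's time range is inactive.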

To display the IPv6 ACL Rule Configuration page, click QoS > Access Control Lists > IPv6 Access Control Lists > Rule Configuration in the navigation menu.

The figure below shows the fields available when Create Rule is selected in the Rule field.

IPv6 ACL Rule Configuration (Create Rule)

After you specify a Rule ID, select the action and match type, and click Submit, additional fields appear on the page.

IPv6 ACL Rule Configuration (Create Rule)-2

The table below shows all possible fields on the IPv6 ACL Rule Configuration page. The actual fields available on the page depend on what type of rule you configure, whether you create a new rule or modify an existing rule, and whether the rule action is Permit or Deny.

IPv6 ACL Rule Configuration Fields

Field

Description

IPv6 ACL

Select the ACL you want to configure.

Rule

Select an existing Rule ID to modify or select Create Rule to configure a new ACL rule. New rules cannot be created if the maximum number of rules has been reached. For each rule, a packet must match all the specified criteria in order to match that rule and for the specified rule action (Permit/Deny) to take place.

Rule ID

If you selected an existing rule ID in the Rule field, that ID displays here. If you are creating a new rule, then enter the next available ID number (or any other number). The number of rules you can create in an ACL is platform dependent.

Action

Specify what action should be taken if a packet matches the rule’s criteria. The choices are Permit or Deny.

Logging

When set to 'True', logging is enabled for this ACL rule (subject to resource availability in the device). If the Access List Trap Flag is also enabled, this will cause periodic traps to be generated indicating the number of times this rule was 'hit' during the current report interval. A fixed 5 minute report interval is used for the entire system. A trap is not issued if the ACL rule hit count is zero for the current interval. This field is visible for a 'Deny' Action.

Time Range Name

Use this field to impose a time limitation on the ACL rule. When you click Configure, you can select a configured time range or create a new named time range. To configure the time range values, use the System > Time Ranges > Time Range Entry Configuration page.

If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive.

Match Every

Select True or False from the pulldown menu.

True signifies that all packets will match the selected IPv6 ACL and rule and will be either permitted or denied. In this case, since all packets match the rule, the option of configuring other match criteria will not be offered. To configure specific match criteria for the rule, remove the rule and re-create it, or re-configure 'Match Every' to 'False' for the other match criteria to be visible.

Protocol

There are two ways to configure the IPv6 protocol match:

  • Specify an integer ranging from 0 to 255 after selecting the protocol keyword "other". This number represents the IP protocol number.
  • Select the name of a protocol from the existing list: Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP).

Additional Fields when Action = Deny

Source Prefix/Prefix Length

Specify the IPv6 prefix combined with the IPv6 prefix length of the network or host from which the packet is being sent. The prefix length can be in the range 0 to 128.

Source L4 Port

Specify a packet's source layer 4 port as a match condition for the selected IPv6 ACL rule. Source port information is optional. Source port information can be specified in two ways:

  • Select the keyword "other" from the drop-down menu and specify the number of the port in the range from 0 to 65535.
  • Select one of the keywords from the list: DOMAIN, ECHO, FTP, FTPDATA, HTTP, SMTP, SNMP, TELNET, TFTP, and WWW. Each of these values translates into its equivalent port number, which is used as both the start and end of the port range.

Destination Prefix/Prefix Length

Enter up to a 128-bit prefix combined with the prefix length to be compared to a packet's destination IP address as a match criterion for the selected IPv6 ACL rule. The prefix length can be in the range 0 to 128.

Destination L4 Port Number

Specify a packet's destination layer 4 port number match condition for the selected IPv6 ACL rule. This is an optional configuration.

Destination L4 Port Keyword

Specify the destination layer 4 port match conditions for the selected IPv6 ACL rule. The possible values are DOMAIN, ECHO, FTP, FTPDATA, HTTP, SMTP, SNMP, TELNET, TFTP, and WWW. Each of these values translates into its equivalent port number, which is used as both the start and end of the port range. This is an optional configuration.

Flow Label

A 20-bit number that is unique to an IPv6 packet and is used by end stations to signify QoS handling in routers. The flow label can be specified within the range 0 to 1048575.

IPv6 DSCP Service

Specify the IP DiffServ Code Point (DSCP) value, which is defined as the high-order six bits of the Service Type octet in the IPv6 header. This is an optional configuration. Enter an integer from 0 to 63. The IPv6 DSCP can be selected from one of the DSCP keywords in the dropdown box. To specify a DSCP by its numeric value, select the 'Other' option in the menu and a text box displays for entering the numeric value.

Additional Fields when Action = Permit (for any field not listed below, see the Action = Deny field definitions above)

Assign Queue ID

Specifies the hardware egress queue identifier used to handle all packets matching this IPv6 ACL rule. Valid range of Queue IDs is 0 to 6.

Mirror Interface

Specifies the egress interface where the matching traffic stream is copied, in addition to it being forwarded normally by the device. This field cannot be set if a Redirect Interface is already configured for the ACL rule.

Redirect Interface

Specifies the egress interface where the matching traffic stream is forced, bypassing any forwarding decision normally performed by the device. This field cannot be set if a Mirror Interface is already configured for the ACL rule.

These changes will not be retained across a power cycle unless a save configuration is performed.

IPv6 ACL Rule Status Summary

Use the IPv6 ACL Rule Status Summary page to view whether the time-based rule within an ACL is currently active or inactive.

To display the IPv6 ACL Rule Status Summary page, click QoS > Access Control Lists > IPv6 Access Control Lists > Rule Status Summary in the navigation menu.

IPv6 ACL Rule Status Summary

IPv6 ACL Rule Status Summary Fields

Field

Description

IPv6 ACL

Shows the user-configured name associated with the ACL.

Rules

Identifies a rule currently configured for the IP ACL.

Time Range Name

Identifies the time range associated with the rule.

Rule Status

Identifies whether the time-based rule is active. If the current time is outside of the defined time range, the rule is inactive.

Click Refresh to update the information on the screen.

See Also

Configuring Quality of Service

Configuring Access Control Lists

MAC Access Control Lists

Configuring Differentiated Services

Configuring Class of Service

Configuring Auto VoIP