6.4.9. deny (IPv6)

Syntax

[sequence <1-2147483647>] deny (<0-255> | ipv6) (X:X::X:X/<0-128> | any) (X:X::X:X/<0-128> | any) [(dscp | precedence) VALUE]

[sequence <1-2147483647>] deny icmp (X:X::X:X/<0-128> | any) (X:X::X:X/<0-128> | any) (<0-255> | destination-unreachable | time-exceeded | parameter-problem | echo-reply | mld-query | mld-report | mldv2-report | mld-done | router-solicitation | router-advertisement | nd-ns | nd-na | any) (<0-255> | any) [(dscp | precedence) VALUE]

[sequence <1-2147483647>] deny tcp (X:X::X:X/<0-128> | any) (<0-65535> | echo | discard | daytime | ftp-data | ftp | telnet | smtp | time | hostname | whois | tacacs-ds | domain | www | pop2 | pop3 | syslog | talk | klogin | kshell | sunrpc | drip | PORT_RANGE | any) (X:X::X:X/<0-128> | any) (<0-65535> | echo | discard | daytime | ftp-data | ftp | telnet | smtp | time | hostname | whois | tacacs-ds | domain | www | pop2 | pop3 | syslog | talk | klogin | kshell | sunrpc | drip | PORT_RANGE | any) [match-all TCP_FLAG] [(dscp | precedence) VALUE]

[sequence <1-2147483647>] deny udp (X:X::X:X/<0-128> | any) (<0-65535> | echo | discard | time | nameserver | tacacs-ds | domain | bootps | bootpc | tftp | sunrpc | ntp | netbios-ns | snmp | snmptrap | who | syslog | talk | rip | PORT_RANGE | any) (X:X::X:X/<0-128> | any) (<0-65535> | echo | discard | time | nameserver | tacacs-ds | domain | bootps | bootpc | tftp | sunrpc | ntp | netbios-ns | snmp | snmptrap | who | syslog | PORT_RANGE | any) [(dscp | precedence) VALUE] [shutdown]

no sequence <1-2147483647>

Parameter

<1-2147483647>

(Optional) Specify the sequence index of the ACE. The sequence index represents the priority of the ACE within the ACL.

(X:X::X:X/<0-128>|any)

Specify the source IPv6 address and prefix length of the packet, or any IPv6 address.

(X:X::X:X/<0-128>|any)

Specify the destination IPv6 address and prefix length of the packet, or any IPv6 address.

[dscp VALUE]

(Optional) Specify the DSCP value of the packet.

[precedence VALUE]

(Optional) Specify the IP precedence value of the packet.

icmp-type

Specify the ICMP message type for filtering ICMP packets. Enter a type name from the list or the number of the ICMP message type.

icmp-code

Specify the ICMP message code for filtering ICMP packets.

l4-source-port

Specify the TCP/UDP source port for filtering TCP/UDP packets. Enter a port name from the list or the number of the TCP/UDP port.

l4-destination-port

Specify the TCP/UDP destination port for filtering TCP/UDP packets. Enter a port name from the list or the number of the TCP/UDP port.

match-all

Specify the TCP flags to match for TCP packets. A flag that must be set is prefixed by “+”; a flag that must be unset is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. To define more than one flag, enter the additional flags one after another without a space (for example, +syn-ack).

[shutdown]

(Optional) Shut down the interface when the ACE is hit.

Default

No default is defined.

Mode

IP ACL Configuration

Usage

Use the deny command to add an IPv6 ACE with deny conditions; packets that hit the ACE are dropped. The “sequence” index also represents the hit priority once the ACL is bound to an interface. An ACE added without a “sequence” index is assigned the largest existing index plus 20. If the packet content matches more than one ACE, the ACE with the lowest sequence index is hit. An ACE cannot be added if it has the same conditions as an existing ACE. Use “shutdown” to shut down the interface when the ACE is hit.
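The rules in the Usage and match-all sections (sequence index auto-assignment, rejection of an ACE whose conditions duplicate an existing one, lowest-sequence-wins lookup, and the +flag/-flag TCP flag syntax) can be modelled in a few dozen lines. The following Python model is an added illustration written for this page; it is not the switch's own implementation. The class and function names, the dictionary used to represent a packet, and the sample entries other than the page's own deny ipv6 any fe80::abcd/128 are constructed here. One detail is inferred rather than stated: the page's example shows the first entry of an empty ACL receiving sequence 1, so the model assigns 1 to an empty list and largest-plus-20 thereafter.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TCP_FLAGS = ("urg", "ack", "psh", "rst", "syn", "fin")


def net(cidr: str) -> ipaddress.IPv6Network:
    """Helper so callers can write net('fe80::abcd/128') as in the CLI."""
    return ipaddress.IPv6Network(cidr)


def parse_match_all(spec: str) -> Dict[str, bool]:
    """Parse a match-all string such as '+syn-ack' into {'syn': True, 'ack': False}.
    '+' means the flag must be set, '-' that it must be clear; several flags are
    written back to back without spaces, exactly as the command syntax describes."""
    parts = re.findall(r"([+-])(urg|ack|psh|rst|syn|fin)", spec)
    if not parts or "".join(sign + flag for sign, flag in parts) != spec:
        raise ValueError(f"invalid match-all specification: {spec!r}")
    return {flag: sign == "+" for sign, flag in parts}


@dataclass
class Ace:
    """One deny entry. None for an address or port means 'any' (constructed model)."""
    proto: str = "ipv6"          # "ipv6" matches every next header; else "tcp"/"udp"/"icmp"
    src: Optional[ipaddress.IPv6Network] = None
    dst: Optional[ipaddress.IPv6Network] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    flags: Dict[str, bool] = field(default_factory=dict)   # from parse_match_all
    sequence: int = 0

    def conditions(self):
        """Everything except the sequence index; two ACEs with equal conditions are duplicates."""
        return (self.proto, self.src, self.dst, self.src_port, self.dst_port,
                tuple(sorted(self.flags.items())))

    def matches(self, pkt: dict) -> bool:
        """pkt is a dict with keys src, dst, proto and optional sport, dport, flags (a set)."""
        if self.proto != "ipv6" and self.proto != pkt["proto"]:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.src_port is not None and self.src_port != pkt.get("sport"):
            return False
        if self.dst_port is not None and self.dst_port != pkt.get("dport"):
            return False
        present = pkt.get("flags", set())
        # Every +flag must be present and every -flag absent.
        return all((flag in present) == wanted for flag, wanted in self.flags.items())


class IPv6Acl:
    AUTO_STEP = 20   # "largest existing index plus 20" from the Usage text

    def __init__(self, name: str):
        self.name = name
        self.aces: List[Ace] = []

    def deny(self, ace: Ace, sequence: Optional[int] = None) -> Ace:
        """Add a deny ACE, mirroring the rules in the Usage section."""
        if any(existing.conditions() == ace.conditions() for existing in self.aces):
            raise ValueError("an ACE with the same conditions already exists")
        if sequence is None:
            # Assumption drawn from the page's example: an empty ACL starts at 1.
            sequence = (max(a.sequence for a in self.aces) + self.AUTO_STEP) if self.aces else 1
        ace.sequence = sequence
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.sequence)   # keep lookup order = priority order
        return ace

    def lookup(self, pkt: dict) -> Optional[Ace]:
        """Return the hit ACE (lowest sequence first) or None when nothing matches."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace
        return None


if __name__ == "__main__":
    acl = IPv6Acl("ipv6test")
    acl.deny(Ace(dst=net("fe80::abcd/128")))                       # the page's example
    acl.deny(Ace(proto="tcp", dst_port=23, flags=parse_match_all("+syn-ack")))  # constructed
    for a in acl.aces:
        print(f"sequence {a.sequence} deny {a.proto} dst={a.dst or 'any'} dport={a.dst_port or 'any'} flags={a.flags}")
```

The lookup deliberately walks the list in sequence order and stops at the first hit, which is why an ACE that catches a broad condition at a low sequence index will shadow a more specific ACE added later with a higher index; when adding entries without an explicit sequence, check the resulting order with the show acl command before binding the ACL to an interface.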

Example

The example shows how to add an ACE that denies packets with the destination IPv6 address fe80::abcd. You can verify the settings with the show acl command that follows.

Switch(config)# ipv6 acl ipv6test
Switch334455(ip-al)# deny ipv6 any fe80::abcd/128
Switch334455(ip-al)# show acl
IPv6 access list ipv6test
sequence 1 deny ipv6 any fe80::abcd/128