7.6. Configuring IPv6 ACL

Overview

Function Introduction

Access control lists for IPv6 (ACLv6) classify traffic that shares the same characteristics. An ACLv6 can contain multiple access control entries (ACEs), each of which is a command that matches fields against the contents of a packet. An ACLv6 can filter packets received on an interface by many fields, such as the IPv6 address, and either deny or permit them.

Principle Description

The following terms and concepts are used to describe ACLv6:

  • Access control entry (ACE): Each ACE includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.

  • IPv6 ACL: An IPv6 ACL can filter packets by IPv6 source address (ipv6-sa) and IPv6 destination address (ipv6-da); an address can be masked, configured as a single host, or configured as any to match all IPv6 addresses. An IPv6 ACL can also filter on other L3 fields such as the L4 protocol, and on L4 fields such as TCP port and UDP port.

  • Time Range: A time range defines a period of time during which an ACE is valid, if the ACE is associated with that time range; outside that period the ACE does not take effect.

Configuration

Fig. 7.4 IPv6 ACL

step 1 Enter the configure mode

Switch# configure terminal

step 2 Enable IPv6 globally

Switch(config)# ipv6 enable

step 3 Create access list

MAC access list:

Switch(config)# mac access-list mac
Switch(config-mac-acl)# permit src-mac host 0000.0000.1111 dest-mac any
Switch(config-mac-acl)# deny src-mac any dest-mac any
Switch(config-mac-acl)# exit

ipv6 access list:

Switch(config)# ipv6 access-list ipv6
Switch(config-ipv6-acl)# permit any 2001::/64 any
Switch(config-ipv6-acl)# deny any any any
Switch(config-ipv6-acl)# exit

step 4 Create class-map, and bind the access list

Switch(config)# class-map cmap1
Switch(config-cmap)# match access-group mac
Switch(config-cmap)# exit
Switch(config)# class-map cmap2
Switch(config-cmap)# match access-group ipv6
Switch(config-cmap)# exit

step 5 Create policy-map and bind the class map

Switch(config)# policy-map pmap1
Switch(config-pmap)# class cmap1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# policy-map pmap2
Switch(config-pmap)# class cmap2
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit

step 6 Apply the policy to the interface

Switch(config)# interface eth-0-1
Switch(config-if)# service-policy input pmap1
Switch(config-if)# exit
Switch(config)# interface eth-0-2
Switch(config-if)# service-policy input pmap2
Switch(config-if)# exit

step 7 Exit the configure mode

Switch(config)# end

step 8 Validation

When IPv6 is enabled globally, IPv6 packets are not subject to the MAC ACL rules. Check the resulting configuration with show running-config:

Switch# show running-config
mac access-list mac
10 permit src-mac host 0000.0000.1111 dest-mac any
20 deny src-mac any dest-mac any
 !
ipv6 access-list ipv6
10 permit any 2001::/64 any
20 deny any any any
 !
class-map match-any cmap1
match access-group mac
 !
class-map match-any cmap2
match access-group ipv6
 !
policy-map pmap1
class cmap1
 !
policy-map pmap2
class cmap2
 !
interface eth-0-1
service-policy input pmap1
 !
interface eth-0-2
service-policy input pmap2
 !
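As an added example (not part of the original guide or the switch software), the following Python evaluates the IPv6 access list configured in step 3 against sample packets the way an ACL is applied: ACEs are checked in sequence-number order and the first match decides permit or deny. The ACE field order `<protocol> <source> <destination>` and the `host` keyword are assumptions, not stated on this page.

```python
import ipaddress

# Constructed sample: the two ACEs from the ipv6 access list in step 3, as they
# appear in "show running-config" (sequence number first). Assumed field order
# (not stated on the page): <seq> <action> <protocol> <source> <destination>.
IPV6_ACL = """\
10 permit any 2001::/64 any
20 deny any any any
"""

def _match_addr(field: str, addr: str) -> bool:
    """Address field is 'any', 'host X' (assumed keyword) or a masked prefix."""
    if field == "any":
        return True
    if field.startswith("host "):
        return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(field.split()[1])
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(field, strict=False)

def parse_acl(text: str) -> list:
    """Return ACEs sorted by sequence number as (seq, action, proto, src, dst)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
        fields = []
        while rest:  # 'host X' takes two tokens; 'any' and a prefix take one
            if rest[0] == "host":
                fields.append("host " + rest[1])
                rest = rest[2:]
            else:
                fields.append(rest[0])
                rest = rest[1:]
        src, dst = fields
        aces.append((seq, action, proto, src, dst))
    return sorted(aces)

def evaluate(acl: list, src: str, dst: str, proto: str = "tcp"):
    """First matching ACE wins; returns (seq, action), or None if no ACE matched.
    The list on this page ends with an explicit 'deny any any any', so every
    packet is decided by some ACE and None is never returned for it."""
    for seq, action, p, s, d in acl:
        if p != "any" and p != proto:
            continue
        if _match_addr(s, src) and _match_addr(d, dst):
            return seq, action
    return None
```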

Application cases

N/A