11.7. ACLv6 Commands
11.7.1. ipv6 access-list
Command Purpose
Use this command in global configuration mode to create an IPv6 ACL and then enter IPv6 ACL configuration mode.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
ipv6 access-list ACL_NAME
no ipv6 access-list ACL_NAME
Parameter | Parameter Description | Parameter Value
---|---|---
ACL_NAME | The name of the IPv6 ACL | A string with up to 40 characters
Command Mode
Global Config
Default
None
Usage
If the system already has an IPv6 ACL with the same name, this command enters the IPv6 ACL configuration mode for it. However, if the name is already used by another type of ACL, a prompt message is shown.
When the name is not used by any ACL, this command first creates the IPv6 ACL and then enters the IPv6 ACL configuration mode.
Examples
This example shows how to create an IPv6 ACL named list_ipv6_1 and then enter the IPv6 ACL configuration mode:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)#
This example shows how to remove the IPv6 ACL named list_ipv6_1:
Switch# configure terminal
Switch(config)# no ipv6 access-list list_ipv6_1
11.7.2. sequence-num
Command Purpose
Use this command to remove a filter from an IPv6 ACL.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
no sequence-num SEQUENCE_NUM
Parameter | Parameter Description | Parameter Value
---|---|---
SEQUENCE_NUM | The sequence number of an IPv6 filter | The range is 1 to 131071
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
This example shows how to remove a filter with the sequence-num 10 from IPv6 ACL:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# no sequence-num 10
Related Commands
deny
deny tcp
deny udp
deny icmp
permit
permit tcp
permit udp
permit icmp
11.7.3. remark
Command Purpose
Use this command to add remarks for the IPv6 ACL.
To remove remarks of the IPv6 ACL, use the no form of this command.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
remark REMARK
no remark
Parameter | Parameter Description | Parameter Value
---|---|---
REMARK | The remarks of the IPv6 ACL | String with up to 100 characters
Command Mode
IPv6 ACL Configuration
Default
None
Usage
Remarks can be up to 100 characters. Any characters beyond that limit are truncated and not stored.
Examples
This example shows how to add a remark to describe the IPv6 ACL:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# remark remark of List for ipv6
This example shows how to remove the remark of the IPv6 ACL:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# no remark
Related Commands
ipv6 access-list
11.7.4. deny
Command Purpose
Use this command to discard ongoing IPv6 packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) deny ( PROTO_NUM | any ) ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) (packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
PROTO_NUM | An IPv6 protocol number | 0-255
any | Any IPv6 protocol | -
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
If the sequence-num field is not present, an auto-generated sequence number is assigned to the filter. The auto-generated number is the maximum existing sequence number in the IPv6 ACL plus 10. For example, when the maximum existing sequence number is 100, the next IPv6 filter created gets sequence number 110.
Examples
This example shows how to create a filter in IPv6 ACL to deny any IPv6 packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 deny any any any
This example shows how to create a filter in IPv6 ACL to deny any routed packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 deny any any any routed-packet
Related Commands
no sequence-num
11.7.5. deny tcp
Command Purpose
Use this command to reject TCP packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) deny tcp ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( src-port OPERATOR SRC_PORT | ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( dst-port OPERATOR DST_PORT | ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any destination host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
OPERATOR SRC_PORT | Source port operator and value | Source port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
OPERATOR DST_PORT | Destination port operator and value | Destination port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in IPv6 ACL to deny any TCP packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 deny tcp any any
This example shows how to create a filter in IPv6 ACL to deny the TCP packets with the source IPv6 address 2001::2020, source port 8080:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 deny tcp host 2001::2020 src-port eq 8080 any
Related Commands
no sequence-num
11.7.6. deny udp
Command Purpose
Use this command to reject UDP packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) deny udp ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( src-port OPERATOR SRC_PORT | ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( dst-port OPERATOR DST_PORT | ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any destination host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
OPERATOR SRC_PORT | Source port operator and value | Source port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
OPERATOR DST_PORT | Destination port operator and value | Destination port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in IPv6 ACL to deny any UDP packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 deny udp any any
This example shows how to create a filter in IPv6 ACL to deny the UDP packets with the source IPv6 address 2001::2020, source port 8080:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 deny udp host 2001::2020 src-port eq 8080 any
Related Commands
no sequence-num
11.7.7. deny icmp
Command Purpose
Use this command to reject ICMP packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) deny icmp ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( icmp-type TYPE-NUM ( icmp-code CODE-NUM | ) | ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
TYPE-NUM | ICMP message type | 0-255
CODE-NUM | ICMP message code | 0-255
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any source host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in IPv6 ACL to deny any ICMP packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 deny icmp any any
This example shows how to create a filter in IPv6 ACL to deny the ICMP packets with the icmp-type 3 and icmp-code 3:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 deny icmp any any icmp-type 3 icmp-code 3
Related Commands
no sequence-num
11.7.8. deny gre
Command Purpose
Use this command to reject GRE packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) deny gre ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( flow-label FLOW-LABEL-VALUE | ) ( key KEY mask KEY-MASK ) ( dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
FLOW-LABEL-VALUE | Flow label | 0-1048575
KEY | GRE key | 0-4294967295
KEY-MASK | GRE key mask | 0-0xFFFFFFFF
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any source host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
ECN | ECN value | 0-3
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 deny gre any any key 0 mask 0
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 deny gre host 2000::1 any key 10 mask 0xffffffff
Related Commands
no sequence-num
11.7.9. deny nvgre
Command Purpose
Use this command to reject NVGRE packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) deny nvgre ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( flow-label FLOW-LABEL-VALUE | ) ( vsid VSID mask VSID-MASK ) ( dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
FLOW-LABEL-VALUE | Flow label | 0-1048575
VSID | NVGRE VSID | 0-16777215
VSID-MASK | NVGRE VSID mask | 0-0xFFFFFF
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any source host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
ECN | ECN value | 0-3
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 deny nvgre any any vsid 0 mask 0
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 deny nvgre host 2000::1 any vsid 10 mask 0xffffff
Related Commands
no sequence-num
11.7.10. permit
Command Purpose
Use this command to permit ongoing IPv6 packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) permit ( PROTO_NUM | any ) ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
PROTO_NUM | An IPv6 protocol number | 0-255
any | Any IPv6 protocol | -
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
If the sequence-num field is not present, an auto-generated sequence number is assigned to the filter. The auto-generated number is the maximum existing sequence number in the IPv6 ACL plus 10. For example, when the maximum existing sequence number is 100, the next IPv6 filter created gets sequence number 110.
Examples
This example shows how to create a filter in IPv6 ACL to permit any IPv6 packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 permit any any any
This example shows how to create a filter in IPv6 ACL to permit any routed packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 permit any any any routed-packet
Related Commands
no sequence-num
11.7.11. permit tcp
Command Purpose
Use this command to permit TCP packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) permit tcp ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( src-port OPERATOR SRC_PORT | ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( dst-port OPERATOR DST_PORT | ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any destination host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
OPERATOR SRC_PORT | Source port operator and value | Source port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
OPERATOR DST_PORT | Destination port operator and value | Destination port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in IPv6 ACL to permit any TCP packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 permit tcp any any
This example shows how to create a filter in IPv6 ACL to permit the TCP packets with the source IPv6 address 2001::2020, source port 8080:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 permit tcp host 2001::2020 src-port eq 8080 any
Related Commands
no sequence-num
11.7.12. permit udp
Command Purpose
Use this command to permit UDP packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) permit udp ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( src-port OPERATOR SRC_PORT | ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( dst-port OPERATOR DST_PORT | ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any destination host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
OPERATOR SRC_PORT | Source port operator and value | Source port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
OPERATOR DST_PORT | Destination port operator and value | Destination port, range 0-65535. Operators: eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in IPv6 ACL to permit any UDP packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 permit udp any any
This example shows how to create a filter in IPv6 ACL to permit the UDP packets with the source IPv6 address 2001::2020, source port 8080:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 permit udp host 2001::2020 src-port eq 8080 any
Related Commands
no sequence-num
11.7.13. permit icmp
Command Purpose
Use this command to permit ICMP packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) permit icmp ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( icmp-type TYPE-NUM ( icmp-code CODE-NUM | ) | ) ( flow-label FLOW_LABEL | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( dscp DSCP | ) ( routed-packet | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
For descriptions of other parameters, please refer to the “permit” section above.
Parameter | Parameter Description | Parameter Value
---|---|---
icmp-type TYPE-NUM | ICMP message type | 0-255
icmp-code CODE-NUM | ICMP message code | 0-255
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any source host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
flow-label FLOW_LABEL | Flow label number | 0-1048575
non-fragment | Match non-fragment packets | -
first-fragment | Match first-fragment packets | -
non-or-first-fragment | Match non-fragment or first-fragment packets | -
small-fragment | Match small-fragment packets | -
non-first-fragment | Match non-first-fragment packets | -
DSCP | Match packets with the given DSCP value | 0-63
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in IPv6 ACL to permit any ICMP packets:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 permit icmp any any
This example shows how to create a filter in IPv6 ACL to permit the ICMP packets with the icmp-type 3 and icmp-code 3:
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 permit icmp any any icmp-type 3 icmp-code 3
Related Commands
no sequence-num
11.7.14. permit gre
Command Purpose
Use this command to permit GRE packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) permit gre ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( flow-label FLOW-LABEL-VALUE | ) ( key KEY mask KEY-MASK ) ( dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
For descriptions of other parameters, please refer to the “deny gre” section above.
Parameter | Parameter Description | Parameter Value
---|---|---
FLOW-LABEL-VALUE | Flow label | 0-1048575
KEY | GRE key | 0-4294967295
KEY-MASK | GRE key mask | 0-0xFFFFFFFF
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any source host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
ECN | ECN value | 0-3
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 permit gre any any key 0 mask 0
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 permit gre host 2000::1 any key 10 mask 0xffffffff
Related Commands
no sequence-num
11.7.15. permit nvgre
Command Purpose
Use this command to permit NVGRE packets matching the IPv6 filter.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( SEQUENCE_NUM | ) permit nvgre ( SRC_IPV6 SRC_IPV6_MASK | any | host SRC_IPV6 ) ( DST_IPV6 DST_IPV6_MASK | any | host DST_IPV6 ) ( flow-label FLOW-LABEL-VALUE | ) ( vsid VSID mask VSID-MASK ) ( dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
For descriptions of other parameters, please refer to the “deny nvgre” section above.
Parameter | Parameter Description | Parameter Value
---|---|---
FLOW-LABEL-VALUE | Flow label | 0-1048575
VSID | NVGRE VSID | 0-16777215
VSID-MASK | NVGRE VSID mask | 0-0xFFFFFF
SEQUENCE_NUM | The sequence number of the filter in the IPv6 ACL. An auto-generated sequence number is assigned to the filter if this field is not present. | 1-131071
SRC_IPV6 SRC_IPV6_MASK | The source IPv6 prefix address | IPv6 address and mask length
any | Any source host | -
host SRC_IPV6 | The source IPv6 address of a host | IPv6 address
DST_IPV6 DST_IPV6_MASK | The destination IPv6 prefix address | IPv6 address and mask length
host DST_IPV6 | The destination IPv6 address of a host | IPv6 address
routed-packet | Match routed packets | -
TIME-RANGE-NAME | The time range used by the IPv6 filter | A string with up to 40 characters
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range
LENGTH | The length value | 64-16382
ECN | ECN value | 0-3
Command Mode
IPv6 ACL Configuration
Default
None
Usage
None
Examples
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 1 permit nvgre any any vsid 0 mask 0
Switch# configure terminal
Switch(config)# ipv6 access-list list_ipv6_1
Switch(config-ipv6-acl)# 2 permit nvgre host 2000::1 any vsid 10 mask 0xffffff
Related Commands
no sequence-num
11.7.16. show access-list ipv6
Command Purpose
Use this command to show the IPv6 ACL information.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show access-list ipv6 ( ACL_NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
ACL_NAME | The name of the IPv6 ACL | A string with up to 40 characters
Command Mode
Privileged EXEC
Default
None
Usage
If no IPv6 ACL is specified, all IPv6 access lists in the system are shown.
Examples
This example shows how to show the IPv6 ACL information:
Switch# show access-list ipv6
ipv6 access-list list_ipv6_1
10 deny any 2001::/48 any
20 permit any any any
Related Commands
ipv6 access-list
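Added example (not vendor code): a Python audit of show access-list ipv6 output that applies the auto-numbering rule from the deny and permit usage notes and the 1-131071 sequence range. The function names, the list_ipv6_2 sample and the display format of its TCP entry are constructed; the catch-all check assumes filters are evaluated in ascending sequence-number order with the first match winning, which this page does not state.

```python
import re
from dataclasses import dataclass, field

SEQ_MIN, SEQ_MAX = 1, 131071  # SEQUENCE_NUM range from the parameter tables
AUTO_STEP = 10                # auto-generated number = highest existing + 10
CATCH_ALL = "any any any"     # protocol, source and destination all "any"

# Constructed sample: list_ipv6_1 is the output shown on this page;
# list_ipv6_2 and its entries are made up for the example.
SAMPLE = """\
Switch# show access-list ipv6
ipv6 access-list list_ipv6_1
 10 deny any 2001::/48 any
 20 permit any any any
ipv6 access-list list_ipv6_2
 5 permit any any any
 131070 deny tcp host 2001::2020 src-port eq 8080 any
"""

HEADER = re.compile(r"^ipv6 access-list (\S{1,40})$")
ENTRY = re.compile(r"^(\d+) (deny|permit) (.+)$")


@dataclass
class Entry:
    seq: int
    action: str  # "deny" or "permit"
    match: str   # remainder of the filter, kept as text


@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)  # lines this parser skipped


def parse_show_output(text):
    """Parse show access-list ipv6 output into {acl_name: Acl}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Switch#"):
            continue
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), Acl(header.group(1)))
            continue
        if current is None:
            continue
        entry = ENTRY.match(line)
        if entry and SEQ_MIN <= int(entry.group(1)) <= SEQ_MAX:
            current.entries.append(
                Entry(int(entry.group(1)), entry.group(2), entry.group(3)))
        else:
            current.unparsed.append(line)
    for acl in acls.values():
        acl.entries.sort(key=lambda e: e.seq)
    return acls


def next_auto_seq(acl):
    """Number the usage rule predicts for a filter added without SEQUENCE_NUM.

    Returns None for an empty ACL: the page does not state the starting value.
    """
    if not acl.entries:
        return None
    return max(e.seq for e in acl.entries) + AUTO_STEP


def audit(acl):
    """Return review findings for one ACL as a list of strings."""
    findings = []
    nxt = next_auto_seq(acl)
    if nxt is not None and nxt > SEQ_MAX:
        findings.append(
            f"{acl.name}: auto-generated sequence {nxt} exceeds {SEQ_MAX}; "
            "give new filters an explicit sequence number")
    catch_all = None
    for e in acl.entries:  # ascending sequence order (assumed evaluation order)
        if catch_all is not None:
            findings.append(
                f"{acl.name}: {e.seq} {e.action} {e.match} follows catch-all "
                f"filter {catch_all.seq} and may never match")
        elif e.match == CATCH_ALL:
            catch_all = e
    return findings


if __name__ == "__main__":
    for acl in parse_show_output(SAMPLE).values():
        print(acl.name, "next auto sequence:", next_auto_seq(acl))
        for finding in audit(acl):
            print("  ", finding)
```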