Step 1 | enable
Example: Switch> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | configure terminal
Example: Switch# configure terminal
Purpose: Enters global configuration mode.
Step 3 | [no] ipv6 access-list {list-name | client permit-control-packets | log-update threshold | role-based list-name}
Example: Switch(config)# ipv6 access-list example_acl_list
Purpose: Defines an IPv6 ACL name and enters IPv6 access list configuration mode. The no form removes the named ACL.
Step 4 | [no] {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
Purpose: Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched. These are the conditions:
- For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol (next-header) number.
- The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons (see RFC 2373, since obsoleted by RFC 4291; the address text format is unchanged).
- Enter any as an abbreviation for the IPv6 prefix ::/0.
- For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
- (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.
- (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP, and UDP port names only when filtering UDP.
- (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
- (Optional) Enter fragments to match noninitial fragments. This keyword is visible only if the protocol is ipv6.
- (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to also include the input interface in the log entry. Logging is supported only for router ACLs.
- (Optional) Enter routing to match packets that carry an IPv6 routing extension header (source-routed packets).
- (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4,294,967,295.
- (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
- Every IPv6 ACL ends with implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any entries. An explicit deny ipv6 any any placed ahead of them also blocks Neighbor Discovery unless nd-ns and nd-na are permitted explicitly first.
Step 5 | {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value] [syn] [time-range name] [urg]
Purpose: (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 4, with these additional optional parameters:
- ack: acknowledgment bit set.
- established: an established connection. A match occurs if the TCP segment has the ACK or RST bit set; a bare SYN (a new connection attempt) does not match.
- fin: finished bit set; no more data from sender.
- neq {port | protocol}: matches only packets that are not on the given port number.
- psh: push function bit set.
- range {port | protocol}: matches only packets in the given port number range.
- rst: reset bit set.
- syn: synchronize bit set.
- urg: urgent pointer bit set.
Step 6 | {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]
Purpose: (Optional) Define a UDP access list and the access conditions. Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the [operator [port]] port number or name must be a UDP port number or name, and the established parameter and the TCP flag keywords are not valid for UDP.
Step 7 | {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing] [sequence value] [time-range name]
Purpose: (Optional) Define an ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 4, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
- icmp-type: filter by ICMP message type, a number from 0 to 255.
- icmp-code: filter by ICMP message code, a number from 0 to 255. It is entered after icmp-type and narrows the match to that type and code.
- icmp-message: filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key or see the command reference for this release.
Step 8 | end
Purpose: Returns to privileged EXEC mode.
Step 9 | show ipv6 access-list
Purpose: Verifies the access list configuration. Only the entries you configured are displayed; the implicit nd-na, nd-ns and deny ipv6 any any entries at the end of every IPv6 ACL do not appear in the output.
Step 10 | show running-config
Example: Switch# show running-config
Purpose: Verifies your entries.
Step 11 | copy running-config startup-config
Example: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
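A complete run of Steps 1 to 11 as an added example; it is not taken from the original page or from Cisco's documentation. It assumes a router ACL, invented name MGMT-IN, protecting one management address (2001:db8:1::1) that should accept SSH only from an admin prefix (2001:db8:10::/64) and DNS replies from a resolver (2001:db8:10::53); all addresses are from the RFC 3849 documentation range. Only keywords documented in Steps 3 to 7 are used, and the lines are what you would paste at the Switch> prompt in the order shown.

```cisco
enable
configure terminal
! Added example, not from the original page. MGMT-IN and the 2001:db8::/32
! addresses are assumed values chosen for illustration.
ipv6 access-list MGMT-IN
 ! Keep Neighbor Discovery working: the explicit deny at sequence 100 would
 ! otherwise take precedence over the implicit nd-ns/nd-na permits.
 permit icmp any any nd-ns sequence 5
 permit icmp any any nd-na sequence 6
 ! SSH to the management address, only from the admin prefix (operator after
 ! the destination, so eq 22 is the destination port).
 permit tcp 2001:db8:10::/64 host 2001:db8:1::1 eq 22 sequence 10
 ! Return traffic for sessions the switch opened itself (ACK or RST set).
 permit tcp any host 2001:db8:1::1 established sequence 20
 ! DNS replies: operator after the source, so eq 53 is the source port;
 ! gt 1023 after the destination restricts the destination to ephemeral ports.
 permit udp host 2001:db8:10::53 eq 53 2001:db8:1::/64 gt 1023 sequence 30
 ! Echo requests selected by numeric ICMPv6 type and code (128 0).
 permit icmp any host 2001:db8:1::1 128 0 sequence 40
 ! Packets carrying a routing extension header are dropped and logged.
 deny ipv6 any any log routing sequence 50
 ! Non-initial fragments are dropped; fragments is only offered for ipv6.
 deny ipv6 any any fragments log sequence 60
 ! Telnet attempts are logged together with the ingress interface.
 deny tcp any any eq 23 log-input sequence 70
 ! Explicit final deny so rejected packets are logged; the implicit deny is silent.
 deny ipv6 any any log sequence 100
 exit
end
show ipv6 access-list MGMT-IN
copy running-config startup-config
```

The log and log-input keywords take effect only because this is meant as a router ACL (Step 4). The list filters nothing until it is bound to an interface; on Catalyst switches that is done with ipv6 traffic-filter MGMT-IN in under the Layer 3 interface, a command outside this procedure. If you remove the two nd-ns/nd-na permits, sequence 100 silently breaks address resolution on the segment, which is the most common way an IPv6 ACL takes a switch off the network.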