Configuring ACEs in an ACL

ACEs are configured after using the ipv6 access-list <ascii-str> command to enter the IPv6 ACL (ipv6-acl) context for the named ACL.

Syntax:

<deny|permit> <ipv6|ipv6-protocol|ipv6-protocol-nbr>

<any|host <SA>|SA/prefix-length> <any|host <DA>|DA/prefix-length> [log]

Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 (10, 20, 30, and so on) and can be renumbered with the resequence command (see Resequencing the ACEs in an IPv6 ACL).

NOTE:

To insert a new ACE between two existing ACEs in an ACL, precede deny or permit with an appropriate sequence number. See Inserting an ACE in an existing ACL.

For a match to occur, a packet must satisfy the source and destination IPv6 address criteria specified in the ACE, as well as:
  • The protocol-specific criteria configured in the ACE, including any optional elements (described later in this section)

  • Any (optional) DSCP settings configured in the ACE

<deny|permit>

These keywords are used in the IPv6 (ipv6-acl) context to specify whether the ACE denies or permits a packet matching the criteria in the ACE, as described below.

ipv6 - Any IPv6 packet.

ipv6-protocol - Any one of the following IPv6 protocol names:
  • esp
  • ah
  • sctp
  • icmp*
  • tcp*
  • udp*
*For TCP, UDP, and ICMP, additional, optional criteria can be specified, as described in Options for TCP and UDP traffic in IPv6 ACLs and subsequent sections.

ipv6-protocol-nbr - The IANA protocol number (the value carried in the IPv6 Next Header field) of the packet type to match, such as 8 for Exterior Gateway Protocol or 121 for Simple Message Protocol. (Range: 0-255)

(For a listing of protocol numbers and their corresponding protocol names, refer to the IANA protocol number assignments at www.iana.org/assignments/protocol-numbers.)

<any|host <SA>|SA/prefix-length>

This is the first instance of IPv6 addressing in an ACE. It follows the protocol specifier and defines the source IPv6 address (SA) a packet must carry for a match with the ACE.

any - Allows IPv6 packets from any IPv6 SA.

host <SA> - Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv6 packets from a single SA.

SA/prefix-length - Specifies packets received from one or more contiguous subnets or contiguous addresses within a single subnet. The prefix length is in CIDR format and defines the number of leftmost bits to use in determining a match. (See Using CIDR notation to enter the IPv6 ACL prefix length.) In a given ACE, the SA prefix length defines how many leftmost bits in a packet's SA must exactly match the SA configured in the ACE; the remaining (rightmost) bits of the packet's SA are ignored.

Prefix-length applications

  • 2001:db8:0:e102::10:100/120 matches any IPv6 address in the range 2001:db8:0:e102::10:100 through 2001:db8:0:e102::10:1ff (only the last 8 bits are left unconstrained by a /120 prefix).

  • 2001:db8:a0:e102::/64 matches any IPv6 address having the prefix 2001:db8:a0:e102.

  • FE80::/16 matches any link-local address. (The link-local range is formally FE80::/10, but RFC 4291 requires the 54 bits that follow that prefix to be zero, so every valid link-local address also falls within FE80::/16.)

NOTE:

For more information on how prefix lengths are used in IPv6 ACLs, see How an ACE uses a mask to screen packets for matches.

<any|host <DA>|DA/prefix-length>

This is the second instance of addressing in an IPv6 ACE. It follows the first (SA) instance, described earlier in this section, and defines the destination IPv6 address (DA) that a packet must carry to have a match with the ACE.

any - Allows IPv6 packets to any IPv6 DA.

host <DA> - Specifies only packets having DA as the destination address. Use this criterion when you want to match only the IPv6 packets for a single DA.

DA/prefix-length - Specifies packets intended for one or more contiguous subnets or contiguous addresses within a single subnet. The prefix length is in CIDR format and defines the number of leftmost bits to use in determining a match. (See Using CIDR notation to enter the IPv6 ACL prefix length.) In a given ACE, the DA prefix length defines how many leftmost bits in a packet's DA must exactly match the DA configured in the ACE; the remaining bits of the packet's DA are ignored.

[log]

For a given ACE, if log is used, it must be the last keyword entered.
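The following Python model is an added example and is not code from the switch or from this documentation. It implements the ACE syntax and match rules described in this section (deny/permit; the ipv6, protocol-name and protocol-number forms; any, host and prefix-length criteria for SA and DA; a trailing log keyword; default sequence numbers in increments of 10; insertion by explicit sequence number; and resequencing), so that the prefix-length applications above can be checked against concrete addresses and an ordered list of ACEs can be evaluated first-match. Two assumptions are labelled in the code: the icmp keyword is taken to mean ICMPv6 (protocol 58), and an ACL is assumed to end with an implicit deny. The ACL name, the ACE lines and the packets are constructed for the example.

```python
"""Model of the IPv6 ACE syntax on this page (added example, not switch code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol keywords listed on the page, mapped to IANA protocol (Next Header)
# numbers.  Assumption: "icmp" in an IPv6 ACL means ICMPv6, protocol 58.
PROTO_NUMBERS = {"esp": 50, "ah": 51, "sctp": 132, "icmp": 58, "tcp": 6, "udp": 17}


@dataclass
class ACE:
    seq: int
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None == "ipv6" keyword: any IPv6 packet
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    log: bool


def _parse_addr(tokens):
    """Consume one address criterion (any | host <A> | <A>/prefix-length)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv6Network("::/0")
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    # strict=False masks off the bits beyond the prefix length, which is the
    # page's rule: only the leftmost prefix-length bits take part in a match.
    return ipaddress.IPv6Network(tok, strict=False)


def parse_ace(line, next_seq):
    """Parse one ACE line in the page's syntax; a leading number sets the sequence."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else next_seq
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    p = tokens.pop(0)
    if p == "ipv6":
        proto = None
    elif p in PROTO_NUMBERS:
        proto = PROTO_NUMBERS[p]
    elif p.isdigit() and 0 <= int(p) <= 255:
        proto = int(p)               # ipv6-protocol-nbr form, range 0-255
    else:
        raise ValueError(f"bad protocol {p!r}")
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    log = False
    if tokens:
        if tokens != ["log"]:        # log, when present, must be the last keyword
            raise ValueError(f"unexpected trailing tokens {tokens}")
        log = True
    return ACE(seq, action, proto, src, dst, log)


class IPv6ACL:
    def __init__(self, name):
        self.name = name
        self.aces = []

    def add(self, line):
        """Append an ACE (next multiple of 10) or insert it at an explicit sequence."""
        next_seq = (max(a.seq for a in self.aces) + 10) if self.aces else 10
        ace = parse_ace(line, next_seq)
        if any(a.seq == ace.seq for a in self.aces):
            raise ValueError(f"sequence {ace.seq} already in use")
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)
        return ace

    def resequence(self, start=10, step=10):
        """Renumber the ACEs in list order, like the resequence command."""
        for i, a in enumerate(self.aces):
            a.seq = start + i * step

    def evaluate(self, src, dst, proto):
        """Return (action, seq) of the first matching ACE.
        Assumption: no match falls through to an implicit deny (seq None)."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        for a in self.aces:
            if (a.proto is None or a.proto == proto) and s in a.src and d in a.dst:
                return a.action, a.seq
        return "deny", None


def build_demo_acl():
    """Constructed ACL reusing the page's three prefix-length examples."""
    acl = IPv6ACL("demo")
    acl.add("permit tcp 2001:db8:0:e102::10:100/120 host 2001:db8::53")   # seq 10
    acl.add("deny ipv6 fe80::/16 any log")                                 # seq 20
    acl.add("permit udp 2001:db8:a0:e102::/64 any")                        # seq 30
    acl.add("15 deny 121 any any")        # explicit sequence: lands between 10 and 20
    return acl


if __name__ == "__main__":
    acl = build_demo_acl()
    for a in acl.aces:
        print(a.seq, a.action, a.proto, a.src, a.dst, "log" if a.log else "")
    print(acl.evaluate("2001:db8:0:e102::10:1ff", "2001:db8::53", 6))   # inside /120
    print(acl.evaluate("2001:db8:0:e102::10:200", "2001:db8::53", 6))   # outside /120
```

Running the block prints the ACEs in sequence order (10, 15, 20, 30) and shows that 2001:db8:0:e102::10:1ff is permitted by sequence 10 while ::10:200, one bit past the /120 boundary, falls through to the implicit deny.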