Configuring an IPv6 object policy rule
You can specify an existing object group in an IPv6 object policy rule for matching target IPv6 packets. If no object group is specified for a rule, the rule applies to all IPv6 packets.
The following object groups can be used in a rule for packet matching:
Source IPv6 address object group—Used for matching the source IPv6 addresses of packets.
Destination IPv6 address object group—Used for matching the destination IPv6 addresses of packets.
Service object group—Used for matching the service types carried in packets.
VRF instance—Used for matching the MPLS L3VPN instances of packets.
Application/application group—Used for matching PBAR-classified application IDs of packets. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see "Configuring ARP."
For more information about object groups, see "Configuring object groups."
To configure an IPv6 object policy rule:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter IPv6 object policy view. | object-policy ipv6 object-policy-name | N/A |
3. Configure an IPv6 object policy rule. | rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ track [ negative ] track-entry-number ] [ time-range time-range-name ] ] * | By default, no IPv6 object policy rules are configured. If you specify a nonexistent object group, the rule does not match packets. |
4. (Optional.) Configure a description for the rule. | rule rule-id comment text | By default, an object policy rule does not have a description. |