Difference between revisions of "Access-list IPv6 Cisco IOS"

From Teknologisk videncenter
m
m (Extended ACL)
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:
 
<source lang=cli>
 
<source lang=cli>
 
ipv6 access-list PERMIT-LOCAL
 
ipv6 access-list PERMIT-LOCAL
 +
deny ipv6 2001:16D8:DD85:4::/64 2001:16D8:DD85:3::/64
 
  permit ipv6 2001:16D8:DD85:4::/64 any
 
  permit ipv6 2001:16D8:DD85:4::/64 any
  deny ipv6 2001:16D8:DD85:4::/64 2001:16D8:DD85:3::/64
+
   
 
!
 
!
 
interface FastEthernet0/1
 
interface FastEthernet0/1
 
  ipv6 traffic-filter PERMIT-LOCAL out
 
  ipv6 traffic-filter PERMIT-LOCAL out
 
</source>
 
</source>
 +
 
=Extended ACL=
 
=Extended ACL=
 
<source lang=cli>
 
<source lang=cli>
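Review bot: the entry order in PERMIT-LOCAL now carries the policy, but nothing on the page says so. The deny for 2001:16D8:DD85:3::/64 only takes effect because it sits above `permit ipv6 2001:16D8:DD85:4::/64 any`; add a sentence above the block stating that entries are matched top-down and the first match wins, so a later edit does not re-sort them. The empty line left after the permit entry inside the source block can also be dropped.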
Line 19: Line 21:
 
  ipv6 traffic-filter DMZ in
 
  ipv6 traffic-filter DMZ in
 
</source>
 
</source>
 +
==Examples==
 +
*[[IPv6 Firewall Cisco IOS ACL based]] example
 +
 
=Reflexive ACL=
 
=Reflexive ACL=
 
[[Image:IPv6 Reflexive ACL eksempel.png|500px|left|thumb|Reflexive example. Only ICMP incoming traffic allowed]]
 
[[Image:IPv6 Reflexive ACL eksempel.png|500px|left|thumb|Reflexive example. Only ICMP incoming traffic allowed]]

Latest revision as of 10:35, 21 May 2014

Cisco Access Lists for IPv6. For IPv4, see Access-list Cisco IOS.

Standard ACL

ipv6 access-list PERMIT-LOCAL
 deny ipv6 2001:16D8:DD85:4::/64 2001:16D8:DD85:3::/64
 permit ipv6 2001:16D8:DD85:4::/64 any
 
!
interface FastEthernet0/1
 ipv6 traffic-filter PERMIT-LOCAL out
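
Entries in PERMIT-LOCAL are matched top-down and the first match wins, which is why the deny sits above the broader permit. The following Python sketch is an added example, not part of the original page: it models only `ipv6` prefix entries (not the implicit neighbor-discovery permits IOS adds), and the host addresses and function names are constructed for illustration.

```python
import ipaddress

# Reversed order (permit first) and the order shown on the page.
OLD_ORDER = ["permit ipv6 2001:16D8:DD85:4::/64 any",
             "deny ipv6 2001:16D8:DD85:4::/64 2001:16D8:DD85:3::/64"]
NEW_ORDER = list(reversed(OLD_ORDER))

def parse(lines):
    """Parse '<action> ipv6 <src> <dst>' entries; 'any' becomes ::/0."""
    aces = []
    for line in lines:
        action, proto, src, dst = line.split()
        if action not in ("permit", "deny") or proto != "ipv6":
            raise ValueError("unsupported entry: " + line)
        nets = [ipaddress.IPv6Network("::/0" if x == "any" else x)
                for x in (src, dst)]
        aces.append((action, nets[0], nets[1]))
    return aces

def evaluate(lines, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for action, src_net, dst_net in parse(lines):
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit 'deny ipv6 any any' closing every ACL

def shadowed(lines):
    """Indexes of entries fully covered by an earlier entry (never matched)."""
    aces = parse(lines)
    return [i for i, (_, s, d) in enumerate(aces)
            if any(s.subnet_of(ps) and d.subnet_of(pd)
                   for _, ps, pd in aces[:i])]

if __name__ == "__main__":
    src, dst = "2001:16D8:DD85:4::10", "2001:16D8:DD85:3::20"  # constructed hosts
    for name, acl in (("permit first", OLD_ORDER), ("deny first", NEW_ORDER)):
        print(name, "->", evaluate(acl, src, dst), "| shadowed:", shadowed(acl))
```
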

Extended ACL

ipv6 access-list DMZ
 permit tcp any 2001:16D8:DD85:4::/64 eq www
 permit tcp any 2001:16D8:DD85:4::/64 eq 443
 permit tcp any 2001:16D8:DD85:4::/64 eq smtp
!
interface FastEthernet0/1
 ipv6 traffic-filter DMZ in

Examples

IPv6 Firewall Cisco IOS ACL based example

Reflexive ACL

[Figure: Reflexive example. Only ICMP incoming traffic allowed]

ipv6 access-list OUTGOING
 permit tcp 2001:410:0:2::/64 any reflect REFLECTOUT
 permit udp 2001:410:0:2::/64 any reflect REFLECTOUT
 deny ipv6 FC00::/7 any
 permit icmp any any
 deny ipv6 any any log
!
ipv6 access-list INCOMING
 permit icmp any any
 evaluate REFLECTOUT
 deny ipv6 any any log
!
interface FastEthernet0/1
 ipv6 traffic-filter INCOMING in
 ipv6 traffic-filter OUTGOING out