New Contributor
Posts: 3
Registered: ‎01-10-2011
Accepted Solution

How to write deny statements in an IPv6 ACL to block certain option type values

What is the syntax for a deny statement in an IPv6 ACL to block option type values? For example, I am supposed to block/deny option type values such as 0x8a, 0xc3, 0x02, 0x03. Also, I need to block option type values that are 0x06 through 0x89 "inclusive".

I'm not sure how to write proper deny statements in the IPv6 ACL to mitigate these option type values. Thanks in advance.

Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: How to write deny statements in an IPv6 ACL to block certain option type values

Hi Robert,

    Are you after ICMPv6 Options code blocking?

 

Thanks

Michael.

New Contributor
Posts: 3
Registered: ‎01-10-2011

Re: How to write deny statements in an IPv6 ACL to block certain option type values

Michael, yes!

Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: How to write deny statements in an IPv6 ACL to block certain option type values

Hi Robert,

     Note you need to convert the hex values to decimal. Also, I do not see a range setting for the command, so a lot of ACL lines.

 

SSH@swtich(config-ipv6-access-list test)#exi
SSH@swtich(config)#ipv6 access-list test
SSH@swtich(config-ipv6-access-list test)#deny icmp any any <decimal value>

The above will message type.

 

Some extra info from the manual:

 

For ICMP
 
Syntax: [no] ipv6 access-list <acl name>
 
Syntax: permit | deny [ vlan <vlan-id>] icmp
<ipv6-source-prefix/prefix-length> | any | host <source-ipv6_address>
<ipv6-destination-prefix/prefix-length> | any | host <ipv6-destination-address>
[ipv6-operator [<value>]]
[ [<icmp-type>][<icmp-code>] ] | [<icmp-message>] | beyond-scope |
destination-unreachable | echo-reply | echo-request | header | hop-limit | mld-query |
mld-reduction | mld-report | nd-na | nd-ns | next-header | no-admin | no-route |
packet-too-big | parameter-option | parameter-problem | port-unreachable |
reassembly-timeout | renum-command | renum-result | renum-seq-number |
router-advertisement | router-renumbering | router-solicitation] | [copy-sflow] | |
[drop-precedence <dp-value>] | [drop-precedence-force <dp-value>] | [dscp-marking
<number>] | [dscp <dscp-value>] | [mirror] | [priority-force <number>] | [sequence]
 
The icmp protocol indicates that you are filtering ICMP packets.
 
To specify an ICMP type, enter a value from 0 through 255 for the <icmp-type> parameter.
 
To specify an ICMP code, enter a value from 0 through 255 for the <icmp-code> parameter.
 
You can use these ICMP wild cards for IPv6 packet filtering.
• destination-unreachable – Matches all unreachable type codes.
• time-exceeded – Matches all timeout type codes.
• router-renumbering – Matches all router renumbering type codes.
 
To specify an ICMP message, enter one of the following options:
• beyond-scope
• destination-unreachable
• dscp-marking
• dscp
• echo-reply
• echo-request
• flow-label
• fragments
• header
• hop-limit
• mld-query
• mld-reduction
• mld-report
• nd-na
• nd-ns
• next-header
• no-admin
• no-route
• packet-too-big
• parameter-option
• parameter-problem
• port-unreachable
• reassembly-timeout
• renum-command
• renum-result
• renum-seq-number
• router-advertisement
• router-renumbering
• router-solicitation
• routing
• sequence
• time-exceeded
• unreachable
 
Thanks
Michael.
Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: How to write deny statements in an IPv6 ACL to block certain option type values

Also you will need to apply the ACL :)

 

To apply an IPv6 ACL, (for example “access1”), to an interface, enter commands such as the
following.
Brocade(config)# interface ethernet 3/1
Brocade(config-if-e100-3/1)# ipv6 traffic-filter access1 in

Thanks
Michael
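
Added example, not part of any post in this thread: because the command takes one decimal value and no range option was found, a short Python script can convert the hex values from the question and emit one deny line per value. The ACL name `test` and the `deny icmp any any <decimal value>` form come from the thread; the function names and the comma-separated spec format are assumptions of this example.

```python
"""Expand hex values and inclusive ranges into per-value deny lines."""


def parse_spec(spec):
    """Turn '0x8a, 0x06-0x89' into a sorted, de-duplicated list of ints.

    Items may be hex (0x..) or decimal; 'lo-hi' ranges are inclusive.
    The manual quoted above limits <icmp-type> to 0 through 255.
    """
    values = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        start = int(lo.strip(), 0)          # base 0 accepts 0x.. and decimal
        end = int(hi.strip(), 0) if sep else start
        if start > end:
            raise ValueError(f"range is reversed: {item!r}")
        if start < 0 or end > 255:
            raise ValueError(f"outside 0-255: {item!r}")
        values.update(range(start, end + 1))
    return sorted(values)


def build_acl(name, spec):
    """Return the CLI lines: the ACL header, then one deny entry per value.

    Only deny entries are generated; any permit entries the policy needs
    are left to the operator.
    """
    lines = [f"ipv6 access-list {name}"]
    for value in parse_spec(spec):
        lines.append(f"deny icmp any any {value}")
    return lines


# Values taken from the question in this thread.
QUESTION_SPEC = "0x8a, 0xc3, 0x02, 0x03, 0x06-0x89"

if __name__ == "__main__":
    for line in build_acl("test", QUESTION_SPEC):
        print(line)
```

The `<icmp-type>` position in this syntax matches the ICMPv6 message type field; option types carried in IPv6 Hop-by-Hop or Destination Options extension headers are a different field, so confirm which one the requirement refers to.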
New Contributor
Posts: 3
Registered: ‎01-10-2011

Re: How to write deny statements in an IPv6 ACL to block certain option type values

Thanks!   I'll give it a shot.    

Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: How to write deny statements in an IPv6 ACL to block certain option type values

Thanks Robert, please be sure to post your findings if successful.

Thanks
Michael
