Adding Rules (ACEs) for an IPv6-Based ACL

  1. Click Access Control > IPv6 Based ACE. The IPv6 Based ACE page opens.
  2. This window displays the ACEs (rules) for a specified ACL (group of rules).

  3. Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.
  4. Click Add. The Add IPv6 Based ACE page opens.
  5. Enter the parameters.
    • ACL Name--Displays the name of the ACL to which an ACE is being added.
    • Priority--Enter the priority. ACEs with higher priority are processed first.
    • Action--Select the action assigned to the packet matching the ACE. The options are as follows:
      • Permit--Forward packets that meet the ACE criteria.
      • Deny--Drop packets that meet the ACE criteria.
      • Shutdown--Drop packets that meet the ACE criteria, and disable the port to which the packets were addressed. Ports are reactivated from the Port Management page.
    • Protocol--Select to create an ACE based on a specific protocol. Select Any (IPv6) to accept all IP protocols. Otherwise select one of the following protocols:
      • TCP--Transmission Control Protocol. Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery, and guarantees that packets are transmitted and received in the order they were sent.
      • UDP--User Datagram Protocol. Transmits packets but does not guarantee their delivery.
      • ICMP--Matches packets to the Internet Control Message Protocol (ICMP).
    • Protocol ID to Match--Enter the ID of the protocol to be matched.
    • Source IP Address--Select Any if all source addresses are acceptable or User defined to enter a source address or range of source addresses.
    • Source IP Address Value--Enter the IP address to which the source IP address will be matched and its mask (if relevant).
    • Source IP Prefix Length--Enter the prefix length of the source IP address.
    • Destination IP Address--Select Any if all destination addresses are acceptable or User defined to enter a destination address or a range of destination addresses.
    • Destination IP Address Value--Enter the IP address to which the destination IP address will be matched and its mask (if relevant).
    • Destination IP Prefix Length--Enter the prefix length of the IP address.
    • Source Port--Select one of the following:
      • Any--Match to all source ports.
      • Single--Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the IP Protocol drop-down menu.
      • Range--Select a range of TCP/UDP source ports to which the packet is matched.
    • Destination Port--Select one of the available values. (They are the same as for the Source Port field described above.)

    NOTE: You must specify the IPv6 protocol for the ACL before you can configure the source and/or destination port.

    • TCP Flags--Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security.
      • Set--Match if the flag is SET.
      • Unset--Match if the flag is Not SET.
      • Don’t care--Ignore the TCP flag.
    • Type of Service--The service type of the IP packet.
    • ICMP--If the ACL is based on ICMP, select the ICMP message type that will be used for filtering purposes. Either select the message type by name or enter the message type number. If all message types are accepted, select Any.
      • Any--All message types are accepted.
      • Select from list--Select message type by name from the drop-down list.
      • ICMP Type to Match--Number of message type that will be used for filtering purposes.
    • ICMP Code--The ICMP messages may have a code field that indicates how to handle the message. Select one of the following options to configure whether to filter on this code:
      • Any--Accept all codes.
      • User defined--Enter an ICMP code for filtering purposes.
  6. Click Apply.
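
Before applying a rule set, it can help to check offline which ACE a given packet would hit. The following Python model is an added example, not the switch's own software. It assumes that a lower priority number is processed first, that evaluation stops at the first matching ACE, and that no match returns None (the page does not state the default action). All class, field and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
ANY = None  # stands for the "Any" choice in the form

@dataclass
class Ace:
    priority: int                 # assumption: lower number is processed first
    action: str                   # "permit", "deny" or "shutdown"
    protocol: object = ANY        # "tcp", "udp", "icmp" or ANY
    src: str = "::/0"             # address/prefix length; ::/0 models Any
    dst: str = "::/0"
    src_port: object = ANY        # ANY, a single port, or a (low, high) range
    dst_port: object = ANY
    tcp_flags: dict = field(default_factory=dict)  # flag -> True (Set) / False (Unset)
    icmp_type: object = ANY
    icmp_code: object = ANY

def _port_ok(rule, port):
    if isinstance(rule, tuple):                       # Range
        return port is not None and rule[0] <= port <= rule[1]
    return rule is ANY or port == rule                # Any or Single

def ace_matches(ace, pkt):
    """True only if every configured field of the ACE matches the packet."""
    flags = pkt.get("tcp_flags", set())
    return (
        ace.protocol in (ANY, pkt["protocol"])
        and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(ace.src)
        and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(ace.dst)
        and _port_ok(ace.src_port, pkt.get("src_port"))
        and _port_ok(ace.dst_port, pkt.get("dst_port"))
        # Flags missing from the dict are "Don't care" and never checked.
        and all((f in flags) == want for f, want in ace.tcp_flags.items())
        and ace.icmp_type in (ANY, pkt.get("icmp_type"))
        and ace.icmp_code in (ANY, pkt.get("icmp_code"))
    )

def evaluate(acl, pkt):
    """Return (priority, action) of the first matching ACE, or None."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.priority, ace.action
    return None

# Constructed ACL using the documentation prefix 2001:db8::/32.
ACL = [
    Ace(10, "permit", "tcp", dst="2001:db8:10::/64", dst_port=443),
    Ace(20, "deny", "tcp", dst="2001:db8:10::/64", tcp_flags={"SYN": True, "ACK": False}),
    Ace(30, "permit", "icmp", icmp_type=128),  # ICMPv6 echo request
    Ace(40, "deny"),
]
```

Placing a broad ACE such as `Ace(5, "deny")` ahead of the others shadows every later rule, which is the ordering mistake this kind of dry run is meant to catch.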