within a single subnet. The prefix length in CIDR format defines the number of leftmost bits to use in determining a match. See “Using CIDR notation to enter the IPv6 ACL prefix length” (page 80). In a given ACE, the DA prefix-length defines how many leftmost bits in a packet's DA must exactly match the DA configured in the ACE.
log
Use this option after the DA to generate an Event Log message when all of the following are true:
• The action is deny. (Does not apply to permit actions.)
• The packet matches the ACE.
• ACL logging is enabled. See “Enabling ACL logging on the switch” (page 106).
TCP and UDP traffic in IPv6 ACLs
An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria
for either the source, the destination, or both. Using TCP criteria also enables the established
option for controlling TCP connection traffic.
TCP:
<deny | permit> tcp
<SA> [comparison-operator <tcp-src-port>]
<DA> [comparison-operator <tcp-dest-port>]
[established]
[ack] [fin] [rst] [syn]
UDP:
<deny | permit> udp
<SA> [comparison-operator <udp-src-port>]
<DA> [comparison-operator <udp-dest-port>]
In an IPv6 ACL using either tcp or udp as the IP packet protocol type, you can optionally apply comparison operators specifying TCP or UDP source or destination port numbers, or ranges of port numbers, to further define the criteria for a match. An operator placed after the SA applies to the source port; an operator placed after the DA applies to the destination port. For example:
#deny tcp host fe80::119 eq 23 host fe80::155 established
#permit tcp host 2001:db8::10:100 host 2001:db8::15:12 eq telnet
#deny udp 2001:db8::ad5:1f4 host 2001:db8::ad0:ff3 range 161 162
The first ACE denies TCP segments of an established connection sent from port 23 on fe80::119 to fe80::155. The second permits TCP traffic from 2001:db8::10:100 to the Telnet port on 2001:db8::15:12. The third denies UDP traffic from 2001:db8::ad5:1f4 to ports 161 through 162 on 2001:db8::ad0:ff3.
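The matching rules described above (prefix-length match on SA and DA, port comparison operators after the SA or DA, established, and log producing an Event Log entry only for deny matches while ACL logging is enabled) can be exercised with the following Python model. It is an added example, not part of the HP manual and not how the switch implements ACLs. The ACE grammar it parses, its short table of well-known port names, the sample ACL and the packets are all constructed for the example; it also assumes that established means the ACK or RST flag is set and that the implicit deny at the end of an ACL is never logged.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known port names accepted by the parser (assumed subset; the manual's full list is not on this page).
WELL_KNOWN_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "snmp": 161, "snmp-trap": 162}
OPERATORS = {"eq", "neq", "lt", "gt", "range"}
PortCriterion = Tuple[str, int, Optional[int]]  # (operator, port, upper port for "range")

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp" or "ipv6" (any IPv6 traffic)
    src: ipaddress.IPv6Network
    src_port: Optional[PortCriterion]
    dst: ipaddress.IPv6Network
    dst_port: Optional[PortCriterion]
    established: bool
    log: bool

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False
    rst: bool = False

def port_value(token: str) -> int:
    return int(token) if token.isdigit() else WELL_KNOWN_PORTS[token]

def parse_addr(tokens, i):
    """<host addr | addr/prefix-length | any>; a bare address is treated as /128."""
    if tokens[i] == "any":
        return ipaddress.IPv6Network("::/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1

def parse_port(tokens, i):
    """Optional [comparison-operator <port>]; range takes two ports."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        op = tokens[i]
        if op == "range":
            return (op, port_value(tokens[i + 1]), port_value(tokens[i + 2])), i + 3
        return (op, port_value(tokens[i + 1]), None), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """<deny|permit> <tcp|udp|ipv6> <SA> [op port] <DA> [op port] [established] [log]"""
    tokens = line.lstrip("#").split()
    action, proto = tokens[0], tokens[1]
    src, i = parse_addr(tokens, 2)
    src_port, i = parse_port(tokens, i)       # operator after the SA = source port
    dst, i = parse_addr(tokens, i)
    dst_port, i = parse_port(tokens, i)       # operator after the DA = destination port
    flags = set(tokens[i:])
    return Ace(action, proto, src, src_port, dst, dst_port, "established" in flags, "log" in flags)

def port_matches(crit: Optional[PortCriterion], port: int) -> bool:
    if crit is None:
        return True
    op, a, b = crit
    if op == "range":
        return a <= port <= b
    return {"eq": port == a, "neq": port != a, "lt": port < a, "gt": port > a}[op]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    # Prefix-length semantics: only the leftmost prefix-length bits of the packet's SA/DA must equal the configured address.
    if ipaddress.IPv6Address(pkt.src) not in ace.src or ipaddress.IPv6Address(pkt.dst) not in ace.dst:
        return False
    if not (port_matches(ace.src_port, pkt.sport) and port_matches(ace.dst_port, pkt.dport)):
        return False
    # Assumption: "established" matches segments with ACK or RST set, i.e. not the initial SYN.
    return not ace.established or pkt.ack or pkt.rst

def evaluate(acl, pkt: Packet, acl_logging_enabled: bool = True):
    """First matching ACE decides; returns (action, logged). The implicit deny that
    ends every ACL is modelled as never logged (assumption)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            # log yields an Event Log entry only for deny matches, and only while ACL logging is enabled
            return ace.action, acl_logging_enabled and ace.log and ace.action == "deny"
    return "deny", False

# Constructed ACL: the page's three example ACEs (log added to the third) plus two more.
SAMPLE_ACL = [parse_ace(ace) for ace in [
    "deny tcp host fe80::119 eq 23 host fe80::155 established",
    "permit tcp host 2001:db8::10:100 host 2001:db8::15:12 eq telnet",
    "deny udp 2001:db8::ad5:1f4 host 2001:db8::ad0:ff3 range 161 162 log",
    "deny tcp 2001:db8:1::/48 any eq 22 log",     # prefix match on the source, logged deny of SSH
    "permit ipv6 any any",                        # without this, the implicit deny drops everything else
]]
```

Feed your own ACEs to parse_ace and constructed Packet values to evaluate; the pair it returns is the action taken and whether an Event Log entry would be produced. Dropping the final permit ipv6 any any from SAMPLE_ACL shows the implicit deny taking over, and a permit ACE carrying log shows that the flag has no effect on permit actions.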
[comparison-operator <tcp/udp-src-port>]
To specify a TCP or UDP source port number in an ACE:
1. Select a comparison operator from the following list.
2. Enter the port number or a well-known port name.