
Creating an Advanced IPv6 ACL

An advanced IPv6 ACL filters traffic by source IPv6 address, destination IPv6 address, protocol type, and time range, and additionally by TCP/UDP port range or ICMPv6 message type when the protocol is TCP, UDP, or ICMPv6.

Context

Table 1 describes the matching conditions of advanced IPv6 ACL rules.

Table 1 Matching conditions of advanced IPv6 ACL rules

Protocol type
    Parameter: protocol
    Description: You can specify a protocol using either of the following:
      • A protocol number.
      • A protocol name.

Source/Destination IP address
    Parameter: source or destination
    Description:
      • source-ipv6-address prefix-length or source-ipv6-address/prefix-length: specifies a source IPv6 address and its prefix length, with the prefix length either separated by a space or written in slash notation.
      • destination-ipv6-address prefix-length or destination-ipv6-address/prefix-length: specifies a destination IPv6 address and its prefix length, in the same two forms.
      • any: indicates any IPv6 address.

Source/Destination TCP/UDP port range
    Parameter: source-port or destination-port
    Description: Specify the port range with an operator expression. The supported comparison operators are eq (equal to), gt (greater than), lt (less than), and range (between two ports). If the operator is range, two port numbers are given.

ICMPv6 message type
    Parameter: icmp6-type
    Description: You can specify an ICMPv6 message type using either of the following:
      • icmpv6-type-name: specifies an ICMPv6 message type by its ICMPv6 type name.
      • icmpv6-type-number icmpv6-code: specifies an ICMPv6 message type by its ICMPv6 type number and ICMPv6 code.

Time range
    Parameter: time-range time-name
    Description: For details of time ranges, see Schedule.

Procedure

  1. Access the system view.

    system-view

  2. Create an advanced IPv6 ACL and access the advanced IPv6 ACL view.

    acl ipv6 [ number ] ipv6-acl-number [ vpn-instance vpn-instance-name ]

    ipv6-acl-number determines the type of the IPv6 ACL. The advanced IPv6 ACL number ranges from 3000 to 3999.

  3. Optional: Set a step for the IPv6 ACL.

    step step

    The default step is 5.

    After you set a step for the ACL, the system automatically assigns rule IDs when you do not specify them. Automatically assigned rule IDs are multiples of the step, in ascending order, which leaves gaps so that you can later insert rules between two existing rules.

    You can set a step for an ACL only when no rule is configured for the ACL. After you configure an ACL rule, you are not allowed to change the step.

  4. Configure an IPv6 ACL rule.

    rule [ rule-id ] { permit | deny } protocol [ source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port [ port2 ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port [ port2 ] | icmp6-type { icmpv6-type-name | icmpv6-type-number icmpv6-code } | time-range time-name | logging ] *

    The parameters vary according to protocol. source-port and destination-port are available only when the protocol is TCP/UDP. icmp6-type is available only when the protocol is ICMPv6.

    When you configure an ACL rule, note the following points:

    • If rule-id is not specified, a new rule is added. The system assigns it the smallest ID that the step permits and that is larger than the highest existing rule ID. For example, if the highest existing rule ID is 21 and the step is 5, the new rule is assigned ID 26.
    • If rule-id is specified and a rule with that ID already exists, the existing rule is edited. If no rule with that ID exists, a new rule is added and inserted at the position its rule-id implies.
    • A new or modified rule must differ from every existing rule; otherwise the creation or modification fails and the system reports that the rule already exists.

    The logging parameter specifies that packets matching the rule are logged.
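The following is an added example, not part of the original page or of Huawei's documentation, that carries steps 1 to 4 through on one ACL and shows the rule-ID behaviour described above: automatic assignment by step, insertion between two existing rules, and editing by re-issuing an existing ID. The ACL number 3001, the prefixes, the port numbers, the protocol name ipv6 for any IPv6 packet, and the time range work-hours are assumptions; the time range must already exist (see Schedule). Lines beginning with # are annotations, not commands.

```text
# Added example (not the original page's content): an advanced IPv6 ACL that
# permits HTTPS and DNS from a management prefix to two servers, keeps the
# ICMPv6 neighbor discovery messages IPv6 depends on, and logs and drops the
# rest. ACL number, prefixes, ports and the time range name are assumptions.
system-view
acl ipv6 3001
 step 5
 # Step 3: with step 5 and no rule-id, the first rule becomes rule 5, the
 # next rule 10, and so on (multiples of the step, ascending).
 rule permit tcp source 2001:db8:10::/64 destination 2001:db8:20::1/128 destination-port eq 443
 # Rules 10 and 15: ICMPv6 neighbor solicitation (type 135) and neighbor
 # advertisement (type 136), both with code 0, matched by type number and code.
 rule permit icmpv6 source any destination any icmp6-type 135 0
 rule permit icmpv6 source any destination any icmp6-type 136 0
 # Rule 20: everything else is logged and dropped. The protocol name ipv6
 # (assumed here) stands for any IPv6 protocol.
 rule deny ipv6 source any destination any logging
 # Inserting a rule: an explicit rule-id that does not exist yet is added at
 # the position its number implies, here between rules 5 and 10, and the
 # other rules keep their IDs.
 rule 7 permit udp source 2001:db8:10::/64 destination 2001:db8:20::53/128 destination-port eq 53
 # Editing a rule: an explicit rule-id that already exists modifies that rule.
 # Rule 5 now also requires the pre-existing time range work-hours.
 rule 5 permit tcp source 2001:db8:10::/64 destination 2001:db8:20::1/128 destination-port eq 443 time-range work-hours
 quit
```

Rules are ordered by rule ID, so after these commands the ACL is evaluated as rule 5, 7, 10, 15 and finally the explicit deny in rule 20. Both edits succeed because each resulting rule differs from every existing rule; re-issuing an identical rule under another ID would be rejected with the "rule already exists" prompt. Two checks a practitioner should make: the ACL has no effect until it is applied to an interface or policy, which this page does not cover, and on a device that uses two-stage configuration validation the rules take effect only after commit.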

Copyright © Huawei Technologies Co., Ltd.