Transport IPv6 Access Control List Feature
Configure IPv6 access control lists (ACLs) to influence the traffic flowing into or out of the interfaces.
Classes

transport_profiles (sdwan.feature_profiles)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv6_acls | List | [ipv6_acls] | No | |

ipv6_acls (sdwan.feature_profiles.transport_profiles)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^&<>! "]{1,128}$ | Yes | |
| description | String | | No | |
| default_action | Choice | accept, drop | No | |
| sequences | List | [sequences] | No | |

sequences (sdwan.feature_profiles.transport_profiles.ipv6_acls)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| id | Integer | min: 1, max: 65536 | Yes | |
| name | String | min: 1, max: 19 | No | acl |
| base_action | Choice | accept, drop | Yes | |
| match_entries | Class | [match_entries] | No | |
| actions | Class | [actions] | No | |

match_entries (sdwan.feature_profiles.transport_profiles.ipv6_acls.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| destination_data_prefix | IP | | No | |
| destination_data_prefix_list | String | Regex: ^[^&<>! "]{1,128}$ | No | |
| destination_ports | List | Integer[min: 0, max: 65535] | No | |
| traffic_class | List | Integer[min: 0, max: 63] | No | |
| icmp6_messages | List | Choice[beyond-scope, cp-advertisement, cp-solicitation, destination-unreachable, dhaad-reply, dhaad-request, echo-reply, echo-request, header, hop-limit, ind-advertisement, ind-solicitation, mld-query, mld-reduction, mld-report, mldv2-report, mpd-advertisement, mpd-solicitation, mr-advertisement, mr-solicitation, mr-termination, nd-na, nd-ns, next-header-type, ni-query, ni-query-name, ni-query-v4-address, ni-query-v6-address, ni-response, ni-response-qtype-unknown, ni-response-refuse, ni-response-success, no-admin, no-route, packet-too-big, parameter-option, parameter-problem, port-unreachable, reassembly-timeout, redirect, reject-route, renum-command, renum-result, renum-seq-number, router-advertisement, router-renumbering, router-solicitation, rpl-control, source-policy, source-route-header, time-exceeded, unreachable] | No | |
| next_header | Integer | min: 0, max: 255 | No | |
| packet_length | Integer | min: 0, max: 65535 | No | |
| source_data_prefix | IP | | No | |
| source_data_prefix_list | String | Regex: ^[^&<>! "]{1,128}$ | No | |
| source_ports | List | Integer[min: 0, max: 65535] | No | |
| tcp_state | Choice | syn | No | |

actions (sdwan.feature_profiles.transport_profiles.ipv6_acls.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| counter_name | String | Regex: ^[a-zA-Z0-9-_]{1,20}$ | No | |
| traffic_class | Integer | min: 0, max: 63 | No | |
| ipv6_next_hop | IP | | No | |
| log | Boolean | true, false | No | |
| mirror | String | Regex: ^[^&<>! "]{1,128}$ | No | |
| policer | String | Regex: ^[^&<>! "]{1,128}$ | No | |

Examples

Example-1: The example below configures a transport IPv6 access list with default action accept and two sequences. Sequence 1 matches web traffic (destination ports 80 and 443-444) destined to 2001:db8:1::/64, coming from 2001:db8:2::/64 with traffic class 46 and source ports 1023 or 60000-65535. This traffic is logged and a counter is applied. Sequence 2 matches all traffic with traffic class 48 and remarks it to traffic class 46, with logging and a counter applied.

```yaml
sdwan:
  feature_profiles:
    transport_profiles:
      - name: basic_transport
        ipv6_acls:
          - name: vpn0_ipv6_acl_out
            description: "control vpn 0 outbound traffic"
            default_action: accept
            sequences:
              # Sequence 1: web traffic from 2001:db8:2::/64 to 2001:db8:1::/64, logged and counted
              - id: 1
                name: "Allow-ICMPv6"
                base_action: accept
                match_entries:
                  destination_data_prefix: 2001:db8:1::/64
                  source_data_prefix: 2001:db8:2::/64
                  source_ports:
                    - 60000-65535
                    - 1023
                  destination_ports:
                    - 80
                    - 443-444
                  traffic_class:
                    - 46
                actions:
                  log: true
                  counter_name: "IPv6ACLCounter"
              # Sequence 2: remark traffic class 48 to 46, logged and counted
              - id: 2
                name: "remark"
                base_action: accept
                match_entries:
                  traffic_class:
                    - 48
                actions:
                  log: true
                  traffic_class: 46
                  counter_name: "RemarkCounter"
```
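
A pre-deployment check of one `ipv6_acls` entry against the constraints listed in the tables above, as an added example that is not part of the original page or the project's own tooling. The helper names `validate_acl`, `port_ok` and `int_in` are hypothetical, the inputs are constructed, and treating `lo-hi` strings as port ranges is an assumption taken from Example-1.

```python
import re

# Constraints copied from the tables on this page
NAME_RE = re.compile(r'^[^&<>! "]{1,128}$')        # ipv6_acls.name
COUNTER_RE = re.compile(r'^[a-zA-Z0-9-_]{1,20}$')   # actions.counter_name
ACTIONS = {"accept", "drop"}                        # default_action, base_action

def int_in(v, lo, hi):
    return isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi

def port_ok(p):
    # Assumption: "lo-hi" strings are port ranges, as written in Example-1
    if isinstance(p, str) and re.fullmatch(r"\d+-\d+", p):
        lo, hi = map(int, p.split("-"))
        return lo <= hi <= 65535
    return int_in(p, 0, 65535)

def validate_acl(acl):
    """Return the constraint violations found in one ipv6_acls entry."""
    errs = []
    def need(ok, where):
        if not ok:
            errs.append(where)
    need(NAME_RE.fullmatch(str(acl.get("name", ""))), "acl: name")
    need(acl.get("default_action") in ACTIONS | {None}, "acl: default_action")
    for seq in acl.get("sequences", []):
        tag = f"sequence {seq.get('id')}"
        match, act = seq.get("match_entries", {}), seq.get("actions", {})
        need(int_in(seq.get("id"), 1, 65536), f"{tag}: id")
        need(seq.get("base_action") in ACTIONS, f"{tag}: base_action")
        for key in ("source_ports", "destination_ports"):
            need(all(port_ok(p) for p in match.get(key, [])), f"{tag}: {key}")
        need(all(int_in(t, 0, 63) for t in match.get("traffic_class", [])),
             f"{tag}: match traffic_class")
        need("traffic_class" not in act or int_in(act["traffic_class"], 0, 63),
             f"{tag}: action traffic_class")
        need("counter_name" not in act
             or COUNTER_RE.fullmatch(str(act["counter_name"])), f"{tag}: counter_name")
    return errs

# Constructed input: fields from sequence 1 of Example-1, then an invalid entry
GOOD = {"name": "vpn0_ipv6_acl_out", "default_action": "accept", "sequences": [{
    "id": 1, "base_action": "accept", "actions": {"counter_name": "IPv6ACLCounter"},
    "match_entries": {"source_ports": ["60000-65535", 1023], "traffic_class": [46],
                      "destination_ports": [80, "443-444"]}}]}
BAD = {"name": "vpn0 acl", "sequences": [
    {"id": 0, "base_action": "permit",
     "match_entries": {"destination_ports": ["443-70000"], "traffic_class": [64]},
     "actions": {"counter_name": "this-counter-name-is-too-long"}}]}
```

`validate_acl(GOOD)` returns an empty list, while `validate_acl(BAD)` names each field that breaks a constraint, so the check can gate a change before the YAML is pushed.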