IPv6 ACL Configuration for 128-Bit Support
Configuration for Physical, PO, SA and MLAG Interfaces
Enable hardware-profile ingress-ipv6-ext:
(config)#hardware-profile filter ingress-ipv6-ext enable
Enable ingress IPv6 group for 128-bit address qualification on physical interfaces.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#ipv6 access-list test1
Create an IPv6 access list named test1.
(config-ipv6-acl)#permit any 2001::1/128 2002::1/128
Create an access rule to permit any IPv6 packet from 2001::1/128 to 2002::1/128.
(config-ipv6-acl)#commit
Commit the candidate configuration to the running configuration.
(config)#interface xe1
Enter interface mode.
(config-if)#ipv6 access-group test1 in
Attach IPv6 access list test1 to the interface.
(config-if)#commit
Commit the candidate configuration to the running configuration.
Validation
Use the commands below to verify the hardware-profile configurations.
#show hardware-profile filters
 
Note: Shared count is the calculated number from available resources.
Dedicated count provides allocated resource to the group.
If group shares the dedicated resource with other groups, then dedicated
count of group will reduce with every resource usage by other groups.
 
+-------------------------+---------+---------------+----------------------------+
|                         | Free    |     Used      |       Total Entries        |
| Unit - TCAMS            | Entries |---------------|----------------------------|
|                         |         |  %  | Entries | Total | Dedicated | shared |
+-------------------------+---------+-----+---------+-------+-----------+--------+
0 INGRESS IPV6-ACL-EXT      1280       0    0         1280    0           1280
 
#
Use the commands below to verify the running configurations.
#show running-config ipv6 access-list
ipv6 access-list test1
10 permit any 2001::1/128 2002::1/128
!
#show running-config interface xe1
!
interface xe1
ipv6 access-group test1 in
!
#
Use the commands below to verify the match count.
#show ipv6 access-lists test1
IPv6 access list test1
10 permit any 2001::1/128 2002::1/128 [match=1000]
268435453 permit icmpv6 any any
default deny-all
#
Note: Use the command clear ipv6 access-list counters to clear statistics of all IPv6 ACLs configured or clear ipv6 access-list NAME counters to clear statistics of a particular IPv6 ACL.
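The following Python sketch is an added example, not part of the OcNOS documentation or tooling. It parses the show ipv6 access-lists test1 output shown above and evaluates sample packets against it, so that the effect of the /128 match, the implicit permit icmpv6 entry and the default deny-all can be checked offline. It assumes first-match evaluation in ascending sequence order; the function names and the sample packets are hypothetical.

```python
import ipaddress
import re

# Output of "show ipv6 access-lists test1", copied from the validation step above.
SHOW_OUTPUT = """\
IPv6 access list test1
10 permit any 2001::1/128 2002::1/128 [match=1000]
268435453 permit icmpv6 any any
default deny-all
"""

RULE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+\[match=(?P<hits>\d+)\])?$"
)

def parse_acl(text):
    """Return (rules sorted by sequence number, default action)."""
    rules, default = [], None
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["seq"] = int(rule["seq"])
            rule["hits"] = int(rule["hits"] or 0)  # no counter shown -> 0
            rules.append(rule)
        elif line.startswith("default "):
            default = "deny" if "deny" in line else "permit"
    return sorted(rules, key=lambda r: r["seq"]), default

def _addr_match(spec, addr):
    # "any" matches everything; otherwise compare against the full prefix,
    # which for /128 means all 128 bits of the address.
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, default, proto, src, dst):
    """Assumed first-match evaluation; returns (action, matching seq or None)."""
    for r in rules:
        if (r["proto"] in ("any", proto)
                and _addr_match(r["src"], src)
                and _addr_match(r["dst"], dst)):
            return r["action"], r["seq"]
    return default, None

if __name__ == "__main__":
    rules, default = parse_acl(SHOW_OUTPUT)
    # Constructed sample packets: exact host, one-bit-off source, ICMPv6.
    for pkt in [("tcp", "2001::1", "2002::1"), ("tcp", "2001::2", "2002::1"),
                ("icmpv6", "2001::2", "2002::1")]:
        print(pkt, "->", evaluate(rules, default, *pkt))
```

A source that differs from 2001::1 only in the last bit falls through to default deny-all, while ICMPv6 from the same source is still permitted by the implicit entry at sequence 268435453.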
Configuration for VLAN Interfaces and L3 Subinterfaces
Enable hardware-profile ingress-ipv6-ext-vlan.
(config)#hardware-profile filter ingress-ipv6-ext-vlan enable
Enable ingress IPv6 group for 128-bit address qualification on VLAN interfaces and subinterfaces.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#interface vlan1.20
Enter interface mode.
(config-if)#ipv6 access-group test1 in
Attach IPv6 access list test1 to the interface.
(config-if)#commit
Commit the candidate configuration to the running configuration.
(config)#interface xe1.2
Enter interface mode.
(config-if)#ipv6 access-group test1 in
Attach IPv6 access list test1 to the interface.
(config-if)#commit
Commit the candidate configuration to the running configuration.
Validation
Use the commands below to verify the hardware-profile configurations.
#show hardware-profile filters
Note: Shared count is the calculated number from available resources.
Dedicated count provides allocated resource to the group.
If group shares the dedicated resource with other groups, then dedicated
count of group will reduce with every resource usage by other groups.
 
+-------------------------+---------+---------------+----------------------------+
|                         | Free    |     Used      |       Total Entries        |
| Unit - TCAMS            | Entries |---------------|----------------------------|
|                         |         |  %  | Entries | Total | Dedicated | shared |
+-------------------------+---------+-----+---------+-------+-----------+--------+
0 INGRESS IPV6-ACL-EXT-VLAN 1280       0    0         1280    0           1280
Use the commands below to verify the running configurations.
#show running-config ipv6 access-list
ipv6 access-list test1
10 permit any 2004::1/128 2005::1/128
!
 
#show running-config interface vlan1.20
!
interface vlan1.20
ipv6 access-group test1 in
#
 
#show running-config interface xe1.2
interface xe1.2
ipv6 access-group test1 in
!
Use the commands below to verify the match count.
#show ipv6 access-lists test1
IPv6 access list test1
10 permit any 2004::1/128 2005::1/128 [match=1000]
268435453 permit icmpv6 any any
default deny-all
Note: Use the command clear ipv6 access-list counters to clear statistics of all IPv6 ACLs configured or clear ipv6 access-list NAME counters to clear statistics of a particular IPv6 ACL.
Last modified date: 10/19/2023