Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

IPv6 ACE

Each IPv6 access control list (ACL) contains up to 16 individual rules called access control entries (ACEs). Each ACE is a set of parameters for specific network traffic and the switch's action when it identifies matching traffic.

To create a new ACE, go to Configure > Access control > IPv6 ACE and click Add.

To delete an ACE, click Delete for the ACE you want to delete.

To update an ACE's settings, click Edit.

You can configure the following settings:

  • ACL name: From the drop-down list, select the ACL to which you want to apply the ACE.
  • Sequence: The sequence number determines the order in which the switch processes ACEs across all ACLs on an interface. Enter a value from 1 to 2147483647, with '1' being processed first.
  • Action: Select one of the following actions to take on traffic that matches the ACE:

    • Permit: Forwards packets that match the ACL.
    • Deny: Drops packets that match the ACL.
  • Type of service: Allows you to set the Differentiated Services Field Codepoints (DSCP) value. Enter a value from 0 to 63. See Differentiated Services Field Codepoints (DSCP).

  • Destination IPv6: The destination IP address for the traffic.
  • Prefix length of destination IPv6: The IPv6 prefix length for the Destination IPv6.
  • Source IPv6: The source IP address for the traffic.
  • Prefix length of source IPv6: The IPv6 prefix length for the Source IPv6.
  • Destination port range: Select a destination port range for the traffic. See Port range.
  • Source port range: Select a source port range for the traffic. See Port range.
  • Protocol: Select one of the following options from the drop-down list:

    • Any: Matches all protocols.
    • Select from a List: Select one of the following protocols from the Protocol list:

      • TCP: Transmission Control Protocol (TCP) allows two hosts to communicate and exchange data streams. It guarantees packet delivery and ensures that packets are transmitted and received in the order they were sent.
      • UDP: User Datagram Protocol (UDP) is a communication protocol that transmits packets but does not guarantee delivery.
      • IPv6:ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.
    • Select from ID: Enter a value from 0 to 255 for Protocol ID. See Protocol Numbers.

  • ICMP: Select one of the following from the drop-down list:

    • Any: Matches all ICMP traffic.
    • Select from List: Select one of the following options from the ICMP list:

      • Destination Unreachable: The ICMP packet couldn't reach its destination.
      • Packet Too Big: This indicates that the ICMP packet exceeds the network's MTU and is too big to travel on that network.
      • Time Exceeded: This message indicates the ICMP packet's time to live (TTL) expired in transit.
      • Parameter Problem: The device can't interpret an invalid parameter.
      • Echo Request: A message sent from one device to another to check if they can communicate and measure the time it takes.
      • Echo Reply: The response a device sends after receiving an ICMP echo request.
      • Router Solicitation: A message sent by a host to request router information.
      • Router Advertisement: A message a device sends to announce its availability as a router.
      • Nd Ns: This is an IPv6 Neighbor Discovery Protocol (NDP) neighbor solicitation message.
      • Nd Na: This is an IPv6 NDP neighbor advertisement message.
    • Select from ID: Enter a value from 0 to 255 for ICMP ID.

  • ICMP code: Enter a value from 0 to 255. See Internet Control Message Protocol (ICMP) Parameters.

  • TCP Flags: You can filter TCP traffic by whether the Urg, Ack, Psh, Rst, Syn, and Fin flags are Set or Unset. Select Don't care to ignore TCP flags.

Click Apply to save your ACE.
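
The following Python model is an added example, not Sophos code. It shows how the Sequence, Protocol, and ICMP settings interact: a broad ICMPv6 deny also drops NDP neighbor solicitation and advertisement traffic unless permits with lower sequence numbers come first. It assumes that the first matching ACE decides the action; the `Ace` class, the `evaluate` function, and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ICMPV6 = 58  # IANA protocol number for ICMPv6 (the "IPv6:ICMP" protocol)
# ICMPv6 type numbers (RFC 4443, RFC 4861) for entries in the ICMP list
ICMP_TYPES = {"Echo Request": 128, "Echo Reply": 129, "Router Solicitation": 133,
              "Router Advertisement": 134, "Nd Ns": 135, "Nd Na": 136}

@dataclass
class Ace:
    sequence: int                     # 1 to 2147483647, lowest processed first
    action: str                       # "permit" or "deny"
    src: str = "::/0"                 # Source IPv6 / prefix length
    dst: str = "::/0"                 # Destination IPv6 / prefix length
    protocol: Optional[int] = None    # Protocol ID 0-255, None = Any
    icmp_type: Optional[int] = None   # ICMP ID 0-255, None = Any

    def __post_init__(self):
        if not 1 <= self.sequence <= 2147483647:
            raise ValueError("sequence must be 1 to 2147483647")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.protocol in (None, pkt["proto"])
                and self.icmp_type in (None, pkt.get("icmp_type")))

def evaluate(aces, pkt) -> Optional[str]:
    """Assumed model: ascending sequence, first matching ACE decides."""
    for ace in sorted(aces, key=lambda a: a.sequence):
        if ace.matches(pkt):
            return ace.action
    return None  # nothing matched; the page does not state a default action

# Constructed packets: a neighbor solicitation and an echo request
NS = {"src": "fe80::1", "dst": "ff02::1:ff00:2", "proto": ICMPV6, "icmp_type": 135}
PING = {"src": "2001:db8::10", "dst": "2001:db8::20", "proto": ICMPV6, "icmp_type": 128}

# A blanket ICMPv6 deny at sequence 10 also drops neighbor discovery
BROAD = [Ace(10, "deny", protocol=ICMPV6), Ace(20, "permit")]
# Lower-sequence permits for NS and NA are processed before that deny
ORDERED = BROAD + [Ace(1, "permit", protocol=ICMPV6, icmp_type=ICMP_TYPES["Nd Ns"]),
                   Ace(2, "permit", protocol=ICMPV6, icmp_type=ICMP_TYPES["Nd Na"])]

if __name__ == "__main__":
    for name, acl in (("broad", BROAD), ("ordered", ORDERED)):
        print(name, "NS:", evaluate(acl, NS), "ping:", evaluate(acl, PING))
```

Running the same check against a planned rule set before applying it shows whether address resolution traffic survives the ICMP filtering.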