Within an exception filter policy, configure exception entries that contain criteria against which ingress and network traffic is matched. Packets that match the entry criteria are allowed to transit the IPsec domain in clear text.
Enter an exception filter entry ID. The system does not dynamically assign a value.
Specify matching criteria.
Use the following CLI syntax to configure IPv6 exception filter matching criteria:
- config>filter# ipv6-exception exception-id
    - entry entry-id [create]
        - description description-string
        - match
            - dst-ip {ipv6-address/prefix-length | ipv6-address | ipv6-prefix-list prefix-list-name}
            - dst-port {lt | gt | eq} dst-port-number
            - dst-port range dst-port-number dst-port-number
            - icmp-code icmp-code
            - icmp-type icmp-type
            - src-ip {ipv6-address/prefix-length | ipv6-address | ipv6-prefix-list prefix-list-name}
            - src-port {lt | gt | eq} src-port-number
            - src-port range src-port-number src-port-number

- config>filter>ipv6-except# entry 1 create
- config>filter>ipv6-except>entry# match
- config>filter>ipv6-except>entry>match# src-ip 2001:db8::1/128
- config>filter>ipv6-except>entry>match# dst-ip 2001:db8::2/128
- config>filter>ipv6-except>entry>match# exit
The following example displays a matching configuration.
A:domain1>config>filter>ipv6-exception# info
----------------------------------------------
        description "exception-main"
        entry 1
            match
                dst-ip 2001:db8::1/128
                src-ip 2001:db8::2/128
            exit
        exit
----------------------------------------------
A:domain1>config>filter>ipv6-except#
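
An added example, not part of the original documentation: because packets that match an entry transit the IPsec domain in clear text, a reviewer may want to check how broad each entry is. The Python code below parses text in the shape of the `info` output above and flags entries whose `src-ip` or `dst-ip` is unset or wide; the second sample entry, the /64 threshold, and the assumption that an unset criterion matches any value are illustrative and do not come from the source.

```python
import ipaddress
import re

# Constructed sample shaped like the `info` output; entry 2 is hypothetical.
SAMPLE_INFO = """\
description "exception-main"
entry 1
    match
        dst-ip 2001:db8::1/128
        src-ip 2001:db8::2/128
    exit
exit
entry 2
    match
        dst-ip 2001:db8::/32
        dst-port eq 179
    exit
exit
"""

def parse_entries(info_text):
    """Return {entry_id: {criterion: value}} from exception filter `info` text."""
    entries, current = {}, None
    for raw in info_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"entry (\d+)(?: create)?", line)
        if m:
            current = entries.setdefault(int(m.group(1)), {})
        elif current is not None and line not in ("match", "exit", ""):
            key, _, value = line.partition(" ")
            current[key] = value
    return entries

def audit(entries, min_prefix_len=64):  # 64 is an assumed review threshold
    """Flag entries that let a wide range of traffic bypass encryption."""
    findings = []
    for entry_id, crit in sorted(entries.items()):
        for field in ("src-ip", "dst-ip"):
            value = crit.get(field)
            if value is None:  # assumption: an unset criterion matches anything
                findings.append((entry_id, field, "not set, assumed to match any address"))
            elif not value.startswith("ipv6-prefix-list"):  # lists need separate review
                net = ipaddress.ip_network(value, strict=False)
                if net.prefixlen < min_prefix_len:
                    findings.append((entry_id, field, f"broad prefix /{net.prefixlen}"))
    return findings

if __name__ == "__main__":
    print(audit(parse_entries(SAMPLE_INFO)))
```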