The permit command in IPv6 access list configuration mode is similar to the IPv4 permit command, except that it is IPv6-specific. Use the permit command following the ipv6 access-list command to define the conditions under which a packet passes the access list or to define the access list as a reflexive access list.
argument matches against the IPv6 header of the packet.
By default, the
first statement in an access list is number 10, and the subsequent statements
are incremented by 10.
You can add
statements to an existing access list without retyping the entire list. To add
a new statement anywhere other than at the end of the list, create a new
statement with an appropriate entry number that falls between two existing
entry numbers to indicate where it belongs.
In Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, and 12.0(22)S, IPv6 access control lists (ACLs) are defined and their deny and permit conditions are set by using the ipv6 access-list command with the deny and permit keywords in global configuration mode. In Cisco IOS Release 12.0(23)S or later releases, IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the permit and deny commands in IPv6 access list configuration mode. Refer to the ipv6 access-list command for more information on defining IPv6 ACLs.
In Cisco IOS Release 12.0(23)S or later releases, every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor
discovery process makes use of the IPv6 network layer service; therefore, by
default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent
and received on an interface. In IPv4, the Address Resolution Protocol (ARP),
which is equivalent to the IPv6 neighbor discovery process, makes use of a
separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly
allow ARP packets to be sent and received on an interface.
The source and destination IPv6 prefix arguments are used for traffic filtering (the source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination). Prefix lists, not access lists, should be used for filtering routing protocol prefixes.
keyword is an option only if the
arguments are not specified.
The following is
a list of ICMP message names:
Reflexive Access Lists
To define an IPv6 reflexive list, a form of session filtering, use the reflect keyword in the permit command. The reflect keyword creates an IPv6 reflexive access list and triggers the creation of entries in the reflexive access list. The reflect keyword must be an entry (condition statement) in an IPv6 access list. For IPv6 reflexive access lists to work, you must nest the reflexive access list using the evaluate command.
If you are
configuring IPv6 reflexive access lists for an external interface, the IPv6
access list should be one that is applied to outbound traffic.
If you are
configuring an IPv6 reflexive access list for an internal interface, the IPv6
access list should be one that is applied to inbound traffic.
IPv6 sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the IPv6 access list, the packet is also evaluated against the IPv6 reflexive permit entry.
As with all IPv6 access list entries, the order of entries is important, because they are evaluated in sequential order. When an IPv6 packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.
If the packet
matches an entry prior to the reflexive permit entry, the packet will not be
evaluated by the reflexive permit entry, and no temporary entry will be created
for the reflexive access list (session filtering will not be triggered).
The packet will
be evaluated by the reflexive permit entry if no other match occurs first.
Then, if the packet matches the protocol specified in the reflexive permit
entry, the packet is forwarded and a corresponding temporary entry is created
in the reflexive access list (unless the corresponding entry already exists,
indicating that the packet belongs to a session in progress). The temporary
entry specifies criteria that permit traffic into your network only for the same session.
Characteristics of Reflexive Access List Entries
The permit command with the reflect keyword enables the creation of temporary entries in the same IPv6 reflexive access list that was defined by the permit command. The temporary entries are created when an IPv6 packet exiting your network matches the protocol specified in the permit command. (The packet "triggers" the creation of a temporary entry.) These entries have the following characteristics:
- The entry is a permit entry.
- The entry specifies the same IP upper-layer protocol as the original triggering packet.
- The entry specifies the same source and destination addresses as the original triggering packet, except that the addresses are swapped.
- If the original triggering packet is TCP or UDP, the entry specifies the same source and destination port numbers as the original packet, except that the port numbers are swapped.
- If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: the temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).
- The entry inherits all the values of the original triggering packet, with exceptions only as noted in the previous four bullets.
- Packets entering your internal network will be evaluated against the entry until the entry expires. If an IPv6 packet matches the entry, the packet will be forwarded into your network.
- The entry will expire (be removed) after the last packet of the session is matched.
- If no packets belonging to the session are detected for a configured length of time (the timeout period), the entry will expire.
The following example configures two IPv6 access lists named OUTBOUND and INBOUND and applies both access lists to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and UDP packets from network 2001:0DB8:0300:0201::/64 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive access list named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network FEC0:0:0:0201::/64 (packets that have the site-local prefix FEC0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The third permit entry in the OUTBOUND list permits all ICMP packets to exit out of Ethernet interface 0.
The permit entry in the INBOUND list permits all ICMP packets to enter Ethernet interface 0. The evaluate command in the list applies the temporary IPv6 reflexive access list named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets. Refer to the evaluate command for more information on nesting IPv6 reflexive access lists within IPv6 ACLs.
ipv6 access-list OUTBOUND
 permit tcp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT
 permit udp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT
 deny ipv6 FEC0:0:0:0201::/64 any
 permit icmp any any
ipv6 access-list INBOUND
 permit icmp any any
 evaluate REFLECTOUT
interface ethernet 0
 ipv6 traffic-filter OUTBOUND out
 ipv6 traffic-filter INBOUND in
Given that a permit ipv6 any any statement is not included as the last entry in the OUTBOUND or INBOUND access list, only TCP, UDP, and ICMP packets will be permitted out of and in to Ethernet interface 0 (the implicit deny all condition at the end of the access list denies all other packet types on the interface).
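The sequential evaluation rule, the temporary-entry rules (addresses and TCP/UDP ports swapped, ICMP type 8 answered by type 0) and the idle timeout described above, modelled in Python as an added example that is not part of the Cisco documentation. The OUTBOUND model, the packets, the 300-second timeout and the simplified matching on protocol and source prefix only are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # TCP/UDP ports; unused for ICMP
    dport: int = 0
    icmp_type: int = 0  # ICMP type; unused for TCP/UDP
def reflect_entry(trigger: Pkt) -> Pkt:
    """Temporary entry for an outbound trigger: same protocol, addresses and TCP/UDP
    ports swapped; ICMP keeps its type except that type 8 is answered by type 0."""
    if trigger.proto in ("tcp", "udp"):
        return Pkt(trigger.proto, trigger.dst, trigger.src, trigger.dport, trigger.sport)
    return Pkt(trigger.proto, trigger.dst, trigger.src,
               icmp_type=0 if trigger.icmp_type == 8 else trigger.icmp_type)

class ReflexiveList:
    """Temporary permit entries with a last-seen time; idle > `timeout` s means expired."""
    def __init__(self, timeout: float = 300.0):   # 300 s is a constructed default
        self.timeout, self.entries = timeout, {}
    def trigger(self, pkt: Pkt, now: float) -> None:
        self.entries[reflect_entry(pkt)] = now     # session in progress: just refresh
    def evaluate(self, pkt: Pkt, now: float) -> bool:
        seen = self.entries.get(pkt)
        if seen is None:
            return False
        if now - seen > self.timeout:              # idle past the timeout: expired
            del self.entries[pkt]
            return False
        self.entries[pkt] = now
        return True

OUTBOUND = [  # constructed model of the OUTBOUND list: (action, protocol, source prefix, reflect)
    ("permit", "tcp",  "2001:0DB8:0300:0201::/64", "REFLECTOUT"),
    ("permit", "udp",  "2001:0DB8:0300:0201::/64", "REFLECTOUT"),
    ("deny",   "ipv6", "FEC0:0:0:0201::/64",       None),
    ("permit", "icmp", "::/0",                      None),
]

def outbound(acl, pkt: Pkt, reflex: ReflexiveList, now: float) -> bool:
    """First match wins; only a matching reflect permit creates a temporary entry."""
    src = ipaddress.ip_address(pkt.src)
    for action, proto, prefix, refl in acl:
        if proto in (pkt.proto, "ipv6") and src in ipaddress.ip_network(prefix):
            if action == "permit" and refl:
                reflex.trigger(pkt, now)      # the packet "triggers" a temporary entry
            return action == "permit"
    return False                              # implicit deny at the end of the list
```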
The following example shows how to allow the matching of any UDP traffic. The authentication header may be present.
permit udp any any sequence 10
The following example shows how to allow the matching of only TCP traffic if the authentication header is also present.
permit tcp any any auth sequence 20
The following example shows how to allow the matching of any IPv6 traffic where the authentication header is present.
permit ahp any any sequence 30