Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S
IPv6 Template ACL
Downloads: This chapterpdf (PDF - 1.24MB) The complete bookPDF (PDF - 3.52MB) | The complete bookePub (ePub - 469.0KB) | Feedback

IPv6 Template ACL

IPv6 Template ACL

When user profiles are configured using vendor-specific attribute (VSA) Cisco AV-pairs, similar per-user IPv6 ACLs may be replaced by a single template ACL. That is, one ACL represents many similar ACLs. By using IPv6 template ACLs, you can increase the total number of per-user ACLs while minimizing the memory and Ternary Content Addressable Memory (TCAM) resources needed to support the ACLs.

The IPv6 Template ACL feature can create templates using the following ACL fields:

  • IPv6 source and destination addresses
  • TCP and UDP, including all associated ports (0 through 65535)
  • ICMP neighbor discovery advertisements and solicitations
  • IPv6 DSCP with specified DSCP values

ACL names are dynamically generated by this feature; for example:

  • 6Temp_#152875854573--Example of a dynamically generated template name for a template ACL parent
  • Virtual-Access2.32135#152875854573--Example of a child ACL or an ACL that has not yet been made part of a template.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About IPv6 ACL—Template ACL

IPv6 Template ACL

When user profiles are configured using vendor-specific attribute (VSA) Cisco AV-pairs, similar per-user IPv6 ACLs may be replaced by a single template ACL. That is, one ACL represents many similar ACLs. By using IPv6 template ACLs, you can increase the total number of per-user ACLs while minimizing the memory and Ternary Content Addressable Memory (TCAM) resources needed to support the ACLs.

The IPv6 Template ACL feature can create templates using the following ACL fields:

  • IPv6 source and destination addresses
  • TCP and UDP, including all associated ports (0 through 65535)
  • ICMP neighbor discovery advertisements and solicitations
  • IPv6 DSCP with specified DSCP values

ACL names are dynamically generated by this feature; for example:

  • 6Temp_#152875854573--Example of a dynamically generated template name for a template ACL parent
  • Virtual-Access2.32135#152875854573--Example of a child ACL or an ACL that has not yet been made part of a template.

How to Enable IPv6 ACL—Template ACL

Enabling IPv6 Template Processing

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    access-list template [number-of-rules]

    4.    exit

    5.    show access-list template {summary | aclname | exceed number | tree}


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable 
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal 
     

    Enters global configuration mode.

     
    Step 3 access-list template [number-of-rules]


    Example:
    Router(config)# access-list template 50 
     

    Enables template ACL processing.

    • The example in this task specifies that ACLs with 50 or fewer rules will be considered for template ACL status.
    • The number-of-rules argument default is 100.
     
    Step 4 exit


    Example:
    Router(config)# exit 
     

    Exits global configuration mode and places the router in privileged EXEC mode.

     
    Step 5 show access-list template {summary | aclname | exceed number | tree}


    Example:
    Router# show access-list template summary
     

    Displays information about ACL templates.

     

    Configuration Examples for IPv6 ACL—Template ACL

    Example: IPv6 Template ACL Processing

    In this example, the contents of ACL1 and ACL2 are the same, but the names are different:

    ipv6 access-list extended ACL1 (PeerIP: 2001:1::1/64) 
    permit igmp any                  2003:1::1/64 
    permit icmp 2002:5::B/64         any 
    permit udp  any                  host 2004:1::5 
    permit udp  any                  host 2002:2BC::a 
    permit icmp host 2001:BC::7      host 2003:3::7 
    ipv6 access-list extended ACL2 (PeerIP: 2007:2::7/64) 
    permit igmp any                  2003:1::1/64 
    permit icmp 2002:5::B/64         any 
    permit udp  any                  host 2004:1::5 
    permit udp  any                  host 2002:2BC::a 
    permit icmp host 2001:BC::7      host 2003:3::7 
    

    The template for these ACLs is as follows:

    ipv6 access-list extended Template_1 
    permit igmp any                  2003:1::1/64 
    permit icmp 2002:5::B/64         any 
    permit udp  any                  host 2004:1::5 
    permit udp  any                  host 2002:2BC::a 
    permit icmp host 2001:BC::7      host 2003:3::7 

    Additional References

    Related Documents

    Related Topic

    Document Title

    IPv6 addressing and connectivity

    IPv6 Configuration Guide

    Cisco IOS commands

    Cisco IOS Master Commands List, All Releases

    IPv6 commands

    Cisco IOS IPv6 Command Reference

    Cisco IOS IPv6 features

    Cisco IOS IPv6 Feature Mapping

    Standards and RFCs

    Standard/RFC

    Title

    RFCs for IPv6

    IPv6 RFCs

    MIBs

    MIB

    MIBs Link

    To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

    http:/​/​www.cisco.com/​go/​mibs

    Technical Assistance

    Description

    Link

    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

    Feature Information for IPv6 ACL—Template ACL

    Table 1 Feature Information for IPv6 ACL—Template ACL

    Feature Name

    Releases

    Feature Information

    IPv6 ACL—Template ACL

    Cisco IOS XE Release 3.2S

    This feature allows similar per-user IPv6 ACLs to be replaced by a single template ACL.

    The following commands were introduced or modified: access-list template, show access-list template.