Cisco�7600 Series Router Software Configuration Guide Cisco IOS Release 15S
Configuring IPv6 PACL
Downloads: This chapterpdf (PDF - 257.0KB) The complete bookPDF (PDF - 14.89MB) | Feedback

Table Of Contents

Configuring IPv6 PACL

Understanding IPv6 PACL

Restrictions for IPv6 PACL feature

Configuring IPv6 PACL

Creating Access List

Configuring PACL mode and Applying IPv6 PACL

Verifying IPv6 PACL

Troubleshooting Tips


Configuring IPv6 PACL


This chapter describes how to configure the IPv6 Port based Access Control List (PACL).

This chapter includes the following sections:

Understanding IPv6 PACL

Configuring IPv6 PACL

Verifying IPv6 PACL

Understanding IPv6 PACL

The c7600 has mechanisms to apply Access Control Lists (ACLs) at various levels such as Router, VLAN, and Port level. Router Access Control Lists (RACLs) are applied on a Switch Virtual Interface (SVI) or physical interface to filter out the layer 3 traffic. VLAN Access Control Lists (VACLs) are configured on VLANs, and are applicable on the layer 2 and the layer 3 packets passing through the VLAN.

PACLs help filter the incoming Layer 3 packets based on layer 2 and layer 4 parameters at the layer 2 switchports.

Figure 40-1 PACL on Physical Ports

Restrictions for IPv6 PACL feature

Following restrictions apply to the IPv6 PACL feature:

IPv6 PACL is not supported in the IOS software path.

IPv6 PACL is not supported in the egress direction.

IPv6 PACL logging is not supported.

IPv6 PACL does not support routing header match and Differentiated Services Code Point (DSCP) ACL match as these features do not have hardware support.

IPv6 supports fragment keyword and layer 4 information.

IPv6 PACL supports time-based ACLs.

When you configure the platform ipv6 acl icmp optimize neighbor-discovery command, a global Internet Control Message Protocol (ICMP) Neighbor Discovery (ND) Value Mask Result (VMR) is appended at the top of the Ternary Content-Addressable Memory (TCAM). This ICMP entry overrides the applicable PACL configured on the interface.

IPv6 PACL is supported on the layer 2 etherchannel, but not on its member ports.

IPv6 PACL is supported on the trunk ports only in the port prefer mode.

IPv6 PACL does not support the access-list log and reflect/evaluate keywords. These keywords are ignored if you add them to the access list for a PACL.

Due to the limited size of the flow key in the TCAM, IPv6 addresses along with the layer 4 port information cannot be accommodated unless the IPv6 addresses are compressed. Use the mls ipv6 acl compress address unicast command to compress the IPv6 address. You cannot apply the IPv6 PACL to non-compressible addresses, if the filtering is based on layer 4 ports.

Configuring IPv6 PACL

The following sections describe how to configure IPv6 PACL on c7600:

Creating Access List

Configuring PACL mode and Applying IPv6 PACL

Creating Access List

Complete the following steps to create an access list:

SUMMARY STEPS


Step 1 enable

Step 2 configure terminal

Step 3 ipv6 access-list access-list-name

Step 4 {permit | deny} {protocol/ IPv6 source prefix} source [source-ipv6-address] destination [destination-ipv6-address]

Step 5 end

ETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router# enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ipv6 access-list access-list-name

Example:

Router(config)# ipv6 access-list list1

Defines an IPv6 ACL, and enters the IPv6 access list configuration mode.

access-list name: Specifies the name of the IPv6 ACL. IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.

Step 4 

{permit | deny} {protocol/ IPv6 source prefix} source [source-ipv6-address] destination [destination-ipv6-address]

Example:

Router(config-ipv6-acl)# permit tcp 1000::1/64 any

Specifies permit or deny conditions for an IPv6 ACL.

permit | deny: Determines whether the specified traffic is blocked or allowed to pass.

protocol / IPv6 source prefix: Specifies any source ipv6 prefix, protocol (IPv6 ,ICMP ,tcp ,udp) or a number between 0 and 254.

source: Specifies the source of the traffic.

destination: Specifies the destination of the traffic.

source-ipv6-address: Specifies the source IPv6 address.

destination-ipv6-address: Specifies the destination IPv6 address.

Note The source or destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any to specify any address, or a specific host designated by host host_ipv6_addr.

Step 5 

end

Example:

Router(config-ipv6-acl)# end

Ends the current configuration session.

Configuration Example

This example shows how to create an IPv6 ACL:

Router# enable
Router# configure terminal
Router(config)# ipv6 access-list list1
Router(config-ipv6-acl)# permit tcp 1000::1/64 any
Router(config-ipv6-acl)# end

Configuring PACL mode and Applying IPv6 PACL

Complete the following steps to configure the PACL mode, and apply IPv6 PACL on a switchport interface:

SUMMARY STEPS


Step 1 enable

Step 2 configure terminal

Step 3 interface type number

Step 4 switchport

Step 5 switchport mode {access | trunk}

Step 6 switchport access vlan vlan-id [or] switchport trunk allowed vlan vlan-list

Step 7 access-group mode {prefer {port | vlan} | merge}

Step 8 ipv6 traffic-filter access-list-name in

Step 9 end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router# enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface gigabitethernet 3/24

Configures an interface, and enters the interface configuration mode.

Step 4 

switchport

Example:

Router(config-if)# switchport

Moves the interface into Layer 2 mode.

Step 5 

switchport mode {access | trunk}

Example:

Router(config-if)# switchport mode access

Sets the interface type.

Step 6 

switchport access vlan vlan-id

[or]

switchport trunk allowed vlan vlan-list

Example:

Router(config-if)# switchport access vlan 1000

or

Router(config-if)# switchport trunk allowed vlan 1000, 2000

Sets the VLAN when an interface is in access mode.

or

Sets the list of allowed VLANs when in trunk mode.

Step 7 

access-group mode {prefer {port | vlan} | merge}

Example:

Router(config-if)# access-group mode prefer port

Sets the mode for the switchport interface.

Note IPv6 PACL is applied on the trunk port only if the access-group mode on the trunk port is set to prefer port. On access ports, if the access-group mode is set to prefer port, then the features between the SVI and the switchport do not merge.

Step 8 

ipv6 traffic-filter access-list-name in

Example:

Router(config-if)# ipv6 traffic-filter list1 in

Filters the incoming IPv6 traffic on a switchport interface.

Step 9 

end

Example:

Router(config-if)# end

Ends the current configuration session.

Configuration Example

This example shows how to configure a PACL mode and apply an IPv6 PACL on a switchport interface:

Router# enable
Router# configure terminal
Router(config)# interface gigabitethernet 3/24
Router(config-if)# switchport
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 1000
Router(config-if)# access-group mode prefer port
Router(config-if)# ipv6 traffic-filter list1 in
Router(config-if)# end
 
 

Verifying IPv6 PACL

Use these commands to verify the configuration of IPv6 PACL on c7600:

The show ipv6 access-list command displays the details of all the IPv6 access lists created.

Router# show ipv6 access-list
 
 
IPv6 access list PACL
    permit ipv6 host 2001:410:1:0:200:FF:FE00:1 host 2001:410:2:0:200:FF:FE00:1 
sequence 10
    deny ipv6 host 2001:410:1:0:200:FF:FE00:2 host 2001:410:2:0:200:FF:FE00:2 sequence 
20
    permit ipv6 host 2001:410:1::3 host 2001:410:2::3 sequence 30
 
 

The show run interface GigabitEthernet command displays the IOS interface configuration.

Router# show run interface GigabitEthernet 7/0/1
 
 
Current configuration : 179 bytes
!
interface GigabitEthernet7/0/1
 switchport
 switchport access vlan 10
 switchport mode access
ipv6 traffic-filter PACL in
end
 
 

The show tcam interface GigabitEthernet acl in ipv6 command displays the following output when the IPv6 PACL is configured on an interface.

Router# show  tcam interface GigabitEthernet 7/0/1 acl in ipv6 
* Global Defaults shared
-------------------------------------------------------
ICMP Neighbor Discovery Packet Types: 
na - neighbor advertisement  ra - router advertisement
ns - neighbor solicit        rs - router solicit 
r  - redirect 
 
 
IPV6 Address Types:
full - IPv6 Full             eui - IPv6 EUI 
eipv4 - IPv6 embeded IPv4 
-------------------------------------------------------
    permit       ipv6 host 0:2001:410:1:0:200:0:1(eui) host 
0:2001:410:2:0:200:0:1(eui)
    deny         ipv6 host 0:2001:410:1:0:200:0:2(eui) host 
0:2001:410:2:0:200:0:2(eui)
    permit       ipv6 host 2001:410:1::3(full) host 2001:410:2::3(full)
    permit       icmp(nd-ra) any(eui) any
    permit       icmp(nd-na) any(eui) any
    permit       icmp(nd-rs) any(eui) any
    permit       icmp(nd-ra) any(full) any
    permit       icmp(nd-na) any(full) any
    permit       icmp(nd-rs) any(full) any
    deny         ipv6 any(eipv4) any
    deny         ipv6 any(eui) any
    deny         ipv6 any(full) any
 
 

The show fm interface FastEthernet command displays all the features configured on a specific interface including the PACLs.

Router# show fm interface FastEthernet 2/1

Interface: FastEthernet2/1 IP is disabled
  hw_state[INGRESS] = not reduced, hw_state[EGRESS] = not reduced
  mcast = 0
  priority = 0
  flags = 0x0
  parent[INGRESS] = none
  inbound label: 65
    Feature IPV6_PACL:
        ACL: test
-----------------------------------------------------------------------------
 FM_FEATURE_IPV6_PACL - PACL Name: test          Direction:Ingress 
=============================================================================
DPort  - Destination Port  SPort  - Source Port       Pro    - Protocol        
PT     - Packet Type       DPT    - Dst. Packet Type  SPT    - Src. Packet Type
X      - XTAG              TOS    - TOS Value         Res    - VMR Result      
RFM    - R-Recirc. Flag    MRTNPC - M-Multicast Flag  R      - Reflexive flag  
       - F-Fragment flag          - T-Tcp Control     N      - Non-cachable    
       - M-More Fragments         - P-Mask Priority(H-High, L-Low) 
Adj.   - Adj. Index        C      - Capture Flag      T      - M(Mask)/V(Value)
FM     - Flow Mask         NULL   - Null FM           SAO    - Source Only FM  
DAO    - Dest. Only FM     SADA   - Sour.& Dest. Only VSADA  - Vlan SADA Only  
ISADA  - Intf. SADA        FF     - Full Flow         VFF    - Vlan Full Flow  
IFF    - Intf. FF          F-VFF  - Either FF or VFF  IFF-FF - Either IFF or FF
A-VSD  - Atleast VSADA     A-FF   - Atleast FF        A-VFF  - Atleast VFF     
A-SON  - Atleast SAO       A-DON  - Atleast DAO       A-SD   - Atleast SADA    
SHORT  - Shortest          ISADA-L- ISADA Least       FF-L   - FF Least        
IFF-L  - IFF Least         A-SFF  - Any short than FF A-EFF  - Any except FF   
A-EVFF - Any except VFF    SA-L   - Source Least      DA-L   - Dest. Least     
SADA-L - SADA Least        FF-LESS- FF Less           N-FF   - Not FF          
N-IFF  - Not IFF           A-LVFF - Any less than VFF FULL   - Full Pkt Type   
EUI    - EUI 64 Pkt Type   EMBD   - Embedded Pkt Type ELNK   - EUI Link Overlap
ESIT   - EUI Site Overlap  LINK   - Link Pkt Type     SITE   - Site Pkt Type   
ERR    - Flowmask Error  

 
    
+----+-+----------------------------------------+----------------------+----+----+----+---+---+-+------+----+------+
|Indx|T|    Dest IPv6 Addr                      |    Source IPv6 Addr  | DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.| 
FM  |
+----+-+----------------------------------------+----------------------+----+----+----+---+---+-+------+----+------+
          
 1    V                                     14::                    2:: FULL FULL ----   0 --- - ----L- ---- SHORT   
      M                    FFFF:FFFF:FFFF:FFFF::  FFFF:FFFF:FFFF:FFFF:: EMBD EMBD        0   0
      TM_PERMIT_RESULT              
          
 2    V                                    15::1                     :: FULL  EUI ----   0 --- - ----L- ---- SHORT   
      M  FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF                     :: EMBD  EUI        0   0
      TM_PERMIT_RESULT              
          
 3    V                                    15::1                     :: FULL FULL ----   0 --- - ----L- ---- SHORT   
      M  FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF                     :: EMBD EMBD        0   0
      TM_PERMIT_RESULT              
          
 4    V                                       ::                     :: ----  EUI ----  58 --- - ----L- ---- SHORT   
      M                                       ::                     :: ----  EUI      255   0
      TM_PERMIT_RESULT              
          
 5    V                                       ::                     :: ---- FULL ----  58 --- - ----L- ---- SHORT   
      M                                       ::                     :: ---- EMBD      255   0
      TM_PERMIT_RESULT              
          
 6    V                                       ::                     :: ----  EUI ----  58 --- - ----L- ---- SHORT   
      M                                       ::                     :: ----  EUI      255   0
      TM_PERMIT_RESULT              
          
 7    V                                       ::                     :: ---- FULL ----  58 --- - ----L- ---- SHORT   
      M                                       ::                     :: ---- EMBD      255   0
      TM_PERMIT_RESULT              
          
 8    V                                       ::                     :: ----  EUI ----  58 --- - ----L- ---- SHORT   
      M                                       ::                     :: ----  EUI      255   0
      TM_PERMIT_RESULT              
          
 9    V                                       ::                     :: ---- FULL ----  58 --- - ----L- ---- SHORT   
      M                                       ::                     :: ---- EMBD      255   0
      TM_PERMIT_RESULT              
          
 10   V                                       ::                     :: ---- ---- ----   0 --- - ----L- ---- SHORT   
      M                                       ::                     :: ---- ----        0   0

Troubleshooting Tips

For troubleshooting information, contact Cisco Technical Assistance Center (TAC) at:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html