Security Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Configuring IPv6 ACLs

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

IPv6 ACLs Overview

You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces, much as you create and apply named IP Version 4 (IPv4) ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP Base or LAN Base feature set.

A switch supports two types of IPv6 ACLs:

  • IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to IPv6 packets that are routed.
  • IPv6 port ACLs are supported on inbound and outbound Layer 2 interfaces. IPv6 port ACLs are applied to all IPv6 packets entering the interface.

The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.

You can apply both IPv4 and IPv6 ACLs to an interface. As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs.

Switch Stacks and IPv6 ACLs

The active switch supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members.

If a standby switch takes over as the active switch, it distributes the ACL configuration to all stack members. The member switches synchronize to the configuration distributed by the new active switch and flush any entries that are no longer required.

When an ACL is modified, attached to, or detached from an interface, the active switch distributes the change to all stack members.

Interactions with Other Features and Switches

  • If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
  • If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
  • You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured. You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.
  • You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
  • If the hardware memory is full, packets are dropped on the interface and an unload error message is logged.

Restrictions for IPv6 ACLs

With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.

The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:

  • The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
  • The switch does not support reflexive ACLs (the reflect keyword).
  • This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs (VLAN maps).
  • The switch does not apply MAC-based ACLs on IPv6 frames.
  • You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
  • When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the switch checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.
  • If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the switch does not allow the ACE to be added to the ACL that is currently attached to the interface.

IPv6 ACLs on the switch have these characteristics:

  • Fragmented frames (the fragments keyword, as in IPv4) are supported.
  • The same statistics supported in IPv4 are supported for IPv6 ACLs.
  • If the switch runs out of hardware space, the packets associated with the ACL are dropped on the interface.
  • Logging is supported for router ACLs, but not for port ACLs.
  • The switch supports IPv6 address-matching for a full range of prefix-lengths.

Default Configuration for IPv6 ACLs

By default the only IPv6 ACL present is preauth_ipv6_acl, a per-user ACL that permits DNS (UDP and TCP port 53, shown as domain), the ICMPv6 Neighbor Discovery and router discovery messages that IPv6 needs in order to function on the link, and DHCPv6 (UDP 546/547), and then denies all other IPv6 traffic:

Switch# show access-lists preauth_ipv6_acl
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

Configuring IPv6 ACLs

To filter IPv6 traffic, you perform these steps:

SUMMARY STEPS

    1.    configure terminal

    2.    [no] {ipv6 access-list list-name | client permit-control-packets | log-update threshold | role-based list-name}

    3.    [no] {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]

    4.    {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6- prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [sequence value] [syn] [time-range name] [urg]

    5.    {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [sequence value] [time-range name]

    6.    {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [sequence value] [time-range name]

    7.    end

    8.    show ipv6 access-list


DETAILED STEPS

    Step 1: configure terminal

    Example:
    Switch# configure terminal

    Enters global configuration mode.

     
    Step 2: [no] {ipv6 access-list list-name | client permit-control-packets | log-update threshold | role-based list-name}


    Example:
    Switch(config)# ipv6 access-list example_acl_list
     

    Defines an IPv6 ACL name, and enters IPv6 access list configuration mode.

     
    Step 3: [no] {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]
     

    Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:

    • For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol (next header) number.
    • The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/ prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).
    • Enter any as an abbreviation for the IPv6 prefix ::/0.
    • For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
    • (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6- prefix/prefix-length argument, it must match the destination port.
    • (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.
    • (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
    • (Optional) Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.
    • (Optional) Enter log to send a logging message to the console about each packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs, not for port ACLs.
    • (Optional) Enter routing to match IPv6 packets that carry a routing header. Note that this switch does not support matching on the routing header (see Restrictions for IPv6 ACLs).
    • (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4,294,967,295.
    • (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
     
    Step 4: {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [sequence value] [syn] [time-range name] [urg]
     

    (Optional) Define a TCP access list and the access conditions.

    Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3, with these additional optional parameters:

    • ack—Acknowledgment bit set.
    • established—An established connection. A match occurs if the TCP datagram has the ACK or RST bits set.
    • fin—Finished bit set; no more data from sender.
    • neq {port | protocol}—Matches only packets that are not on a given port number.
    • psh—Push function bit set.
    • range {port | protocol}—Matches only packets in the port number range.
    • rst—Reset bit set.
    • syn—Synchronize bit set.
    • urg—Urgent pointer bit set.
     
    Step 5: {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [sequence value] [time-range name]
     

    (Optional) Define a UDP access list and the access conditions.

    Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the [operator [port]] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP.

     
    Step 6: {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [sequence value] [time-range name]
     

    (Optional) Define an ICMP access list and the access conditions.

    Enter icmp for Internet Control Message Protocol (ICMPv6). The ICMP parameters are the same as those described for the other IP protocols in Step 3, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:

    • icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
    • icmp-code—Enter to filter ICMP packets of the given type further by ICMP message code, a number from 0 to 255.
    • icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key or see command reference for this release.
     
    Step 7: end
     

    Return to privileged EXEC mode.

     
    Step 8: show ipv6 access-list
     

    Verify the access list configuration.
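    The following is an added example, not from the original guide, that puts Steps 2 to 8 together into one router ACL protecting the switch's own management plane. The ACL name MGMT-IN-V6, the administrative prefix 2001:db8:100::/64 and the sequence numbers are assumptions; every keyword used is one documented in Steps 3 to 6 above. The list is written as it appears in the configuration (lines beginning with ! are comments). Because the log keyword is supported only on router ACLs, this list is meant for a Layer 3 interface, not for a port ACL.

```cisco
ipv6 access-list MGMT-IN-V6
 ! 10: SSH (TCP 22) to the switch only from the assumed admin prefix
 permit tcp 2001:db8:100::/64 any eq 22 sequence 10
 ! 20: cleartext management is refused from everywhere, and each attempt is logged
 deny tcp any any eq telnet log sequence 20
 ! 30-60: Neighbor Discovery and router discovery; without these the link stops working
 permit icmp any any nd-ns sequence 30
 permit icmp any any nd-na sequence 40
 permit icmp any any router-solicitation sequence 50
 permit icmp any any router-advertisement sequence 60
 ! 70: Packet Too Big is required for path MTU discovery
 permit icmp any any packet-too-big sequence 70
 ! 80: replies to TCP sessions the switch opened itself (ACK or RST set)
 permit tcp any any established sequence 80
 ! 90: an explicit final deny so that the drops are logged
 deny ipv6 any any log sequence 90
```

    After end, show ipv6 access-list MGMT-IN-V6 displays the entries in sequence order, and the per-entry match counters in that output (see Monitoring IPv6 ACLs) are the quickest way to confirm that the list is catching what you expect, for example that entry 20 increments when a Telnet attempt is made.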

     
    What to Do Next

    Attach the IPv6 ACL to an Interface

    Attaching an IPv6 ACL to an Interface

    You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces (router ACLs), or to inbound traffic on Layer 2 interfaces (port ACLs). An input router ACL on a Layer 3 interface also filters management traffic destined to the switch itself.

    Follow these steps to control access to an interface:

    SUMMARY STEPS

      1.    configure terminal

      2.    interface interface-id

      3.    no switchport

      4.    ipv6 address ipv6-address

      5.    ipv6 traffic-filter access-list-name {in | out}

      6.    end


    DETAILED STEPS

      Step 1: configure terminal

      Example:
      Switch# configure terminal

      Enters global configuration mode.

       
      Step 2: interface interface-id
       

      Identify a Layer 2 interface (for port ACLs) or Layer 3 interface (for router ACLs) on which to apply an access list, and enter interface configuration mode.

       
      Step 3: no switchport
       

      (Router ACLs on physical ports only) Changes the interface from Layer 2 mode (the default) to Layer 3 routed-port mode. Skip this step for an SVI, which is already a Layer 3 interface, and for a port ACL on a Layer 2 interface.

       
      Step 4: ipv6 address ipv6-address
       

      Configures an IPv6 address on the Layer 3 interface (router ACLs only). Not required for a port ACL on a Layer 2 interface.

       
      Step 5: ipv6 traffic-filter access-list-name {in | out}
       

      Applies the access list to incoming (in) or outgoing (out) traffic on the interface. If the list contains a keyword the hardware cannot match, the command is rejected here, at attach time (see Restrictions for IPv6 ACLs).

       
      Step 6: end


      Example:
      
      Switch(config)# end
      
      
       

      Returns to privileged EXEC mode.
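      An added example, not from the original guide, that applies an ACL to each of the interface types this procedure covers. The interface numbers, VLAN 100, the ACL names and the prefixes are assumptions, and MGMT-IN-V6 is assumed to exist already (for instance as defined in the previous procedure). The port ACL HOST-IN-V6 deliberately contains no log keyword, because logging is not supported for port ACLs, and it takes precedence over the router ACL on the SVI for frames entering that port. Steps 3 and 4 (no switchport and ipv6 address) are needed only on the physical port that is converted to a routed port.

```cisco
! Router ACL on an SVI: already a Layer 3 interface, so "no switchport" is not needed
interface Vlan100
 ipv6 address 2001:db8:100::1/64
 ipv6 traffic-filter MGMT-IN-V6 in
!
! Port ACL for a host-facing access port. No log keyword (unsupported on port ACLs).
ipv6 access-list HOST-IN-V6
 ! A host must never originate Router Advertisements; drop them before the link-local permit
 deny icmp any any router-advertisement sequence 10
 ! Neighbor Discovery, DHCPv6 and other link-local traffic from the host
 permit ipv6 fe80::/10 any sequence 20
 ! Duplicate Address Detection sends Neighbor Solicitations from the unspecified address
 permit icmp any any nd-ns sequence 30
 ! Global traffic only from the prefix assigned to this VLAN (anti-spoofing)
 permit ipv6 2001:db8:100::/64 any sequence 40
 deny ipv6 any any sequence 50
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ipv6 traffic-filter HOST-IN-V6 in
!
! Routed port: convert with "no switchport", address it, then attach the router ACL
interface GigabitEthernet1/0/24
 no switchport
 ipv6 address 2001:db8:200::1/64
 ipv6 traffic-filter MGMT-IN-V6 in
```

      Verify the result with show ipv6 access-list and show running-config interface GigabitEthernet1/0/1. HOST-IN-V6 cannot be applied to a Layer 2 EtherChannel (see Restrictions for IPv6 ACLs), and if either list contained a keyword the hardware cannot match, the ipv6 traffic-filter command would be rejected when the list is attached rather than when it was defined.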

       

      Monitoring IPv6 ACLs

      You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the privileged EXEC commands shown in the table below:

      Command Purpose
      show access-lists Displays all access lists configured on the switch.
      show ipv6 access-list [access-list-name] Displays all configured IPv6 access lists or the access list specified by name.

      This is an example of the output from the show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.

      Switch# show access-lists
      Extended IP access list hello
          10 permit ip any any
      IPv6 access list ipv6
          permit ipv6 any any sequence 10

      This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only the IPv6 access lists configured on the switch or switch stack, with a match counter for each entry that has matched traffic.

      Switch# show ipv6 access-list
      IPv6 access list inbound
          permit tcp any any eq bgp (8 matches) sequence 10
          permit tcp any any eq telnet (15 matches) sequence 20
          permit udp any any sequence 30
      
      IPv6 access list outbound
          deny udp any any sequence 10
          deny tcp any any eq telnet sequence 20

      Additional References

      Related Documents

      Related Topic: IPv6 security configuration topics
      Document Title: IPv6 Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
      http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/config_library/xe-3se/3850/ipv6-xe-3se-3850-library.html

      Related Topic: IPv6 command reference
      Document Title: IPv6 Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
      http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-xe-3se-3850-cr-book.html

      Error Message Decoder

      Description: To help you research and resolve system error messages in this release, use the Error Message Decoder tool.
      Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

      MIBs

      MIB: All supported MIBs for this release.
      MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
      http://www.cisco.com/go/mibs

      Technical Assistance

      Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

      To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

      Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

      Link: http://www.cisco.com/support