Configuring an IPv6 Access Control List on the Cisco ASR 903 Router

IPv6 Access Control Lists (ACLs) determine what traffic is blocked and what traffic is forwarded at device interfaces. ACLs filter traffic based on source and destination addresses, and can be applied inbound or outbound on a specific interface.

The following sections describe how to configure IPv6 ACLs on the Cisco ASR 903 Series Router:

  • Restrictions
  • Configuring IPv6 Access Control List
  • Verifying the Configuration
  • Configuration Example

Restrictions

The following restrictions apply when configuring IPv6 ACLs on the Cisco ASR 903 Series Router:

  • ACE-specific counters are not supported.
  • Layer 3 IPv4 and IPv6 ACLs are not supported on the same interface.
  • MAC ACLs are not supported on EFP or trunk EFP interfaces to which Layer 3 IPv4 or IPv6 ACLs are applied.
  • Up to 1500 unique ACLs are supported per interface or EFP.
  • Up to 500 ACEs per ACL or 1500 total ACEs are supported.
  • IPv6 ACLs are supported on physical interfaces, bridge-domain interfaces, and port-channel interfaces. IPv6 ACLs are not currently supported on EFP interfaces.
  • The following ACE parameters are supported:
      • Source address
      • Destination address
      • TCP ports
      • UDP ports
      • DSCP value
    Other ACE parameters are not supported.
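
The restrictions above can be checked offline before a configuration is pushed to the router. The following Python checker is an added example, not Cisco's code: it lints running-config style text against the ACE limits, the supported-parameter list and the rule against IPv4 and IPv6 ACLs on one interface. Assumptions: the port operators (eq, lt, gt, neq, range), ip access-group as the IPv4 counterpart of ipv6 traffic-filter, "1500 total ACEs" read as a count across all ACLs in the text, and the constructed sample configuration.

```python
import re

MAX_PER_ACL, MAX_TOTAL = 500, 1500  # ACE limits from the Restrictions list
# Keyword -> number of arguments; the port operators are standard IOS, not from the page.
TAKES_ARG = {"host": 1, "eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2,
             "dscp": 1, "sequence": 1}
FLAGS = {"any", "log", "log-input"}

def unsupported_tokens(ace):  # tokens that are not an address, port, DSCP or listed option
    toks, bad, i = ace.split()[2:], [], 0  # skip the action and the protocol
    while i < len(toks):
        t = toks[i]
        if t in TAKES_ARG:
            i += TAKES_ARG[t]  # skip the keyword's argument(s)
        elif not (t in FLAGS or ":" in t or t.isdigit()):
            bad.append(t)
        i += 1
    return bad

def lint(config):  # findings for running-config style text; totals span all ACLs in it
    acls, ifaces, acl, iface = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ipv6 access-list (\S+)", line):
            acl, iface = acls.setdefault(m.group(1), []), None
        elif m := re.match(r"interface (\S+)", line):
            acl, iface = None, ifaces.setdefault(m.group(1), set())
        elif acl is not None and re.match(r"(permit|deny)\b", line):
            acl.append(line)
        elif iface is not None and re.match(r"(ip access-group|ipv6 traffic-filter) ", line):
            iface.add(line.split()[0])  # records "ip" or "ipv6"
    out = [f"{n}: {len(a)} ACEs exceeds {MAX_PER_ACL} per ACL"
           for n, a in acls.items() if len(a) > MAX_PER_ACL]
    out += [f"{n}: unsupported {unsupported_tokens(e)} in '{e}'"
            for n, a in acls.items() for e in a if unsupported_tokens(e)]
    if (total := sum(map(len, acls.values()))) > MAX_TOTAL:
        out.append(f"{total} ACEs in total exceeds {MAX_TOTAL}")
    out += [f"{n}: IPv4 and IPv6 ACLs on the same interface"
            for n, k in ifaces.items() if len(k) == 2]
    return out

SAMPLE = """\
ipv6 access-list ipv6_acl
 permit tcp any host 2001:db8::10 eq 443 dscp 46
 deny tcp any any established
interface GigabitEthernet0/0/1
 ip access-group v4_acl in
 ipv6 traffic-filter ipv6_acl in
"""  # constructed sample, not taken from the page
print("\n".join(lint(SAMPLE)))
```
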

Configuring IPv6 Access Control List

The following sections describe how to configure an IPv6 ACL on the Cisco ASR 903 Series Router:

  • Creating an IPv6 Access List
  • Applying an IPv6 Access Control List to a Physical Interface

Creating an IPv6 Access List

Follow these steps to create a new IPv6 ACL.

Summary Steps

1. configure terminal

2. ipv6 access-list access-list-name

3. permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [port-number] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [port-number] [dscp value] [log] [log-input] [sequence value]

4. deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [port-number] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [port-number] [dscp value] [log] [log-input] [sequence value]

5. end

Detailed Steps

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: ipv6 access-list access-list-name
  Example: Device(config)# ipv6 access-list ipv6-acl
  Purpose: Defines an IPv6 ACL, and enters IPv6 access list configuration mode.

Step 3
  Command: permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [port-number] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [port-number] [dscp value] [log] [log-input] [sequence value]
  Example: Device(config-ipv6-acl)# permit icmp any any
  Purpose: Sets permit conditions for the IPv6 ACL.

Step 4
  Command: deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [port-number] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [port-number] [dscp value] [log] [log-input] [sequence value]
  Example: Device(config-ipv6-acl)# deny icmp any any
  Purpose: Sets deny conditions for the IPv6 ACL.

Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.

Applying an IPv6 Access Control List to a Physical Interface

Follow these steps to apply an IPv6 ACL to a physical interface.

Summary Steps

1. configure terminal

2. interface interface-id

3. ipv6 traffic-filter access-list-name [in | out]

4. end

Detailed Steps

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: interface interface-id
  Purpose: Specify the interface to which the IPv6 ACL will be applied, and enter interface configuration mode. Valid interfaces are physical ports.

Step 3
  Command: ipv6 traffic-filter access-list-name [in | out]
  Example: Device(config-if)# ipv6 traffic-filter ipv6-acl
  Purpose: Applies the IPv6 ACL to the interface to filter inbound or outbound IPv6 traffic.

Step 4
  Command: end
  Purpose: Return to privileged EXEC mode.

Verifying the Configuration

You can use the following commands to verify your IPv6 ACL configuration on the Cisco ASR 903 Series Router:

  • show platform hardware pp active acl label label-number: Displays ACL information for a given label.
  • show platform hardware pp active acl name acl-name: Displays ACL information for a given ACL name.
  • show platform hardware pp active acl acl-name stats: Displays statistics for a given IPv6 ACL.
  • show platform hardware pp active tcam utilization acl detail id: Displays TCAM usage for a given IPv6 ACL.

Configuration Example

The following is a sample configuration for IPv6 ACL on the Cisco ASR 903 Series Router.

Router(config)# ipv6 access-list ipv6_acl
Router(config-ipv6-acl)# permit tcp any any
Router(config-ipv6-acl)# permit udp any any
Router(config-ipv6-acl)# permit any any
Router(config-ipv6-acl)# hardware statistics
Router(config-ipv6-acl)# exit

! Assign an IP address and add the ACL on the interface.

Router(config)# interface GigabitEthernet3/1/0
Router(config-if)# no ip address
Router(config-if)# negotiation auto
Router(config-if)# ipv6 address 2001:1::1/64
Router(config-if)# ipv6 enable
Router(config-if)# ipv6 traffic-filter ipv6_acl in
Router(config-if)# exit
Router(config)# exit
Router# clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#

! Verify the configurations.

Router# show running-config interface GigabitEthernet3/1/0

Building configuration...

Current configuration : 114 bytes
!
interface GigabitEthernet3/1/0
 no ip address
 negotiation auto
 ipv6 address 1001::1/64
 ipv6 traffic-filter ipv6_acl in
end