You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP base feature set.
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
The controller supports most of the Cisco IOS-supported IPv6 ACLs with some exceptions:
The controller does not support routing, and only inbound ACLs are supported for wireless clients.
The controller does not support matching on these keywords: flowlabel, routingheader, and undetermined-transport.
The controller does not support reflexive ACLs (the reflect keyword).
The controller does not apply MAC-based ACLs on IPv6 frames.
When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the controller checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.
If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the controller does not allow the ACE to be added to the ACL that is currently attached to the interface.
Information About IPv6 ACL
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs are configured on the controller and applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients, or to the controller central processing unit (CPU) to control all traffic destined for the CPU.
You can also create a preauthentication ACL for web authentication. Such an ACL is used to allow certain types of traffic before authentication is complete.
IPv6 ACLs support the same options as IPv4 ACLs, including source, destination, and source and destination ports.
You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6 ACL to deny all IPv6 traffic and apply it on specific or all WLANs.
For the per-user ACL, the full access control entries (ACEs) as text strings are configured on the
The ACE is not configured on the controller. The ACE is sent to the controller in the
attribute, and the controller applies it directly to the client. When a wireless client roams into a foreign controller, the ACEs are sent to the foreign controller as an AAA attribute in the mobility Handoff message. Output direction, using per-user ACL, is not supported.
Filter ID IPv6
For the filter-Id ACL, the full ACEs and the name (filter-id) are configured on the controller, and only the filter-id is configured on the
is sent to the controller in the ACCESS-Accept attribute; the controller looks up the filter-id for the ACEs and then applies the ACEs to the client. When the client L2 roams to the
controller, only the filter-id is sent to the
controller in the mobility Handoff message. Output filtered ACL, using per-user ACL, is not supported. The foreign controller has to configure the filter-id and
Downloadable IPv6 ACL
For the downloadable ACL (dACL), the full ACEs and the dACL name are all configured on the ACS only.
The controller does not configure any ACL.
The ACS sends the dACL name to the controller in its ACCESS-Accept attribute; the controller takes the dACL name and sends it back to the ACS in an access-request attribute to obtain the ACEs.
The ACS responds to the controller with the corresponding ACEs in the access-accept attribute. When the wireless client roams to a foreign controller, only the dACL name is sent to the foreign controller in the mobility Handoff message. The foreign controller contacts the ACS server with the dACL name to retrieve the ACEs.
Configuring IPv6 ACLs
To filter IPv6 traffic, you perform these steps:
1. Create an IPv6 ACL, and enter IPv6 access list configuration mode.
2. Configure the IPv6 ACL to block (deny) or pass (permit) traffic.
3. Apply the IPv6 ACL to the interface where the traffic needs to be filtered.
Default IPv6 ACL Configuration
There are no IPv6 ACLs configured or applied.
Other Features and Switches
If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured.
You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error.
You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
If the hardware memory is full, packets for any additional configured ACLs are punted to the CPU, and those ACLs are applied in software. When the hardware is full, a message is printed to the console indicating that the ACL has been unloaded and the packets will be dropped on the interface.
How To Configure an IPv6 ACL
Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL:
Controller# configure terminal
Enters global configuration mode.
ipv6 access-list access-list-name
Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.
Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:
For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, stcp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.
The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).
Enter any as an abbreviation for the IPv6 prefix ::/0.
For source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range.
If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.
The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.
Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.
Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.
Enter routing to specify that IPv6 packets be routed.
Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
Enter time-range name to specify the time range that applies to the deny or
Define a UDP access list and the access conditions.
Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the operator [port]] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP.
Define an ICMP access list and the access conditions.
Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 3a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
icmp-type—Enter to filter by ICMP message type, a number from 0
icmp-code—Enter to filter ICMP packets that are filtered by the ICMP message code type, a number from 0 to 255.
icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key or see command reference for this
Returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.
show ipv6 access-list
access list configuration.
copy running-config startup-config
your entries in the configuration file.
This section describes how to apply IPv6 ACLs to network interfaces. You can apply an IPv6 ACL to outbound or inbound traffic on Layer 2 and Layer 3 interfaces. You can apply IPv6 ACLs only to inbound management traffic on Layer 3 interfaces.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Logging is supported only on Layer 3 interfaces.
Controller(config)# ipv6 access-list CISCO
Controller(config-ipv6-acl)# deny tcp any any gt 5000
Controller(config-ipv6-acl)# deny udp ::/0 lt 5000 ::/0 log
Controller(config-ipv6-acl)# permit icmp any any
Controller(config-ipv6-acl)# permit any any
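The CISCO access list above, the keyword restrictions listed at the top of this page, and the implicit deny-all can be exercised offline with the following Python model. It is an added example, not Cisco's code or the controller's matching engine: the grammar it accepts is the subset used on this page (protocol keyword or number, any or prefix/length, port operators, log, sequence); port names are limited to the two that appear in the show output below; and the automatic 10, 20, ... sequence numbering mirrors that output rather than a documented rule. The packet values in the usage note are constructed.

```python
"""Added example, not Cisco's code: a model of the IPv6 ACL semantics on this page.
parse_ace() checks one ACE string; evaluate() applies first-match plus the implicit deny-all."""
import ipaddress
from dataclasses import dataclass
PROTOCOLS = {"ahp", "esp", "icmp", "ipv6", "pcp", "stcp", "tcp", "udp"}
OPERATORS = {"lt", "gt", "eq", "neq", "range"}
UNSUPPORTED = {"flowlabel", "routingheader", "undetermined-transport", "reflect"}
PORT_NAMES = {"telnet": 23, "bgp": 179}   # the names seen in the show output below

@dataclass
class ACE:
    action: str
    proto: str                            # keyword, or a protocol number as text
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    src_port: tuple = None                # (operator, port, upper port for 'range')
    dst_port: tuple = None
    log: bool = False
    sequence: int = None

def _port(tok, proto):                    # decimal port, or a name (TCP/UDP only)
    if tok.isdigit() and int(tok) <= 65535:
        return int(tok)
    if proto in ("tcp", "udp") and tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"bad port {tok!r} for protocol {proto}")

def _address(tokens, i):                  # 'any' or prefix/length -> (network, next index)
    net = "::/0" if tokens[i] == "any" else tokens[i]
    return ipaddress.IPv6Network(net, strict=False), i + 1

def _port_test(tokens, i, proto):         # optional 'operator port [port]' clause
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return None, i
    op, lo = tokens[i], _port(tokens[i + 1], proto)
    hi, i = (_port(tokens[i + 2], proto), i + 3) if op == "range" else (lo, i + 2)
    return (op, lo, hi), i

def parse_ace(line):
    tokens = line.split()
    bad = UNSUPPORTED.intersection(tokens)
    if bad or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rejected: unsupported keyword(s) {sorted(bad)} or bad action")
    proto, i = "ipv6", 1                  # no protocol keyword means any IPv6 traffic
    if tokens[1] in PROTOCOLS or tokens[1].isdigit():
        if tokens[1].isdigit() and int(tokens[1]) > 255:
            raise ValueError("protocol number must be 0-255")
        proto, i = tokens[1], 2
    src, i = _address(tokens, i)
    src_port, i = _port_test(tokens, i, proto)
    dst, i = _address(tokens, i)
    dst_port, i = _port_test(tokens, i, proto)
    ace = ACE(tokens[0], proto, src, dst, src_port, dst_port)
    while i < len(tokens):                # trailing options
        if tokens[i] in ("log", "log-input"):
            ace.log, i = True, i + 1
        elif tokens[i] == "sequence" and 1 <= int(tokens[i + 1]) <= 4294967295:
            ace.sequence, i = int(tokens[i + 1]), i + 2
        else:
            raise ValueError(f"unexpected or out-of-range token {tokens[i]!r}")
    return ace

def ace_error(line):                      # None if accepted, else why it would be rejected
    try:
        parse_ace(line)
    except ValueError as exc:
        return str(exc)

def parse_acl(lines):
    # Unsequenced entries get 10, 20, ... past the highest sequence so far (as in the
    # show output below); the result is sorted by sequence, which is the matching order.
    aces, last = [], 0
    for line in filter(str.strip, lines):
        ace = parse_ace(line)
        if ace.sequence is None:
            ace.sequence = (last // 10 + 1) * 10
        last = max(last, ace.sequence)
        aces.append(ace)
    return sorted(aces, key=lambda a: a.sequence)

def _port_ok(test, port):                 # no operator: match; no port (e.g. ICMP): never
    if test is None:
        return True
    op, lo, hi = test
    return port is not None and {"lt": port < lo, "gt": port > lo, "eq": port == lo,
                                 "neq": port != lo, "range": lo <= port <= hi}[op]

def evaluate(acl, proto, src, dst, src_port=None, dst_port=None):
    """Return (action, matching ACE); first match wins, else the implicit deny-all."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for ace in acl:
        if (ace.proto in ("ipv6", proto) and src in ace.src and dst in ace.dst
                and _port_ok(ace.src_port, src_port) and _port_ok(ace.dst_port, dst_port)):
            return ace.action, ace
    return "deny", None

# The CISCO list from the example above, with 'udp' on the second entry because
# a port operator needs a TCP or UDP protocol keyword.
CISCO_ACL = parse_acl(["deny tcp any any gt 5000", "deny udp ::/0 lt 5000 ::/0 log",
                       "permit icmp any any", "permit any any"])
```

With constructed addresses, evaluate(CISCO_ACL, "tcp", "2001:db8::10", "2001:db8::1", 40000, 443) returns the final permit entry (sequence 40); parsing the same list without that entry makes the identical packet return ("deny", None), which is the implicit deny-all the example text describes. ace_error() reports why a line would be refused (a reflect keyword, a protocol number above 255, a sequence of 0), the check worth running on per-user ACE strings before they are pushed from the AAA server, since the controller rejects such an ACE when the ACL is already attached.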
This example shows how to apply the access list CISCO to outbound traffic on a Layer 3 interface.
Controller(config-if)# no switchport
Controller(config-if)# ipv6 address 2001::/64 eui-64
Controller(config-if)# ipv6 traffic-filter CISCO out
Example: Displaying IPv6 ACLs
This is an example of the output from the show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.
Controller# show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10
This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only IPv6 access lists configured on the switch or switch stack.
Controller# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
Example: Configuring RA Throttling and NS Suppression
This task describes how to create an RA throttle policy that keeps power-saving wireless clients from being disturbed by frequent unsolicited periodic RAs. The unsolicited multicast RA is throttled by the controller.