IPv6 Access Control Lists

IPv6 Access Control Lists

Last Updated: September 20, 2012

Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering of traffic based on source and destination addresses, and inbound and outbound traffic to a specific interface. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.

This module describes how to configure IPv6 traffic filtering and to control access to virtual terminal lines.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IPv6 Access Control Lists

Access Control Lists for IPv6 Traffic Filtering

The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-listcommand with the deny and permit keywords in global configuration mode.

IPv6 extended ACLs augments standard IPv6 ACL functionality to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).

IPv6 Packet Inspection

The following header fields are all used for IPv6 inspection--traffic class, flow label, payload length, next header, hop limit, and source or destination address. For further information on and descriptions of the IPv6 header fields, see RFC 2474.

Access Class Filtering in IPv6

Filtering incoming and outgoing connections to and from the router based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local router address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local router address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.

Tunneling Support

IPv6 packets tunneled in IPv4 are not inspected. If a tunnel terminates on a router, and IPv6 traffic exiting the tunnel is nonterminating, then the traffic is inspected.

Virtual Fragment Reassembly

When VFR is enabled, VFR processing begins after ACL input lists are checked against incoming packets. The incoming packets are tagged with the appropriate VFR information.

How to Configure IPv6 Access Control Lists

Configuring IPv6 Traffic Filtering

Creating and Configuring an IPv6 ACL for Traffic Filtering

This section describes how to configure your networking devices to filter traffic, function as a firewall, or detect potential viruses.

Before You Begin

Note


  • Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can be overridden by the user by placing a deny ipv6 any any statement within an ACL. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
  • Time-based and reflexive ACLs are not supported for IPv4 or IPv6 on the Cisco 12000 series platform. The reflect, timeout, and time-range keywords of the permit command in IPv6 are excluded on the Cisco 12000 series.
>

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 access-list access-list-name

4.   Do one of the following:

  • permit protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix / prefix-length| any | host destination-ipv6-address| auth} [operator [port-number]] [dest-option-type [doh-number| doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
  • deny protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ipv6 access-list access-list-name


Example:

Router(config)# ipv6 access-list outbound

 

Defines an IPv6 ACL, and enters IPv6 access list configuration mode.

  • The access-list name argument specifies the name of the IPv6 ACL. IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.
 
Step 4
Do one of the following:
  • permit protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix / prefix-length| any | host destination-ipv6-address| auth} [operator [port-number]] [dest-option-type [doh-number| doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
  • deny protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]


Example:

Router(config-ipv6-acl)# permit tcp 2001:DB8:0300:0201::/32 eq telnet any reflect reflectout



Example:



Example:



Example:

Router(config-ipv6-acl)# deny tcp host 2001:DB8:1::1 any log-input

 

Specifies permit or deny conditions for an IPv6 ACL.

 

Applying the IPv6 ACL to an Interface

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface type number

4.    ipv6 traffic-filter access-list-name {in| out}


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
interface type number


Example:

Router(config)# interface ethernet 0

 

Specifies the interface type and number, and enters interface configuration mode.

 
Step 4
ipv6 traffic-filter access-list-name {in| out}


Example:

Router(config-if)# ipv6 traffic-filter outbound out

 

Applies the specified IPv6 access list to the interface specified in the previous step.

 

Controlling Access to a vty

Creating an IPv6 ACL to Provide Access Class Filtering

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 access-list access-list-name

4.   Do one of the following:

  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix / prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name
  • deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ipv6 access-list access-list-name


Example:

Router(config)# ipv6 access-list cisco

 

Defines an IPv6 ACL, and enters IPv6 access list configuration mode.

 
Step 4
Do one of the following:
  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix / prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name
  • deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport


Example:

Router(config-ipv6-acl)# permit ipv6 host 2001:DB8:0:4::32 any eq telnet



Example:



Example:



Example:

Router(config-ipv6-acl)# deny ipv6 host 2001:DB8:0:6::6/32 any

 

Specifies permit or deny conditions for an IPv6 ACL.

 

Applying an IPv6 ACL to the Virtual Terminal Line

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    line [aux| console| tty| vty] line-number[ending-line-number]

4.    ipv6 access-class ipv6-access-list-name {in| out}


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
line [aux| console| tty| vty] line-number[ending-line-number]


Example:

Router(config)# line vty 0 4

 

Identifies a specific line for configuration and enters line configuration mode.

  • In this example, the vty keyword is used to specify the virtual terminal lines for remote console access.
 
Step 4
ipv6 access-class ipv6-access-list-name {in| out}


Example:

Router(config-line)# ipv6 access-class cisco in

 

Filters incoming and outgoing connections to and from the router based on an IPv6 ACL.

 

Configuration Examples for IPv6 Access Control Lists

Example: Verifying IPv6 ACL Configuration

In this example, the show ipv6 access-list command is used to verify that IPv6 ACLs are configured correctly:

Router> show ipv6 access-list

IPv6 access list inbound
    permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10
    permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20
    permit udp any any reflect udptraffic sequence 30

IPv6 access list tcptraffic (reflexive) (per-user)
    permit tcp host 2001:DB8:1::32 eq bgp host 2001:DB8:2::32 eq 11000 timeout 300 (time left 243) sequence 1
    permit tcp host 2001:DB8:1::32 eq telnet host 2001:DB8:2::32 eq 11001 timeout 300 (time left 296) sequence 2

IPv6 access list outbound
    evaluate udptraffic
    evaluate tcptraffic

Example: Creating and Applying an IPv6 ACL

This example configures two IPv6 ACLs named OUTBOUND and INBOUND and applies both ACLs to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and User Datagram Protocol (UDP) packets from network 2001:DB8:0300:0201::/32 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive ACL named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network fec0:0:0:0201::/64 (packets that have the site-local prefix fec0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0.

The evaluate command in the INBOUND list applies the temporary IPv6 reflexive ACL named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets.

ipv6 access-list OUTBOUND
 permit tcp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT
 permit udp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT
 deny fec0:0:0:0201::/64 any
ipv6 access-list INBOUND
 evaluate REFLECTOUT
interface ethernet 0
 ipv6 traffic-filter OUTBOUND out
 ipv6 traffic-filter INBOUND in

Note


Given that a permit any any statement is not included as the last entry in the OUTBOUND or INBOUND ACL, only TCP and UDP packets matching the configured permit entries in the ACL and ICMP packets matching the implicit permit conditions in the ACL are permitted out of and in to Ethernet interface 0 (the implicit deny all condition at the end of the ACL denies all other packet types on the interface).

The example configures HTTP access to be restricted to certain hours during the day, and to log any activity outside of the permitted hours:

time-range lunchtime
 periodic weekdays 12:00 to 13:00
ipv6 access-list OUTBOUND
 permit tcp any any eq www time-range lunchtime
 deny tcp any any eq www log-input
 permit tcp 2001:DB8::/32 any
 permit udp 2001:DB8::/32 any

Example Controlling Access to a vty

In the following example, incoming connections to the virtual terminal lines 0 to 4 are filtered based on the IPv6 access list named acl1:

ipv6 access-list acl1
 permit ipv6 host 2001:DB8:0:4::2/32 any
!
line vty 0 4
 ipv6 access-class acl1 in

Additional References

Related Documents

Related Topic Document Title

IPv6 addressing and connectivity

IPv6 Configuration Guide

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

IPv6 commands

Cisco IOS IPv6 Command Reference

Cisco IOS IPv6 features

Cisco IOS IPv6 Feature Mapping

Standards and RFCs

Standard/RFC Title

RFCs for IPv6

IPv6 RFCs

MIBs

MIB

MIBs Link

CISCO-UNIFIED-FIREWALL-MIB

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 Access Control Lists

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1Feature Information for IPv6 Access Control Lists
Feature Name Releases Feature Information

IPv6 Services: Standard Access Control Lists

12.0(22)S

12.2(14)S

12.2(28)SB

12.2(25)SG

12.2(33)SRA

12.2(17a)SX1

12.2(2)T

12.3

12.3(2)T

12.4

12.4(2)T

15.0(1)S

Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface.

IPv6 Services: Extended Access Control Lists

12.0(23)S

12.2(14)S

12.2(28)SB

12.2(25)SG

12.2(33)SRA

12.2(17a)SX1

12.2(13)T

12.3

12.3(2)T

12.4

12.4(2)T

15.0(1)S

Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.