-
Cisco IOS XE IPv6 Configuration Guide, Release 2
-
Start Here: Cisco IOS XE Software Release Specifics for IPv6 Features
-
Implementing IPv6 Addressing and Basic Connectivity
-
Implementing ADSL and Deploying Dial Access for IPv6
-
Implementing Bidirectional Forwarding Detection for IPv6
-
Implementing DHCP for IPv6
-
Implementing EIGRP for IPv6
-
Implementing IS-IS for IPv6
-
Implementing IPv6 for Network Management
-
Implementing Multiprotocol BGP for IPv6
-
Implementing IPv6 Multicast
-
Implementing OSPF for IPv6
-
Implementing QoS for IPv6
-
Implementing RIP for IPv6
-
Implementing Traffic Filters and Firewalls for IPv6 Security
-
Implementing Static Routes for IPv6
-
Implementing Tunneling for IPv6
-
Implementing IPsec in IPv6 Security
-
Table Of Contents
Implementing Traffic Filters for IPv6 Security
Prerequisites for Implementing Traffic Filters for IPv6 Security
Restrictions for Implementing Traffic Filters for IPv6 Security
Information About Implementing Traffic Filters for IPv6 Security
Access Control Lists for IPv6 Traffic Filtering
Access Class Filtering in IPv6
How to Implement Traffic Filters for IPv6 Security
Configuring IPv6 Traffic Filtering
Creating and Configuring an IPv6 ACL for Traffic Filtering
Applying the IPv6 ACL to an Interface
Creating an IPv6 ACL to Provide Access Class Filtering
Applying an IPv6 ACL to the Virtual Terminal Line
Troubleshooting IPv6 Security Configuration and Operation
Configuration Examples for Implementing Traffic Filters for IPv6 Security
Configuring an Access List on the Router: Example
Route Processor Forwarding Manager ACL Configuration: Example
Forwarding Processor Forwarding Manager ACL Configuration: Example
Applying an Access List to an Interface: Example
Route Processor Forwarding Manager ACL Application to an Interface: Example
Forwarding Processor Forwarding Manager ACL Application to an Interface: Example
Viewing Access List Statistics: Example
Feature Information for Implementing Traffic Filters for IPv6 Security
Implementing Traffic Filters for IPv6 Security
First Published: June 7, 2001Last Updated: March 2, 2009This module describes how to configure Cisco IOS XE IPv6 traffic filter and firewall features for your Cisco networking devices. These security features can protect your network from degradation or failure and also from data loss or compromised security resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Implementing Traffic Filters for IPv6 Security" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Implementing Traffic Filters for IPv6 Security
•
•
•
•
•
Prerequisites for Implementing Traffic Filters for IPv6 Security
You should be familiar with IPv6 addressing and basic configuration. Refer to the Implementing IPv6 Addressing and Basic Connectivity module for more information.
Restrictions for Implementing Traffic Filters for IPv6 Security
In Cisco IOS XE software, the standard IPv6 ACL functionality is extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
Information About Implementing Traffic Filters for IPv6 Security
To implement security features for IPv6, you need to understand the following concept:
•
Access Control Lists for IPv6 Traffic Filtering
The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-list command with the deny and permit keywords in global configuration mode.
IPv6 Packet Inspection
The following header fields are all used for IPv6 inspection—traffic class, flow label, payload length, next header, hop limit, and source or destination address. For further information on and descriptions of the IPv6 header fields, see RFC 2474.
Tunneling Support
IPv6 packets tunneled in IPv4 are not inspected. If a tunnel terminates on a router, and IPv6 traffic exiting the tunnel is nonterminating, then the traffic is inspected.
Virtual Fragment Reassembly
When VFR is enabled, VFR processing begins after ACL input lists are checked against incoming packets. The incoming packets are tagged with the appropriate VFR information.
Access Class Filtering in IPv6
Filtering incoming and outgoing connections to and from the router based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local router address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local router address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.
How to Implement Traffic Filters for IPv6 Security
The tasks in the following sections explain how to configure security features for IPv6:
•
•
Configuring IPv6 Traffic Filtering
The following sections describe how enable IPv6 traffic filtering:
•
•
Restrictions
IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.
Creating and Configuring an IPv6 ACL for Traffic Filtering
This section describes how to configure your networking devices to filter traffic or detect potential viruses.
Restrictions
Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can be overridden by the user by placing a deny ipv6 any any statement within an ACL. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
SUMMARY STEPS
1.
2.
3.
4.
or
deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]DETAILED STEPS
Applying the IPv6 ACL to an Interface
This task describes how to apply the IPv6 ACL to an interface.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Controlling Access to a vty
The following tasks explain how to restrict access to a vty on a router:
•
•
Creating an IPv6 ACL to Provide Access Class Filtering
The following task explains how to control access to a vty on a router by creating an IPv6 ACL to provide access class filtering.
SUMMARY STEPS
1.
2.
3.
4.
or
deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]DETAILED STEPS
Applying an IPv6 ACL to the Virtual Terminal Line
After you have created the IPv6 ACL for access class filtering, you must apply it to a specified virtual terminal line. The following task describes how to apply the ACL to the virtual terminal line.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Troubleshooting IPv6 Security Configuration and Operation
This optional task explains how to display information to troubleshoot the configuration and operation of IPv6 security options. Use the following commands only as needed to verify configuration and operation.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuration Examples for Implementing Traffic Filters for IPv6 Security
This section provides the following configuration examples:
•
•
•
Configuring an Access List on the Router: Example
This section provides the following configuration examples:
•
•
Route Processor Forwarding Manager ACL Configuration: Example
The following examples verify Route Processor Forwarding Manager access list configuration:
Router# show running-config interface port-channel 3.2Building configuration...Current configuration : 328 bytes!interface Port-channel3.2encapsulation dot1Q 2 primary GigabitEthernet0/0/4 secondary GigabitEthernet1/2/4ip address 10.1.1.1 255.255.255.0ipv6 address 2001:0DB8:1111:1111::1/64ipv6 traffic-filter OutFilter_IPv6 outipv6 nd reachable-time 180000ipv6 nd ra suppressipv6 ospf 100 area 0snmp trap link-statusendRouter# show ipv6 access-list OutFilter_IPv6IPv6 access list OutFilter_IPv6permit icmp any any mld-query sequence 30permit icmp any any router-advertisement sequence 40deny 103 any any sequence 50permit icmp any any packet-too-big sequence 60deny icmp any any sequence 70deny ipv6 2404:1A8:1100:9::/64 any sequence 74deny ipv6 2404:1A8:1100:10::/64 any sequence 75permit ipv6 any 2050::/16 log-input sequence 80deny ipv6 2404:1A8:1100:13::/64 any sequence 90deny ipv6 2404:1A8:1100:14::/64 any sequence 100deny ipv6 2408:40:2000::/35 2408:40:2000::/35 dscp default sequence 110permit ipv6 any any (3974749339 matches) sequence 120Router# show platform software access-list R0 statisticsForwarding Manager Access-list Messaging StatisticsSet Log Threshold: 0, Interval: 0IPv4 Access-list Entry Add: 1, Delete: 0IPv4 Access-list Bind: 0, Unbind: 0IPv4 Access-list Resequence: 0, Delete: 1IPv6 Access-list Entry Add: 82, Delete: 0IPv6 Access-list Bind: 3003, Unbind: 0IPv6 Access-list Resequence: 0, Delete: 0Access-list Sync Start: 0, End: 0CPP Match Add: 0, Replace: 0, ACK Success: 0, ACK Error: 0CPP Match Delete: 0, ACK Success: 0, ACK Error: 0CPP Action Edit: 0, ACK Success: 0, ACK Error: 0CPP Action Replace: 0, ACK Success: 0, ACK Error: 0CPP Bind: 0, ACK Success: 0, ACK Error: 0CPP Unbind: 0, ACK Success: 0, ACK Error: 0Router# show platform software access-list R1 name OutFilter_IPv6 ace 100Access-list: OutFilter_IPv6Access-list Entry Sequence: 100Type: Permanent, Operation: AddAction: DenyDestination Address: ::, Length: 00Source Address: 2404:1a8:1100:14::, Length: 0x24Forwarding Processor Forwarding Manager ACL Configuration: Example
The following examples verify Forwarding Processor Forwarding Manager access list configuration:
Router# show platform software access-list F0 statisticsForwarding Manager Access-list Messaging StatisticsSet Log Threshold: 0, Interval: 0IPv4 Access-list Entry Add: 0, Delete: 0IPv4 Access-list Bind: 0, Unbind: 0IPv4 Access-list Resequence: 0, Delete: 1IPv6 Access-list Entry Add: 82, Delete: 0IPv6 Access-list Bind: 3003, Unbind: 0IPv6 Access-list Resequence: 0, Delete: 0Access-list Sync Start: 0, End: 0CPP Match Add: 86, Replace: 0, ACK Success: 86, ACK Error: 0CPP Match Delete: 4, ACK Success: 4, ACK Error: 0CPP Action Edit: 83, ACK Success: 83, ACK Error: 0CPP Action Replace: 0, ACK Success: 0, ACK Error: 0CPP Bind: 3003, ACK Success: 3003, ACK Error: 0CPP Unbind: 0, ACK Success: 0, ACK Error: 0The following example shows the download statistics for each access control list entry:
Router# show platform software access-list F0 name OutFilter_IPv6 ace 100Access-list: OutFilter_IPv6Access-list Entry Sequence: 100Match Class Index: 11Epoch: 0State: DownloadedRequested Operation: No-opIssued Operation: No-opType: PermanentAction: DenyRouter# access-list F0 name OutFilter_IPv6 ace 100 max-records 20Access-list: OutFilter_IPv6Access-list Index: 2, Protocol: IPv6, Type: IPv6Security References: 2001, Classifier References: 0, Shared target: 2001Pending Download Access-list Entry: 0Pending Acknowledgements Matches: 0, Actions: 0Downloaded Access-list Entry: 12Total Access-list Entry after pending updates are processed: 12AOM object identifier: 141State: NormalNumber of Access-list Entry Shown: 3ACE Number Class Index State-------------------------------------------------------------------100 11 Downloaded110 12 Downloaded120 13 DownloadedThe following command summarizes the number of entries and references in the access list:
Router# show platform software access-list F0 summaryAccess-list Index Num Ref Num ACEs--------------------------------------------------------------------------icmp2 1 1 2OutFilter_IPv6 2 2001 12p11 3 1000 3Applying an Access List to an Interface: Example
This section provides the following configuration examples:
•
•
Route Processor Forwarding Manager ACL Application to an Interface: Example
The following examples configure and verify the Route Processor Forwarding Manager access list application to GigabitEthernet 1/0/1:
Router(config)# interface GigabitEthernet 1/0/1Router(config-if)# ip access-group test inRouter# show platform software access-list R0 statisticsForwarding Manager Access-list Messaging StatisticsSet Log Threshold: 0, Interval: 0IPv4 Access-list Entry Add: 1, Delete: 0IPv4 Access-list Bind: 0, Unbind: 0IPv4 Access-list Resequence: 0, Delete: 1IPv6 Access-list Entry Add: 82, Delete: 0IPv6 Access-list Bind: 3003, Unbind: 0IPv6 Access-list Resequence: 0, Delete: 0Access-list Sync Start: 0, End: 0CPP Match Add: 0, Replace: 0, ACK Success: 0, ACK Error: 0CPP Match Delete: 0, ACK Success: 0, ACK Error: 0CPP Action Edit: 0, ACK Success: 0, ACK Error: 0CPP Action Replace: 0, ACK Success: 0, ACK Error: 0CPP Bind: 0, ACK Success: 0, ACK Error: 0CPP Unbind: 0, ACK Success: 0, ACK Error: 0Router# show platform software access-list R0 bind interface Port-channel1.2Interface: Port-channel1.2, Index: 35, Protocol: IPv6, Direction: OutputAccess-list: OutFilter_IPv6Operation: AddForwarding Processor Forwarding Manager ACL Application to an Interface: Example
The following examples configure and verify the Forwarding Processor Forwarding Manager access list application to Gigabit Ethernet 1/0/1:
Router(config)# interface GigabitEthernet 1/0/1Router(config-if)# ip access-group test inRouter# show platform software access-list F0 statisticsForwarding Manager Access-list Messaging StatisticsSet Log Threshold: 0, Interval: 0IPv4 Access-list Entry Add: 0, Delete: 0IPv4 Access-list Bind: 0, Unbind: 0IPv4 Access-list Resequence: 0, Delete: 1IPv6 Access-list Entry Add: 82, Delete: 0IPv6 Access-list Bind: 3003, Unbind: 0IPv6 Access-list Resequence: 0, Delete: 0Access-list Sync Start: 0, End: 0CPP Match Add: 86, Replace: 0, ACK Success: 86, ACK Error: 0CPP Match Delete: 4, ACK Success: 4, ACK Error: 0CPP Action Edit: 83, ACK Success: 83, ACK Error: 0CPP Action Replace: 0, ACK Success: 0, ACK Error: 0CPP Bind: 3003, ACK Success: 3003, ACK Error: 0CPP Unbind: 0, ACK Success: 0, ACK Error: 0The following example provides a summary of the access list with number of entries and number of references:
Router# show platform software access-list F0 summaryAccess-list Index Num Ref Num ACEs--------------------------------------------------------------------------icmp2 1 1 2OutFilter_IPv6 2 2001 12p11 3 1000 3m1 4 1 2p1 5 0 3Viewing Access List Statistics: Example
The following example output for ACL statistics provides information about the counter aggregation and poll timer:
Router# show ipv6 access-list OutFilter_IPv6IPv6 access list OutFilter_IPv6permit icmp any any mld-query sequence 30permit icmp any any router-advertisement sequence 40deny 103 any any sequence 50permit icmp any any packet-too-big sequence 60deny icmp any any sequence 70deny ipv6 2001:0DB8:1100:9::/64 any sequence 74deny ipv6 2001:0DB8:1100:10::/64 any sequence 75permit ipv6 any 2050::/16 log-input sequence 80deny ipv6 2001:0DB8:1100:13::/64 any sequence 90deny ipv6 2001:0DB8:1100:14::/64 any sequence 100deny ipv6 2001:0DB8:2000::/35 2408:40:2000::/35 dscp default sequence 110permit ipv6 any any (175392444 matches) sequence 120Additional References
The following sections provide references related to the Implementing Traffic Filters for IPv6 Security feature.
Related Documents
Basic IPv6 configuration
"Implementing IPv6 Addressing and Basic Connectivity," Cisco IOS XE IPv6 Configuration Guide
IPv6 supported feature list
"Start Here: Cisco IOS XE Software Release Specifics for IPv6 Features," Cisco IOS XE IPv6 Configuration Guide
IPv6 commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Cisco IOS master command list, all releases
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
Technical Assistance
Feature Information for Implementing Traffic Filters for IPv6 Security
Table 1 lists the features in this module and provides links to specific configuration information.
For information about a feature in this technology that is not documented here, see the Start Here: Cisco IOS XE Software Release Specifics for IPv6 Features.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Implementing Traffic Filters for IPv6 Security
IPv6 services: standard access control lists
Cisco IOS XE Release 2.1
Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface.
The following sections provide information about this feature:
•
•
•
•
The following commands were modified by this feature: clear ipv6 access-list, clear ipv6 inspect, clear ipv6 prefix-list, deny, ipv6 access-class, ipv6 access-list, ipv6 traffic-filter, line, permit, show ipv6 access-list
IPv6 services: extended access control lists
Cisco IOS XE Release 2.1
Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.
The following sections provide information about this feature:
•
•
•
•
The following commands were modified by this feature: clear ipv6 access-list, clear ipv6 inspect, clear ipv6 prefix-list, deny, ipv6 access-class, ipv6 access-list, ipv6 traffic-filter, line, permit, show ipv6 access-list
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2001-2009 Cisco Systems, Inc. All rights reserved.
