-
This documentation has been moved
-
Implementing IPv6 Addressing and Basic Connectivity
-
Implementing ADSL and Deploying Dial Access for IPv6
-
Implementing Bidirectional Forwarding Detection for IPv6
-
Implementing Multiprotocol BGP for IPv6
-
Implementing DHCP for IPv6
-
Implementing Dynamic Multipoint VPN for IPv6
-
Implementing EIGRP for IPv6
-
Configuring First Hop Redundancy Protocols in IPv6
-
Implementing First Hop Security in IPv6
-
Implementing IPsec in IPv6 Security
-
Implementing IS-IS for IPv6
-
Implementing IPv6 for Network Management
-
Implementing Mobile IPv6
-
Implementing IPv6 Multicast
-
Implementing NAT-PT for IPv6
-
Netflow v9 for IPv6
-
Implementing NTPv4 in IPv6
-
Implementing OSPF for IPv6
-
Implementing IPv6 over MPLS
-
Implementing IPv6 VPN over MPLS
-
Implementing Policy-Based Routing for IPv6
-
Implementing QoS for IPv6
-
Implementing RIP for IPv6
-
Implementing Traffic Filters and Firewalls for IPv6 Security
-
Implementing Static Routes for IPv6
-
Implementing Tunneling for IPv6
-
Implementing VoIP for IPv6
-
Feedback
Table Of Contents
Implementing Traffic Filters and Firewalls for IPv6 Security
Prerequisites for Implementing Traffic Filters and Firewalls for IPv6 Security
Restrictions for Implementing Traffic Filters and Firewalls for IPv6 Security
Information About Implementing Traffic Filters and Firewalls for IPv6 Security
Access Control Lists for IPv6 Traffic Filtering
IPv6 ACL Extensions for IPsec Authentication Header
Access Class Filtering in IPv6
PAM in Cisco IOS Firewall for IPv6
Cisco IOS Firewall Alerts, Audit Trails, and System Logging
Cisco IOS Firewall Restrictions
Cisco IOS Zone-Based Firewall for IPv6
ACL—Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
How to Implement Traffic Filters and Firewalls for IPv6 Security
Configuring IPv6 Traffic Filtering
Creating and Configuring an IPv6 ACL for Traffic Filtering
Applying the IPv6 ACL to an Interface
Creating an IPv6 ACL to Provide Access Class Filtering
Applying an IPv6 ACL to the Virtual Terminal Line
Configuring TCP or UDP Matching
Creating an IPv6 ACL in Cisco IOS Release 12.2(11)T, 12.0(22)S, or Earlier Releases
Applying the IPv6 ACL to an Interface in Cisco IOS Release 12.2(11)T, 12.0(22)S, or Earlier Releases
Configuring the Cisco IOS Firewall for IPv6
Configuring Zone-Based Firewall in IPv6
Configuring an Inspect-Type Parameter Map
Creating and Using an Inspect-Type Class Map
Creating and Using an Inspect-Type Policy Map
Creating Security Zones and Zone Pairs
Configuring ACL Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
Verifying IPv6 Security Configuration and Operation
Troubleshooting IPv6 Security Configuration and Operation
Configuration Examples for Implementing Traffic Filters and Firewalls for IPv6 Security
Examples: Creating and Applying IPv6 ACLs
Example: Creating and Applying an IPv6 ACL for Release 12.2(13)T or 12.0(23)S
Example: Creating and Applying an IPv6 ACL for 12.2(11)T, 12.0(22)S, or Earlier Releases
Example: Controlling Access to a vty
Example: Configuring TCP or UDP Matching
Example: Configuring Cisco IOS Firewall for IPv6
Example: Configuring Cisco IOS Zone-Based Firewall for IPv6
Feature Information for Implementing Traffic Filters and Firewalls for IPv6 Security
Implementing Traffic Filters and Firewalls for IPv6 Security
First Published: June 7, 2001Last Updated: July 20, 2011This module describes how to configure Cisco IOS IPv6 traffic filter and firewall features for your Cisco networking devices. These security features can protect your network from degradation or failure and also from data loss or compromised security resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Implementing Traffic Filters and Firewalls for IPv6 Security" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Implementing Traffic Filters and Firewalls for IPv6 Security
•
•
•
•
•
Prerequisites for Implementing Traffic Filters and Firewalls for IPv6 Security
You should be familiar with IPv6 addressing and basic configuration. Refer to the Implementing IPv6 Addressing and Basic Connectivity module for more information.
Restrictions for Implementing Traffic Filters and Firewalls for IPv6 Security
Cisco IOS Release 12.2(2)T through Cisco IOS Release 12.2(13)T and Cisco IOS Release 12.0(22)S and later releases support only standard IPv6 access control list (ACL) functionality. In Cisco IOS Release 12.0(23)S and 12.2(13)T or later releases, the standard IPv6 ACL functionality is extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
Information About Implementing Traffic Filters and Firewalls for IPv6 Security
•
•
•
Access Control Lists for IPv6 Traffic Filtering
The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-list command with the deny and permit keywords in global configuration mode.
In Cisco IOS Release 12.0(23)S and 12.2(13)T or later releases, the standard IPv6 ACL functionality is extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
IPv6 ACL Extensions for IPsec Authentication Header
This feature provides the ability to match on the upper layer protocol (ULP) (for example, TCP, User Datagram Protocol [UDP], ICMP, SCTP) regardless of whether an authentication header (AH) is present or absent.
TCP or UDP traffic can be matched to the upper-layer protocol (ULP) (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.
This feature introduces the keyword auth to the permit and deny commands. The auth keyword allows matching traffic against the presence of the authentication header in combination with the specified protocol; that is, TCP or UDP.
IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.
Access Class Filtering in IPv6
Filtering incoming and outgoing connections to and from the router based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local router address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local router address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.
Cisco IOS Firewall for IPv6
The Cisco IOS Firewall feature provides advanced traffic filtering functionality as an integral part of a network's firewall. Cisco IOS Firewall for IPv6 enables you to implement Cisco IOS Firewall in IPv6 networks. Cisco IOS Firewall coexists with Cisco IOS Firewall for IPv4 networks and is supported on all dual-stack routers.
Cisco IOS Firewall for IPv6 features are as follows:
•
•
•
•
•
•
•
PAM in Cisco IOS Firewall for IPv6
PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.
Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports. CBAC is limited to inspecting traffic using only the well-known or registered ports associated with an application, whereas PAM allows network administrators to customize network access control for specific applications and services.
PAM also supports host- or subnet-specific port mapping, which allows you to apply PAM to a single host or subnet using standard ACLs. Host- or subnet-specific port mapping is done using standard ACLs.
Cisco IOS Firewall Alerts, Audit Trails, and System Logging
Cisco IOS Firewall generates real-time alerts and audit trails based on events tracked by the firewall. Enhanced audit trail features use system logging to track all network transactions; to record time stamps, source host, destination host, and ports used; and to record the total number of transmitted bytes for advanced, session-based reporting. Real-time alerts send system logging error messages to central management consoles when the system detects suspicious activity. Using Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. For example, if you want to generate audit trail information for TCP traffic, you can specify the generation of this information in the Cisco IOS Firewall rule that defines TCP inspection.
The Cisco IOS Firewall provides audit trail messages to record details about inspected sessions. Audit trail information is configurable on a per-application basis using the CBAC inspection rules. To determine which protocol was inspected, use the port number associated with the responder. The port number appears immediately after the address.
IPv6 Packet Inspection
The following header fields are all used for IPv6 inspection—traffic class, flow label, payload length, next header, hop limit, and source or destination address. For further information on and descriptions of the IPv6 header fields, see RFC 2474.
Tunneling Support
IPv6 packets tunneled in IPv4 are not inspected. If a tunnel terminates on a router, and IPv6 traffic exiting the tunnel is nonterminating, then the traffic is inspected.
Virtual Fragment Reassembly
When VFR is enabled, VFR processing begins after ACL input lists are checked against incoming packets. The incoming packets are tagged with the appropriate VFR information.
Cisco IOS Firewall Restrictions
Cisco IOS Intrusion Detection System (IDS) is not supported for IPv6.
Cisco IOS Zone-Based Firewall for IPv6
Cisco IOS Zone-Based Firewall for IPv6 coexists with Cisco IOS Zone-Based Firewall for IPv4 in order to support IPv6 traffic. The feature provides MIB support for TCP, UDP, ICMPv6, and FTP sessions.
For further information about Zone-Based Firewall, see "Zone-Based Policy Firewall" in Cisco IOS Security Configuration Guide: Securing the Data Plane.
ACL—Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
Each IPv6 and IPv4 ACL entry maintains a global counter per entry for the number of matches applied to the ACL entry. The counters reflect all matches applied to the ACL, regardless of where the match was applied (such as on the platform or in the software feature path). This feature allows both IPv4 and IPv6 ACLs on the Cisco Catalyst 6500 platform to update the ACL entry statistics with a platform entry count.
How to Implement Traffic Filters and Firewalls for IPv6 Security
•
•
•
•
•
•
•
Configuring IPv6 Traffic Filtering
If you are running Cisco IOS Release 12.2(13)T, 12.0(23)S, or later releases, proceed to the "Creating and Configuring an IPv6 ACL for Traffic Filtering" section. If you are running Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases, proceed to the "Creating an IPv6 ACL for Traffic Filtering in Cisco IOS Release 12.2(11)T, 12.0(22)S, or Earlier Releases" section.
•
•
Creating and Configuring an IPv6 ACL for Traffic Filtering
This section describes how to configure your networking devices to filter traffic, function as a firewall, or detect potential viruses. Perform this task to create an IPv6 ACL and configure the IPv6 ACL to filter traffic in Cisco IOS Release 12.2(13)T and 12.0(23)S or later releases.
Prerequisites
In Cisco IOS Release 12.2(13)T and 12.0(23)S or later releases, for backward compatibility, the ipv6 access-list command with the deny and permit keywords in global configuration mode is still supported; however, an IPv6 ACL defined with deny and permit conditions in global configuration mode is translated to IPv6 access list configuration mode. See the "Examples: Creating and Applying IPv6 ACLs" section for an example of a translated IPv6 ACL configuration.
Restrictions
•
•
SUMMARY STEPS
1.
2.
3.
4.
or
deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]DETAILED STEPS
Applying the IPv6 ACL to an Interface
Perform this task to apply the IPv6 ACL to an interface in Cisco IOS Release 12.2(13)T and 12.0(23)S or later releases.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Controlling Access to a vty
•
•
Creating an IPv6 ACL to Provide Access Class Filtering
Perform this task to control access to a vty on a router by creating an IPv6 ACL to provide access class filtering.
SUMMARY STEPS
1.
2.
3.
4.
or
deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]DETAILED STEPS
Applying an IPv6 ACL to the Virtual Terminal Line
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring TCP or UDP Matching
TCP or UDP traffic can be matched to the ULP (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.
Use of the keyword auth with the permit icmp and deny icmp commands allows TCP or UDP traffic to be matched to the ULP if an AH is present. TCP or UDP traffic without an AH will not be matched.
IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.
Perform this task to allow TCP or UDP traffic to be matched to the ULP if an AH is present.
SUMMARY STEPS
1.
2.
3.
4.
or
deny icmp authDETAILED STEPS
Creating an IPv6 ACL for Traffic Filtering in Cisco IOS Release 12.2(11)T, 12.0(22)S, or Earlier Releases
Perform the following tasks to create and apply ACLs in Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
•
•
Creating an IPv6 ACL in Cisco IOS Release 12.2(11)T, 12.0(22)S, or Earlier Releases
Perform this task to create an IPv6 ACL and configure the IPv6 ACL to pass or block traffic in Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
Restrictions
•
•
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Applying the IPv6 ACL to an Interface in Cisco IOS Release 12.2(11)T, 12.0(22)S, or Earlier Releases
Perform this task to apply the IPv6 ACL to an interface in Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring the Cisco IOS Firewall for IPv6
This configuration scenario uses both packet inspection and ACLs.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
or
deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]DETAILED STEPS
Configuring PAM for IPv6
•
•
Creating an IPv6 Access Class Filter for PAM
SUMMARY STEPS
1.
2.
3.
4.
or
deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]DETAILED STEPS
Applying the IPv6 Access Class Filter to PAM
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuring Zone-Based Firewall in IPv6
•
•
•
•
Configuring an Inspect-Type Parameter Map
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Creating and Using an Inspect-Type Class Map
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Creating and Using an Inspect-Type Policy Map
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Creating Security Zones and Zone Pairs
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring ACL Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying IPv6 Security Configuration and Operation
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Troubleshooting IPv6 Security Configuration and Operation
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
•
•
•
•
•
•
•
•
•
Sample Output from the show crypto ipsec sa ipv6 Command
The following is sample output from the show crypto ipsec sa ipv6 command:
Router# show crypto ipsec sa ipv6interface: Tunnel0Crypto map tag: Tunnel0-head-0, local addr 3FFE:2002::A8BB:CCFF:FE01:9002protected vrf: (none)local ident (addr/mask/prot/port): (::/0/0/0)remote ident (addr/mask/prot/port): (::/0/0/0)current_peer 3FFE:2002::A8BB:CCFF:FE01:2C02 port 500PERMIT, flags={origin_is_acl,}#pkts encaps: 133, #pkts encrypt: 133, #pkts digest: 133#pkts decaps: 133, #pkts decrypt: 133, #pkts verify: 133#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 60, #recv errors 0local crypto endpt.: 3FFE:2002::A8BB:CCFF:FE01:9002,remote crypto endpt.: 3FFE:2002::A8BB:CCFF:FE01:2C02path mtu 1514, ip mtu 1514current outbound spi: 0x28551D9A(676666778)inbound esp sas:spi: 0x2104850C(553944332)transform: esp-des ,in use settings ={Tunnel, }conn id: 93, flow_id: SW:93, crypto map: Tunnel0-head-0sa timing: remaining key lifetime (k/sec): (4397507/148)IV size: 8 bytesreplay detection support: YStatus: ACTIVEinbound ah sas:spi: 0x967698CB(2524354763)transform: ah-sha-hmac ,in use settings ={Tunnel, }conn id: 93, flow_id: SW:93, crypto map: Tunnel0-head-0sa timing: remaining key lifetime (k/sec): (4397507/147)replay detection support: YStatus: ACTIVEinbound pcp sas:outbound esp sas:spi: 0x28551D9A(676666778)transform: esp-des ,in use settings ={Tunnel, }conn id: 94, flow_id: SW:94, crypto map: Tunnel0-head-0sa timing: remaining key lifetime (k/sec): (4397508/147)IV size: 8 bytesreplay detection support: YStatus: ACTIVEoutbound ah sas:spi: 0xA83E05B5(2822636981)transform: ah-sha-hmac ,in use settings ={Tunnel, }conn id: 94, flow_id: SW:94, crypto map: Tunnel0-head-0sa timing: remaining key lifetime (k/sec): (4397508/147)replay detection support: YStatus: ACTIVEoutbound pcp sas:Sample Output from the show crypto isakmp peer Command
The following sample output shows peer descriptions on an IPv6 router:
Router# show crypto isakmp peer detailPeer: 2001:DB8:0:1::1 Port: 500 Local: 2001:DB8:0:2::1Phase1 id: 2001:DB8:0:1::1flags:NAS Port: 0 (Normal)IKE SAs: 1 IPsec SA bundles: 1last_locker: 0x141A188, last_last_locker: 0x0last_unlocker: 0x0, last_last_unlocker: 0x0Sample Output from the show crypto isakmp profile Command
The following sample output shows the ISAKMP profiles that are defined on an IPv6 router:
Router# show crypto isakmp profileISAKMP PROFILE tomIdentities matched are:ipv6-address 2001:DB8:0:1::1/32Certificate maps matched are:Identity presented is: ipv6-address fqdnkeyring(s): <none>trustpoint(s): <all>Sample Output from the show crypto isakmp sa Command
The following sample output shows the SAs of an active IPv6 device. The IPv4 device is inactive:
Router# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH
Lifetime Cap.
IPv6 Crypto ISAKMP SA
dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
src: 3FFE:2002::A8BB:CCFF:FE01:9002
conn-id: 1001 I-VRF: Status: ACTIVE Encr: des Hash: sha Auth:
psk
DH: 1 Lifetime: 23:45:00 Cap: D Engine-id:Conn-id = SW:1
dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
src: 3FFE:2002::A8BB:CCFF:FE01:9002
conn-id: 1002 I-VRF: Status: ACTIVE Encr: des Hash: sha Auth:
psk
DH: 1 Lifetime: 23:45:01 Cap: D Engine-id:Conn-id = SW:2
Sample Output from the show ipv6 access-list Command
In the following example, the show ipv6 access-list command is used to verify that IPv6 ACLs are configured correctly:
Router> show ipv6 access-listIPv6 access list inboundpermit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20permit udp any any reflect udptraffic sequence 30IPv6 access list tcptraffic (reflexive) (per-user)permit tcp host 2001:DB8:1::32 eq bgp host 2001:DB8:2::32 eq 11000 timeout 300 (time left 243) sequence 1permit tcp host 2001:DB8:1::32 eq telnet host 2001:DB8:2::32 eq 11001 timeout 300 (time left 296) sequence 2IPv6 access list outboundevaluate udptrafficevaluate tcptrafficSample Output from the show ipv6 prefix-list Command
The following example shows the output of the show ipv6 prefix-list command with the detail keyword:
Router# show ipv6 prefix-list detailPrefix-list with the last deletion/insertion: bgp-inipv6 prefix-list 6to4:count: 1, range entries: 0, sequences: 5 - 5, refcount: 2seq 5 permit 2001:DB8::/32 (hit count: 313, refcount: 1)ipv6 prefix-list aggregate:count: 2, range entries: 2, sequences: 5 - 10, refcount: 30seq 5 deny 3FFE:C00::/24 ge 25 (hit count: 568, refcount: 1)seq 10 permit ::/0 le 48 (hit count: 31310, refcount: 1)ipv6 prefix-list bgp-in:count: 6, range entries: 3, sequences: 5 - 30, refcount: 31seq 5 deny 5F00::/8 le 128 (hit count: 0, refcount: 1)seq 10 deny ::/0 (hit count: 0, refcount: 1)seq 15 deny ::/1 (hit count: 0, refcount: 1)seq 20 deny ::/2 (hit count: 0, refcount: 1)seq 25 deny ::/3 ge 4 (hit count: 0, refcount: 1)seq 30 permit ::/0 le 128 (hit count: 240664, refcount: 0)Sample Output from the show ipv6 virtual-reassembly Command
The following example shows the output of the show ipv6 virtual-reassembly command with the interface keyword:
Router# show ipv6 virtual-reassembly interface e1/1Configuration Information:---------------------------------Virtual Fragment Reassembly (VFR) is ENABLED...Maximum number of datagram that can be reassembled at a time: 64Maximum number of fragments per datagram: 8Timeout value of a datagram: 3 secondsStatistical Information:----------------------------Number of datagram being reassembled:12Number of fragments being processed:48Total number of datagram reassembled:6950Total number of datagram failed: 9Sample Output from the show logging Command
In the following example, the show logging command is used to display logging entries that match the first line (sequence 10) of the access list named list1:
Router> show logging00:00:36: %IPV6-6-ACCESSLOGP: list list1/10 permitted tcp 2001:DB8:1::1(11001) (Ethernet0/0) -> 2001:DB8:1::2(179), 1 packetSample Output from the clear ipv6 access-list Command
In the following example, the show ipv6 access-list command is used to display some match counters for the access list named list1. The clear ipv6 access-list command is issued to reset the match counters for the access list named list1. The show ipv6 access-list command is used again to show that the match counters have been reset.
Router> show ipv6 access-list list1IPv6 access list list1permit tcp any any log-input (6 matches) sequence 10permit icmp any any echo-request log-input sequence 20permit icmp any any echo-reply log-input sequence 30Router# clear ipv6 access-list list1Router# show ipv6 access-list list1IPv6 access list list1permit tcp any any log-input sequence 10permit icmp any any echo-request log-input sequence 20permit icmp any any echo-reply log-input sequence 30Configuration Examples for Implementing Traffic Filters and Firewalls for IPv6 Security
•
•
•
•
•
Examples: Creating and Applying IPv6 ACLs
•
•
Example: Creating and Applying an IPv6 ACL for Release 12.2(13)T or 12.0(23)S
The following example is from a router running Cisco IOS Release 12.2(13)T.
The example configures two IPv6 ACLs named OUTBOUND and INBOUND and applies both ACLs to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and User Datagram Protocol (UDP) packets from network 2001:DB8:0300:0201::/32 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive ACL named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network fec0:0:0:0201::/64 (packets that have the site-local prefix fec0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0.
The evaluate command in the INBOUND list applies the temporary IPv6 reflexive ACL named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets.
ipv6 access-list OUTBOUNDpermit tcp 2001:DB8:0300:0201::/32 any reflect REFLECTOUTpermit udp 2001:DB8:0300:0201::/32 any reflect REFLECTOUTdeny fec0:0:0:0201::/64 anyipv6 access-list INBOUNDevaluate REFLECTOUTinterface ethernet 0ipv6 traffic-filter OUTBOUND outipv6 traffic-filter INBOUND in
Note
The following example can be run on a router running Cisco IOS Release 12.2(13)T or 12.0(23)S.
The example configures HTTP access to be restricted to certain hours during the day, and to log any activity outside of the permitted hours:
time-range lunchtimeperiodic weekdays 12:00 to 13:00ipv6 access-list OUTBOUNDpermit tcp any any eq www time-range lunchtimedeny tcp any any eq www log-inputpermit tcp 2001:DB8::/32 anypermit udp 2001:DB8::/32 anyExample: Creating and Applying an IPv6 ACL for 12.2(11)T, 12.0(22)S, or Earlier Releases
The following example is from a router running Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
The example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network fec0:0:0:2::/64 (packets that have the site-local prefix fec0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.
ipv6 access-list list2 deny fec0:0:0:2::/64 anyipv6 access-list list2 permit any anyinterface ethernet 0ipv6 traffic-filter list2 outIf the same configuration was used on a router running Cisco IOS Release 12.2(13)T, 12.0(23)S, or later releases, the configuration would be translated into IPv6 access list configuration mode as follows:
ipv6 access-list list2deny ipv6 fec0:0:0:2::/64 anypermit ipv6 any anyinterface ethernet 0ipv6 traffic-filter list2 out
Note
Example: Controlling Access to a vty
In the following example, incoming connections to the virtual terminal lines 0 to 4 are filtered based on the IPv6 access list named acl1:
ipv6 access-list acl1permit ipv6 host 2001:DB8:0:4::2/32 any!line vty 0 4ipv6 access-class acl1 inExample: Configuring TCP or UDP Matching
The following example allows any TCP traffic regardless of whether or not an AH is present:
IPv6 access list example1permit tcp any anyThe following example allows TCP or UDP parsing only when an AH header is present. TCP or UDP traffic without an AH will not be matched:
IPv6 access list example2deny tcp host 2001::1 any log sequence 5permit tcp any any auth sequence 10permit udp any any auth sequence 20The following example allows any IPv6 traffic containing an authentication header:
IPv6 access list example3permit ahp any anyExample: Configuring Cisco IOS Firewall for IPv6
This Cisco IOS Firewall configuration example uses inbound and outbound filters for inspection and makes use of access lists to manage the traffic. The inspect mechanism is the method of permitting return traffic based upon a packet being valid for an existing session for which the state is being maintained:
enableconfigure terminalipv6 unicast-routingipv6 inspect name ipv6_test icmp timeout 60ipv6 inspect name ipv6_test tcp timeout 60ipv6 inspect name ipv6_test udp timeout 60interface FastEthernet0/0ipv6 address 3FFE:C000:0:7::/64 eui-64ipv6 enableipv6 traffic-filter INBOUND outipv6 inspect ipv6_test ininterface FastEthernet0/1ipv6 address 3FFE:C000:1:7::/64 eui-64ipv6 enableipv6 traffic-filter OUTBOUND in! This is used for 3745b connection to tftpboot serverinterface FastEthernet4/0ip address 192.168.17.33 255.255.255.0duplex autospeed 100ip default-gateway 192.168.17.8! end of tftpboot server config! Access-lists to deny everything except for Neighbor Discovery ICMP messagesipv6 access-list INBOUNDpermit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any logipv6 access-list OUTBOUNDpermit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any logExample: Configuring Cisco IOS Zone-Based Firewall for IPv6
The following example shows how to enable the zone-based firewall, enabling inspection of IPv6 traffic flowing through the router.
parameter-map type inspect v6-param-mapsessions maximum 10000ipv6 routing-header-enforcement loose!!class-map type inspect match-any v6-classmatch protocol tcpmatch protocol udpmatch protocol icmpmatch protocol ftp!!policy-map type inspect v6-policyclass type inspect v6-classinspect!zone security z1zone security z2!zone-pair security zp source z1 destination z2service-policy type inspect v6-policyAdditional References
Related Documents
IPv6 IPsec
"Implementing IPsec in IPv6 Security," Cisco IOS IPv6 Configuration Guide
Basic IPv6 configuration
"Implementing IPv6 Addressing and Basic Connectivity," Cisco IOS IPv6 Configuration Guide
Zone-based firewalls
"Zone-Based Policy Firewall," Cisco IOS Security Configuration Guide: Securing the Data Plane
IPv6 supported feature list
"Start Here: Cisco IOS Software Release Specifics for IPv6 Features," Cisco IOS IPv6 Configuration Guide
IPv6 commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
•
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for Implementing Traffic Filters and Firewalls for IPv6 Security
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Implementing Traffic Filters and Firewalls for IPv6 Security
ACL—Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
12.2(50)SY
This feature allows both IPv4 and IPv6 ACLs on the Cisco Catalyst 6500 platform to update the ACL entry statistics with a platform entry count.
The following sections provide information about this feature:
•
•
IOS Zone-Based Firewall
15.1(2)T
Cisco IOS Zone-Based Firewall for IPv6 coexists with Cisco IOS Zone-Based Firewall for IPv4 in order to support IPv6 traffic.
The following sections provide information about this feature:
•
•
•
IPv6 ACL Extensions for IPsec Authentication Header
12.4(20)T
The IPv6 ACL extensions for IPsec authentication headers feature allows TCP or UDP parsing when an IPv6 IPsec authentication header is present.
The following section provides information about this feature:
IPv6 Services—Extended Access Control Lists1
12.0(23)S 12.2(14)S 12.2(28)SB 12.2(25)SG 12.2(33)SRA
12.2(17a)SX112.2(13)T 12.3
12.3(2)T
12.4
12.4(2)T
15.0(1)SStandard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.
The following sections provide information about this feature:
•
•
•
•
IPv6 Services—IPv6 IOS Firewall
12.3(7)T
12.4
12.4(2)TThis feature provides advanced traffic filtering functionality as an integral part of a network's firewall.
The following sections provide information about this feature:
IPv6 Services—IPv6 IOS Firewall FTP Application Support
12.3(11)T
12.4
12.4(2)TIPv6 supports this feature.
The following section provides information about this feature:
IPv6 Services—Standard Access Control Lists
12.0(22)S 12.2(14)S 12.2(28)SB 12.2(25)SG 12.2(33)SRA
12.2(17a)SX1
12.2(2)T
12.3
12.3(2)T
12.4
12.4(2)T
15.0(1)SAccess lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface.
The following sections provide information about this feature:
•
•
•
•
•
1 IPv6 extended access control lists and IPv6 provider edge router over Multiprotocol Label Switching (MPLS) are implemented with hardware acceleration on the Cisco 12000 series Internet router IP service engine (ISE) line cards in Cisco IOS routers in Cisco IOS Release 12.0(25)S and later releases.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2001-2011 Cisco Systems, Inc. All rights reserved.
