-
- Downstream Interface Configuration
- Upstream Interface Configuration
- DOCSIS Interface and Fiber Node Configuration
- DOCSIS Load Balancing Groups
- DOCSIS Load Balancing Movements
- DOCSIS 3.0 Downstream Bonding
- DOCSIS 2.0 A-TDMA Modulation Profiles
- Downstream Resiliency Bonding Group
- Downstream Channel ID Assignment
- Upstream Channel Bonding
- Spectrum Management and Advanced Spectrum Management
- Upstream Scheduler Mode
- Generic Routing Encapsulation
- Transparent LAN Service over Cable
- Downgrading Channel Bonding in Battery Backup Mode
- Energy Management Mode
-
- IP Access Control Lists
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Refining an IP Access List
- IP Named Access Control Lists
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- ACL IP Options Selective Drop
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 Template ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
-
- Call Home
- SNMP Support over VPNs—Context-Based Access Control
- SNMP Cache Engine Enhancement
- Onboard Failure Logging
- Control Point Discovery
- IPDR Streaming Protocol
- Usage-Based Billing (SAMIS)
- Frequency Allocation Information for the Cisco CMTS Routers
- Flap List Troubleshooting
- Maximum CPE and Host Parameters
- SNMP Background Synchronization
- Online Offline Diagnostics
- Index
- Hardware Compatibility Matrix for Cisco cBR Series Routers
- Information About IPv6 ACL Chaining with a Common ACL
- How to Configure IPv6 ACL Chaining with a Common ACL
- Configuration Examples for IPv6 ACL Chaining with a Common ACL
- Additional References for IPv6 ACL Chaining with a Common ACL
- Feature Information for IPv6 ACL Chaining with a Common ACL
IPv6 ACL Chaining with a Common ACL
ACL Chaining, also known as Multi-Access Control List (ACL), allows you to split ACLs. This document describes how with the IPv6 ACL Chaining Support feature, you can explicitly split ACLs into common and user-specific ACLs and bind both ACLs to a target for traffic filtering on a device. In this way, the common ACLs in Ternary Content Addressable Memory (TCAM) are shared by multiple targets, thereby reducing the resource usage.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Contents
- Hardware Compatibility Matrix for Cisco cBR Series Routers
- Information About IPv6 ACL Chaining with a Common ACL
- How to Configure IPv6 ACL Chaining with a Common ACL
- Configuration Examples for IPv6 ACL Chaining with a Common ACL
- Additional References for IPv6 ACL Chaining with a Common ACL
- Feature Information for IPv6 ACL Chaining with a Common ACL
Hardware Compatibility Matrix for Cisco cBR Series Routers
Note | The hardware components introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified. |
Cisco CMTS Platform |
Processor Engine |
Interface Cards |
---|---|---|
Cisco cBR-8 Converged Broadband Router |
Cisco IOS-XE Release 3.15.0S and Later Releases Cisco cBR-8 Supervisor:
|
Cisco IOS-XE Release 3.15.0S and Later Releases Cisco cBR-8 CCAP Line Cards: Cisco cBR-8 Downstream PHY Modules: Cisco cBR-8 Upstream PHY Modules: |
Information About IPv6 ACL Chaining with a Common ACL
ACL Chaining Overview
The packet filter process supports only a single Access control list (ACL) to be applied per direction and per protocol on an interface. This leads to manageability and scalability issues if there are common ACL entries needed on many interfaces. Duplicate Access control entries (ACEs) are configured for all those interfaces, and any modification to the common ACEs needs to be performed for all ACLs.
The purpose of these address blocks is to deny access to ISP's protected infrastructure networks and anti-spoofing protection by allowing only customer source address blocks. This results in configuring unique ACL per interface and most of the ACEs being common across all ACLs on a device. ACL provisioning and modification is very cumbersome, hence, any changes to the ACE impacts every target.
IPv6 ACL Chaining with a Common ACL
With IPv6 ACL Chaining, you can configure a traffic filter with the following:
Each Access control list (ACL) is matched in a sequence. For example, if you have specified both the ACLs - a common and a specific ACL, the packet is first matched against the common ACL; if a match is not found, it is then matched against the specific ACL.
Note | Any IPv6 ACL may be configured on a traffic filter as a common or specific ACL. However, the same ACL cannot be specified on the same traffic filter as both common and specific. |
How to Configure IPv6 ACL Chaining with a Common ACL
Note | You may choose to configure either of the following: |
The ipv6 traffic-filter command is not additive. When you use the command, it replaces earlier instances of the command. For example, the command sequence: ipv6 traffic-filter [common common-acl] [specific-acl] in ipv6 traffic-filter [specific-acl] in binds a common ACL to the traffic filter, removes the common ACL and then binds a specific ACL.
Configuring IPv6 ACL to an Interface
Perform this task to configure the interface to accept a common access control list (ACL) along with an interface-specific ACL:
Configuration Examples for IPv6 ACL Chaining with a Common ACL
You may configure the following combinations in no particular order:
Example: Configuring an Interface to Accept a Common ACL
This example shows how to replace an access control list (ACL) configured on the interface without explicitly deleting the ACL:
interface TenGigabitEthernet4/1/0 ipv6 access-group common C_acl ACL1 in end replace interface acl ACL1 by ACL2 interface TenGigabitEthernet4/1/0 ipv6 access-group common C_acl ACL2 in end
This example shows how to delete a common ACL from an interface. A common ACL cannot be replaced on interfaces without deleting it explicitly from the interface.
interface TenGigabitEthernet4/1/0 ipv6 access-group common C_acl1 ACL1 in end change the common acl to C_acl2 interface TenGigabitEthernet4/1/0 no ipv6 access-group common C_acl1 ACL1 in end interface TenGigabitEthernet4/1/0 ipv6 access-group common C_acl2 ACL1 in end
Note | When reconfiguring a common ACL, you must ensure that no other interface on the line card is attached to the common ACL. |
Note | If both common ACL and interface ACL are attached to an interface and only one of the above is reconfigured on the interface, then the other is removed automatically. |
This example shows how to remove the interface ACL:
interface TenGigabitEthernet4/1/0 ipv6 access-group common C_acl1 ACL1 in end
Additional References for IPv6 ACL Chaining with a Common ACL
Related Documents
Related Topic | Document Title |
---|---|
IPv4 ACL Chaining Support |
Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S |
Cisco IOS commands |
|
Security commands |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for IPv6 ACL Chaining with a Common ACL
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Note | The below table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. |
Feature Name |
Releases |
Feature Information |
---|---|---|
IPv6 Access Lists |
Cisco IOS-XE Release 3.15.0S |
This feature was introduced on the Cisco cBR Series Converged Broadband Routers. |