Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering of traffic
based on source and destination addresses, and inbound and outbound traffic to a specific interface. Standard IPv6 ACL functionality
was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information
for finer granularity of control.
Finding Feature Information
Your software release may not support all the features that are documented in this module. For the latest feature information
and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this
document provides information about the documented features and lists the releases in which each feature is supported.
Hardware Compatibility Matrix for the Cisco cBR Series Routers
Note
The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless
otherwise specified.
Information About IPv6 Access Control Lists
Access Control Lists for IPv6
Traffic Filtering
The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-list command with the deny and permit keywords in global configuration mode.
IPv6 extended ACLs augment standard IPv6 ACL functionality to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
IPv6 Packet Inspection
The following header fields are used for IPv6 inspection: traffic class, flow label, payload length, next header, hop limit,
and source or destination IP address. For further information on and descriptions of the IPv6 header fields, see RFC 2474.
Access Class Filtering in IPv6
Filtering incoming and outgoing connections to and from the device based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local device address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local device address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.
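The recommendation above, as an added example that is not part of the original Cisco document: one IPv6 ACL applied identically to every virtual terminal line. The ACL name MGMT-V6, the 2001:db8:100::/64 management prefix, the SSH port and the vty ranges are assumptions; use the ranges your device actually has.

```cisco
! Constructed example. MGMT-V6 and 2001:db8:100::/64 are placeholders.
! Inbound on a vty line, the source is the connecting host and the
! destination is the local device address, so "any" is used as destination.
ipv6 access-list MGMT-V6
 permit tcp 2001:db8:100::/64 any eq 22
! Everything else is dropped by the implicit deny at the end of the ACL.
!
! Apply the same ACL to every vty range so that no line is left unfiltered.
line vty 0 4
 ipv6 access-class MGMT-V6 in
line vty 5 15
 ipv6 access-class MGMT-V6 in
```

After applying it, compare the vty sections of the running configuration and confirm that each range carries the same ipv6 access-class line.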
How to Configure IPv6 Access Control Lists
Configuring IPv6 Traffic Filtering
Creating and Configuring an IPv6 ACL for Traffic Filtering
Note
IPv6 ACLs on the Cisco cBR router do not contain implicit permit rules. The IPv6 neighbor discovery process uses the IPv6 network-layer service; therefore, to enable IPv6 neighbor discovery, you must add IPv6 ACLs to allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link-layer protocol; therefore, by default IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Procedure

Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: ipv6 access-list access-list-name
  Example: Device(config)# ipv6 access-list inbound
  Purpose: Defines an IPv6 ACL, and enters IPv6 access list configuration mode. The access-list-name argument specifies the name of the IPv6 ACL. IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.
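An added example, not taken from the original Cisco document, of entries that could follow Step 3 so that the ACL named inbound does not block neighbor discovery as described in the note above. The interface name and the 2001:db8:10::/64 prefix are placeholders, and applying the ACL with ipv6 traffic-filter is assumed because this page does not show that step.

```cisco
! Constructed example. Interface name and prefix are placeholders.
ipv6 access-list inbound
 ! Explicitly permit neighbor advertisements and neighbor solicitations.
 ! Without these two entries, the implicit deny at the end of the ACL
 ! drops neighbor discovery and address resolution on the link fails.
 permit icmp any any nd-na
 permit icmp any any nd-ns
 ! Application traffic the ACL is meant to allow (constructed entry).
 permit tcp 2001:db8:10::/64 any eq 443
 ! All remaining traffic is dropped by the implicit deny.
!
interface TenGigabitEthernet4/1/0
 ipv6 traffic-filter inbound in
```

Running show ipv6 access-list inbound afterwards lists the entries in order, which makes it easy to confirm that the neighbor discovery permits are present before the ACL is relied on.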
Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator
enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature
Navigator, go to the www.cisco.com/go/cfn link. An account on the Cisco.com page is not required.
Note
The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent
releases of that software release train also support that feature.
Table 1. Feature Information for IPv6 Access Control Lists

Feature Name: IPv6 Access Lists
Releases: Cisco IOS XE Fuji 16.7.1
Feature Information: This feature was integrated into Cisco IOS XE Fuji 16.7.1 on the Cisco cBR Series Converged Broadband Routers.