Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco cBR Converged Broadband Routers DOCSIS Software Configuration Guide for Cisco IOS XE Everest 16.6.1

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco cBR Converged Broadband Routers DOCSIS Software Configuration Guide for Cisco IOS XE Everest 16.6.1

Chapter Title

IPv6 Access Control Lists

Results

Updated:
January 4, 2018

Chapter: IPv6 Access Control Lists

IPv6 Access Control Lists

Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering of traffic based on source and destination addresses, and inbound and outbound traffic to a specific interface. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.

Finding Feature Information

Your software release may not support all the features that are documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this document provides information about the documented features and lists the releases in which each feature is supported.

Contents

Hardware Compatibility Matrix for the Cisco cBR Series Routers


Note
The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified.
Table 1. Hardware Compatibility Matrix for the Cisco cBR Series Routers

Cisco CMTS Platform

Processor Engine

Interface Cards

Cisco cBR-8 Converged Broadband Router

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 Supervisor:

  • PID—CBR-SUP-250G

  • PID—CBR-CCAP-SUP-160G

  • PID—CBR-CCAP-SUP-60G

  • PID—CBR-SUP-8X10G-PIC

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 CCAP Line Cards:

  • PID—CBR-LC-8D30-16U30

  • PID—CBR-LC-8D31-16U30

  • PID—CBR-RF-PIC

  • PID—CBR-RF-PROT-PIC

  • PID—CBR-CCAP-LC-40G

  • PID—CBR-CCAP-LC-40G-R

Cisco cBR-8 Downstream PHY Modules:

  • PID—CBR-D30-DS-MOD

  • PID—CBR-D31-DS-MOD

Cisco cBR-8 Upstream PHY Modules:

  • PID—CBR-D30-US-MOD

  • PID—CBR-D31-US-MOD

Information About IPv6 Access Control Lists

Access Control Lists for IPv6 Traffic Filtering

The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-list command with the deny and permit keywords in global configuration mode.

IPv6 extended ACLs augments standard IPv6 ACL functionality to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).

IPv6 Packet Inspection

The following header fields are used for IPv6 inspection: traffic class, flow label, payload length, next header, hop limit, and source or destination IP address. For further information on and descriptions of the IPv6 header fields, see RFC 2474.

Access Class Filtering in IPv6

Filtering incoming and outgoing connections to and from the device based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local device address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local device address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.

How to Configure IPv6 Access Control Lists

Configuring IPv6 Traffic Filtering

Creating and Configuring an IPv6 ACL for Traffic Filtering


Note

IPv6 ACLs on the Cisco cBR router do not contain implicit permit rules. The IPv6 neighbor discovery process uses the IPv6 network-layer service; therefore, to enable IPv6 neighbor discovery, you must add IPv6 ACLs to allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link-layer protocol; therefore, by default IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Procedure
  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 access-list access-list-name

Example:

Device(config)# ipv6 access-list inbound

Defines an IPv6 ACL, and enters IPv6 access list configuration mode.

  • The access-list name argument specifies the name of the IPv6 ACL. IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.

Step 4

Do one of the following:

  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address } [operator [port-number ]] {destination-ipv6-prefix / prefix-length | any | host destination-ipv6-address } [operator [port-number ]] [dest-option-type [doh-number | doh-type ]] [dscp value ] [flow-label value ] [fragments ] [log ] [log-input ] [mobility ] [mobility-type [mh-number | mh-type ]] [routing ] [routing-type routing-number ] [sequence value ] [time-range name ]
  • deny protocol {source-ipv6-prefix /prefix-length | any | host source-ipv6-address } [operator port-number ]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [operator [port-number ]] [dest-option-type [doh-number | doh-type ] ] [dscp value ] [flow-label value ] [fragments ] [log ] [log-input ] [mobility ] [mobility-type [mh-number | mh-type ]] [routing ] [routing-type routing-number ] [sequence value ] [time-range name ] [undetermined-transport
Example:

Device(config-ipv6-acl)# permit tcp 2001:DB8:0300:0201::/32 eq telnet any
Example:

Device(config-ipv6-acl)# deny tcp host 2001:DB8:1::1 any log-input

Specifies permit or deny conditions for an IPv6 ACL.

Applying the IPv6 ACL to an Interface

Procedure
  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface TenGigabitEthernet4/1/0

Specifies the interface type and number, and enters interface configuration mode.

Step 4

ipv6 traffic-filter access-list-name {in | out }

Example:

Device(config-if)# ipv6 traffic-filter outbound out

Applies the specified IPv6 access list to the interface specified in the previous step.

Controlling Access to a vty

Creating an IPv6 ACL to Provide Access Class Filtering

Procedure
  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 access-list access-list-name

Example:

Device(config)# ipv6 access-list cisco

Defines an IPv6 ACL, and enters IPv6 access list configuration mode.

Step 4

Do one of the following:

  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address } [operator [port-number ]] {destination-ipv6-prefix / prefix-length | any | host destination-ipv6-address } [operator [port-number ]] [dest-option-type [doh-number | doh-type ]] [dscp value ] [flow-label value ] [fragments ] [log ] [log-input ] [mobility ] [mobility-type [mh-number | mh-type ]] [routing ] [routing-type routing-number ] [sequence value ] [time-range name
  • deny protocol {source-ipv6-prefix /prefix-length | any | host source-ipv6-address } [operator port-number ]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [operator [port-number ]] [dest-option-type [doh-number | doh-type ]] [dscp value ] [flow-label value ] [fragments ] [log ] [log-input ] [mobility ] [mobility-type [mh-number | mh-type ]] [routing ] [routing-type routing-number ] [sequence value ] [time-range name ] [undetermined-transport
Example:

Device(config-ipv6-acl)# permit ipv6 host 2001:DB8:0:4::32 any
Example:

Device(config-ipv6-acl)# deny ipv6 host 2001:DB8:0:6::6 any

Specifies permit or deny conditions for an IPv6 ACL.

Applying an IPv6 ACL to the Virtual Terminal Line

Procedure
  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

line [aux | console | tty | vty ] line-number [ending-line-number ]

Example:

Device(config)# line vty 0 4

Identifies a specific line for configuration and enters line configuration mode.

  • In this example, the vty keyword is used to specify the virtual terminal lines for remote console access.

Step 4

ipv6 access-class ipv6-access-list-name {in | out }

Example:

Device(config-line)# ipv6 access-class cisco in

Filters incoming and outgoing connections to and from the device based on an IPv6 ACL.

Configuration Examples for IPv6 Access Control Lists

Example: Verifying IPv6 ACL Configuration

In this example, the show ipv6 access-list command is used to verify that IPv6 ACLs are configured correctly: 

Device> show ipv6 access-list

IPv6 access list inbound
    permit tcp any any eq bgp (8 matches) sequence 10
    permit tcp any any eq telnet  (15 matches) sequence 20
    permit udp any any  sequence 30

IPv6 access list Virtual-Access2.1#427819008151 (per-user)
    permit tcp host 2001:DB8:1::32 eq bgp host 2001:DB8:2::32 eq 11000 sequence 1
    permit tcp host 2001:DB8:1::32 eq telnet host 2001:DB8:2::32 eq 11001 sequence 2

Example: Creating and Applying an IPv6 ACL

The following example shows how to restrict HTTP access to certain hours during the day and log any activity outside of the permitted hours: 


Device# configure terminal
Device(config)# time-range lunchtime
Device(config-time-range)# periodic weekdays 12:00 to 13:00
Device(config-time-range)# exit
Device(config)# ipv6 access-list INBOUND
Device(config-ipv6-acl)# permit tcp any any eq www time-range lunchtime
Device(config-ipv6-acl)# deny tcp any any eq www log-input
Device(config-ipv6-acl)# permit tcp 2001:DB8::/32 any
Device(config-ipv6-acl)# permit udp 2001:DB8::/32 any
Device(config-ipv6-acl)# end

Example: Controlling Access to a vty

In the following example, incoming connections to the virtual terminal lines 0 to 4 are filtered based on the IPv6 access list named acl1: 


ipv6 access-list acl1
 permit ipv6 host 2001:DB8:0:4::2/32 any
!
line vty 0 4
 ipv6 access-class acl1 in

Additional References

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

IP access list commands

Cisco IOS Security Command Reference

Configuring IP access lists

“Creating an IP Access List and Applying It to an Interface”

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 Access Control Lists

Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to the www.cisco.com/go/cfn link. An account on the Cisco.com page is not required.


Note

The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 2. Feature Information for IPv6 Access Control Lists

Feature Name

Releases

Feature Information

IPv6 Access Lists

Cisco IOS XE Fuji 16.7.1

This feature was integrated into Cisco IOS XE Fuji 16.7.1 on the Cisco cBR Series Converged Broadband Routers.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us