Note: This chapter is not applicable on the Cisco ASR 900 RSP3 Module.
IPv6 Access Control Lists (ACLs) determine what traffic is blocked and what traffic is forwarded at device interfaces. ACLs filter on source and destination addresses and are applied inbound or outbound on a specific interface.
The following restrictions apply when configuring IPv6 ACLs:
ACE-specific counters are not supported.
Layer 3 IPv4 and IPv6 ACLs are not supported on the same EVC.
MAC ACLs are not supported on EFP or trunk EFP interfaces to which Layer 3 IPv4 or IPv6 ACLs are applied.
Up to 500 ACEs per ACL or 1500 total ACEs are supported.
Egress IPv4/IPv6 ACLs on an EVC are not supported.
The following ACE parameters are supported:
Other ACE parameters are not supported.
The sections below describe how to configure an IPv6 ACL on the Cisco ASR 903 Series Router:
1. configure terminal
2. ipv6 access-list access-list-name
3. permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [port-number] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [port-number] [dscp value] [log] [log-input] [sequence value]
4. deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [port-number] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [port-number] [dscp value] [log] [log-input] [sequence value]
5. end

1. configure terminal
2. interface interface-id
3. ipv6 traffic-filter access-list-name [in | out]
4. end
Router(config)# ipv6 access-list ipv6_acl
Router(config-ipv6-acl)# permit tcp any any
Router(config-ipv6-acl)# permit udp any any
Router(config-ipv6-acl)# permit any any
Router(config-ipv6-acl)# hardware statistics
Router(config-ipv6-acl)# exit
! Assign an IP address and add the ACL on the interface.
Router(config)# interface GigabitEthernet3/1/0
Router(config-if)# no ip address
Router(config-if)# negotiation auto
Router(config-if)# ipv6 address 2001:1::1/64
Router(config-if)# ipv6 enable
Router(config-if)# ipv6 traffic-filter ipv6_acl in
Router(config-if)# exit
Router(config)# exit
Router# clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#
! Verify the configurations.
Router# show running-config interface GigabitEthernet3/1/0
Building configuration...
Current configuration : 114 bytes
!
interface GigabitEthernet3/1/0
 no ip address
 negotiation auto
 ipv6 address 1001::1/64
 ipv6 traffic-filter ipv6_acl in
end
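The ACE limits listed in the restrictions above (500 per ACL, 1500 in total) can be checked offline against a saved running configuration. The following Python script is an added example, not part of the Cisco documentation; the sample configuration, the ACL names big_acl and missing_acl, and the extra checks for unapplied or undefined ACLs are assumptions made for illustration, and it counts IPv6 ACEs only.

```python
import re

MAX_ACES_PER_ACL = 500   # per-ACL limit from the restrictions above
MAX_ACES_TOTAL = 1500    # total limit from the restrictions above

def audit_ipv6_acls(config_text):
    """Return findings for the IPv6 ACLs in an IOS-style configuration dump."""
    aces = {}        # ACL name -> number of permit/deny entries
    applied = []     # (interface, ACL name, direction)
    acl = intf = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line ends the previous block
            acl = intf = None
            if m := re.fullmatch(r"ipv6 access-list (\S+)", line):
                acl = m.group(1)
                aces.setdefault(acl, 0)
            elif m := re.fullmatch(r"interface (\S+)", line):
                intf = m.group(1)
        elif acl and re.match(r"(sequence \d+ )?(permit|deny) ", line):
            aces[acl] += 1
        elif intf and (m := re.fullmatch(r"ipv6 traffic-filter (\S+) (in|out)", line)):
            applied.append((intf, m.group(1), m.group(2)))

    findings = []
    for name, count in aces.items():
        if count > MAX_ACES_PER_ACL:
            findings.append(f"{name}: {count} ACEs exceeds the {MAX_ACES_PER_ACL}-per-ACL limit")
        if all(name != used for _, used, _ in applied):
            findings.append(f"{name}: defined but not applied to any interface")
    if (total := sum(aces.values())) > MAX_ACES_TOTAL:
        findings.append(f"total: {total} ACEs exceeds the {MAX_ACES_TOTAL} limit")
    for intf, name, direction in applied:
        if name not in aces:
            findings.append(f"{intf}: traffic-filter {name} {direction} references an undefined ACL")
    return findings

def sample_config():
    """Constructed running-config excerpt: one oversized ACL, one dangling reference."""
    big = "\n".join(f" sequence {10 * i} permit tcp host 2001:db8::{i:x} any" for i in range(1, 502))
    return (
        "ipv6 access-list ipv6_acl\n permit tcp any any\n permit udp any any\n!\n"
        f"ipv6 access-list big_acl\n{big}\n!\n"
        "interface GigabitEthernet3/1/0\n ipv6 traffic-filter ipv6_acl in\n!\n"
        "interface GigabitEthernet3/1/1\n ipv6 traffic-filter missing_acl in\n!\n"
    )

if __name__ == "__main__":
    print("\n".join(audit_ipv6_acls(sample_config())))
```
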
You can use the following commands to verify your IPv6 ACL configuration on the Cisco ASR 903 Series Router: