IPv6 Access Control Lists

Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering of traffic based on source and destination addresses, and inbound and outbound traffic to a specific interface. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.

This module describes how to configure IPv6 traffic filtering and how to control access to virtual terminal lines.
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About IPv6 Access Control Lists

Access Control Lists for IPv6 Traffic Filtering

The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined, and their deny and permit conditions are set, using the ipv6 access-list command with the deny and permit keywords in global configuration mode.

IPv6 extended ACLs augment standard IPv6 ACL functionality to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
How to Configure IPv6 Access Control Lists

Configuring IPv6 Traffic Filtering

Creating and Configuring an IPv6 ACL for Traffic Filtering

This section describes how to configure your networking devices to filter traffic, function as a firewall, or detect potential viruses.

Before You Begin

Note:
- Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can be overridden by the user by placing a deny ipv6 any any statement within an ACL. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
- Time-based and reflexive ACLs are not supported for IPv4 or IPv6 on the Cisco 12000 series platform. The reflect, timeout, and time-range keywords of the permit command in IPv6 are excluded on the Cisco 12000 series.
SUMMARY STEPS

1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4. Do one of the following:
   - permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
   - deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
DETAILED STEPS

Step 1. enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.

Step 2. configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3. ipv6 access-list access-list-name
    Example: Router(config)# ipv6 access-list outbound
    Purpose: Defines an IPv6 ACL, and enters IPv6 access list configuration mode.

Step 4. Do one of the following:
    - permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
    - deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
    Example: Router(config-ipv6-acl)# permit tcp 2001:DB8:0300:0201::/32 eq telnet any reflect reflectout
    Example: Router(config-ipv6-acl)# deny tcp host 2001:DB8:1::1 any log-input
    Purpose: Specifies permit or deny conditions for an IPv6 ACL.
Applying the IPv6 ACL to an Interface

SUMMARY STEPS

1. enable
2. configure terminal
3. interface type number
4. ipv6 traffic-filter access-list-name {in | out}

DETAILED STEPS

Step 1. enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.

Step 2. configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3. interface type number
    Example: Router(config)# interface ethernet 0
    Purpose: Specifies the interface type and number, and enters interface configuration mode.

Step 4. ipv6 traffic-filter access-list-name {in | out}
    Example: Router(config-if)# ipv6 traffic-filter outbound out
    Purpose: Applies the specified IPv6 access list to the interface specified in the previous step.
Controlling Access to a vty

Creating an IPv6 ACL to Provide Access Class Filtering

SUMMARY STEPS

1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4. Do one of the following:
   - permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name]
   - deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
DETAILED STEPS

Step 1. enable
    Example: Device> enable
    Purpose: Enables privileged EXEC mode.

Step 2. configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 3. ipv6 access-list access-list-name
    Example: Device(config)# ipv6 access-list cisco
    Purpose: Defines an IPv6 ACL, and enters IPv6 access list configuration mode.

Step 4. Do one of the following:
    - permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name]
    - deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
    Example: Device(config-ipv6-acl)# permit ipv6 host 2001:DB8:0:4::32 any
    Example: Device(config-ipv6-acl)# deny ipv6 host 2001:DB8:0:6::6 any
    Purpose: Specifies permit or deny conditions for an IPv6 ACL.
Applying an IPv6 ACL to the Virtual Terminal Line

SUMMARY STEPS

1. enable
2. configure terminal
3. line [aux | console | tty | vty] line-number [ending-line-number]
4. ipv6 access-class ipv6-access-list-name {in | out}

DETAILED STEPS

Step 1. enable
    Example: Device> enable
    Purpose: Enables privileged EXEC mode.

Step 2. configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 3. line [aux | console | tty | vty] line-number [ending-line-number]
    Example: Device(config)# line vty 0 4
    Purpose: Identifies a specific line for configuration and enters line configuration mode.

Step 4. ipv6 access-class ipv6-access-list-name {in | out}
    Example: Device(config-line)# ipv6 access-class cisco in
    Purpose: Filters incoming and outgoing connections to and from the device based on an IPv6 ACL.
Configuration Examples for IPv6 Access Control Lists

Example: Verifying IPv6 ACL Configuration

In this example, the show ipv6 access-list command is used to verify that IPv6 ACLs are configured correctly:

    Device> show ipv6 access-list
    IPv6 access list inbound
        permit tcp any any eq bgp (8 matches) sequence 10
        permit tcp any any eq telnet (15 matches) sequence 20
        permit udp any any sequence 30
    IPv6 access list Virtual-Access2.1#427819008151 (per-user)
        permit tcp host 2001:DB8:1::32 eq bgp host 2001:DB8:2::32 eq 11000 sequence 1
        permit tcp host 2001:DB8:1::32 eq telnet host 2001:DB8:2::32 eq 11001 sequence 2
Example: Creating and Applying an IPv6 ACL

The following example shows how to restrict HTTP access to certain hours during the day and log any activity outside of the permitted hours:

    Device# configure terminal
    Device(config)# time-range lunchtime
    Device(config-time-range)# periodic weekdays 12:00 to 13:00
    Device(config-time-range)# exit
    Device(config)# ipv6 access-list INBOUND
    Device(config-ipv6-acl)# permit tcp any any eq www time-range lunchtime
    Device(config-ipv6-acl)# deny tcp any any eq www log-input
    Device(config-ipv6-acl)# permit tcp 2001:DB8::/32 any
    Device(config-ipv6-acl)# permit udp 2001:DB8::/32 any
    Device(config-ipv6-acl)# end
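First-match evaluation of the INBOUND list above, showing why the logged deny has to sit before the broader permit for 2001:DB8::/32, together with the implicit neighbor discovery permit and the implicit deny described in the Before You Begin note (and the deny ipv6 any any override of the former). This is an added illustration, not Cisco code: the Entry fields, the packet dictionaries and the minutes-since-midnight time window are simplifying assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv6Network, ip_address
from typing import List, Optional, Tuple

ND_TYPES = {133, 134, 135, 136, 137}       # ICMPv6 RS, RA, NS, NA, Redirect
MONDAY_NOON = datetime(2024, 1, 8, 12, 30)  # a weekday inside the lunchtime window

@dataclass
class Entry:                                  # simplified ACL entry (assumption)
    action: str                               # "permit" or "deny"
    proto: str                                # "ipv6" (any protocol), "tcp", "udp", "icmp"
    src: str                                  # "any" or a prefix such as "2001:DB8::/32"
    dport: Optional[int] = None               # "eq port" on the destination, if given
    time_range: Optional[Tuple[int, int]] = None  # weekday window, minutes since midnight
    log: bool = False                         # log or log-input keyword present

def entry_matches(e: Entry, pkt: dict, when: datetime) -> bool:
    if e.proto != "ipv6" and e.proto != pkt["proto"]:
        return False
    prefix = IPv6Network("::/0") if e.src == "any" else IPv6Network(e.src)
    if ip_address(pkt["src"]) not in prefix:
        return False
    if e.dport is not None and pkt.get("dport") != e.dport:
        return False
    if e.time_range is not None:              # "periodic weekdays HH:MM to HH:MM"
        minute = when.hour * 60 + when.minute
        if when.weekday() > 4 or not (e.time_range[0] <= minute <= e.time_range[1]):
            return False
    return True

def evaluate(acl: List[Entry], pkt: dict, when: datetime) -> Tuple[str, bool]:
    """Return (action, logged). First matching entry wins; an unmatched neighbor
    discovery packet hits the implicit ND permit (an explicit 'deny ipv6 any any'
    above would already have caught it); everything else hits the implicit deny."""
    for e in acl:
        if entry_matches(e, pkt, when):
            return e.action, e.log
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") in ND_TYPES:
        return "permit", False
    return "deny", False

# The INBOUND list from the example above, in the order it was entered: HTTP only
# at lunchtime, other HTTP denied and logged, then broad permits for 2001:DB8::/32.
INBOUND = [
    Entry("permit", "tcp", "any", dport=80, time_range=(12 * 60, 13 * 60)),
    Entry("deny", "tcp", "any", dport=80, log=True),
    Entry("permit", "tcp", "2001:DB8::/32"),
    Entry("permit", "udp", "2001:DB8::/32"),
]
```

Swapping the second and third entries would let HTTP from 2001:DB8::/32 through at any hour without a log line, which is the ordering mistake the evaluator makes visible.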
Example: Controlling Access to a vty

In the following example, incoming connections to the virtual terminal lines 0 to 4 are filtered based on the IPv6 access list named acl1:

    ipv6 access-list acl1
     permit ipv6 host 2001:DB8:0:4::2/32 any
    !
    line vty 0 4
     ipv6 access-class acl1 in
Additional References

Standards and RFCs

| Standard/RFC | Title |
|---|---|
| RFCs for IPv6 | IPv6 RFCs |

MIBs

| MIB | MIBs Link |
|---|---|
| CISCO-UNIFIED-FIREWALL-MIB | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |

Technical Assistance

| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html |
Feature Information for IPv6 Access Control Lists

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for IPv6 Access Control Lists

| Feature Name | Releases | Feature Information |
|---|---|---|
| IPv6 Services: Standard Access Control Lists | 12.0(22)S, 12.2(14)S, 12.2(28)SB, 12.2(25)SG, 12.2(33)SRA, 12.2(17a)SX1, 12.2(2)T, 12.3, 12.3(2)T, 12.4, 12.4(2)T, 15.0(1)S | Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. |
| IPv6 Services: Extended Access Control Lists | 12.0(23)S, 12.2(14)S, 12.2(28)SB, 12.2(25)SG, 12.2(33)SRA, 12.2(17a)SX1, 12.2(13)T, 12.3, 12.3(2)T, 12.4, 12.4(2)T, 15.0(1)S, 15.4(3)S | Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control. |