- IP Access List Overview
- Access Control List Overview and Guidelines
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- ACL Syslog Correlation
- Refining an IP Access List
- IP Access List Entry Sequence Numbering
- Displaying and Clearing IP Access List Data Using ACL Manageability
- Object Groups for ACLs
- Controlling Access to a Virtual Terminal Line
- Access List-Based RBSCP
- ACL IP Options Selective Drop
- ACL Authentication of Incoming rsh and rcp Requests
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- Configuring IP Session Filtering (Reflexive Access Lists)
- IPv6 Access Control Lists
- IPv6 ACL Extensions for Hop by Hop Filtering
- ACL: Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
- IPv6 PACL Support
Security Configuration Guide: Access Control Lists, Cisco IOS Release 15SY
- Updated:
- January 19, 2018
Chapter: IPv6 Access Control Lists
IPv6 Access Control
Lists
Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering of traffic based on source and destination addresses, and inbound and outbound traffic to a specific interface. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.
This module describes how to configure IPv6 traffic filtering and to control access to virtual terminal lines.
- Finding Feature Information
- Information About IPv6 Access Control Lists
- How to Configure IPv6 Access Control Lists
- Configuration Examples for IPv6 Access Control Lists
- Additional References
- Feature Information for IPv6 Access Control Lists
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About IPv6 Access Control Lists
Access Control Lists for IPv6 Traffic Filtering
The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-listcommand with the deny and permit keywords in global configuration mode.
IPv6 extended ACLs augments standard IPv6 ACL functionality to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
How to Configure IPv6 Access Control Lists
Configuring IPv6 Traffic Filtering
Creating and Configuring an IPv6 ACL for Traffic Filtering
This section describes how to configure your networking devices to filter traffic, function as a firewall, or detect potential viruses.
- permit protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix / prefix-length| any | host destination-ipv6-address| auth} [operator [port-number]] [dest-option-type [doh-number| doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
- deny protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
1.
enable
2.
configure
terminal
3.
ipv6
access-list
access-list-name
4.
Do one of the following:
DETAILED STEPS
Applying the IPv6 ACL to an Interface
1.
enable
2.
configure
terminal
3.
interface
type
number
4.
ipv6
traffic-filter
access-list-name
{in|
out}
DETAILED STEPS
Controlling Access to a vty
- Creating an IPv6 ACL to Provide Access Class Filtering
- Applying an IPv6 ACL to the Virtual Terminal Line
Creating an IPv6 ACL to Provide Access Class Filtering
- permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix / prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name
- deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport
1.
enable
2.
configure
terminal
3.
ipv6
access-list
access-list-name
4.
Do one of the
following:
DETAILED STEPS
Applying an IPv6 ACL to the Virtual Terminal Line
1.
enable
2.
configure
terminal
3.
line
[aux|
console|
tty|
vty]
line-number[ending-line-number]
4.
ipv6
access-class
ipv6-access-list-name
{in|
out}
DETAILED STEPS
Configuration Examples for IPv6 Access Control Lists
Example: Verifying IPv6 ACL Configuration
In this example, the show ipv6 access-list command is used to verify that IPv6 ACLs are configured correctly:
Device> show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list Virtual-Access2.1#427819008151 (per-user)
permit tcp host 2001:DB8:1::32 eq bgp host 2001:DB8:2::32 eq 11000 sequence 1
permit tcp host 2001:DB8:1::32 eq telnet host 2001:DB8:2::32 eq 11001 sequence 2
Example: Creating and Applying an IPv6 ACL
The following example shows how to restrict HTTP access to certain hours during the day and log any activity outside of the permitted hours:
Device# configure terminal Device(config)# time-range lunchtime Device(config-time-range)# periodic weekdays 12:00 to 13:00 Device(config-time-range)# exit Device(config)# ipv6 access-list INBOUND Device(config-ipv6-acl)# permit tcp any any eq www time-range lunchtime Device(config-ipv6-acl)# deny tcp any any eq www log-input Device(config-ipv6-acl)# permit tcp 2001:DB8::/32 any Device(config-ipv6-acl)# permit udp 2001:DB8::/32 any Device(config-ipv6-acl)# end
Example: Controlling Access to a vty
In the following example, incoming connections to the virtual terminal lines 0 to 4 are filtered based on the IPv6 access list named acl1:
ipv6 access-list acl1 permit ipv6 host 2001:DB8:0:4::2/32 any ! line vty 0 4 ipv6 access-class acl1 in
Additional References
Related Documents
Related Topic |
Document Title |
|---|---|
|
IPv6 addressing and connectivity |
IPv6 Configuration Guide |
|
Cisco IOS commands |
|
|
IPv6 commands |
Cisco IOS IPv6 Command Reference |
|
Cisco IOS IPv6 features |
Standards and RFCs
Standard/RFC |
Title |
|---|---|
|
RFCs for IPv6 |
IPv6 RFCs |
MIBs
|
MIB |
MIBs Link |
|---|---|
|
CISCO-UNIFIED-FIREWALL-MIB |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for IPv6 Access Control Lists
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
IPv6 Services: Standard Access Control Lists |
12.0(22)S 12.2(14)S 12.2(28)SB 12.2(25)SG 12.2(33)SRA 12.2(17a)SX1 12.2(2)T 12.3 12.3(2)T 12.4 12.4(2)T 15.0(1)S |
Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. |
|
IPv6 Services: Extended Access Control Lists |
12.0(23)S 12.2(14)S 12.2(28)SB 12.2(25)SG 12.2(33)SRA 12.2(17a)SX1 12.2(13)T 12.3 12.3(2)T 12.4 12.4(2)T 15.0(1)S 15.4(3)S |
Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control. |
Feedback