-
null
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces as you would create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP services or IP base feature set. This chapter includes information about configuring IPv6 ACLs on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command.
For related information, see these chapters:
•For more information about SDM templates, see Chapter 8 "Configuring SDM Templates."
•For information about IPv6 on the switch, see Chapter 40 "Configuring IPv6 Host Functions and Unicast Routing."
•For information about ACLs on the switch, see Chapter 35 "Configuring Network Security with ACLs."
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures.
This chapter contains these sections:
Table 36-1 shows the supported IPv6 ACLs on each switch.
This section has this information:
IPv6 ACLs on a Catalyst Switch Module 3110 or 3012 have these characteristics:
•Fragmented frames (the fragments keyword as in IPv4) are supported.
•The same statistics supported in IPv4 are supported for IPv6 ACLs.
•If the switch runs out of hardware memory, packets associated with the ACL are forwarded to the CPU, and the ACLs are applied in software.
IPv6 ACLs on the Catalyst Switch Module 3110 have these characteristics:
•A switch supports these IPv6 ACLs:
–IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to IPv6 packets that are routed.
–IPv6 port ACLs are supported only on inbound traffic on Layer 2 interfaces. IPv6 port ACLs are applied to all IPv6 packets entering the interface.
•A switch running the IP base feature set supports only input router IPv6 ACLs. It does not support port ACLs or output IPv6 router ACLs.
Note If you configure unsupported IPv6 ACLs, an error message appears, and the configuration does not take affect.
•If you create or apply an output router ACL or an input port ACL on a switch running the IP base or IP services feature set, the ACL is added to the switch configuration but does not take effect; an error message appears. If you want to use the output router ACL or input port ACL, save the switch configuration and enable the IP services feature set, which supports the ACL.
•The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
Note For more information about ACL support on the switch, see Chapter 35 "Configuring Network Security with ACLs."
•You can apply both IPv4 and IPv6 ACLs to an interface.
•As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:
–When an input router ACL and input port ACL are in an SVI, packets received on ports to which a port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
–When an output router ACL and input port ACL exist in an SVI, packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are not filtered.
Note If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored.
•Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
•Logging is supported for router ACLs, but not for port ACLs.
•The switch supports IPv6 address-matching for a full range of prefix lengths.
IPv6 ACLs on the Catalyst Switch Module 3012 have these characteristics:
•The switch supports only input router IPv6 ACLs applied to all IPv6 management packets entering the Layer 3 interface.
•The switch does not support IPv6 port ACLs, output IPv6 router ACLs, or VLAN ACLs (VLAN maps) for IPv6 traffic.
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
The switch supports most Cisco IOS-supported IPv6 ACLs with these exceptions:
•IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended unique identifier (EUI)-64 format. The Catalyst Switch Module 3012 supports only these host addresses:
–aggregatable global unicast addresses
–link local addresses
•The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
•The switch does not support reflexive ACLs (the reflect keyword).
•The switch does not apply MAC-based ACLs on IPv6 frames.
•You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
•Output router ACLs and input port ACLs for IPv6 are supported only when the Catalyst Switch Module 3110 is running the IP services feature set. A switch running the IP base feature set supports only input router ACLs for IPv6 management traffic.
•When configuring an ACL, there is no restriction on keywords entered in the ACL, whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the switch determines whether or not the ACL can be supported on the interface. If not, ACL attachment is rejected.
•If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the switch rejects the ACE addition to the ACL.
The stack master supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members.
Note For full IPv6 functionality in a switch stack, all stack members must be running the IP services feature set. Switches running the IP services or IP base feature set support only input router IPv6 ACLs for IPv6 management traffic.
If a new switch takes over as stack master, it distributes the ACL configuration to all stack members. The member switches sync up the configuration distributed by the new stack master and flush out entries that are not required.
When an ACL is modified, attached to, or detached from an interface, the stack master distributes the change to all stack members.
Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates.
To filter IPv6 traffic, you perform these steps:
Step 1 Create an IPv6 ACL, and enter IPv6 access list configuration mode.
Step 2 Configure the IPv6 ACL to block (deny) or pass (permit) traffic.
Step 3 Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.
These sections describe how to configure and apply IPv6 ACLs:
•Default IPv6 ACL Configuration
•Interaction with Other Features and Switches
•Applying an IPv6 ACL to an Interface
No IPv6 ACLs are configured or applied.
Configuring IPv6 ACLs causes these interactions with other features or switch characteristics:
•If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
•If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
•You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured.
You use different commands to create IPv4 and IPv6 ACLs and to attach them to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.
•You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can filter only non-IP frames.
•If the hardware memory is full, any additional configured ACLs packets are forwarded to the CPU, and the ACLs are applied in software.
Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL:
Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list.
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Switch(config)# ipv6 access-list CISCO
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log
Switch(config-ipv6-acl)# permit icmp any any
Switch(config-ipv6-acl)# permit any any
This section describes how to apply IPv6 ACLs to network interfaces. If the switch is running the IP services feature set, you can apply an ACL to outbound or inbound traffic on Layer 3 interfaces or to inbound traffic on Layer 2 interfaces. If the switch is running the IP services or IP base feature set, you can apply ACLs only to inbound management traffic on Layer 3 interfaces.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface.
This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface:
Switch(config)# interface gigabitethernet 1/0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using either or both of the privileged EXEC commands in Table 36-2.
This is an example of the output from the show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.
Switch# show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10
This is an example of the output from the show ipv6 access-lists privileged EXEC command. The output shows only IPv6 input and output access lists configured on the switch or switch stack.
Switch# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20