Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
You can filter IP version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic.
Note: To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer {default | dual-ipv4-and-ipv6} global configuration command.
A switch image supports two types of IPv6 ACLs:
Note: If you configure unsupported IPv6 ACLs, an error message appears and the configuration does not take effect.
The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
You can apply both IPv4 and IPv6 ACLs to an interface.
As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:
Note: If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored.
IPv6 ACLs on the switch have these characteristics:
The stack master supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members.
Note: For full IPv6 functionality in a switch stack, all stack members must be running the IP services feature set.
If a new switch takes over as stack master, it distributes the ACL configuration to all stack members. The member switches sync up the configuration distributed by the new stack master and flush out entries that are not required.
When an ACL is modified, attached to, or detached from an interface, the stack master distributes the change to all stack members.
There are no IPv6 ACLs configured or applied.
To filter IPv6 traffic, you perform these steps:
Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates.
Attach the IPv6 ACL to an Interface
This section describes how to apply IPv6 ACLs to network interfaces. You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer 2 interfaces.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
 | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 2 | interface interface-id Example: Switch(config)# interface interface-id | Identifies a Layer 2 interface (for port ACLs) or a Layer 3 interface (for router ACLs) on which to apply an access list, and enters interface configuration mode. |
Step 3 | no switchport Example: Switch(config-if)# no switchport | If applying a router ACL, changes the interface from Layer 2 mode (the default) to Layer 3 mode. |
Step 4 | ipv6 address ipv6-address Example: Switch(config-if)# ipv6 address ipv6-address | Configures an IPv6 address on a Layer 3 interface (for router ACLs). This command is not required on Layer 2 interfaces or if the interface has already been configured with an explicit IPv6 address. |
Step 5 | ipv6 traffic-filter access-list-name {in \| out} Example: Switch(config-if)# ipv6 traffic-filter access-list-name {in \| out} | Applies the access list to incoming or outgoing traffic on the interface. The out keyword is not supported for Layer 2 interfaces (port ACLs). |
Step 6 | end Example: Switch(config-if)# end | Returns to privileged EXEC mode. Alternatively, you can press Ctrl-Z to exit global configuration mode. |
Step 7 | show running-config | Verifies the access list configuration. |
Step 8 | copy running-config startup-config Example: Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Monitoring IPv6 ACLs
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the privileged EXEC commands.
Configuration Examples for IPv6 ACL
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000; it also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Switch(config)# ipv6 access-list CISCO
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch(config-ipv6-acl)# deny udp ::/0 lt 5000 ::/0 log
Switch(config-ipv6-acl)# permit icmp any any
Switch(config-ipv6-acl)# permit ipv6 any any

Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
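To make the first-match and implicit deny-all behaviour of the CISCO list concrete, here is an added Python model (not code from the Cisco guide) that evaluates the list entry by entry against constructed packets. Addresses are ignored because every entry uses any or ::/0, and the Packet and Entry names are this example's own assumptions.

```python
# Added example (not from the Cisco guide): a small model of how the switch
# evaluates an IPv6 ACL. Entries are tested in order, the first match wins,
# and a packet that matches no entry hits the implicit deny-all at the end.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str                       # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp", or "ipv6" (any protocol)
    src_op: Optional[Tuple[str, int]] = None   # e.g. ("lt", 5000) on the source port
    dst_op: Optional[Tuple[str, int]] = None   # e.g. ("gt", 5000) on the destination port
    log: bool = False

def _port_matches(op, port):
    if op is None:                   # no port operator: any port matches
        return True
    if port is None:                 # operator present but packet has no ports (e.g. ICMP)
        return False
    name, value = op
    return {"eq": port == value, "gt": port > value, "lt": port < value}[name]

def matches(entry, pkt):
    if entry.proto != "ipv6" and entry.proto != pkt.proto:
        return False
    return _port_matches(entry.src_op, pkt.src_port) and _port_matches(entry.dst_op, pkt.dst_port)

def evaluate(acl, pkt):
    """Return (action, entry index, logged); index is None when the implicit deny applies."""
    for i, e in enumerate(acl):
        if matches(e, pkt):
            return (e.action, i, e.log)
    return ("deny", None, False)     # implicit deny-all at the end of every IPv6 ACL

# The access list CISCO from the guide, modelled entry by entry (all addresses are any).
CISCO = [
    Entry("deny", "tcp", dst_op=("gt", 5000)),                 # deny tcp any any gt 5000
    Entry("deny", "udp", src_op=("lt", 5000), log=True),       # deny udp ::/0 lt 5000 ::/0 log
    Entry("permit", "icmp"),                                   # permit icmp any any
    Entry("permit", "ipv6"),                                   # permit ipv6 any any
]
```

Dropping the final permit (CISCO[:3]) shows why it is needed: traffic that matches no explicit entry falls through to the implicit deny.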
Switch# show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10
Switch# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
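As an added example (not from the Cisco guide), the following Python parses the text of show ipv6 access-list into structured entries and totals the hit counts, which is a convenient way to check from a script which entries are actually matching traffic. The sample text is constructed in the shape of the output above, and the function names are this example's own.

```python
# Added example (not from the Cisco guide): parse the text of "show ipv6 access-list"
# into structured entries and summarise hit counts per entry and per ACL.
import re
from typing import Dict, List, Tuple

HEADER = re.compile(r"^IPv6 access list (\S+)$")
# IOS prints "(n matches)" only for entries that have matched traffic, so the group is optional.
ENTRY = re.compile(r"^(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s+sequence\s+(\d+)$")

def parse_show_ipv6_access_list(text: str) -> Dict[str, List[dict]]:
    """Map each ACL name to its entries in display order."""
    acls: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            action, rule, hits, seq = m.groups()
            acls[current].append({"sequence": int(seq), "action": action,
                                  "rule": rule, "matches": int(hits) if hits else 0})
    return acls

def unused_entries(acls: Dict[str, List[dict]]) -> List[Tuple[str, int]]:
    """(ACL name, sequence) for every entry that has never matched a packet."""
    return [(name, e["sequence"]) for name, entries in acls.items()
            for e in entries if e["matches"] == 0]

def total_hits(acls: Dict[str, List[dict]]) -> Dict[str, int]:
    """Total match count per ACL."""
    return {name: sum(e["matches"] for e in entries) for name, entries in acls.items()}

# Constructed sample in the shape of the guide's show ipv6 access-list output.
SAMPLE = """\
IPv6 access list inbound
    permit tcp any any eq bgp (8 matches) sequence 10
    permit tcp any any eq telnet (15 matches) sequence 20
    permit udp any any sequence 30
IPv6 access list outbound
    deny udp any any sequence 10
    deny tcp any any eq telnet sequence 20
"""
```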