Configuring IPv6 ACLs
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
IPv6 ACLs Overview
You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similar to how you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running IP base and LAN base feature sets.
A switch supports three types of IPv6 ACLs:
- IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to IPv6 packets that are routed.
- IPv6 port ACLs are supported on inbound Layer 2 interfaces. IPv6 port ACLs are applied to all IPv6 packets entering the interface.
- VLAN ACLs or VLAN maps access-control all packets in a VLAN. You can use VLAN maps to filter traffic between devices in the same VLAN. ACL VLAN maps are applied on Layer 2 VLANs. VLAN maps are configured to provide access control based on Layer 3 addresses for IPv6. Unsupported protocols are access-controlled through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets entering the VLAN are checked against the VLAN map.
The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
You can apply both IPv4 and IPv6 ACLs to an interface. As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs.
Switch Stacks and IPv6 ACLs
The active switch supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members.
If a standby switch takes over as the active switch, it distributes the ACL configuration to all stack members. The member switches sync up the configuration distributed by the new active switch and flush out entries that are not required.
When an ACL is modified, attached to, or detached from an interface, the active switch distributes the change to all stack members.
Interactions with Other Features and Switches
If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured.
You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.
You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
If the hardware memory is full, packets are dropped on the interface and an unload error message is logged.
Restrictions for IPv6 ACLs
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
- The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
- The switch does not support reflexive ACLs (the reflect keyword).
- This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs (VLAN maps).
- Output router ACLs and input port ACLs for IPv6 are supported only on switch stacks. Switches support only control plane (incoming) IPv6 ACLs.
- The switch does not apply MAC-based ACLs on IPv6 frames.
- You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
- When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the switch checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.
- If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the switch does not allow the ACE to be added to the ACL that is currently attached to the interface.
IPv6 ACLs on the switch have these characteristics:
- Fragmented frames (the fragments keyword as in IPv4) are supported.
- The same statistics supported in IPv4 are supported for IPv6 ACLs.
- If the switch runs out of hardware space, the packets associated with the ACL are dropped on the interface.
- Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
- Logging is supported for router ACLs, but not for port ACLs.
- The switch supports IPv6 address-matching for a full range of prefix-lengths.
Default Configuration for IPv6 ACLs
The default IPv6 ACL configuration is as follows:

```
Switch# show access-lists preauth_ipv6_acl
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100
```
Configuring IPv6 ACLs
To filter IPv6 traffic, you perform these steps:
1. enable
3. ipv6 access-list list-name
4. {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
5. {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value] [syn] [time-range name] [urg]
6. {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]
7. {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing] [sequence value] [time-range name]
8. end
9. show ipv6 access-list
11. copy running-config startup-config
Attach the IPv6 ACL to an Interface
Attaching an IPv6 ACL to an Interface
You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer 2 interfaces. You can also apply ACLs only to inbound management traffic on Layer 3 interfaces.
Follow these steps to control access to an interface:
1. enable
3. interface interface-id
4. no switchport
5. ipv6 address ipv6-address
6. ipv6 traffic-filter access-list-name {in | out}
9. copy running-config startup-config
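The two procedures above (creating the ACL, then attaching it) as one complete CLI session. This is an added example and not configuration from the original guide; the interface numbers, ACL names, and the 2001:db8::/32 documentation prefix are assumed values. It follows the page's restrictions: the router ACL goes on a Layer 3 routed port and may use log, while the port ACL goes on a Layer 2 access port, inbound only, and omits log because logging is not supported on port ACLs.

```text
! Added example, not from the original guide. Interface numbers, ACL names and
! addresses (2001:db8::/32 documentation prefix) are assumed.
Switch> enable
Switch# configure terminal

! Router ACL: permit SSH from the management prefix and return traffic of
! established TCP sessions, keep neighbor discovery working, log everything else
Switch(config)# ipv6 access-list MGMT-IN
Switch(config-ipv6-acl)# permit tcp 2001:db8:10::/64 any eq 22 sequence 10
Switch(config-ipv6-acl)# permit tcp any any established sequence 20
Switch(config-ipv6-acl)# permit icmp any any nd-ns sequence 30
Switch(config-ipv6-acl)# permit icmp any any nd-na sequence 40
Switch(config-ipv6-acl)# deny ipv6 any any log sequence 100
Switch(config-ipv6-acl)# exit

! Attach as a router ACL to a Layer 3 routed port (no switchport), inbound
Switch(config)# interface gigabitethernet1/0/24
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001:db8:20::1/64
Switch(config-if)# ipv6 traffic-filter MGMT-IN in
Switch(config-if)# exit

! Port ACL for a host-facing access port: DHCPv6 client traffic, neighbor
! discovery and router solicitation only; no log keyword on a port ACL
Switch(config)# ipv6 access-list HOST-PORT-IN
Switch(config-ipv6-acl)# permit udp any eq 546 any eq 547 sequence 10
Switch(config-ipv6-acl)# permit icmp any any nd-ns sequence 20
Switch(config-ipv6-acl)# permit icmp any any nd-na sequence 30
Switch(config-ipv6-acl)# permit icmp any any router-solicitation sequence 40
Switch(config-ipv6-acl)# permit tcp 2001:db8:30::/64 any eq 443 sequence 50
Switch(config-ipv6-acl)# deny ipv6 any any sequence 100
Switch(config-ipv6-acl)# exit

! Port ACLs are inbound only on Layer 2 interfaces (and not on Layer 2 EtherChannels)
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ipv6 traffic-filter HOST-PORT-IN in
Switch(config-if)# end

! Verify the ACEs and their match counters, then save
Switch# show ipv6 access-list MGMT-IN
Switch# show ipv6 access-list HOST-PORT-IN
Switch# copy running-config startup-config
```

If either traffic-filter command is rejected, check the ACEs against the unsupported keywords listed under Restrictions for IPv6 ACLs; the switch accepts any keyword while you are editing the list but validates it when the ACL is attached to a hardware-forwarded interface.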
Monitoring IPv6 ACLs
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the privileged EXEC commands shown in the table below:

Command | Purpose |
---|---|
show access-lists | Displays all access lists configured on the switch. |
show ipv6 access-list [access-list-name] | Displays all configured IPv6 access lists or the access list specified by name. |
show vlan access-map [map-name] | Displays VLAN access map configuration. |
show vlan filter [access-map access-map \| vlan vlan-id] | Displays the mapping between VACLs and VLANs. |
This is an example of the output from the show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.

```
Switch# show access-lists
Extended IP access list hello
    10 permit ip any any
IPv6 access list ipv6
    permit ipv6 any any sequence 10
```

This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only IPv6 access lists configured on the switch or switch stack.

```
Switch# show ipv6 access-list
IPv6 access list inbound
    permit tcp any any eq bgp (8 matches) sequence 10
    permit tcp any any eq telnet (15 matches) sequence 20
    permit udp any any sequence 30
IPv6 access list outbound
    deny udp any any sequence 10
    deny tcp any any eq telnet sequence 20
```

This is an example of the output from the show vlan access-map privileged EXEC command. The output shows VLAN access map information.

```
Switch# show vlan access-map
Vlan access-map "m1" 10
    Match clauses:
        ipv6 address: ip2
    Action: drop
```
Additional References
Related Documents
Related Topic | Document Title |
---|---|
IPv6 security configuration topics | IPv6 Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) |
IPv6 command reference | IPv6 Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-xe-3se-3850-cr-book.html |
Error Message Decoder
Description | Link |
---|---|
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi |
MIBs
MIB | MIBs Link |
---|---|
All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | |