- Preface
- Using the Command-Line Interface
-
- Managing Switch Stacks
- Security Features Overview
- Preventing Unauthorized Access
- Controlling Switch Access with Passwords and Privilege Levels
- Configuring TACACS+
- Configuring RADIUS
- Configuring Kerberos
- Configuring Local Authentication and Authorization
- Configuring Secure Shell (SSH)
- Configuring Secure Socket Layer HTTP
- Configuring IPv4 ACLs
- Configuring IPv6 ACLs
- Configuring DHCP
- Configuring IP Source Guard
- Configuring Dynamic ARP Inspection
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring Web-Based Authentication
- Configuring Port-Based Traffic Control
- Configuring IPv6 First Hop Security
- Configuring Cisco TrustSec
- Configuring FIPS
- XML Schema for SNMP Endpoint Proxy
- Important Notice
- Index
Configuring IPv6 ACL
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring IPv6 ACLs
You can filter IP version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP version 4(IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic.
Note | To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer {default | dual-ipv4-and-ipv6} global configuration command. |
Understanding IPv6 ACLs
A switch image supports two types of IPv6 ACLs:
- IPv6 router ACLs - Supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. Applied to only IPv6 packets that are routed.
- IPv6 port ACLs - Supported on inbound traffic on Layer 2 interfaces only. Applied to all IPv6 packets entering the interface.
Note | If you configure unsupported IPv6 ACLs, an error message appears and the configuration does not take affect. |
The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
You can apply both IPv4 and IPv6 ACLs to an interface.
As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:
When an input router ACL and input port ACL exist in an SVI, packets received on ports to which a port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
- When an output router ACL and input port ACL exist in an SVI, packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are not filtered.
Note | If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored. |
Supported ACL Features
IPv6 ACLs on the switch have these characteristics:
-
Fragmented frames (the fragments keyword as in IPv4) are supported.
-
The same statistics supported in IPv4 are supported for IPv6 ACLs.
-
If the switch runs out of TCAM space, packets associated with the ACL label are forwarded to the CPU, and the ACLs are applied in software.
-
Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
-
Logging is supported for router ACLs, but not for port ACLs.
IPv6 ACL Limitations
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
-
IPv6 source and destination addresses-ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information:
-aggregatable global unicast addresses
-link local addresses
-
The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
-
The switch does not support reflexive ACLs (the reflect keyword).
-
This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs (VLAN maps).
-
The switch does not apply MAC-based ACLs on IPv6 frames.
-
You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
-
The switch does not support output port ACLs.
-
Output router ACLs and input port ACLs for IPv6 are supported only on . Switches support only control plane (incoming) IPv6 ACLs.
-
When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the switch checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.
-
If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the switch does not allow the ACE to be added to the ACL that is currently attached to the interface.
Configuring IPv6 ACLs
To filter IPv6 traffic, you perform these steps:
Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates.
Command or Action | Purpose |
---|
Default IPv6 ACL Configuration
There are no IPv6 ACLs configured or applied.
Interaction with Other Features and Switches
-
If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
-
If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
-
You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured.
You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.
- You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
-
If the hardware memory is full, for any additional configured ACLs, packets are dropped to the CPU, and the ACLs are applied in software. When the hardware is full a message is printed to the console indicating the ACL has been unloaded and the packets will be dropped on the interface.
Note
Only packets of the same type as the ACL that could not be added (ipv4, ipv6, MAC) will be dropped on the interface.
Creating IPv6 ACL
Follow these steps to create an IPv6 ACL:
Applying an IPv6 ACL to an Interface
This section describes how to apply IPv6 ACLs to network interfaces. You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer 2 interfaces.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
Displaying IPv6 ACLs
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the privileged EXEC commands.
Command or Action | Purpose |
---|
Configuration Examples for IPv6 ACL
Example: Creating IPv6 ACL
Note | Logging is supported only on Layer 3 interfaces. |
Switch(config)# ipv6 access-list CISCO Switch(config-ipv6-acl)# deny tcp any any gt 5000 Switch (config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log Switch(config-ipv6-acl)# permit icmp any any Switch(config-ipv6-acl)# permit any any
Example: Applying IPv6 ACLs
Switch(config-if)# no switchport Switch(config-if)# ipv6 address 2001::/64 eui-64 Switch(config-if)# ipv6 traffic-filter CISCO out
Example: Displaying IPv6 ACLs
Switch #show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10
Switch# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20