Configuring IPv6 ACLs
This chapter provides details about configuring IPv6 access control lists (ACLs) on the Cisco Industrial Ethernet Switches, hereafter referred to as switch.
When the switch is running the IP services image:
■ You can filter IPv6 traffic by creating IPv6 ACLs and applying them to interfaces.
■ You can create and apply input router ACLs to filter Layer 3 management traffic.
This chapter contains the following sections:
Information About IPv6 ACLs
A switch running the IP services image supports two types of IPv6 ACLs:
■ IPv6 router ACLs on outbound or inbound traffic on Layer 3 interfaces only, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to routed IPv6 packets.
■ IPv6 port ACLs on inbound traffic on Layer 2 interfaces only. The switch applies IPv6 port ACLs to all IPv6 packets entering the interface.
You can apply both IPv4 and IPv6 ACLs to an interface.
As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:
■ When an input router ACL and an input port ACL exist on an SVI, packets received on ports to which a port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
■ When an output router ACL and an input port ACL exist on an SVI, packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are not filtered.
Note: When you apply any port ACL (IPv4, IPv6, or MAC) to an interface, that port ACL filters packets, and ignores any router ACLs attached to the SVI of the port VLAN.
Supported ACL Features
IPv6 ACLs on the switch have these characteristics:
■ Fragmented frames (the fragments keyword, as in IPv4) are supported.
■ The same statistics supported in IPv4 are supported for IPv6 ACLs.
■ If the switch runs out of hardware space, packets associated with the ACL are forwarded to the CPU, and the software applies the ACLs.
■ Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
■ Logging is supported for router ACLs, but not for port ACLs.
■ The switch supports IPv6 address matching for the full range of prefix lengths.
Note: For items not supported for IPv6 ACLs, see Guidelines and Limitations.
Prerequisites
Be sure to review Guidelines and Limitations and the Before You Begin section within each configuration section before configuring a feature.
Guidelines and Limitations
ACLs for IPv6 Traffic Not Supported
■ The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
■ The switch does not apply MAC-based ACLs on IPv6 frames.
■ You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
■ The switch does not support output port ACLs.
Cisco IOS IPv6 ACLs Functions Not Supported
■ The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
■ The switch does not support reflexive ACLs (the reflect keyword).
Access Control Entry (ACE) and ACLs
■ When you apply an ACL to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the switch does not allow the ACE to be added to the attached ACL.
■ IPv6 supports only named ACLs.
IPv6 ACLs Interactions With Other Switches or Features
■ When you configure an IPv6 router ACL to deny a packet, the software does not route the packet. Instead, the software forwards a copy of the packet to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
■ If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
■ You can create both IPv4 and IPv6 ACLs on a switch, and you can apply both IPv4 and IPv6 ACLs to the same interface.
– Each ACL must have a unique name; an error message appears if you try to use a name that already exists on the switch.
– You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.
■ You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
■ If the hardware memory is full, for any additional configured ACLs, the switch forwards the packets to the CPU, and the software applies the ACLs.
Default Settings
There are no default IPv6 ACLs configured or applied on the switch.
Configuring IPv6 ACLs
This section includes the following topics:
■ Creating IPv6 ACLs
■ Applying an IPv6 ACL to an Interface
BEFORE YOU BEGIN
Review the Guidelines and Limitations for this feature.
Creating IPv6 ACLs
Note: When you configure an unsupported IPv6 ACL, an error message appears, and the configuration does not take effect.
Use the no { deny | permit } IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list for the commands below.
DETAILED STEPS
EXAMPLE
■ Creates an IPv6 ACL named CISCO.
■ Defines one deny entry that denies all packets that have a destination TCP port number greater than 5000 and a second deny entry that denies packets that have a source UDP port number less than 5000. The second deny entry also logs all matches to the console.
■ Defines a permit entry to permit all ICMP packets and another permit entry that allows all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Applying an IPv6 ACL to an Interface
BEFORE YOU BEGIN
Review the Guidelines and Limitations for this feature.
DETAILED STEPS
EXAMPLE
This example shows how to apply the access list CISCO to outbound traffic on a Layer 3 interface:
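The command listings for the Creating IPv6 ACLs and Applying an IPv6 ACL to an Interface steps did not survive on this page, so the following is an added example, not the guide's own listing or Cisco code. It writes the CISCO access list described above in what is assumed to be standard IOS IPv6 access-list syntax, parses it, and runs constructed packets through it to show the three behaviours the bullets rely on: the first matching entry decides, the log keyword is carried on the matching entry, and the implicit deny-all at the end of every IPv6 access list is what the final permit entry exists to override. The addresses, ports and the Packet, Ace, parse_acl and evaluate names are all constructed for this example.

```python
"""IPv6 ACL evaluation model: first matching ACE wins, implicit deny-all at the end.

Added example, not Cisco's code. The ACL text below mirrors the chapter's CISCO
example in what is assumed to be standard IOS IPv6 access-list syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CISCO_ACL = """
ipv6 access-list CISCO
 deny tcp any any gt 5000
 deny udp any lt 5000 any log
 permit icmp any any
 permit ipv6 any any
"""

# Port operators that may follow a source or destination address in an ACE.
PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}


@dataclass
class Packet:  # constructed test packets, not captured traffic
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                           # "permit" or "deny"
    proto: str                            # tcp, udp, icmp, or ipv6 (= any protocol)
    src: Optional[ipaddress.IPv6Network]  # None means "any"
    sport: Optional[tuple]                # (operator, port) or None
    dst: Optional[ipaddress.IPv6Network]
    dport: Optional[tuple]
    log: bool

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if self.src and ipaddress.IPv6Address(pkt.src) not in self.src:
            return False
        if self.dst and ipaddress.IPv6Address(pkt.dst) not in self.dst:
            return False
        for cond, port in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if cond and (port is None or not PORT_OPS[cond[0]](port, cond[1])):
                return False
        return True


def _take_address(tokens, i):
    """Consume 'any', 'host X' or 'X/len' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1


def _take_port(tokens, i):
    """Consume an optional 'operator port' pair at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_acl(text: str):
    """Return (name, [Ace, ...]) from 'ipv6 access-list NAME' followed by its entries."""
    name, aces = None, []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] == ["ipv6", "access-list"]:
            name = tokens[2]
            continue
        src, i = _take_address(tokens, 2)
        sport, i = _take_port(tokens, i)
        dst, i = _take_address(tokens, i)
        dport, i = _take_port(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport, "log" in tokens[i:]))
    return name, aces


def evaluate(aces, pkt: Packet):
    """Return (action, index of matching ACE, logged); index None = implicit deny-all."""
    for idx, ace in enumerate(aces):
        if ace.matches(pkt):
            return ace.action, idx, ace.log
    return "deny", None, False


if __name__ == "__main__":
    name, aces = parse_acl(CISCO_ACL)
    https = Packet("2001:db8::10", "2001:db8::20", "tcp", 50000, 443)
    for pkt in (Packet("2001:db8::10", "2001:db8::20", "tcp", 40000, 8080),
                Packet("2001:db8::10", "2001:db8::20", "udp", 53, 5353),
                Packet("2001:db8::10", "2001:db8::20", "icmp"), https):
        print(name, pkt.proto, pkt.sport, pkt.dport, "->", evaluate(aces, pkt))
    # Without the final 'permit ipv6 any any', the HTTPS packet hits the implicit deny.
    print("without final permit ->", evaluate(aces[:-1], https))
```

On the switch itself the same list is entered under ipv6 access-list CISCO and attached to the Layer 3 interface with ipv6 traffic-filter CISCO out (assumed IOS syntax, not shown on this page). Two points from the chapter are worth keeping in mind when reading the model's output: the log keyword on the second deny entry only produces messages when the list is applied as a router ACL, since logging is not supported for port ACLs, and the evaluation order matters, so a permit ipv6 any any placed before the deny entries would silence them.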
Verifying IPv6 ACLs
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the following privileged EXEC commands.
■ Display all configured IPv6 access lists, or the access list specified by name.
Configuration Example
■ Creates an IPv6 ACL named CISCO.
■ Defines one deny entry that denies all packets that have a destination TCP port number greater than 5000 and a second deny entry that denies packets that have a source UDP port number less than 5000. The second deny entry also logs all matches to the console.
■ Defines a permit entry to permit all ICMP packets and another permit entry that allows all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
■ Applies the access list CISCO to outbound traffic on a Layer 3 interface.