IPv6 ACL

An access control list (ACL) is a set of rules that controls or restricts access to a network interface. ACLs

  • are configured on the device and can be applied to various interfaces, such as the management interface, the AP-manager interface, dynamic interfaces, or WLANs, and

  • regulate data traffic to and from wireless clients or protect the controller's central processing unit (CPU).

You can also create a preauthentication ACL for web authentication. Such an ACL is used to allow certain types of traffic before authentication is complete.

IPv6 ACLs support the same options as IPv4 ACLs, including source, destination, and source and destination ports.


Note

To enable only IPv4 traffic in your network, block all IPv6 traffic. Configure an IPv6 ACL to deny all IPv6 traffic, and apply it to specific WLANs or to all WLANs.

Understand IPv6 ACLs

Types of ACL

Per user IPv6 ACL

  • For the per-user ACL, the complete access control entries (ACEs) are configured as text strings on the RADIUS server.

  • The ACCESS-Accept attribute contains the ACE, which is then sent to the device and applied directly to the client. When a wireless client roams to a foreign device, the foreign device receives the ACEs as an AAA attribute in the mobility handoff message. Output direction using per-user ACL is not supported.

Filter ID IPv6 ACL

  • For the filter-Id ACL, the complete ACEs and the ACL name filter-id are configured on the Cisco 9800 controller. Only the filter-id is configured on the RADIUS server.

  • The filter-id is sent to the device in the ACCESS-Accept attribute. The device looks up the filter-id to find the ACEs, and then applies the ACEs to the client. When the client roams at Layer 2 to the foreign device, only the filter-id is sent to the foreign device in the mobility handoff message. Using output filtered ACLs with per-user ACLs is not supported.

Prerequisites for configuring IPv6 ACL

  • To filter IP Version 6 (IPv6) traffic, create IPv6 access control lists (ACLs) and apply them to interfaces, using the same process as for IP Version 4 (IPv4) named ACLs.

  • You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the Network Essentials license.

Restrictions for configuring IPv6 ACL

With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The IPv6 ACL does not support FlexConnect mode.
The device supports most of the Cisco IOS-supported IPv6 ACLs, with some exceptions:
  • The controller does not support routing, and only inbound ACLs are supported for wireless clients.

  • The device does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.

  • The device does not support reflexive ACLs (the reflect keyword).

  • The device does not apply MAC-based ACLs on IPv6 frames.

  • There is no restriction on the keywords entered in the ACL, even if they are not supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the device checks whether the ACL is supported on the interface. If not, the device rejects attaching the ACL.

  • If an ACL is already applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the device does not allow the ACE to be added to the ACL currently attached to the interface.

Configure IPv6 ACLs

Block or permit IPv6 traffic based on policies using ACLs.

To filter IPv6 traffic, perform these steps:

Procedure


Step 1

Create an IPv6 ACL, and enter the IPv6 access list configuration mode.

Step 2

Configure the IPv6 ACL to block (deny) or pass (permit) traffic.

Step 3

Apply the IPv6 ACL to the interface where traffic will be filtered.

Step 4

For router ACLs, assign an IPv6 address to the Layer 3 interface where the ACL is applied.


Default IPv6 ACL configuration

There are no IPv6 ACLs configured or applied.

Interact with other features and switches

Access control lists (ACLs) on switches interact with other features and platform behaviors in these ways:

  • If a port ACL is configured to drop a bridged frame, the frame is not bridged.

  • You can create IPv4 and IPv6 ACLs, and apply both to the same interface.

  • Each ACL must have a unique name; if not, you receive an error message.

  • Different commands are required to create and attach IPv4 and IPv6 ACLs. Using the incorrect command results in an error.

  • MAC ACLs cannot filter IPv6 frames; MAC ACLs are for non-IP frames.

  • When hardware memory or TCAM is full, additional ACLs are processed in software by the CPU. A console message indicates the ACL has been unloaded and packets will be handled in software.

  • Only packets matching the ACL type (IPv4, IPv6, or MAC) that could not be added will be processed in software.

  • If the TCAM is full, additional configured ACLs result in packets being forwarded to the CPU, and the ACLs are applied in software.

Create an IPv6 ACL (GUI)

Define and apply an IPv6 ACL to control permitted or denied network traffic based on source, destination, protocol, and other parameters using the GUI.

Procedure


Step 1

Choose Configuration > Security > ACL.

Step 2

Click Add.

Step 3

In the Add ACL Setup dialog box, enter these parameters.

  • ACL Name: Enter the name for the ACL

  • ACL Type: IPv6

  • Sequence: The valid range is between 100 and 199 or 2000 and 26991.

  • Action: Select Permit or Deny for the packet flow from the drop-down list.

  • Source Type: Choose any, Host, or Network as the source from which the packet is sent.

  • Destination Type: Choose any, Host, or Network as the destination to which the packet is sent.

  • Protocol: Select a protocol from the drop-down list.

  • Log: Enable or disable logging.

  • DSCP: Enter a DSCP value to match packets carrying that value.

Step 4

Click Add.

Step 5

Add the rest of the rules and click Apply to Device.


Create an IPv6 ACL (CLI)

Define rules to permit or deny IPv6 packets based on specific criteria, enhancing network security and control using commands.

Procedure


Step 1

Enable the privileged EXEC mode and enter the global configuration mode.

Example:

Device> enable
Device# configure terminal

Enter your password if prompted.

Step 2

Use a name to define an IPv6 access list and enter the IPv6 access-list configuration mode.

Example:

Device(config)# ipv6 access-list acl_name

Step 3

Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.

Example:

{deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value]
[time-range name]

These are the conditions:

  • To set the protocol, enter the name or number of an Internet protocol (ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp), or enter an integer from 0 to 255 to represent an IPv6 protocol number.

  • Specify the source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length as the source or destination IPv6 network or network class to set deny or permit conditions. Enter values in hexadecimal, using 16-bit segments separated by colons, as described in RFC 2373.

  • Enter any as an abbreviation for the IPv6 prefix ::/0.

  • For host source-ipv6-address or destination-ipv6-address, enter the specific IPv6 host address. Enter values in hexadecimal, using 16-bit segments separated by colons, to set deny or permit conditions.

  • Specify an operator to compare the source or destination ports of the protocol. Valid operators are lt (less than), gt (greater than), eq (equal), neq (not equal), and range.

When the operator is placed after the source-ipv6-prefix/prefix-length argument, it matches the source port. When the operator is placed after the destination-ipv6-prefix/prefix-length argument, it matches the destination port.

  • The port number can be a decimal value from 0 to 65535 or a TCP or UDP port name. Use TCP port names only for TCP filtering, and UDP port names only for UDP filtering.

  • Enter a DSCP value to match a differentiated services code point against the traffic class value in each IPv6 packet header. The valid range is 0 to 63.

  • To check noninitial fragments, enter the keyword fragments. This option is available only when the protocol is IPv6.

  • To send a log message to the console for matching packets, enter log. To include the input interface in the log entry, enter log-input. Logging is supported only for router ACLs.

  • Enter routing to enable IPv6 packet routing.

  • Enter a sequence value to assign a sequence number to the access list statement. Valid values range from 1 to 4,294,967,295.

  • Enter a time-range name to apply a specific time range to the deny or permit statement.

Step 4

Define a TCP access list and the access conditions.

Example:

{deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [ack] [dscp value] [established] [fin]
[log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value]
[syn] [time-range name] [urg]

Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3, with these additional optional parameters:

  • ack: Acknowledgment bit set.

  • established: An established connection. A match occurs if the TCP datagram has the ACK or RST bits set.

  • fin: Finished bit set; no more data from sender.

  • neq {port | protocol}: Matches only packets that are not on a given port number.

  • psh: Push function bit set.

  • range {port | protocol}: Matches only packets in the port number range.

  • rst: Reset bit set.

  • syn: Synchronize bit set.

  • urg: Urgent pointer bit set.

Step 5

Define a UDP access list and the access conditions.

Example:

{deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [dscp value] [log] [log-input]
[neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]

Enter udp for the User Datagram Protocol. The UDP parameters are similar to those for TCP. However, the operator [port] must specify a UDP port number or name, and the established parameter cannot be used with UDP.

Step 6

Define an ICMP access list and the access conditions.

Example:

{deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
[operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input]
[routing] [sequence value] [time-range name]

Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those for most IP protocols in Step 3. However, ICMP includes additional parameters for message type and code. These optional keywords have these meanings:

  • icmp-type: Enter to filter by ICMP message type, a number from 0 to 255.

  • icmp-code: Enter to filter ICMP packets by the ICMP message code type, a number from 0 to 255.

  • icmp-message: Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To view a list of ICMP message type names and code names, use the ? key or consult the command reference for this release.

Step 7

Return to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Example:

Device(config)# end

Step 8

Verify the access list configuration.

Example:

Device# show ipv6 access-list

Step 9

(Optional) Save your entries in the configuration file.

Example:

Device# copy running-config startup-config

Create WLAN IPv6 ACL (GUI)

Create a WLAN IPv6 Access Control List (ACL) using the GUI to apply IPv6 traffic controls to a wireless LAN.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID, and the WLAN ID.

Step 4

Choose the Security > Layer3 tab. Click Show Advanced Settings. Under the Preauthenticated ACL settings, select the ACL from the IPv6 drop-down list.

Step 5

Click Apply to Device.


Create WLAN IPv6 ACL (CLI)

Create and apply a WLAN IPv6 Access Control List (ACL) to define traffic rules and enforce security for wireless clients using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create a policy profile for the WLAN.

Example:

Device(config)# wireless profile policy profile-name

The profile-name is the profile name of the policy profile.

Step 3

Create a named WLAN ACL.

Example:

Device(config-wireless-policy)# ipv6 acl acl_name

Step 4

Create a pre-authentication ACL for web authentication.

Example:

Device(config-wlan)# ipv6 traffic-filter web acl_name-preauth

Verify IPv6 ACL

Display IPv6 ACLs (CLI)

View all IPv6 access lists or a specific access list by name for verification and troubleshooting using commands.

Procedure


Step 1

Enable the privileged EXEC mode.

Example:

Device# enable

Enter your password if prompted.

Step 2

Enter the global configuration mode.

Example:

Device# configure terminal

Step 3

Display all access lists configured on the device.

Example:

Device# show access-lists

Step 4

Display all configured IPv6 access lists or the access list specified by name.

Example:

Device# show ipv6 access-list acl_name

Example: Create an IPv6 ACL

This example configures the IPv6 access list named CISCO. The first deny entry denies all packets with a destination TCP port number greater than 5000. The second deny entry denies packets with a source UDP port number less than 5000. The second deny entry also logs all matches to the console. The first permit entry permits all ICMP packets. The second permit entry permits all other traffic. The second permit entry is necessary because each IPv6 access list ends with an implicit deny all condition.

Note

Logging is supported only on Layer 3 interfaces.

Device(config)# ipv6 access-list CISCO
Device(config-ipv6-acl)# deny tcp any any gt 5000
Device(config-ipv6-acl)# deny udp ::/0 lt 5000 ::/0 log
Device(config-ipv6-acl)# permit icmp any any
Device(config-ipv6-acl)# permit ipv6 any any
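
The access list above is read top down: the first matching entry decides, and a packet that matches nothing falls to the implicit deny all. The following Python model is an added example, not Cisco code; the Ace and Packet types and the evaluate function are constructed here, the CISCO list reproduces the four entries above, and evaluating against CISCO[:3] shows what the final permit prevents.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the rules this page states (not Cisco code): entries are tried
# in order, the first match decides, and anything unmatched hits the implicit deny all.

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ipv6" matches any protocol
    src: str = "any"                  # prefix/length, or "any" (alias of ::/0)
    dst: str = "any"
    src_port: Optional[tuple] = None  # (operator, value), e.g. ("lt", 5000)
    dst_port: Optional[tuple] = None  # operator: lt, gt, eq or neq
    established: bool = False         # tcp only: match if ACK or RST is set
    log: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"ACK"})

def _port_match(cond, port):
    if cond is None:
        return True
    op, value = cond
    return {"lt": port < value, "gt": port > value, "eq": port == value, "neq": port != value}[op]

def _prefix_match(prefix, addr):
    net = ipaddress.ip_network("::/0" if prefix == "any" else prefix, strict=False)
    return ipaddress.ip_address(addr) in net

def evaluate(acl, pkt):
    """Return (action, index of the matching entry or None, log flag)."""
    for i, ace in enumerate(acl):
        if ace.protocol not in ("ipv6", pkt.protocol):
            continue
        if not (_prefix_match(ace.src, pkt.src) and _prefix_match(ace.dst, pkt.dst)):
            continue
        if not (_port_match(ace.src_port, pkt.sport) and _port_match(ace.dst_port, pkt.dport)):
            continue
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return ace.action, i, ace.log
    return "deny", None, False        # implicit deny all

# The page's access list CISCO; evaluate against CISCO[:3] to see the implicit deny.
CISCO = [Ace("deny", "tcp", dst_port=("gt", 5000)),
         Ace("deny", "udp", src_port=("lt", 5000), log=True),
         Ace("permit", "icmp"), Ace("permit", "ipv6")]
```

The established flag models the TCP keyword described in Step 4: a bare SYN is not matched, a segment with ACK or RST is.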

Example: Apply an IPv6 ACL to a policy profile in a wireless environment

This example shows how to apply an IPv6 ACL to a policy profile in a wireless environment.

Note

All IPv6 ACLs must be associated to a policy profile.


  1. Create an IPv6 ACL.

     Device(config)# ipv6 access-list <acl-name>
     Device(config-ipv6-acl)# permit tcp 2001:DB8::/32 any
     Device(config-ipv6-acl)# permit udp 2001:DB8::/32 any

  2. Apply the IPv6 ACL to a policy profile.

     Device(config)# wireless profile policy <policy-profile-name>
     Device(config-wireless-policy)# shutdown
     Device(config-wireless-policy)# ipv6 acl <acl-name>
     Device(config-wireless-policy)# no shutdown

Display IPv6 ACLs (CLI)

This topic shows you how to display all configured IPv6 access control lists (ACLs) or a specific ACL by using commands on your device.

To display IPv6 ACLs, perform this procedure:

Procedure


Step 1

Display all access lists configured on the device.

Example:

Device# show access-lists

Step 2

Display all configured IPv6 access lists or the access list specified by name.

Example:

Device# show ipv6 access-list acl_name

Example: Display IPv6 ACLs

This is an example of the output from the show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.

Device# show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10

This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only the IPv6 access lists configured on the switch or switch stack.

Device# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
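
The match counters in this output are the only per-entry evidence of what an ACL actually sees, so they are worth parsing rather than eyeballing. This is an added Python example, not from the page or Cisco: the sample text is constructed in the same shape as the output above, and the helper names (parse_ipv6_acls, permit_entries_for, never_matched) are chosen here.

```python
import re

# Constructed sample in the shape of the page's show ipv6 access-list output.
SAMPLE_OUTPUT = """\
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
"""

ACL_HEADER = re.compile(r"^IPv6 access list (\S+)$")
ACE_LINE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s+sequence\s+(?P<seq>\d+)$")

def parse_ipv6_acls(text):
    """Return {acl_name: [{seq, action, body, matches}, ...]} in display order."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_HEADER.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = ACE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        current.append({"seq": int(m.group("seq")), "action": m.group("action"),
                        "body": m.group("body"), "matches": int(m.group("matches") or 0)})
    return acls

def permit_entries_for(acls, keyword):
    """(acl, seq) of every permit entry whose body names keyword, e.g. 'telnet',
    so cleartext services still allowed through an ACL can be reviewed."""
    return [(name, e["seq"]) for name, entries in acls.items()
            for e in entries if e["action"] == "permit" and keyword in e["body"].split()]

def never_matched(acls):
    """(acl, seq) of entries with no match counter: candidates to review during ACL cleanup."""
    return [(name, e["seq"]) for name, entries in acls.items() for e in entries if e["matches"] == 0]
```

Entries without a counter are reported as zero matches; an entry that has never matched since the counters were last cleared is a candidate for review, not proof that it is unneeded.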

Example: Configure RA throttling

Configure router advertisement (RA) throttling and neighbor solicitation (NS) suppression, using commands, to prevent power-saving wireless clients from being disturbed by frequent unsolicited RA messages.

This task describes how to create an RA throttle policy that keeps power-saving wireless clients from being disturbed by frequent unsolicited periodic RAs. The controller throttles the unsolicited multicast RAs.

Before you begin

Enable IPv6 on the client machine.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create an RA throttler policy called Mythrottle.

Example:

Device(config)# ipv6 nd ra-throttler policy Mythrottle

Step 3

Determine the time interval segment during which throttling applies.

Example:

Device(config-nd-ra-throttle)# throttle-period 20

Step 4

Determine how many initial RAs are allowed.

Example:

Device(config-nd-ra-throttle)# max-through 5

Step 5

Determine how many RAs are allowed after the initial RAs have been transmitted, until the end of the interval segment.

Example:

Device(config-nd-ra-throttle)# allow at-least 3 at-most 5

Step 6

Create a per-VLAN configuration and enter VLAN configuration mode.

Example:

Device(config)# vlan configuration 100

Step 7

Enable the router advertisement throttling.

Example:

Device(config-vlan-config)# ipv6 nd ra-throttle attach-policy Mythrottle

Step 8

Return to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Example:

Device(config)# end