Information About IPv6 ACL
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs are configured on the device and applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients, or to the controller central processing unit (CPU) to control all traffic destined for the CPU.
You can also create a preauthentication ACL for web authentication. Such an ACL is used to allow certain types of traffic before authentication is complete.
IPv6 ACLs support the same options as IPv4 ACLs including source, destination, source and destination ports.
Note: You can allow only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6 ACL that denies all IPv6 traffic and apply it to specific WLANs or to all WLANs.
Understanding IPv6 ACLs
Types of ACL
Per User IPv6 ACL
For the per-user ACL, the full access control entries (ACEs) are configured as text strings on the RADIUS server. The ACEs are not configured on the Cisco 9800 controller. The ACEs are sent to the device in the ACCESS-Accept attribute, and the device applies them directly to the client. When a wireless client roams to a foreign device, the ACEs are sent to the foreign device as an AAA attribute in the mobility Handoff message. Filtering in the output direction with a per-user ACL is not supported.
Filter ID IPv6 ACL
For the filter-ID ACL, the full ACEs and the ACL name (filter-id) are configured on the Cisco 9800 controller, and only the filter-id is configured on the RADIUS server. The filter-id is sent to the device in the ACCESS-Accept attribute; the device looks up the ACEs for that filter-id and then applies them to the client. When the client performs a Layer 2 roam to a foreign device, only the filter-id is sent to the foreign device in the mobility Handoff message, so the foreign device must have the filter-id and its ACEs configured beforehand. Filtering in the output direction with a per-user ACL is not supported.
Downloadable IPv6 ACL
For the downloadable ACL (dACL), the full ACEs and the dACL name are configured only on the Cisco ISE. The Cisco ISE sends the dACL name to the device in its ACCESS-Accept attribute; the device takes the dACL name and sends it back to the Cisco ISE in an ACCESS-Request attribute to retrieve the ACEs.
AAA supports two different groups of authorization:
- aaa authorization network default group <AAA server>
- aaa authorization network <named method list> group <AAA server>
When the default group is enabled under aaa authorization network, the dACL works. When you use a named method list instead of the default method list from ISE, the client moves to the exclude state. If you want to use the named method list, you must pass the method list name from ISE in its Access-Accept together with the downloadable ACL.
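The following IOS-XE configuration is an added example, not taken from the Cisco documentation above, that ties the two configuration-side points together: the deny-all IPv6 ACL from the note, a filter-ID ACL whose ACEs live on the controller while the RADIUS server returns only the name, and the default versus named aaa authorization network method lists whose dACL behaviour the last paragraph describes. ACL names, the server group name, the RADIUS server address and the shared secret are constructed placeholders; the policy-profile binding at the end is shown in the form assumed for the 9800 and should be checked against your release.

```cisco
! Constructed example: all names, the 192.0.2.10 address and the key are placeholders.
aaa new-model
!
! 1. IPv6 ACL that denies all IPv6 traffic (the "IPv4-only network" case from the note).
ipv6 access-list BLOCK-ALL-IPV6
 sequence 10 deny ipv6 any any
!
! 2. Filter-ID style ACL: the full ACEs are defined here under a name, and the
!    RADIUS server returns only that name. Every controller a client can roam to
!    must carry the same definition, because only the name travels in the Handoff.
ipv6 access-list GUEST-V6-FILTER
 sequence 10 permit udp any any eq 53
 sequence 20 permit tcp any any eq 443
 sequence 30 deny ipv6 any any
! RADIUS side (not IOS-XE syntax): the Access-Accept carries
!   Filter-Id = "GUEST-V6-FILTER"
!
! 3. RADIUS server and server group used by both authorization forms.
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server radius ISE-GROUP
 server name ISE-1
!
! Default method list: a dACL returned by ISE is applied to the client.
aaa authorization network default group ISE-GROUP
!
! Named method list: a client receiving a dACL lands in the exclude state unless
! the ISE Access-Accept also carries this method-list name with the dACL.
aaa authorization network WLAN-AUTHZ group ISE-GROUP
!
! Assumed binding (verify on your release): attach the deny-all ACL to the WLAN's
! policy profile so that it applies to clients on that WLAN.
wireless profile policy GUEST-POLICY
 ipv6 acl BLOCK-ALL-IPV6
```

When troubleshooting a client that unexpectedly ends up in the exclude state, compare the method list named in the controller's aaa authorization network line with the name ISE returns in the Access-Accept: a mismatch, or a missing name with a named list, is the failure mode the documentation describes.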