IPv6 ACL Extensions for IPsec Authentication Header
Download this chapter
IPv6 ACL Extensions for IPsec Authentication HeaderIPv6 ACL Extensions for IPsec Authentication Header
 Feedback

Contents

IPv6 ACL Extensions for IPsec Authentication Headers

Last Updated: September 20, 2012

The IPv6 ACL Extensions for IPsec Authentication Headers feature allows TCP or UDP parsing when an IPv6 IPsec authentication header is present.

This module describes how to configure TCP or UDP matching regardless of whether an authentication header (AH) is present or absent.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IPv6 ACL Extensions for IPsec Authentication Header

IPv6 ACL Extensions for IPsec Authentication Header

This feature provides the ability to match on the upper layer protocol (ULP) (for example, TCP, User Datagram Protocol [UDP], ICMP, SCTP) regardless of whether an authentication header (AH) is present or absent.

TCP or UDP traffic can be matched to the upper-layer protocol (ULP) (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.

This feature introduces the keyword auth to the permitand denycommands. The auth keyword allows matching traffic against the presence of the authentication header in combination with the specified protocol; that is, TCP or UDP.

IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.

How to Configure IPv6 ACL Extensions for IPsec Authentication Header

Configuring TCP or UDP Matching

TCP or UDP traffic can be matched to the ULP (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.

Use of the keyword auth with the permit icmp and deny icmp commands allows TCP or UDP traffic to be matched to the ULP if an AH is present. TCP or UDP traffic without an AH will not be matched.

IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.

Perform this task to allow TCP or UDP traffic to be matched to the ULP if an AH is present.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 access-list access-list-name

4.    permit icmp auth


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router# enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ipv6 access-list access-list-name


Example:

Router(config)# ipv6 access-list list1

 

Defines an IPv6 access list and places the router in IPv6 access list configuration mode.

 
Step 4
permit icmp auth


Example:



Example:

or



Example:

deny icmp auth



Example:

Router(config-ipv6-acl)# permit icmp auth

 

Specifies permit or deny conditions for an IPv6 ACL using the auth keyword, which is used to match against the presence of the AH.

 

Configuration Examples for IPv6 ACL Extensions for IPsec Authentication Header

Example: Configuring TCP or UDP Matching

The following example allows any TCP traffic regardless of whether or not an AH is present: 

IPv6 access list example1 
    permit tcp any any

The following example allows TCP or UDP parsing only when an AH header is present. TCP or UDP traffic without an AH will not be matched: 

IPv6 access list example2
    deny tcp host 2001::1 any log sequence 5
    permit tcp any any auth sequence 10
    permit udp any any auth sequence 20

The following example allows any IPv6 traffic containing an authentication header: 

IPv6 access list example3 
    permit ahp any any

Additional References

Related Documents

Related Topic Document Title

IPv6 addressing and connectivity

IPv6 Configuration Guide

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

IPv6 commands

Cisco IOS IPv6 Command Reference

Cisco IOS IPv6 features

Cisco IOS IPv6 Feature Mapping

Standards and RFCs

Standard/RFC Title

RFCs for IPv6

IPv6 RFCs

MIBs

MIB

MIBs Link

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 ACL Extensions for IPsec Authentication Header

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1Feature Information for IPv6 ACL Extensions for IPsec Authentication Header
Feature Name Releases Feature Information

IPv6 ACL Extensions for IPsec Authentication Header

12.4(20)T

The IPv6 ACL extensions for IPsec authentication headers feature allows TCP or UDP parsing when an IPv6 IPsec authentication header is present.

The following commands were introduced or modified: deny, ipv6 access-list, permit.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.