IPv6 ACL Extensions for IPsec Authentication Headers

The IPv6 ACL Extensions for IPsec Authentication Headers feature allows TCP or UDP parsing when an IPv6 IPsec authentication header is present.

This module describes how to configure TCP or UDP matching regardless of whether an authentication header (AH) is present or absent.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About IPv6 ACL Extensions for IPsec Authentication Header

IPv6 ACL Extensions for IPsec Authentication Header

This feature provides the ability to match on the upper layer protocol (ULP) (for example, TCP, User Datagram Protocol [UDP], ICMP, SCTP) regardless of whether an authentication header (AH) is present or absent.

TCP or UDP traffic can be matched to the upper-layer protocol (ULP) (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.

This feature introduces the keyword auth to the permitand denycommands. The auth keyword allows matching traffic against the presence of the authentication header in combination with the specified protocol; that is, TCP or UDP.

IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.

How to Configure IPv6 ACL Extensions for IPsec Authentication Header

Configuring TCP or UDP Matching

TCP or UDP traffic can be matched to the ULP (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.

Use of the keyword auth with the permit icmp and deny icmp commands allows TCP or UDP traffic to be matched to the ULP if an AH is present. TCP or UDP traffic without an AH will not be matched.

IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.

Perform this task to allow TCP or UDP traffic to be matched to the ULP if an AH is present.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ipv6 access-list access-list-name

    4.    permit icmp auth


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router# enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ipv6 access-list access-list-name


    Example:
    Router(config)# ipv6 access-list list1
     

    Defines an IPv6 access list and places the router in IPv6 access list configuration mode.

     
    Step 4 permit icmp auth


    Example:
    

        
    
 

    Example:
    
          
    or 
    

        
    
 

    Example:
    
          
                
              deny icmp auth 
    

        
    
 

    Example:
    
          
    Router(config-ipv6-acl)# permit icmp auth 
    

        
    
 
          		 
          
    
Specifies permit or deny conditions for an IPv6 ACL using the auth keyword, which is used to match against the presence of the AH.
    

         
      
    

    

    

    

    

    Configuration Examples for IPv6 ACL Extensions for IPsec Authentication Header
    

    Example: Configuring TCP or UDP Matching
    

     
		
     The following example allows any TCP traffic regardless of whether or not an AH is present:
		
    
 
		
    IPv6 access list example1 
    permit tcp any any 

    
 
		
     The following example allows TCP or UDP parsing only when an AH header is present. TCP or UDP traffic without an AH will not be matched: 
		
    
 
		
    IPv6 access list example2
    deny tcp host 2001::1 any log sequence 5
    permit tcp any any auth sequence 10
    permit udp any any auth sequence 20 

    
 
		
     The following example allows any IPv6 traffic containing an authentication header:
		
    
 
		
    IPv6 access list example3 
    permit ahp any any 
    
 
	 
    

    

    

    

    Additional References
    

    Related Documents
     
		 
		

    Related Topic 
				  
    
    		

    Document Title 
				  
    
    		

    
    

     
					 
     IPv6 addressing and connectivity 
					 
    
 
				      		
 
					 
     IPv6 Configuration Guide
    
 
				      		

    

     
					 
    Cisco IOS commands 
					 
    
 
				      		
 
					 
    Cisco IOS Master Commands List, All Releases
    
 
				      		

    

     
					 
    IPv6 commands 
					 
    
 
				      		
 
					 
    Cisco IOS IPv6 Command Reference
    
 
				      		

    

     
					 
    Cisco IOS IPv6 features 
					 
    
 
				      		

     
					 Cisco IOS IPv6 Feature Mapping 
				  
    
    		

    
    

    

    
 
	 
    

    Standards and RFCs
     
		 
		

    Standard/RFC 
				  
    
    		

    Title 
				  
    
    		

    
    

     
					 
    RFCs for IPv6 
					 
    
 
				      		

					 
    IPv6 RFCs
    

				      		

    
    

    

    
 
	 
    

    MIBs
     
		 
		

     
					 
     MIB 
					 
    
 
				      		
 
					 
     MIBs Link 
					 
    
 
				      		

    
    

     
					 
     
					 
    
 
				      		
 
					 
     To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
    
 
					 
     
						http:/​/​www.cisco.com/​go/​mibs
    
 
				      		

    
    

    

    
 
	 
    

    Technical Assistance
     
		 
		

    Description 
				  
    
    		

    Link 
				  
    
    		

    
    

     
					 
    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. 
					 
    
 
				      		
 
					 
     
						http:/​/​www.cisco.com/​cisco/​web/​support/​index.html
    
 
				      		

    
    

    

    
 
	 
    

    

    

    Feature Information for IPv6 ACL Extensions for IPsec Authentication Header
    

    
			
    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. 
    
 Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required. 
    


    Table 1 Feature Information for IPv6 ACL Extensions for IPsec Authentication Header
    Feature Name 
			 
    
    		

    Releases 
			 
    
    		

    Feature Information 
			 
    
    		

    
    

     
				
    IPv6 ACL Extensions for IPsec Authentication Header 
				
    
 
			     		
 
				
    12.4(20)T 
				
    
 
			     		
 
				
     The IPv6 ACL extensions for IPsec authentication headers feature allows TCP or UDP parsing when an IPv6 IPsec authentication header is present. 
				
    
 
				
    The following commands were introduced or modified: 
				  deny, 
				  ipv6 access-list, 
				  permit.