The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the Network Essentials license.
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
The device does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
The device does not support reflexive ACLs (the reflect keyword).
The device does not apply MAC-based ACLs on IPv6 frames.
When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the device checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.
If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the device does not allow the ACE to be added to the ACL that is currently attached to the interface
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs are configured on the devicend applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients or to the controller central processing unit (CPU) to control all traffic destined for the CPU.
An access control list (ACL) is a set of rules used to limit access to a particular interface. ACLs are configured on the device and applied to the management interface and to any of the dynamic interfaces.
You can also create a preauthentication ACL for web authentication. Such an ACL is used to allow certain types of traffic before authentication is complete.
IPv6 ACLs support the same options as IPv4 ACLs including source, destination, source and destination ports.
 Note |
You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6 ACL to deny all IPv6 traffic and apply it on specific or all WLANs. |
IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to IPv6 packets that are routed.
IPv6 port ACLs are supported on inbound traffic on Layer 2 interfaces only. IPv6 port ACLs are applied to all IPv6 packets entering the interface.
The switch supports VLAN ACLs (VLAN maps) for IPv6 traffic.
When an input router ACL and input port ACL exist in an SVI, packets received on ports to which a port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
When an output router ACL and input port ACL exist in an SVI, packets received on the ports to
which a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are not filtered.
Note |
If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored. |
Types of ACL
For the per-user ACL, the full access control entries (ACE) as the text strings are configured on the ACS.
The ACE is not configured on the
Controller. The ACE is sent to the
device
in the
ACCESS-Accept
attribute and applies it directly for the client. When a
wireless client roams into an foreign
device,
the ACEs are sent to the foreign
device
as an AAA attribute in the mobility Handoff message. Output direction, using
per-user ACL is not supported.
For the filter-Id ACL,
the full ACEs and the
acl
name(filter-id) is configured on the
device
and only the
filter-id is configured on the
ACS.
The
filter-id
is sent to the
device
in the ACCESS-Accept attribute, and the
device
looks up the filter-id for the ACEs, and then applies the ACEs to the client.
When the client L2 roams to the foreign
device,
only the filter-id is sent to the foreign
device
in the mobility Handoff message. Output filtered ACL, using per-user ACL is not
supported. The foreign
device
has to configure the filter-id and ACEs beforehand.
The stack master supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members.
If a new switch takes over as stack master, it distributes the ACL configuration to all stack members. The member switches sync up the configuration distributed by the new stack master and flush out entries that member switches sync up the configuration distributed by the new stack master and flush out entries that are not required.
When an ACL is modified, attached to, or detached from an interface, the stack master distributes the change to all stack members.
To filter IPv6 traffic, you perform these steps:
Before configuring IPv6 ACLs, you must select one of the IPv6 SDM templates.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
Create an IPv6 ACL, and enter IPv6 access list configuration mode. |
|
| Step 2 |
Configure the IPv6 ACL to block (deny) or pass (permit) traffic. |
|
| Step 3 |
Apply the IPv6 ACL to the interface where the traffic needs to be filtered. |
|
| Step 4 |
Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied. |
There are no IPv6 ACLs configured or applied.
If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured.
You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.
If the hardware memory is full, for any additional configured ACLs, packets are dropped to the CPU, and the ACLs are applied in software. When the hardware is full a message is printed to the console indicating the ACL has been unloaded and the packets will be dropped on the interface.
How To Configure an IPv6 ACL
To create an IPv6 ACL, perform this procedure:
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
ipv6 access-list acl_name Example: |
Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode. |
| Step 4 |
{deny|permit} protocol Example: |
If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6- prefix/prefix-length argument, it must match the destination port.
|
| Step 5 |
{deny|permit} tcp Example: |
(Optional) Define a TCP access list and the access conditions.
|
| Step 6 |
{deny|permit} udp Example: |
(Optional) Define a UDP access list and the access conditions. Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the operator [port]] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP. |
| Step 7 |
{deny|permit} icmp Example: |
(Optional) Define an ICMP access list and the access conditions.
|
| Step 8 |
end Example: |
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
| Step 9 |
show ipv6 access-list Example: |
Verify the access list configuration. |
| Step 10 |
copy running-config startup-config Example: |
(Optional) Save your entries in the configuration file. |
This section describes how to apply IPv6 ACLs to network interfaces. You can apply an IPv6 ACL to outbound or inbound traffic on layer 2 and Layer 3 interfaces. You can apply IPv6 ACLs only to inbound management traffic on Layer 3 interfaces.
To control access to an interface, perform this procedure:
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
||
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
| Step 3 |
interface interface_id Example: |
Identifies a Layer 2 interface (for port ACLs) or Layer 3 Switch Virtual interface (for router ACLs) on which to apply an access list, and enters interface configuration mode. |
||
| Step 4 |
no switchport Example: |
Changes the interface from Layer 2 mode (the default) to Layer 3 mode (only if applying a router ACL). |
||
| Step 5 |
ipv6 address ipv6_address Example: |
|
||
| Step 6 |
ipv6 traffic-filter acl_name Example: |
Applies the access list to incoming or outgoing traffic on the interface. |
||
| Step 7 |
end Example: |
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
||
| Step 8 |
show running-config interface tenGigabitEthernet 1/0/3 Example: |
Shows the configuration summary. |
||
| Step 9 |
copy running-config startup-config Example: |
(Optional) Saves your entries in the configuration file. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
ipv6 traffic-filter acl acl_name Example: |
Creates a named WLAN ACL. |
| Step 2 |
ipv6 traffic-filter acl web Example: |
Creates a pre-authentication for WLAN ACL. |
Device(config-wlan)# ipv6 traffic-filter acl <acl_name>
Device(config-wlan)#ipv6 traffic-filter acl web <acl_name-preauth>To displayIPv6 ACLs, perform this procedure:
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
show access-list Example: |
Displays all access lists configured on the device |
| Step 4 |
show ipv6 access-list acl_name Example: |
Displays all configured IPv6 access list or the access list specified by name. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
ipv6 nd raguard policy policy name Example: |
|
| Step 4 |
trusted-port Example: |
Configures the trusted port for the policy created above. |
| Step 5 |
device-role router Example: |
Defines the trusted device that can send RAs to the trusted port created above. |
| Step 6 |
interface interface-id Example: |
Configures the interface to the trusted device. |
| Step 7 |
ipv6 nd raguard attach-policy policy name Example: |
Configures and attaches the policy to trust the RA's received from the port. |
| Step 8 |
vlan vlan-id Example: |
Configures the wireless client vlans. |
| Step 9 |
ipv6 nd suppress Example: |
Suppresses the ND messages over wireless. |
| Step 10 |
ipv6 snooping Example: |
Captures IPv6 traffic. |
| Step 11 |
ipv6 nd raguard attach-policy policy name Example: |
Attaches the RA Guard policy to the wireless client vlans. |
| Step 12 |
ipv6 nd ra-throttler attach-policy policy name Example: |
Attaches the RA throttling policy to the wireless client vlans. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
ipv6 neighbor binding [vlan] 19 2001:db8::25:4 interface tenGigabitEthernet 1/0/3 aaa.bbb.ccc Example: |
Sets and validates the neighbor 2001:db8::25: 4 only valid when transmitting on VLAN 19 through interface te1/0/3 with the source mac-address as aaa.bbb.ccc. |
Configuration Examples for IPv6 ACL
Note |
Logging is supported only on Layer 3 interfaces. |
Device(config)# ipv6 access-list CISCO
Device(config-ipv6-acl)# deny tcp any any gt 5000
Device (config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log
Device(config-ipv6-acl)# permit icmp any any
Device(config-ipv6-acl)# permit any any
Device(config-if)# no switchport
Device(config-if)# ipv6 address 2001::/64 eui-64
Device(config-if)# ipv6 traffic-filter CISCO outDevice #show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10Device# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20This task describes how to create an RA throttle policy in order to help the power-saving wireless clients from being disturbed by frequent unsolicited periodic RA's. The unsolicited multicast RA is throttled by the controller.
Enable IPv6 on the client machine.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: |
Enters global configuration mode. |
| Step 2 |
ipv6 nd ra-throttler policy Mythrottle Example: |
Creates a RA throttler policy called Mythrottle. |
| Step 3 |
throttle-period 20 Example: |
Determines the time interval segment during which throttling applies. |
| Step 4 |
max-through 5 Example: |
Determines how many initial RA's are allowed. |
| Step 5 |
allow at-least 3 at-most 5 Example: |
Determines how many RA's are allowed after the initial RAs have been transmitted, until the end of the interval segment. |
| Step 6 |
switch (config)# vlan configuration 100 Example: |
Creates a per vlan configuration. |
| Step 7 |
ipv6 nd suppress Example: |
Disables the neighbor discovery on the Vlan. |
| Step 8 |
ipv6 nd ra-th attach-policy attach-policy_name Example: |
Enables the router advertisement throttling. |
| Step 9 |
end Example: |
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
| Related Topic | Document Title |
|---|---|
|
Cisco IOS commands |
| MIB | MIBs Link |
|---|---|
| All the supported MIBs for this release. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
|
Feature |
Release |
Modification |
|---|---|---|
|
IPv6 ACL Functionality |
Cisco IOS XE Fuji 16.9.2 |
This feature was introduced. |
Feedback