IPv6 ACL

Information About IPv6 ACL

An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller ). ACLs are configured on the device and applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients or to the controller central processing unit (CPU) to control all traffic destined for the CPU.

You can also create a preauthentication ACL for web authentication. Such an ACL is used to allow certain types of traffic before authentication is complete.

IPv6 ACLs support the same options as IPv4 ACLs including source, destination, source and destination ports.


Note
You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6 ACL to deny all IPv6 traffic and apply it on specific or all WLANs.

Understanding IPv6 ACLs

Types of ACL

Per User IPv6 ACL

For the per-user ACL, the full access control entries (ACE) as the text strings are configured on the RADIUS server.

The ACE is not configured on the Cisco 9800 controller. The ACE is sent to the device in the ACCESS-Accept attribute and applies it directly for the client. When a wireless client roams into an foreign device, the ACEs are sent to the foreign device as an AAA attribute in the mobility Handoff message. Output direction, using per-user ACL is not supported.

Filter ID IPv6 ACL

For the filter-Id ACL, the full ACEs and the acl name(filter-id) is configured on the Cisco 9800 controller and only the filter-id is configured on the RADIUS Server.

The filter-id is sent to the device in the ACCESS-Accept attribute, and the device looks up the filter-id for the ACEs, and then applies the ACEs to the client. When the client L2 roams to the foreign device, only the filter-id is sent to the foreign device in the mobility Handoff message. Output filtered ACL, using per-user ACL is not supported. The foreign device has to configure the filter-id and ACEs beforehand.

Prerequisites for Configuring IPv6 ACL

You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the Network Essentials license.

Restrictions for Configuring IPv6 ACL

With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The IPv6 ACL does not support Flex connect mode.

The device supports most of the Cisco IOS-supported IPv6 ACLs with some exceptions:

  • The device does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.

  • The device does not support reflexive ACLs (the reflect keyword).

  • The device does not apply MAC-based ACLs on IPv6 frames.

  • When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the device checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.

  • If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the device does not allow the ACE to be added to the ACL that is currently attached to the interface

Configuring IPv6 ACLs

Follow the procedure given below to filter IPv6 traffic:

  1. Create an IPv6 ACL, and enter IPv6 access list configuration mode.

  2. Configure the IPv6 ACL to block (deny) or pass (permit) traffic.

  3. Apply the IPv6 ACL to the interface where the traffic needs to be filtered.

  4. Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.

Default IPv6 ACL Configuration

There are no IPv6 ACLs configured or applied.

Interaction with Other Features and Switches

  • If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.

  • You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured.

    You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.

  • You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.

  • If the hardware memory is full, for any additional configured ACLs, packets are processed to the CPU, and the ACLs are applied in software. When the hardware is full a message is printed to the console indicating the ACL has been unloaded and the packets will be processed in software.


    Note
    Only packets of the same type as the ACL that could not be added (ipv4, ipv6, MAC) will be processed in software.

  • If the TCAM is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software.

How To Configure an IPv6 ACL

Creating an IPv6 ACL (GUI)

Procedure

Step 1

Choose Configuration > Security > ACL.

Step 2

Click Add.

Step 3

In the Add ACL Setup dialog box, enter the following parameters.

  • ACL Name: Enter the name for the ACL

  • ACL Type: IPv6

  • Sequence: The valid range is between 100 and 199 or 2000 and 26991

  • Action: Choose Permit or Deny the packet flow from the drop-down list.

  • Source Type: Choose any, Host or Network from which the packet is sent.

  • Destination Type: Choose any, Host or Network to which the packet is sent.

  • Protocol: Choose a protocol from the drop-down list.

  • Log: Enable or disable logging.

  • DSCP: Enter to match packets with the DSCP value

Step 4

Click Add.

Step 5

Add the rest of the rules and click Apply to Device.

Creating an IPv6 ACL

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 access-list acl_name

Example:

Device# ipv6 access-list access-list-name

Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.

Step 4

{deny|permit} protocol

Example:

{deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}
[operator [port-number]]{destination-ipv6-prefix/prefix-length | any |host destination-ipv6-address}
[operator [port-number]][dscp value] [fragments][log] [log-input] [routing][sequence value]
[time-range name]

Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:

  • For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, stcp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.

  • The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/ prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).

  • Enter any as an abbreviation for the IPv6 prefix ::/0.

  • For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.

  • (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range.

If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6- prefix/prefix-length argument, it must match the destination port.

  • (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.

  • (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.

  • (Optional) For packet fragmentation, enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.

  • (Optional) Enter log to cause an logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.

  • (Optional) Enter routing to specify that IPv6 packets be routed.

  • (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295

  • (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.

Step 5

{deny|permit} tcp

Example:

{deny | permit} tcp {source-ipv6-prefix/prefix-length | any | hostsource-ipv6-address}
[operator [port-number]]{destination-ipv6-prefix/prefix-length | any |hostdestination-ipv6-address}
[operator [port-number]][ack] [dscp value][established] [fin] 
[log][log-input] [neq {port |protocol}] [psh] [range{port | protocol}] [rst][routing] [sequence value]
[syn] [time-range name][urg]

(Optional) Define a TCP access list and the access conditions.

Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3, with these additional optional parameters:

  • ack—Acknowledgment bit set.

  • established—An established connection. A match occurs if the TCP datagram has the ACK or RST bits set.

  • fin—Finished bit set; no more data from sender.

  • neq {port | protocol}—Matches only packets that are not on a given port number.

  • psh—Push function bit set.

  • range {port | protocol}—Matches only packets in the port number range.

  • rst—Reset bit set.

  • syn—Synchronize bit set.

  • urg—Urgent pointer bit set.

Step 6

{deny|permit} udp

Example:

{deny | permit} udp {source-ipv6-prefix/prefix-length | any | hostsource-ipv6-address}
[operator [port-number]]{destination-ipv6-prefix/prefix-length | any | hostdestination-ipv6-address}
[operator [port-number]][dscp value] [log][log-input] 
[neq {port |protocol}] [range {port |protocol}] [routing][sequence value][time-range name]

(Optional) Define a UDP access list and the access conditions.

Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the operator [port]] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP.

Step 7

{deny|permit} icmp

Example:

{deny | permit} icmp {source-ipv6-prefix/prefix-length | any | hostsource-ipv6-address}
[operator [port-number]] {destination-ipv6-prefix/prefix-length | any | hostdestination-ipv6-address}
[operator [port-number]][icmp-type [icmp-code] |icmp-message] [dscpvalue] [log] [log-input]
[routing] [sequence value][time-range name]

(Optional) Define an ICMP access list and the access conditions.

Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 3a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:

  • icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.

  • icmp-code—Enter to filter ICMP packets that are filtered by the ICMP message code type, a number from 0 to 255.

  • icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key or see command reference for this release.

Step 8

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 9

show ipv6 access-list

Example:

show ipv6 access-list

Verify the access list configuration.

Step 10

copy running-config startup-config

Example:

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Creating WLAN IPv6 ACL (GUI)

Procedure

Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID and the WLAN ID.

Step 4

Choose Security > Layer3 tab, click Show Advanced Settings and under the Preauthenticated ACL settings, choose the ACL from the IPv6 drop-down list.

Step 5

Click Apply to Device.

Creating WLAN IPv6 ACL

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

DeviceController # configure terminal

Configures the terminal.

Step 2

wireless profile policy profile-name

Example:

Device(config)# wireless profile policy test1

Creates policy profile for the WLAN.

The profile-name is the profile name of the policy profile.

Step 3

ipv6 acl acl_name

Example:

Device(config-wireless-policy)# ipv6 acl testacl

Creates a named WLAN ACL.

Step 4

ipv6 traffic-filter web acl_name-preauth

Example:

Device(config-wlan)# ipv6 traffic-filter web preauth1

Creates a pre-authentication ACL for web authentication.

Verifying IPv6 ACL

Displaying IPv6 ACLs

To display IPv6 ACLs, perform this procedure:

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

show access-list

Example:

Device# show access-lists

Displays all access lists configured on the device

Step 4

show ipv6 access-list acl_name

Example:

Device# show ipv6 access-list [access-list-name]

Displays all configured IPv6 access list or the access list specified by name.

Configuration Examples for IPv6 ACL

Example: Creating an IPv6 ACL

This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny -all condition is at the end of each IPv6 access list.

Note
Logging is supported only on Layer 3 interfaces. 
Device(config)# ipv6 access-list CISCO
Device(config-ipv6-acl)# deny tcp any any gt 5000
Device (config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log
Device(config-ipv6-acl)# permit icmp any any
Device(config-ipv6-acl)# permit any any

Example: Applying an IPv6 ACL to a Policy Profile in a Wireless Environment

This example shows how to apply an IPv6 ACL to a Policy Profile in a Wireless environment.

Note

All IPv6 ACLs must be associated to a policy profile.

  1. Creating an IPv6 ACL.

    Device(config)# ipv6 access-list <acl-name>
Device(config-ipv6-acl)# permit tcp 2001:DB8::/32 any
Device(config-ipv6-acl)# permit udp 2001:DB8::/32 any

  2. Applying the IPv6 ACL to a policy profile.

    Device(config)# wireless profile policy <policy-profile-name>
Device(config-wireless-policy)# shutdown
Device(config-wireless-policy)# ipv6 acl <acl-name>
Device(config-wireless-policy)# no shutdown

Displaying IPv6 ACLs

To display IPv6 ACLs, perform this procedure:

Procedure

  Command or Action Purpose

Step 1

show access-list

Example:

Device# show access-lists

Displays all access lists configured on the device

Step 2

show ipv6 access-list acl_name

Example:

Device# show ipv6 access-list [access-list-name]

Displays all configured IPv6 access list or the access list specified by name.

Example: Displaying IPv6 ACLs

This is an example of the output from the show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.
Device #show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10
This is an example of the output from the show ipv6 access-lists privileged EXEC command. The output shows only IPv6 access lists configured on the switch or switch stack.
Device# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30

IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20

Example: Configuring RA Throttling

This task describes how to create an RA throttle policy in order to help the power-saving wireless clients from being disturbed by frequent unsolicited periodic RA's. The unsolicited multicast RA is throttled by the controller.

Before you begin

Enable IPv6 on the client machine.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ipv6 nd ra-throttler policy Mythrottle

Example:

Device (config)# ipv6 nd ra-throttler policy Mythrottle

Creates a RA throttler policy called Mythrottle.

Step 3

throttle-period 20

Example:

Device (config-nd-ra-throttle)# throttle-period 20

Determines the time interval segment during which throttling applies.

Step 4

max-through 5

Example:

Device (config-nd-ra-throttle)# max-through 5

Determines how many initial RA's are allowed.

Step 5

allow at-least 3 at-most 5

Example:

Device (config-nd-ra-throttle)# allow at-least 3 at-most 5

Determines how many RA's are allowed after the initial RAs have been transmitted, until the end of the interval segment.

Step 6

switch (config)# vlan configuration 100

Example:

Device (config)# vlan configuration 100

Creates a per vlan configuration.

Step 7

ipv6 nd ra-th attach-policy attach-policy_name

Example:

Device (config)# ipv6 nd ra-throttle attach-policy attach-policy_name

Enables the router advertisement throttling.

Step 8

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.