Information About IPv6 ACL
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the embedded wireless controller). ACLs are configured on the device and applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients, or to the embedded wireless controller central processing unit (CPU) to control all traffic destined for the CPU.
You can also create a preauthentication ACL for web authentication. Such an ACL is used to allow certain types of traffic before authentication is complete.
IPv6 ACLs support the same options as IPv4 ACLs, including source, destination, and source and destination ports.
Note
You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6 ACL to deny all IPv6 traffic and apply it on specific or all WLANs.
Understanding IPv6 ACLs
Types of ACL
Per User IPv6 ACL
For the per-user ACL, the full access control entries (ACEs) are configured as text strings on the Cisco Secure Access Control Server (Cisco Secure ACS); no ACEs are configured on the embedded wireless controller. The ACEs are sent to the device in the ACCESS-Accept attribute, and the device applies them directly to the client. When a wireless client roams to a foreign device, the ACEs are sent to the foreign device as an AAA attribute in the mobility handoff message. Per-user ACLs are not supported in the output direction.
Filter ID IPv6 ACL
For the filter-Id ACL, the full ACEs and the ACL name (filter-Id) are configured on the device, and only the filter-Id is configured on the Cisco Secure ACS. The filter-Id is sent to the device in the ACCESS-Accept attribute; the device looks up the filter-Id to find the ACEs and then applies the ACEs to the client. When the client L2 roams to a foreign device, only the filter-Id is sent to the foreign device in the mobility handoff message, so the foreign device must have the filter-Id and its ACEs configured beforehand. Output filtering with per-user ACLs is not supported.
Downloadable IPv6 ACL
For the downloadable ACL (dACL), the full ACEs and the dACL name are configured only on the Cisco Secure ACS. The Cisco Secure ACS sends the dACL name to the device in the ACCESS-Accept attribute; the device takes that dACL name and sends it back to the Cisco Secure ACS in an ACCESS-Request attribute to retrieve the ACEs.
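The three delivery modes above (per-user, filter-Id and downloadable) differ in where the ACEs live and in what survives an L2 roam. The following is an added model of that resolution logic, not code from the Cisco documentation or product: the attribute keys ("cisco-avpair", "filter-id", "dacl-name"), the `Acs` stand-in and all ACE strings are constructed for the example, and the per-user AV-pair form "ipv6:inacl#N=<ace>" is an assumption about how the text-string ACEs are carried.

```python
class AclError(Exception):
    """Raised when a client's IPv6 ACL cannot be resolved on this device."""


class Acs:
    """Stand-in for Cisco Secure ACS holding dACLs (constructed for this model)."""
    def __init__(self, dacls):
        self.dacls = dacls  # dACL name -> list of ACE strings

    def download(self, name):
        # Second round trip: the device sends the dACL name back and receives the ACEs.
        return list(self.dacls[name])


class Device:
    """A controller with its locally configured filter-Id ACLs."""
    def __init__(self, name, local_acls=None):
        self.name = name
        self.local_acls = local_acls or {}  # filter-Id -> list of ACE strings

    def lookup(self, filter_id):
        if filter_id not in self.local_acls:
            raise AclError(f"{self.name}: filter-id {filter_id!r} is not configured")
        return list(self.local_acls[filter_id])

    def resolve(self, accept, acs):
        """Return {'kind', 'name', 'aces'} for one Access-Accept (dict of attributes)."""
        # Per-user: full ACEs arrive as AV-pairs "ipv6:inacl#<n>=<ace>", ordered by <n>.
        per_user = []
        for pair in accept.get("cisco-avpair", []):
            key, _, ace = pair.partition("=")
            if key.startswith("ipv6:inacl#"):
                per_user.append((int(key.split("#", 1)[1]), ace))
        if per_user:
            return {"kind": "per-user", "name": None,
                    "aces": [ace for _, ace in sorted(per_user)]}
        # dACL: only the name arrives; the ACEs come from a follow-up request to the ACS.
        if "dacl-name" in accept:
            return {"kind": "dacl", "name": accept["dacl-name"],
                    "aces": acs.download(accept["dacl-name"])}
        # Filter-Id: only the name arrives; the ACEs must already exist on this device.
        if "filter-id" in accept:
            return {"kind": "filter-id", "name": accept["filter-id"],
                    "aces": self.lookup(accept["filter-id"])}
        raise AclError(f"{self.name}: no IPv6 ACL attribute in Access-Accept")


def roam(binding, foreign):
    """Handoff: per-user ACEs travel with the client; for filter-Id only the name does."""
    if binding["kind"] == "per-user":
        return list(binding["aces"])
    if binding["kind"] == "filter-id":
        return foreign.lookup(binding["name"])  # fails if not configured beforehand
    raise AclError("dACL handoff behaviour is not covered by this model")
```

Running `roam()` for a filter-Id binding against a foreign device that lacks the ACL raises `AclError`, which is exactly the misconfiguration the text warns about: the roaming client would arrive with no resolvable policy.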