IPv6 Access List Basics

Posted on March 6, 2014 by

Chances are that if you have worked with IPv4 on the IOS platform for any length of time you are familiar with the access list formats, both standard and extended.  Assuming you know at least the basics of the addressing structure you should have no issue establishing similar ACLs for IPv6.

Creating IPv6 ACLs

The first considerations are that IPv6 ACLs have to be the “extended” format meaning the both the source and destinations have to be defined.  The ACLs also have to be named with a string as numbered ACLs are not acceptable.  The ACL name can contain numbers but may not start with them.  Trying anything to the contrary will give you messages like this:

R1(config)#ipv6 access-list 100
% Invalid access list name.
R1(config)#ipv6 access-list 100_ACL
% Invalid access list name.
R1(config)#ipv6 access-list ACL_100
R1(config-ipv6-acl)#

Another very notable difference is that IPv6 ACLs do not use the wildcard mask like v4, thankfully.  Let’s review the situation via the example network below:

ipv6_acl_example1

 

First, let’s block the network or the right from reaching the networks on the left.  We do want all other traffic to continue to flow through the router.  The ACL configuration would look something like this:

ipv6 access-list v6acl
 deny ipv6 2001:470:1234::/64 2001:470:5678::/64
 deny ipv6 2001:470:1234::/64 2001:470:5678:1::/64
 permit ipv6 any any

As I mentioned above this matches the IPv4 formatting fairly closely.  With the ACL established we have to apply it to an interface.  All of your typical ACL application rules apply of course, such as apply it as close to the source as possible.  We will apply this ACL to GigabitEthernet 0/1 like this:

interface GigabitEthernet 0/1
ipv6 traffic-filter v6acl in

As you can see the keyword has changed from “access-group” to “traffic-filter” in IPv6.

SNMP ACLs

SNMP configuration remains very similar with the exception of an “ipv6” keyword that must be used to callout an IPv6 ACL.  The snmp-server command will only allow a single command to address all of your snmp filtering needs. There are three formats that are acceptable:

!IPv6 Only SNMP
snmp-server community <community string> ipv6 <ipv6 acl>
!IPv4 SNMP
snmp-server community <community string> <ipv4 acl>
!Both IPv4 and V6 SNMP
snmp-server community <community string> ipv6 <ipv6 acl> <ipv4 acl>

Take note that if setting up SNMP for V4 and V6 you must do it in the combined command or the previous will be removed.  “snmp-server” commands that contain differing community strings are not affected.

VTY Line ACLs

To configure an ACL on the VTY lines follow the similar steps as with IPv4.  The difference is the “ipv6” key word ahead of “access-class”.  Lets review this in an example:

line vty 0 15
 access-class v4acl in
 ipv6 access-class v6acl in

I hope everyone getting started with IPv6 found this useful!

 

 

This entry was posted in Networking and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.