Configuring IPv6 Access Control Lists in Cisco
Prerequisites: What is IPv6?, How to Configure IPv6 on CISCO Router?
Access Control Lists (ACLs) decide which traffic is dropped and which is forwarded through a specific device interface. They filter on source and destination addresses and are applied inbound or outbound on an interface, or, as in this article, to the vty lines to control which hosts may open a remote management session to the router. Standard ACL functionality in IPv6 is similar to standard ACLs in IPv4, including the implicit deny at the end of every ACL: a packet that matches no explicit entry is dropped. One IPv6-specific detail matters in practice: before that implicit deny, an IOS IPv6 ACL implicitly permits ICMPv6 Neighbor Discovery (neighbor solicitation and neighbor advertisement) so that applying an ACL to an interface does not break address resolution. If you add an explicit `deny ipv6 any any` at the end of the ACL, it overrides those implicit permits and Neighbor Discovery has to be permitted explicitly. IPv6 extended ACLs inherit the functionality of standard IPv6 ACLs and additionally support filtering on:
- IPv6 option (extension) headers, and
- upper-layer protocol information (for example a port number or a specific service) for finer-grained control.
IPv6 Access Control List commands:

Command | Purpose | Example
---|---|---
ipv6 access-list <access-list-name> | Define an IPv6 ACL and enter IPv6 ACL configuration mode | Router(config)# ipv6 access-list w3wiki
permit <protocol> {source-ipv6-prefix/prefix-length \| any \| host source-ipv6-address} {destination-ipv6-prefix/prefix-length \| any \| host destination-ipv6-address} | Add a permit entry to the IPv6 ACL | Router(config-ipv6-acl)# permit ipv6 host 2001:DB8:0:4::32 any
deny <protocol> {source-ipv6-prefix/prefix-length \| any \| host source-ipv6-address} {destination-ipv6-prefix/prefix-length \| any \| host destination-ipv6-address} | Add a deny entry to the IPv6 ACL | Router(config-ipv6-acl)# deny ipv6 host 2001:DB8:0:6::6 any
ipv6 access-class <access-list-name> {in \| out} | Apply the IPv6 ACL to the vty lines to filter remote management sessions to the router itself | Router(config-line)# ipv6 access-class w3wiki in
Creating and Configuring an IPv6 ACL for Traffic Filtering:
Step 1: Create the physical topology in GNS3 as shown in the image below. R1 and R2 are directly connected on FastEthernet0/0; PC1 hangs off R1's FastEthernet1/0 and PC2 off R2's FastEthernet1/0.
Step 2: Configure IPv6 addresses on PC1 and PC2 (VPCS syntax):
PC1> ip 2001:db8:0:4::2 /64
PC2> ip 3001:db8:0:4::2 /64
Step 3: Enable IPv6 unicast routing on both routers in global configuration mode:
R1(config)#ipv6 unicast-routing
R2(config)#ipv6 unicast-routing
Step 4: Configure IPv6 addresses on the physical interfaces of both routers. Each router gets a static link-local address and a global address on the R1-R2 link, plus a global address on its LAN interface:
R1(config)#interface FastEthernet0/0
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 address bbbb:10:1:1::1/64
R1(config-if)#no shutdown
R1(config-if)#interface FastEthernet1/0
R1(config-if)#ipv6 address 2001:DB8:0:4::1/64
R1(config-if)#no shutdown
R2(config)#interface FastEthernet0/0
R2(config-if)#ipv6 address FE80::2 link-local
R2(config-if)#ipv6 address bbbb:10:1:1::2/64
R2(config-if)#no shutdown
R2(config-if)#interface FastEthernet1/0
R2(config-if)#ipv6 address 3001:DB8:0:4::1/64
R2(config-if)#no shutdown
No routes between the two LANs are configured, so PC1 and PC2 cannot reach the far router; the tests below run between R1 and R2 over their directly connected link.
Step 5: Enable telnet on R1 by setting an enable secret and a vty line password:
R1(config)#enable secret cisco
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
`enable secret` stores a hash of the privileged-mode password, whereas `enable password` stores it recoverably, so prefer `enable secret`. Telnet itself sends the vty password in cleartext; it is used here only because the lab is about the ACL, and a production router should use SSH (`transport input ssh`) instead.
Step 6: Check whether R2 is able to telnet to R1:
R2#telnet bbbb:10:1:1::1
- R2 is able to telnet to R1.
Step 7: Configure an IPv6 ACL named “w3wiki” on R1 and apply it to the vty lines so that R2 can no longer telnet to R1:
R1(config)#ipv6 access-list w3wiki
R1(config-ipv6-acl)#deny tcp host bbbb:10:1:1::2 any eq telnet
R1(config-ipv6-acl)#permit tcp 2001:db8:0:4::/64 any eq telnet
R1(config-ipv6-acl)#exit
R1(config)#line vty 0 4
R1(config-line)#ipv6 access-class w3wiki in
The deny entry names R2's own address on the R1-R2 link (bbbb:10:1:1::2), which is the source address R2 uses when it connects to bbbb:10:1:1::1. An entry for host 3001:db8:0:4::2 (PC2's address) would never match R2's sessions; they would still be blocked, but only by the implicit deny at the end of the ACL, which also blocks every other host. The permit entry allows telnet from PC1's network so that the ACL denies R2 specifically rather than everyone. Note that `ipv6 access-class` on the vty lines filters only sessions to the router's own management services; to filter transit traffic through an interface, use `ipv6 traffic-filter <access-list-name> {in | out}` under that interface instead.
Step 8: Check whether R2 is still able to telnet to R1 after the ACL is applied:
R2#telnet bbbb:10:1:1::1
- R2 is unable to telnet to R1 after the ACL is applied.
Step 9: Verify the configured IPv6 ACL. The output lists each entry with its sequence number and a match counter, so after the failed attempt in Step 8 the deny entry's counter should have incremented:
R1#show ipv6 access-list
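The behaviour the procedure above relies on, first match wins followed by the implicit Neighbor Discovery permits and the implicit deny, is easy to get wrong when an ACL has only a deny entry. The following Python model is an added example, not IOS code or anything from the original page: it parses IOS-style entries, evaluates them the way the router does, and runs two candidate ACLs over constructed flows that use the lab's own addresses (R2 at bbbb:10:1:1::2, PC1 at 2001:db8:0:4::2, PC2 at 3001:db8:0:4::2, R1's vty reached at bbbb:10:1:1::1). The port-name table, the `eq`-only parser and the flow names are assumptions made for the example.

```python
"""Model of how a Cisco IOS IPv6 ACL is evaluated: entries are checked in
order and the first match decides; every IPv6 ACL ends with two implicit
permits for ICMPv6 Neighbor Discovery followed by an implicit deny.
Constructed model for illustration; it is not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # assumed subset of IOS names


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None    # e.g. "nd-ns", "nd-na"


@dataclass(frozen=True)
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ipv6" matches every protocol
    src: str                           # "any", "host <addr>" or "<prefix>/<len>"
    dst: str
    dport: Optional[int] = None        # destination port given with "eq"
    icmp_type: Optional[str] = None


def parse_entry(line: str) -> Entry:
    """Parse an IOS-style entry such as 'deny tcp host 2001:db8::1 any eq telnet'.
    Simplification: only a destination 'eq' port or an ICMPv6 type keyword
    is understood after the destination address."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def take_addr() -> str:
        nonlocal pos
        if tok[pos] == "host":
            pos += 2
            return "host " + tok[pos - 1]
        pos += 1
        return tok[pos - 1]

    src, dst = take_addr(), take_addr()
    dport = icmp_type = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    elif pos < len(tok) and proto == "icmp":
        icmp_type = tok[pos]
    return Entry(action, proto, src, dst, dport, icmp_type)


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(spec[5:])
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ipv6" and entry.proto != pkt.proto:
        return False
    if not (_addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return entry.icmp_type is None or entry.icmp_type == pkt.icmp_type


# What IOS appends to every IPv6 ACL that does not end in an explicit
# 'deny ipv6 any any' (an explicit one overrides the two ND permits).
IMPLICIT_TAIL = [
    Entry("permit", "icmp", "any", "any", icmp_type="nd-na"),
    Entry("permit", "icmp", "any", "any", icmp_type="nd-ns"),
    Entry("deny", "ipv6", "any", "any"),
]


def evaluate(acl, pkt: Packet):
    """Return (action, matching entry); the implicit tail guarantees a match."""
    for entry in list(acl) + IMPLICIT_TAIL:
        if matches(entry, pkt):
            return entry.action, entry
    raise RuntimeError("unreachable: the implicit deny matches every packet")


R1_LINK = "bbbb:10:1:1::1"   # R1's address on the R1-R2 link, the telnet target

# Constructed flows using the lab's addresses (the ND flow is what an
# interface ACL applied with 'ipv6 traffic-filter' would also see).
FLOWS = {
    "R2 -> R1 telnet": Packet("bbbb:10:1:1::2", R1_LINK, "tcp", PORT_NAMES["telnet"]),
    "PC2 -> R1 telnet": Packet("3001:db8:0:4::2", R1_LINK, "tcp", PORT_NAMES["telnet"]),
    "PC1 -> R1 telnet": Packet("2001:db8:0:4::2", R1_LINK, "tcp", PORT_NAMES["telnet"]),
    "neighbor solicitation": Packet("fe80::2", "ff02::1:ff00:1", "icmp", icmp_type="nd-ns"),
}

# A single deny for PC2's address: R2 is blocked too, but only by the implicit deny.
ACL_DENY_PC2_ONLY = [parse_entry("deny tcp host 3001:db8:0:4::2 any eq telnet")]

# Deny R2 explicitly and permit telnet from PC1's LAN; all else hits the implicit deny.
ACL_DENY_R2 = [
    parse_entry("deny tcp host bbbb:10:1:1::2 any eq telnet"),
    parse_entry("permit tcp 2001:db8:0:4::/64 any eq telnet"),
]


def decisions(acl) -> dict:
    """Map each flow name to 'permit' or 'deny' under the given ACL."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("deny PC2 only", ACL_DENY_PC2_ONLY), ("deny R2", ACL_DENY_R2)):
        print(label)
        for flow, pkt in FLOWS.items():
            action, entry = evaluate(acl, pkt)
            print(f"  {flow:22s} {action:6s} via {entry}")
```

Running the script shows that under the single-deny ACL every telnet flow, R2's included, is decided by the implicit `deny ipv6 any any`, while the two-entry ACL denies R2 by its own entry and lets PC1's LAN through; Neighbor Discovery is permitted by the implicit entries in both cases.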