Managing IPv6 Traffic using Access Control Lists

















Serges Nanfack, Technical Marketing Team, August 2013
• Type of IPv6 ACLs
• Comparing IPv4 and IPv6 ACLs
• Configuring IPv6 ACLs
• Verifying IPv6 ACLs
• Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Named only
• Similar in functionality to IPv4 extended ACLs

Features | IPv4 | IPv6
Applying ACL | ip access-group | ipv6 traffic-filter
Wildcard masks | Use of wildcard masks | Use of prefix length
Additional statements | Use of deny any or deny any any | deny ipv6 any any; permit icmp any any nd-na; permit icmp any any nd-ns

• permit icmp any any nd-na
• permit icmp any any nd-ns
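
Added example, not part of the original slides: the two Neighbor Discovery permits above are implicit and sit ahead of the implicit deny, so an ACL that ends in an explicit `deny ipv6 any any` (for instance to log drops) blocks ND unless the permits are written out before it. This Python check flags such ACLs in a configuration; the sample configuration and the `Log_Drops_*` names are constructed for illustration.

```python
import re

# Implicit entries that close every IOS IPv6 ACL, ahead of the implicit deny.
ND_PERMITS = ("permit icmp any any nd-na", "permit icmp any any nd-ns")
# Broader permits that also let Neighbor Discovery through.
BROAD = ("permit icmp any any", "permit ipv6 any any")
CATCH_ALL = re.compile(r"^deny ipv6 any any( log(-input)?)?$")

def parse_ipv6_acls(config):
    """Return {acl_name: [normalized entries]} for each 'ipv6 access-list'."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        header = re.match(r"ipv6 access-list (\S+)$", line, re.I)
        if header and not raw[:1].isspace():
            current = acls.setdefault(header.group(1), [])
        elif current is not None and raw[:1].isspace() and line:
            # Entries are indented; drop an optional "sequence N" prefix.
            current.append(re.sub(r"^sequence \d+ ", "", line.lower()))
        else:
            current = None  # "!" or any other top-level line ends the block
    return acls

def audit(config):
    """Return {acl_name: [ND permits missing before an explicit catch-all deny]}."""
    findings = {}
    for name, entries in parse_ipv6_acls(config).items():
        for i, entry in enumerate(entries):
            if not CATCH_ALL.match(entry):
                continue
            earlier = entries[:i]
            if not any(b in earlier for b in BROAD):
                missing = [p for p in ND_PERMITS if p not in earlier]
                if missing:
                    findings[name] = missing
            break
    return findings

# Constructed sample: one ACL in the style of the slides, one weak, one corrected.
SAMPLE = """\
ipv6 access-list Deny_Subnet_A_IPv6
 deny ipv6 2001:DB8:0:12::/64 any
 permit ipv6 any any
!
ipv6 access-list Log_Drops_IPv6
 permit tcp any any eq www
 deny ipv6 any any log
!
ipv6 access-list Log_Drops_Fixed_IPv6
 permit tcp any any eq www
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```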

Router(config)# ipv6 access-list ?
  WORD        User selected string identifying this access list
  log-update  Control access list log updates

IPv4:
ip access-list standard Deny_Subnet_A_Ipv4
 deny 192.168.12.0 0.0.0.255
 permit any
!
interface FastEthernet0/1
 ip access-group Deny_Subnet_A_Ipv4 out

IPv6:
ipv6 access-list Deny_Subnet_A_IPv6
 deny ipv6 2001:DB8:0:12::/64 any
 permit ipv6 any any
!
interface FastEthernet0/1
 ipv6 traffic-filter Deny_Subnet_A_IPv6 out

IPv4:
ip access-list extended Deny_Host_A_to_B_IPv4
 deny ip host 192.168.12.77 host 192.168.23.203
 permit ip any any
!
interface FastEthernet0/0
 ip access-group Deny_Host_A_to_B_IPv4 in

IPv6:
ipv6 access-list Deny_Host_A_to_B_IPv6
 deny ipv6 host 2001:DB8:0:12::4D host 2001:DB8:0:23::CB
 permit ipv6 any any
!
interface FastEthernet0/0
 ipv6 traffic-filter Deny_Host_A_to_B_IPv6 in

IPv4:
ip access-list extended Deny_TCP_80_IPv4
 deny tcp any any eq www
 permit ip any any
!
interface FastEthernet0/0
 ip access-group Deny_TCP_80_IPv4 in

IPv6:
ipv6 access-list Deny_TCP_80_IPv6
 deny tcp any any eq www
 permit ipv6 any any
!
interface FastEthernet0/0
 ipv6 traffic-filter Deny_TCP_80_IPv6 in

line vty 0 15
 access-class Authorized_IPv4_Hosts in
 ipv6 access-class Authorized_IPv6_Hosts in

• IPv6 ACLs support only named, extended access lists
• IPv6 ACL addresses use CIDR notation instead of wildcard masks
• IPv6 ACLs are applied to interfaces using the command ipv6 traffic-filter
• IPv6 ACLs are applied to lines using the command ipv6 access-class
• An IPv4 ACL and an IPv6 ACL cannot share the same name
• IPv6 ACLs do not support re-sequencing on IOS
• IPv6 ACL names cannot start with a numeral

Thank you.