Filtering IPv6
Problem
You want to filter IPv6 traffic using access-lists.
Solution
Cisco supports named access-lists for IPv6:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ipv6 access-list EXAMPLES
Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any
Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any
Router1(config-ipv6-acl)#permit tcp any any eq telnet established
Router1(config-ipv6-acl)#deny tcp any any eq telnet syn
Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp
Router1(config-ipv6-acl)#remark this is a comment
Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number
Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT
Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log
Router1(config-ipv6-acl)#deny ipv6 any any log-input
Router1(config-ipv6-acl)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ipv6 traffic-filter EXAMPLES in
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion
The ACL shown in this example isn't particularly useful, but it does show many of the features available with IPv6 access-lists. There are only named IPv6 access-lists, as numbered lists do not exist. However, as we previously saw in Recipes 19.11 and 19.15, this is not a drawback. Anything you can do with numbered access-lists, you can do with named access-lists, and several features such as reflexive access-lists and the ability to edit individual lines within an access-list are available only with named lists.
The first entry in the access-list shown in the Solution section shows how to filter traffic based on IPv6 addresses:
Router1(config)#ipv6 access-list EXAMPLES
Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any
This command allows any IPv6 packets with a source address in the specified range of IPv6 addresses to communicate with any destination device. IPv6 access-lists work exactly the same way as IPv4 named access-lists, listing the source address first, followed by the destination address. The any and host keywords are also available with IPv6 and work in exactly the same way that we have seen previously in this chapter:
Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any
These access-lists offer the same facilities for filtering on IP protocols as the IPv4 access-lists do, and in a familiar syntax. Considerably fewer protocols are directly supported by keyword than for IPv4 access-lists; however, you can specify any other protocol by number:
Router1(config-ipv6-acl)#permit ?
<0-255> An IPv6 protocol number
X:X:X:X::X/<0-128> IPv6 source prefix x:x::y/
ahp Authentication Header Protocol
any Any source prefix
esp Encapsulation Security Payload
host A single source host
icmp Internet Control Message Protocol
ipv6 Any IPv6
pcp Payload Compression Protocol
sctp Streams Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Router1(config-ipv6-acl)#
For TCP and UDP protocols, you can specify source and destination ports, either by number or keyword, with the same list of keywords available, as we saw in Recipe 19.3 for IPv4 access-lists:
Router1(config-ipv6-acl)#permit tcp any any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
Router1(config-ipv6-acl)#
As with IPv4 access-lists for TCP and UDP protocols, you specify the source port immediately after the source address and the destination port directly after the destination address.
You can also use the established keyword that we previously discussed in Recipe 19.5:
Router1(config-ipv6-acl)#permit tcp any any eq telnet established
You can also specify the content of the TCP flags, as we previously saw in Recipe 19.4:
Router1(config-ipv6-acl)#deny tcp any any eq telnet syn
All of the TCP flags are available via the keywords ack, fin, psh, rst, syn, and urg. Please refer to Recipe 19.4 for a description of these flags and their meanings. Unfortunately, the new match-all and match-any keywords that we saw for IPv4 in Recipe 19.4 are not yet available for IPv6, as of Version 12.4T.
The new methods for editing access-lists that we saw in Recipe 19.15 are available for IPv6. So, for example, you can specify a sequence number for any line in an access-list:
Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp
You can also specify sequence numbers at the end of the line:
Router1(config-ipv6-acl)#permit udp any any eq snmp sequence 55
These sequence numbers appear in the output of the show ipv6 access-list command:
Router1#show ipv6 access-list EXAMPLES
IPv6 access list EXAMPLES
permit ipv6 AAAA:5::/64 any sequence 10
permit ipv6 host AAAA:5::FE:1 any sequence 20
permit tcp any any eq telnet established sequence 30
deny tcp any any eq telnet syn sequence 40
permit udp any any eq snmp sequence 55
permit icmp any any reflect ICMP-REFLECT sequence 76
permit ipv6 any any log sequence 86
deny ipv6 any host AAAA:6::1 log sequence 106
deny ipv6 any any log-input sequence 116
Router1#
Unlike the IPv4 sequence numbers, which we discussed in Recipe 19.15, this command shows these sequence numbers at the right-hand side of each line.
You can also specify comments to help internally document an access-list using the remark keyword, either with or without a sequence number:
Router1(config-ipv6-acl)#remark this is a comment
Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number
Note that neither of these comments appears in the output of the show ipv6 access-list command above.
Unfortunately, there is no command to renumber the sequence numbers for an IPv6 access-list as we previously saw for IPv4 in Recipe 19.15.
The IPv6 access-list feature includes the ability to create reflexive access-lists:
Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT
This works exactly the same way as the IPv4 reflexive access-list discussed in Recipe 19.11. You specify a reflection rule with the reflect keyword, defining a name for the rule, generally applied to outbound traffic. Then you create a second access-list for the other direction of traffic looking for the expected returning traffic, which you specify using the evaluate keyword:
Router1(config)#ipv6 access-list RETURN-TRAFFIC
Router1(config-ipv6-acl)#evaluate ICMP-REFLECT
And, finally, you can use the log and log-input keywords that we discussed in Recipe 19.8 with the same results:
Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log
Router1(config-ipv6-acl)#deny ipv6 any any log-input
The command to apply an access-list to filter traffic on an interface is ipv6 traffic-filter. Access-lists can be applied either inbound or outbound, as required:
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ipv6 traffic-filter EXAMPLES in
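As an added illustration (not part of the recipe, and not Cisco code), the following Python models how the router walks an IPv6 access-list: it parses the Solution's entries in the form show ipv6 access-list prints them, evaluates sample packets first-match, and appends the entries IOS implicitly places at the end of every IPv6 list (permits for Neighbor Discovery, then deny ipv6 any any). The port keyword table is a constructed subset of the IOS table shown above, and the packet dictionaries are constructed inputs.

```python
import ipaddress
from collections import namedtuple
# Constructed from the Solution's entries, in `show ipv6 access-list` form (no remarks).
ACL = """\
permit ipv6 AAAA:5::/64 any sequence 10
permit ipv6 host AAAA:5::FE:1 any sequence 20
permit tcp any any eq telnet established sequence 30
deny tcp any any eq telnet syn sequence 40
permit udp any any eq snmp sequence 55
permit icmp any any reflect ICMP-REFLECT sequence 76
deny ipv6 any host AAAA:6::1 log sequence 106
deny ipv6 any any log-input sequence 116"""
PORTS = {"telnet": 23, "snmp": 161}     # constructed subset of the IOS port keyword table
ANY = ipaddress.ip_network("::/0")
Rule = namedtuple("Rule", "seq action proto src dst dport opt")

def parse_addr(t):  # consume one address spec: any | host ADDR | PREFIX/LEN
    tok = t.pop(0)
    if tok == "host":
        return ipaddress.ip_network(t.pop(0) + "/128")
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, dst = parse_addr(t), parse_addr(t)
    dport = None
    if t[:1] == ["eq"]:                 # destination port, keyword or number
        dport, t = PORTS.get(t[1]) or int(t[1]), t[2:]
    opt = t.pop(0) if t[:1] in (["established"], ["syn"]) else None
    seq = int(t[t.index("sequence") + 1]) if "sequence" in t else None
    return Rule(seq, action, proto, src, dst, dport, opt)

def matches(r, pkt):
    flags = set(pkt.get("flags", ()))
    return bool(r.proto in ("ipv6", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in r.src
                and ipaddress.ip_address(pkt["dst"]) in r.dst
                and (r.dport is None or pkt.get("dport") == r.dport)
                and (r.opt != "established" or flags & {"ack", "rst"})
                and (r.opt != "syn" or "syn" in flags)
                and (r.opt not in ("nd-ns", "nd-na") or pkt.get("icmp") == r.opt))
# Implicit trailing entries IOS adds; an explicit `deny ipv6 any any` above them drops ND too.
IMPLICIT = [Rule(None, "permit", "icmp", ANY, ANY, None, "nd-ns"),
            Rule(None, "permit", "icmp", ANY, ANY, None, "nd-na"),
            Rule(None, "deny", "ipv6", ANY, ANY, None, None)]
RULES = [parse_rule(line) for line in ACL.splitlines()]

def evaluate(rules, pkt):  # first matching entry wins -> (action, sequence or None)
    return next((r.action, r.seq) for r in rules + IMPLICIT if matches(r, pkt))
```

Evaluating a Neighbor Solicitation against RULES with the sequence 76 ICMP entry removed ends at the explicit deny at 116 rather than at the implicit ND permit, which is why a list that ends in deny ipv6 any any needs its own ICMP entries for neighbor discovery.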