Access Lists and Traffic Filtering

Cisco IOS has the same traffic filtering and related concepts for IPv6 as for IPv4. Access lists serve
the same purposes in IPv6 as in IPv4, including traffic filtering on interfaces and access control for
router login sessions on the VTY lines. You should be aware of a few key differences between
access-list behavior for the two network layer protocols, however:
■ Because Neighbor Discovery is such a key protocol in IPv6, access lists implicitly permit ND
traffic (neighbor solicitation and neighbor advertisement messages) just before the implicit deny at the
end of the list. This is necessary to avoid breaking ND's ARP-like functionality. You can override this
implicit-permit behavior using deny statements in IPv6 access lists. Note that an explicit deny ipv6
any any entry also overrides it, because the explicit entry is evaluated before the implicit ND permits;
an access list that ends with such an entry must permit ND explicitly, or hosts on the filtered interface
lose neighbor resolution.
■ When IPv6 access lists are used for traffic filtering, the command syntax differs from that for
IPv4. To configure an interface to filter traffic using an access list, use the ipv6 traffic-filter
access-list-name {in | out} command.
■ IPv6 access lists are always named; they cannot be numbered (unless you use a number as a
name).
■ IPv6 access lists are configured in named access-list configuration mode, which is like IPv4
named access-list configuration mode. However, you can also enter IPv4-like commands that
specify an entire access-list entry on one line. The router will convert it to the correct
configuration commands for named access-list configuration mode.
With these exceptions, access-list applications, behavior, and configuration are generally similar
for IPv6 and IPv4.
Example 20-6 shows an access list that permits Telnet traffic to a particular subnet only when the
traffic carries a DSCP setting of CS1. In addition, the first entry logs ACL hits, and the second entry
logs the denied packets for tracking purposes. The show access-lists command is also shown to
illustrate how similar IPv6 ACL behavior is to IPv4 ACL behavior.
Example 20-6 IPv6 Access Lists
cano(config)# ipv6 access-list restrict-telnet
cano(config-ipv6-acl)# permit tcp any 2001:1:2:3::/64 eq telnet dscp cs1 log
cano(config-ipv6-acl)# deny tcp any any log-input
cano(config-ipv6-acl)# line vty 0 4
! Next, the access list is applied inbound on VTY lines 0-4. IPv6 access lists are applied to
! lines with ipv6 access-class; the access-class command applies only IPv4 access lists.
cano(config-line)# ipv6 access-class restrict-telnet in
cano(config-line)# end
cano# show access-lists
IPv6 access list restrict-telnet
permit tcp any 2001:1:2:3::/64 eq telnet dscp cs1 log (1 match) sequence 10
deny tcp any any log-input (2 matches) sequence 20
cano#
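The following configuration is an added example, not part of Example 20-6 or the original page. It
shows the interface-filtering form (ipv6 traffic-filter) together with the Neighbor Discovery caveat
described earlier: the first access list ends with an explicit deny ipv6 any any, which overrides the
implicit ND permits and breaks neighbor resolution on the interface; the second permits ND explicitly
before the catch-all deny. The access-list names, the 2001:db8:1:1::/64 prefix, and the interface name
are assumed for illustration.

```cisco
! Added example; names, prefix and interface are assumed, not taken from the page.
!
! --- Broken: the explicit catch-all deny is evaluated before the implicit ND permits,
! --- so neighbor solicitations and advertisements arriving on the interface are dropped.
ipv6 access-list INBOUND-BROKEN
 permit tcp any 2001:db8:1:1::/64 eq 443
 deny ipv6 any any log
!
! --- Corrected: permit Neighbor Discovery explicitly ahead of the catch-all deny.
ipv6 access-list INBOUND
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp any 2001:db8:1:1::/64 eq 443
 deny ipv6 any any log
!
! Apply the corrected list inbound on the interface using the IPv6-specific command.
interface GigabitEthernet0/1
 ipv6 traffic-filter INBOUND in
!
! Verify hit counts per entry (the ND entries should accumulate matches on a live link).
! show ipv6 access-list INBOUND
```

After applying the list, the match counters on the two ND entries confirm that neighbor resolution is
still passing through the filter; if only the deny entry accumulates matches after a fresh neighbor
appears, the ND permits are missing or ordered after the deny.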