IPv6 Access-list on Cisco IOS

As explained in my first tutorial that introduces access-lists, we can use access-lists for filtering (blocking packets) or selecting traffic (for VPNs, NAT, etc).

This also applies to IPv6 access-lists, which are very similar to IPv4 access-lists. There are two important differences, however:

  • IPv4 access-lists can be standard or extended, numbered or named. IPv6 only has named extended access-lists.
  • IPv4 access-lists have an invisible implicit deny any at the bottom of every access-list. IPv6 access-lists have three invisible statements at the bottom:
    • permit icmp any any nd-na
    • permit icmp any any nd-ns
    • deny ipv6 any any

The two permit statements are required for neighbor discovery (ND), an important protocol in IPv6 that replaces ARP.

When you use a deny ipv6 any any at the bottom of your access-list, make sure you also add the two permit statements for neighbor discovery just before the final statement or this traffic will be dropped.
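
To show what that ordering rule does in practice, here is an added example (not part of the original lesson) that models IOS first-match evaluation of an IPv6 access-list with the three implicit entries appended. It compares a weak list that ends in an explicit deny without the ND permits against the corrected list, using constructed packets (a neighbor solicitation, a telnet SYN and a ping) arriving on R2 from R1's address 2001:DB8:0:12::1; the ICMPv6 type numbers for NS and NA are assumed from RFC 4861.

```python
import ipaddress
from collections import namedtuple

# Entries IOS silently appends to every IPv6 access-list (listed in the lesson above).
IMPLICIT_TRAILER = ["permit icmp any any nd-na",
                    "permit icmp any any nd-ns",
                    "deny ipv6 any any"]
ND_TYPES = {"nd-ns": 135, "nd-na": 136}  # ICMPv6 types for NS / NA (assumed, RFC 4861)

# Constructed packet summary: only the fields an access-list entry inspects.
Packet = namedtuple("Packet", "proto src dst icmp_type dport", defaults=(None, None))

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X' or 'prefix/len'."""
    tok = tokens.pop(0)
    return tokens.pop(0) + "/128" if tok == "host" else tok

def _in_prefix(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(acl, pkt):
    """First-match evaluation with the IOS implicit trailer appended; returns (action, entry)."""
    for entry in acl + IMPLICIT_TRAILER:
        action, proto, *rest = entry.split()
        src, dst = _take_addr(rest), _take_addr(rest)
        if proto != "ipv6" and proto != pkt.proto:
            continue
        if not (_in_prefix(src, pkt.src) and _in_prefix(dst, pkt.dst)):
            continue
        if rest and rest[0] in ND_TYPES and pkt.icmp_type != ND_TYPES[rest[0]]:
            continue  # an ND keyword restricts the ICMPv6 type
        if rest[:1] == ["eq"] and pkt.dport != int(rest[1]):
            continue  # destination port restriction (numeric port, 23 = telnet)
        return action, entry

# Weak: the explicit deny at the bottom shadows the implicit ND permits, so R1 can never
# resolve R2's link-layer address and even the "permitted" telnet session fails in practice.
WEAK = ["permit tcp host 2001:DB8:0:12::1 any eq 23",
        "deny ipv6 any any"]
# Corrected: the ND permits sit just before the explicit deny, as the lesson advises.
FIXED = ["permit tcp host 2001:DB8:0:12::1 any eq 23",
         "permit icmp any any nd-ns",
         "permit icmp any any nd-na",
         "deny ipv6 any any"]

# Constructed sample packets arriving inbound on R2 from R1.
NS = Packet("icmp", "2001:DB8:0:12::1", "ff02::1:ff00:2", icmp_type=135)      # neighbor solicitation
TELNET = Packet("tcp", "2001:DB8:0:12::1", "2001:DB8:0:12::2", dport=23)
PING = Packet("icmp", "2001:DB8:0:12::1", "2001:DB8:0:12::2", icmp_type=128)  # echo request
```

Dropping the explicit deny from WEAK makes the implicit `nd-ns`/`nd-na` entries visible again, which is why the default trailer never causes this problem on its own.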

Having said that, let’s take a look at the configuration.

Configuration

For this demonstration we only need two routers:

[Topology: R1 and R2 connected by a single link in subnet 2001:DB8:0:12::/64]

I’ll use subnet 2001:DB8:0:12::/64 in between R1 and R2. To demonstrate the access-list, I’ll create one inbound on R2 and we will try to filter some packets from R1. Let’s take a look at the access-list:

R2(config)#ipv6 access-list ?
  WORD        User selected string identifying this access list
  log-update  Control access list log updates

As you can see above, the only option is the named access-list; there is no option for a standard or extended access-list. Let’s create that access-list:

R2(config)#ipv6 access-list R1_TRAFFIC

I’ll call it “R1_TRAFFIC”. Here are our options when we create a statement:

R2(config-ipv6-acl)#permit ?
  <0-255>             An IPv6 protocol number
  X:X:X:X::X/<0-128>  IPv6 source prefix x:x::y/<z>
  ahp                 Authentication Header Protocol
  any                 Any source prefix
  esp                 Encapsulation Security Payload
  host                A single source host
  icmp                Internet Control Message Protocol
  ipv6                Any IPv6
  pcp                 Payload Compression Protocol
  sctp                Streams Control Transmission Protocol
  tcp                 Transmission Control Protocol
  udp                 User Datagram Protocol

This is similar to IPv4 access-lists. You can pick any protocol you like. Let’s see if we can permit telnet traffic from R1 and deny everything else:

Forum Replies

  1. Hi @hussien.samer,

    It’s working fine here:

    R2(config)#ipv6 access-list R1_TRAFFIC   
    R2(config-ipv6-acl)#deny tcp any any eq telnet
    R2(config-ipv6-acl)#permit any any
    
    R2(config)#interface GigabitEthernet 2
    R2(config-if)#ipv6 traffic-filter R1_TRAFFIC in
    

    This blocks telnet traffic and permits everything else:

    R1#telnet 2001:DB8:0:12::2
    Trying 2001:DB8:0:12::2 ... 
    % Connection timed out; remote host not responding
    
    R1#ping 2001:DB8:0:12::2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001:DB8:0:12::2, timeout is 2 seconds:
    !!!!!
    Success rat
    ... Continue reading in our forum

  2. I tested this on Cisco VIRL. You might also want to try it on some real hardware…could be an IOL quirk :)

  3. Rene,

    Having trouble understanding how an IPv6 ACL is used to permit & block EIGRP (88) Traffic…so I have two directly connected routers (IOSv) that have EIGRP Adjacency…when the following line is used:

    !
    ipv6 access-list default
     permit 88 any any
    control-plane host
    !
    

    EIGRP Control-Plane Traffic isn’t allowed but when I change it to:

    !
    ipv6 access-list default
     no seq 10
     seq 10 deny 88 any any
    !
    

    Adjacency comes back up…it has me confused due to the fact that I understand the rule is working vice-versa, whereas deny = permit & permit = deny…have you seen this before?

  4. Laz,

    Sure…I think CoPP is my issue, doing a lab out of a Tshoot WB…I just need to understand why EIGRP Neighborship works when the deny is in place…attaching configs for both routers and the topology.

    //cdn-forum.networklessons.com/uploads/default/original/2X/0/069b46130c594014ee04a11e7983af047fe91fe4.png

    ##################################
    ############R2####################
    ##################################

       !
         hostname R2
         !
         boot-start-marker
         boot-end-marker
         !
         !
         vrf definition CustA
          rd 122.1.1.2:100
          route-target 
    ... Continue reading in our forum

  5. Hello Boris

    The question as it is stated is not very clear. After doing a search, I found that the question you stated is used as a summary. The specific question that is being asked is:

    The enterprise network WAN link has been receiving several denial of service attacks from both IPv4 and IPv6 sources. Which three elements can you use to identify an IPv6 packet via its header, in order to filter future attacks? (Choose three.)

    The question is specifically asking you to show how you would distinguish an IPv6 header from an IPv4 header. The answers are: Tra

    ... Continue reading in our forum
