IPv6 PACL (Port ACL)

The IPv6 PACL (Port Access Control List) is basically a regular IPv6 access-list that is applied to a switchport (L2 interface). They only work inbound.

Configuration

Let’s look at quick example. Here’s the topology we’ll use:

R1 R2 Sw1 Ipv6 Addressing Pacl Lab

We will use R1 and R2 to generate some IPv6 traffic and on SW1 we’ll configure the PACL.

The IPv6 PACL (Port Access Control List) is basically a regular IPv6 access-list that is applied to a switchport (L2 interface). They only work inbound. Configuration Let's look at quick example. Here's the topology we'll use: We will use R1 and R2 to generate some IPv6 traffic and on SW1 we'll conf



Let’s configure some IPv6 addresses on R1 and R2:

R1(config)#interface FastEthernet f0/0
R1(config-if)#ipv6 address 2001:DB8:0:12::1/64
R2(config)#interface FastEthernet 0/0
R2(config-if)#ipv6 address 2001:DB8:0:12::2/64

Let’s enable HTTP server so that we have something to connect to:

R2(config)#ip http server

Without an ACL, I can connect to the telnet server (enabled by default) and the HTTP server:

R1#telnet 2001:DB8:0:12::2
Trying 2001:DB8:0:12::2 ... Open
R1#telnet 2001:DB8:0:12::2 80
Trying 2001:DB8:0:12::2, 80 ... Open

Let’s create an access-list that denies telnet traffic and permits everything else:

SW1(config)#ipv6 access-list NO_TELNET
SW1(config-ipv6-acl)#deny tcp any host 2001:DB8:0:12::2 eq 23
SW1(config-ipv6-acl)#permit ipv6 any any

We can see the access-list we created with the show ipv6 access-list command:

SW1#show ipv6 access-list
IPv6 access list NO_TELNET
    deny tcp any host 2001:DB8:0:12::2  eq telnet sequence 10
    permit ipv6 any any sequence 20
You can also use show access-list without “ipv6” and it will show up.

Let’s activate the access-list on the GigabitEthernet 0/1 interface that connects to R1:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#ipv6 traffic-filter NO_TELNET in

Now, from R1 I’ll try to connect to the telnet and HTTP server on R2:

R1#telnet 2001:DB8:0:12::2
Trying 2001:DB8:0:12::2 ... 
% Connection timed out; remote host not responding
R1#telnet 2001:DB8:0:12::2 80
Trying 2001:DB8:0:12::2, 80 ... Open

As you can see, telnet traffic is no longer permitted.

Unfortunately, hits don’t show in the access-list:

SW1#show ipv6 access-list
IPv6 access list NO_TELNET
    deny tcp any host 2001:DB8:0:12::2  eq telnet sequence 10
    permit ipv6 any any sequence 20

There is the debug ipv6 access-list command but it doesn’t seem to work for PACLs, it only works when you apply an access-list to a routed (L3) interface.

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::1/64
!
end

R2

hostname R2
!
ip cef
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::2/64
!
ip http server
!
end

SW1

hostname SW1
!
interface GigabitEthernet0/1
 ipv6 traffic-filter NO_TELNET in
!
interface GigabitEthernet0/2
!
ipv6 access-list NO_TELNET
 deny tcp any host 2001:DB8:0:12::2  eq telnet
 permit ipv6 any any
!
end

Conclusion

You have now learned how to configure the IPv6 PACL (Port ACL) on a Cisco switch. I hope you enjoyed this lesson. If you have any questions feel free to leave a comment!

Tags: ,


Ask a question or start a discussion by visiting our Community Forum