beautypg.com

Ipv6 extended acls, Prerequisites, Restrictions – Cisco 10000 User Manual

Page 480

background image

21-4

Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 21 Configuring IP Version 6

IPv6 Extended ACLs

ACL logging

Time-based ACLs

Reflexive ACLs

Receive Path ACLs

MiniACLs

QoS matching is not provided on the following two fields, which are IPv6-specific:

IPv6 src/dst address

IPv6 ACL

IPv6 Extended ACLs

Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow
filtering based on source and destination addresses, inbound and outbound to a specific interface. Each
access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit
conditions are set using the ipv6 access-list command with the deny and permit keywords in global
configuration mode.

In Cisco IOS Release 12.2(31)SB2 and later releases, the standard IPv6 ACL functionality is extended
to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type
information for finer granularity of control (functionality similar to extended ACLs in IPv4).

Prerequisites

In Cisco IOS Release 12.2(13)T and 12.0(23)S or later releases, for backward compatibility, the ipv6
access-list
command with the deny and permit keywords in global configuration mode is still
supported; however, an IPv6 ACL defined with deny and permit conditions in global configuration mode
is translated to IPv6 access list configuration mode. See the

“Create and Apply IPv6 ACL: Examples”

section for an example of a translated IPv6 ACL configuration.

Restrictions

IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and
an IPv6 ACL cannot share the same name.

Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can
be overridden by the user by placing a deny ipv6 any any statement within an ACL. The IPv6
neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6
ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In
IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery
process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly
allow ARP packets to be sent and received on an interface.