How to Configure IPv6 ACLs

IPv6 ACLs are similar to IPv4 ACLs. If you can understand IPv4 access lists, IPv6 ACLs are not difficult for you to understand and configure. IPv4 has two types of ACLs: standard and extended. Both can either be numbered or named ACLs, but IPv6 ACLs are only one type, similar to IPv4 extended-named ACLs in function and configuration. IPv6 has no numbered ACLs. IPv6 ACLs cannot share the same name as IPv4 ACLs.

Comparing IPv4 and IPv6 ACLs

There are three major differences between IPv4 and IPv6 ACLs.

Applying an IPv6 ACL

IPv4 uses the command ip access-group command to link and apply an ACL to an IPv4 interface but IPv6 uses the ipv6 traffic-filter command to perform the same task for IPv6 interfaces.

Wildcard Masks and IPv6 Prefix length

IPv6 ACLs do not use wildcard masks. It uses the prefix length to indicate how much of an IPv6 source or destination address should be matched.

Additional Default Statements

The major difference between IPv4 and IPv6 ACL is an implicit permit statement.  Each IPv6 ACL required two implicit permit statements at the end. At the end of every IPv4 standard or extended ACL, the implicit permit statement is deny any or deny ip any any.

The IPv6 also has the similar deny ipv6 any any statement at the end of each IPv6 ACL, but it also includes two other implicit statements, which is “permit icmp any any nd-na” and “permit icmp any any nd-ns”

The “permit icmp any any nd-na” and “permit icmp any any nd-ns” allow the IPv6 equivalent of ARP for IPv4. We have already discussed ARP in previous articles. ARP resolves the Layer2 MAC addresses while the IPv6 uses ICMP Neighbor Discovery (ND) messages to accomplish the same task.

ND has two types of messages: Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages, which are encapsulated in IPv6 packets and use IPv6 network layer services, but ARP uses layer2 services.

So, IPv6 ACLs need to implicitly permit ND packets for both directions on an interface. Therefore, both Neighbor Discovery – Neighbor Advertisement (nd-na) and Neighbor Discovery – Neighbor Solicitation (nd-ns) messages are permitted. The figure below illustrates the ND process.

Configuring IPv6 ACLs

We use a topology similar to the previous IPv4, except for the IPv6 addressing scheme.  The addressing scheme is shown in topology in the figure below. There are seven subnets with the/64 prefix. You can verify the IPv6 interface configuration using the show ipv6 interface brief command in the interface configuration mode.

Recall that we can set the IPv6 address on the router interface using the “IPv6 address <Ipv6 address/ prefix> “ for example, If I want to set the IP address on router0 interface fa0/0, the command should be:  R0(config-if)# IPv6 address 2001:DACA:1::1/64

The command syntax for IPv6 is similar to the syntax used for an IPv4 extended ACL. The difference between both command syntax is using the IPv6 prefix-length instead of an IPv4 wildcard mask. The command syntax for IPv6 ACLs is the following:

R1(config)# ipv6 access-list <access-list-name>

R1 (config-ipv6-acl)# deny | permit protocol {source-ipv6-prefix/prefix-length any | host source-ipv6-address} [operator <port-number>] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number] ]

You can see that the parameter is similar to IPv4 syntax parameter except for the prefix/prefix-length. The steps for IPv6 ACL configuration are the following:-

1. Use theipv6 access-list <name> command to create an IPv6 ACL. The name can be alphanumeric, case sensitive, and must be unique and there is no need for a standard or extended option.
2. From the IPv6 named ACL configuration mode, use the permit or deny statements to specify one or more conditions to decide if a packet is forwarded or dropped.
3. Apply the ACL to Interface using ipv6 traffic-filter

The figure below illustrates the steps to create an IPv6 ACL with a simple example. The first statement names the IPv6 access list NO- ACCESS-SERVER. Similar to IPv4 named ACLs. The second statement denies all IPv6 packets from the 2001:DACA:4::/64 to server0. The third statement allows all other IPv6 packets.

Applying an IPv6 ACL to an Interface

When configuring the access control list, you must link to an interface using the ipv6 traffic-filter command. The syntax linking ACL to an interface is following:

R2(config-if)# ipv6 traffic-filter <access-list-name> { in | out }

The figure below illustrates the NO-ACCESS-SERVER configured previously and the commands used to apply the IPv6 ACL outbound to the fa0/0 interface. To remove an ACL from an interface, first, enter the no ipv6 traffic-filter command on the interface, and then enter the global no ipv6 access-list command to remove the ACL. Like IPv4 ACL IPv6 ACL also uses an access-class command to apply an access list to VTY ports. To apply the above-configured ACL use the following commands on router2.

R2(config)#interface FastEthernet 0/0

R2(config-if) ipv6 traffic-filter NO-ACCESS-SERVER0 in

R2(config-if)exit

R2(config)

Verifying IPv6 ACLs

We can use similar commands to verify an IPv6 access list to those used for IPv4 ACLs. We can use the show ipv6 interface command to verify and confirm that ACL is configured inbound or outbound on the interface.

We can use the show access-lists command to displays and verify all access lists configured on the router including both IPv4 and IPv6 ACLs. The difference here is the sequence number; the sequence numbers of IPv6 ACLs occur at the end of the statement and not the beginning as with IPv4 access lists.

The IPv6 ACEs appear in the order they were entered during configuration. They are not always incremented by 10. The IPv6 access lists are also processed and displayed in the order the statements are entered.  We can also verify the IPv6 ACL configuration using the show running-config command.