This post quickly discusses simple Cisco IOS IPv6 Access Control Lists (ACLs). As summarized in the figure, the construction logic of the ACL is basically identical to the classic v4 ACLs (those that do not use object-groups). The permit (or deny) statements are created by specifying the following elements (in this order):
- source of the traffic
- destination of the traffic
- services involved (from source to destination)
One noticeable difference is the way in which v6 ACLs are applied to interfaces: the correct command for that task is ipv6 traffic-filter (and not something such as “ipv6 access-group”).
Object-groups for v6 elements are not supported on IOS yet.
IOS supports IPv6 ACLs that allow filtering based on the v6 extension headers.
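The following configuration is an added example, not taken from the original post or its figure. It builds a v6 ACL in the source / destination / service order described above, matches on an extension header, and applies the ACL with ipv6 traffic-filter. The ACL name, interface and addresses (from the 2001:db8::/32 documentation prefix) are constructed for illustration.

```cisco
! Constructed example: names, interface and prefixes are placeholders.
ipv6 access-list V6-INBOUND
 ! Extension-header match: drop packets carrying a type 0 routing header
 ! (deprecated by RFC 5095) before any permit can match them.
 deny ipv6 any any routing-type 0 log
 ! source                 destination             service
 permit tcp 2001:db8:10::/64 host 2001:db8:20::80 eq 443
 permit udp 2001:db8:10::/64 host 2001:db8:20::53 eq 53
 ! IOS v6 ACLs end with implicit "permit icmp any any nd-na",
 ! "permit icmp any any nd-ns" and "deny ipv6 any any".
 ! An explicit final deny is matched before those implicit entries,
 ! so Neighbor Discovery must be permitted explicitly ahead of it.
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log
!
interface GigabitEthernet0/1
 ! v6 ACLs are bound with traffic-filter, not access-group
 ipv6 traffic-filter V6-INBOUND in
!
! Verify entries and hit counters:
!   show ipv6 access-list V6-INBOUND
```

Omitting the two nd-na / nd-ns permits while keeping the explicit "deny ipv6 any any log" breaks neighbor resolution on the segment, which is the most common surprise when porting a v4 ACL habit to v6.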
Related Posts:
- IPv6 series: https://alexandremspmoraes.wordpress.com/tag/ipv6/
- ACL Series: https://alexandremspmoraes.wordpress.com/tag/acl/