How are ACLs different in IPv6?

Access control lists are used not just for filtering traffic on interfaces but also to match traffic for redistribution between routing protocols, policy-based routing, NAT, debugging and a myriad of other uses. While there are a couple of changes to the syntax of access-lists when moving from IPv4 to IPv6, they work largely the same.

There is, however, one change to the functionality of access-lists in IPv6 that you should be on the lookout for. That change is to how the router processes the implicit deny statement at the end of every access-list.

In IPv4, once a packet has been checked against every line of an access-list and matched none of them, it is dropped as if there were a "deny ip any any" line at the end. This is the "implicit deny". Network engineers often add an explicit deny-all line anyway, just to be sure (or to log the denied traffic). In IPv4 this doesn't change what the access-list does; in IPv6 it can break basic connectivity.

The problem with an explicit deny statement in IPv6 comes back to IPv6's use of ICMPv6 for neighbor discovery. An IPv6 access-list doesn't end with just an implicit "deny ipv6 any any"; there are two implicit lines processed before it, "permit icmp any any nd-na" and "permit icmp any any nd-ns". Neighbor advertisement (nd-na) and neighbor solicitation (nd-ns) messages do for IPv6 what ARP does for IPv4: they are how the router and its neighbors learn each other's link-layer addresses. Because an access-list is evaluated top to bottom and stops at the first match, an explicit "deny ipv6 any any" (or "deny icmp any any") at the end of the list is reached before those implicit permits, so they never take effect. The inbound access-list also applies to traffic addressed to the router itself, so the router can no longer resolve neighbors on that interface, and hosts behind it lose connectivity even though every line you wrote looks correct. If you want an explicit deny at the end (for example, to add the log keyword), put explicit "permit icmp any any nd-na" and "permit icmp any any nd-ns" lines ahead of it.
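The following configuration is an added example and is not from the original post. It shows the broken form (an explicit deny that shadows the implicit neighbor discovery permits) beside the corrected form, using the same 2001:db8:1:1::/64 prefix and GigabitEthernet0/1 interface as the post's example; the access-list names are assumed.

```cisco
! Added example, not from the original post. Prefix, interface and
! access-list names are assumed for illustration.
!
! BROKEN: the explicit deny is evaluated before the implicit
! "permit icmp any any nd-na" / "permit icmp any any nd-ns" entries,
! so neighbor solicitations and advertisements arriving on the interface
! are dropped and neighbor resolution fails.
ipv6 access-list ACCESS_IN_BROKEN
 permit tcp any eq 80 2001:db8:1:1::/64
 permit tcp any eq 443 2001:db8:1:1::/64
 deny ipv6 any any log
!
! FIXED: keep the explicit deny (it gives you the log keyword and a
! visible hit counter) but restore the two neighbor discovery permits
! ahead of it, mirroring the implicit entries exactly.
ipv6 access-list ACCESS_IN
 permit tcp any eq 80 2001:db8:1:1::/64
 permit tcp any eq 443 2001:db8:1:1::/64
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log
!
interface GigabitEthernet0/1
 ipv6 traffic-filter ACCESS_IN in
```

To confirm the fix is doing what you expect, "show ipv6 access-list ACCESS_IN" shows per-line match counts (the nd-na and nd-ns lines should start incrementing as soon as the interface comes up) and "show ipv6 neighbors" should list the neighbors on GigabitEthernet0/1 as REACH or STALE rather than INCMP. Use the log keyword on the final deny with care on a busy interface, since every unmatched packet generates a log message.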

Otherwise, Cisco has changed the syntax of the commands slightly, but the overall process is the same. You still create the access-list and then apply it to an interface, just as before. Instead of "ip access-group [access-list name] in|out" you use "ipv6 traffic-filter [access-list name] in|out". In my opinion, this command is easier for the beginner to remember and more obvious to the casual observer.

To simplify things even further, there's no longer a concept of "standard vs extended" or "numbered vs named". All IPv6 access-lists are named, extended access-lists, so every entry can match on source, destination, protocol and port.

! Replies from remote web servers (source port 80/443) back to the LAN
ipv6 access-list ACCESS_IN
  permit tcp any eq 80 2001:db8:1:1::/64
  permit tcp any eq 443 2001:db8:1:1::/64
!
! Web requests from the LAN to any server on port 80/443
ipv6 access-list ACCESS_OUT
  permit tcp 2001:db8:1:1::/64 any eq 80
  permit tcp 2001:db8:1:1::/64 any eq 443
!
! Neither list ends with an explicit deny, so the implicit nd-na and nd-ns
! permits remain in effect ahead of the implicit "deny ipv6 any any".
interface GigabitEthernet0/1
  ipv6 traffic-filter ACCESS_OUT out
  ipv6 traffic-filter ACCESS_IN in

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.
