What is IPv6 ACLs?
There are similarities in the operation and configuration of IPv6 ACLs and its predecessor IPv4 ACLs. If you are familiar with the basic operation and configuration of the IPv4 access controls list, you will find IPv6 ACLs easy to understand and configure too, the only difference is just the IPv6 addressing.
An IPv6 Access Control List (ACL) refers to the rules and configurations used in networks to manage and filter IPv6 traffic. ACLs are crucial for network security and traffic management.
Here’s an overview of IPv6 ACLs:
Purpose of IPv6 ACLs: IPv6 ACLs are used to permit or deny traffic based on various criteria such as source and destination IPv6 addresses, traffic type, and port numbers. This control can be applied for security purposes, traffic flow management, or to enforce network policies
Types of IPv6 ACLs:
Standard ACLs: These are simpler and control traffic based solely on the source IPv6 address.
Extended ACLs: These are more complex and can filter traffic based on both source and destination IPv6 addresses, as well as on protocol types, port numbers, and other parameters.
Configuration: IPv6 ACLs are configured on network devices like routers and switches. Each ACL contains a series of entries, known as access control entries (ACEs), that specify the action (permit or deny) and match criteria.
Stateless Nature: Unlike stateful firewalls, IPv6 ACLs are typically stateless. They don’t keep track of the state of network connections and make decisions based solely on the rules defined in the ACLs.
Implicit Deny: At the end of every IPv6 ACL, there is an implicit “deny all” statement. This means that if a packet doesn’t match any of the specified rules in the ACL, it will be denied by default.
Placement and Direction:
Inbound ACLs: Applied to traffic entering the network device.
Outbound ACLs: Applied to traffic exiting the network device. The placement and direction of ACLs significantly impact their effectiveness and should be carefully planned based on the network topology and security requirements.
Use in IPv6 Networks: Given the extensive address space of IPv6, ACLs in IPv6 environments can be more complex compared to IPv4, especially when considering the use of address prefixes and the need to accommodate various IPv6 address types (like link-local, multicast, etc.).
Security and Management Challenges: Proper management of IPv6 ACLs is critical. Poorly configured ACLs can lead to security vulnerabilities or disrupt normal network operations.
How to Configure IPv6 ACLs example topology.
In the example below, we will configure IPv6 ACL on the router to restrict access to its VTY Lines. We will allow only PC 1 to telnet into R1 while other traffic will be denied.
To do this; You must use the ipv6 access-list command to create a named IPv6 ACL.
IPv6 uses name ACLs as in IPv4, but IPv6 name ACLs are alphanumeric, case sensitive, and must be unique.
To determine if a packet is forwarded or dropped, you must use the permit or deny statements to specify this action.
You use the ipv6 access-class command to apply the ACL to the VTY lines.
ACL Configuration Example.
Apply the ACL to the VTY lines, using the ipv6 access-class command and within the direction.
R1(config)#ipv6 access-list NO_TELNET
R1(config-ipv6-acl)#permit tcp host 2001:db8:FC31e:1::1 any eq 23
R1(config-ipv6-acl)#exit
R1(config)#line vty 0 15
R1(config-line)#ipv6 access-class NO_TELNET in
R1(config-line)#exit
R1(config)#
From the configuration example, the permit statement only allows the PC1 to telnet into R1.
VERIFY IPV6 ACLS
To verify all ACLs configured on the router, use the show access-lists command, this will display both IPv4 and IPv6 ACLs configured on the router.
To verify all IPv6 ACLs configured on the router, use the show ipv6 access-list command, this will display all configured IPv6 access lists and their name.
R1#show ipv6 access-list
IPv6 access list NO_TELNET
permit tcp host 2001:DB8:FC31E:1::1 any eq telnet
In conclusion, IPv6 ACLs are a fundamental aspect of network security and traffic management in modern IPv6 networks. Their effective implementation requires careful planning and a thorough understanding of network requirements and potential security risks.
