IPv6 ACLs are a critical security feature for modern networks as IPv6 adoption grows. On the CCNA 200-301 exam (objective 5.6), you must understand how to configure and troubleshoot IPv6 access lists, which differ significantly from their IPv4 counterparts. Mastering IPv6 ACLs is essential for securing next-generation networks and passing the exam.
Imagine a museum with multiple galleries, each containing valuable exhibits. The museum has a single entrance where a security guard checks visitors and their bags. This guard is like an IPv6 ACL applied inbound on an interface. The guard has a list of rules: 'Allow visitors with VIP passes, but deny anyone carrying large backpacks.' The guard checks each visitor against the list in order—first rule matched wins. If a visitor has a VIP pass but also carries a large backpack, the guard must decide based on which rule appears first. If the 'allow VIP' rule is first, the visitor enters despite the backpack. If the 'deny large backpacks' rule is first, the visitor is denied even with a VIP pass. This mirrors the sequential processing of ACL entries. The guard's list is like an ACL with implicit deny at the end: any visitor not matching a permit rule is denied entry. The guard also checks for specific items (like cameras) which correspond to filtering on source/destination addresses, ports, or protocols. In IPv6, addresses are longer (128-bit), so the guard's list is more complex, using hexadecimal addresses instead of decimal. The museum's back door is like an outbound ACL: the guard checks visitors leaving, not entering. The guard must be trained to handle IPv6 addresses, just as a router must support IPv6 ACL syntax.
IPv6 ACLs (Access Control Lists) are packet filters that examine IPv6 packet headers and optionally upper-layer headers to permit or deny traffic. They exist to provide security and traffic control in IPv6 networks. On the CCNA exam, you need to know that IPv6 ACLs are configured similarly to IPv4 named ACLs but use different syntax and support additional features like filtering based on IPv6 extension headers.
Types of IPv6 ACLs
Cisco IOS supports two types of IPv6 ACLs:
- Standard IPv6 ACLs: Filter only on the source IPv6 address. Unlike IPv4 standard ACLs they are not numbered; they are always named.
- Extended IPv6 ACLs: Filter on source/destination IPv6 address, protocol, and TCP/UDP ports. They are also named.
Key difference: There are no numbered IPv6 ACLs. All IPv6 ACLs must be named using a string (e.g., IPV6-FILTER).
How IPv6 ACLs Work
An IPv6 ACL is a sequential list of permit or deny statements (called ACEs – Access Control Entries). When a packet arrives at an interface where an IPv6 ACL is applied, the router processes the packet against the ACEs in order from top to bottom. The first match determines the action (permit or deny). If no match is found, an implicit deny any any is applied, and the packet is dropped.
IPv6 ACL Syntax
IPv6 ACLs use the ipv6 access-list command. The syntax for an extended ACE is:
```
ipv6 access-list ACL-NAME
 permit|deny protocol source-ipv6-prefix/prefix-length destination-ipv6-prefix/prefix-length [eq|lt|gt|neq port] [log]
```
For example:
```
ipv6 access-list BLOCK-TELNET
 deny tcp any any eq 23
 permit ipv6 any any
```
This ACL denies all Telnet traffic (TCP port 23) and permits all other IPv6 traffic.
Applying IPv6 ACLs
IPv6 ACLs are applied to interfaces using the ipv6 traffic-filter command (not access-group like IPv4). Syntax:
```
interface GigabitEthernet0/0
 ipv6 traffic-filter ACL-NAME in|out
```
Example:
```
interface GigabitEthernet0/1
 ipv6 address 2001:db8:1::1/64
 ipv6 traffic-filter INBOUND-FILTER in
```
Verification Commands
Useful show commands:
```
show ipv6 access-list
show ipv6 interface [interface]
show running-config | include ipv6 access-list
```
Example output:
```
Router# show ipv6 access-list
IPv6 access list INBOUND-FILTER
    permit tcp 2001:db8:1::/64 any eq 80 (10 matches) sequence 10
    deny ipv6 any any log (5 matches) sequence 20
```
Interaction with Related Protocols
IPv6 ACLs can filter based on:
- IPv6 headers: Source/destination address, next header (protocol type)
- Upper-layer headers: TCP/UDP ports
- Extension headers: IPv6 extension headers (e.g., Hop-by-Hop, Routing, Fragment) can be matched using the undetermined-transport keyword or by specifying next-header values.
Note: IPv6 ACLs do not support matching on packet length or DSCP values directly in standard syntax (though some advanced features can).
Sequence Numbers
Like IPv4 named ACLs, IPv6 ACLs support sequence numbers for inserting or deleting entries. By default, sequence numbers increment by 10. You can specify a sequence number when configuring an ACE:
```
ipv6 access-list FILTER
 sequence 15 deny tcp any any eq 23
```
Implicit Rules
IPv6 ACLs end with an implicit deny ipv6 any any. In addition, current Cisco IOS releases add implicit permit entries for ICMPv6 neighbor discovery and router discovery traffic; the official Cisco CCNA guide states: "IPv6 ACLs have an implicit deny any any at the end. However, there are also implicit permit entries for ICMPv6 neighbor discovery and router discovery messages." The types covered are 133 (Router Solicitation), 134 (Router Advertisement), 135 (Neighbor Solicitation), 136 (Neighbor Advertisement) and 137 (Redirect), so basic IPv6 operation does not require you to permit them explicitly. Older IOS versions had no implicit permits; there you had to add them yourself.
The implicit entries are appended after your configured ACEs with sequence numbers higher than any configured entry, so the evaluation order is: your configured ACEs in sequence order, then the implicit permits, then the implicit deny. An explicit deny ipv6 any any is a configured entry, so it is evaluated before the implicit permits, matches every packet that no earlier entry matched, including ND/RA, and drops it. The safe approach is to permit ND/RA explicitly above any deny any you configure. For the exam, remember to permit ND/RA explicitly when using a restrictive ACL.
Plan the ACL Requirements
Determine what traffic should be permitted or denied. Identify source and destination IPv6 addresses (or prefixes), protocols (TCP, UDP, ICMPv6, etc.), and ports. For example, you want to allow HTTP (TCP 80) from the 2001:db8:1::/48 network to any, and deny all other traffic. Write down the ACEs in the order they should be evaluated. Remember the implicit deny any any at the end, so you must explicitly permit desired traffic. Also consider that IPv6 neighbor discovery (ND) and router advertisements (RA) must be permitted for the network to function; you may need to add explicit permit statements for ICMPv6 types 133-137.
Create the IPv6 ACL on the Router
Enter global configuration mode and create the ACL using the `ipv6 access-list` command followed by a name (e.g., MY-FILTER). Then add ACEs using permit or deny statements. For example:
```
Router(config)# ipv6 access-list MY-FILTER
Router(config-ipv6-acl)# permit tcp 2001:db8:1::/48 any eq 80
Router(config-ipv6-acl)# permit icmp any any nd-na
Router(config-ipv6-acl)# permit icmp any any nd-ns
Router(config-ipv6-acl)# deny ipv6 any any log
```
Note: The `log` keyword generates log messages for matched packets. Use sequence numbers to insert entries later.
Apply the ACL to an Interface
Navigate to the interface where you want to filter traffic. Use the `ipv6 traffic-filter` command to apply the ACL inbound or outbound. For example:
```
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ipv6 traffic-filter MY-FILTER in
```
This applies the ACL to inbound traffic on GigabitEthernet0/0. You can also apply it outbound: `ipv6 traffic-filter MY-FILTER out`. Verify the application with `show ipv6 interface GigabitEthernet0/0`; the output shows the applied ACL.
Test and Verify the ACL
Generate traffic from a source that should be permitted or denied. Use `show ipv6 access-list` to see match counts. For example:
```
Router# show ipv6 access-list MY-FILTER
IPv6 access list MY-FILTER
    permit tcp 2001:db8:1::/48 any eq 80 (10 matches) sequence 10
    permit icmp any any nd-na (5 matches) sequence 20
    permit icmp any any nd-ns (5 matches) sequence 30
    deny ipv6 any any log (0 matches) sequence 40
```
If the ACL is not working as expected, check the order of ACEs, ensure the ACL is applied to the correct interface and direction, and verify that the source/destination addresses are correct. Use `debug ipv6 packet` cautiously to see packet drops.
Troubleshoot Common Issues
Common issues include:
1. Forgetting to permit ND/RA traffic, causing loss of IPv6 connectivity.
2. Applying the ACL in the wrong direction (in vs out).
3. Incorrect prefix length or address.
4. Sequence order: a deny entry before a permit may block desired traffic.
5. Implicit deny blocking all traffic if no permit entries match.
To troubleshoot, use `show ipv6 access-list` to see match counts. If there are no matches, the packet might be hitting the implicit deny. Use `show ipv6 interface` to verify ACL application. Also check the router's logging: if the `log` keyword is used, syslog messages indicate denied packets.
Modify or Remove the ACL
To modify an existing ACL, you can add or delete ACEs using sequence numbers. For example, to insert a new entry before sequence 10:
```
Router(config)# ipv6 access-list MY-FILTER
Router(config-ipv6-acl)# sequence 5 deny tcp any any eq 23
```
To delete an entry: `no sequence 5`. To remove the entire ACL: `no ipv6 access-list MY-FILTER`. To remove the ACL from an interface: `no ipv6 traffic-filter MY-FILTER in`. Remember that removing the ACL from the interface removes the filter, but the ACL definition remains in the configuration until deleted.
In an enterprise network, IPv6 ACLs are used to secure access between different segments. For example, consider a company with an IPv6-enabled DMZ hosting web servers (2001:db8:2::/64) and an internal network (2001:db8:1::/48). A network engineer would configure an ACL on the router connecting the DMZ to the internet to allow only HTTP/HTTPS traffic to the web servers and block all other inbound traffic. The ACL might look like:
```
ipv6 access-list DMZ-IN
 permit tcp any 2001:db8:2::/64 eq 80
 permit tcp any 2001:db8:2::/64 eq 443
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log
```
This ACL is applied inbound on the internet-facing interface. The engineer must ensure that ND/RA traffic is permitted; otherwise, the router won't learn neighbors. In another scenario, an ACL might be used to restrict management access to the router itself, for example allowing SSH only from a specific management subnet (2001:db8:10::/64):
```
ipv6 access-list MGMT-ACCESS
 permit tcp 2001:db8:10::/64 any eq 22
 deny ipv6 any any log
```
This ACL is applied to the VTY lines. For IPv6 the VTY command is ipv6 access-class (access-class is the IPv4 command), so the configuration is:
```
line vty 0 4
 ipv6 access-class MGMT-ACCESS in
```
Common scale considerations: IPv6 ACLs are processed in hardware on most Cisco switches (e.g., Catalyst 9000 series) using TCAM, so they have minimal performance impact. However, using the log keyword can cause CPU overhead if many packets match. Misconfiguration can lead to complete loss of connectivity; for example, if a deny ipv6 any any placed before the ND permits blocks ND, the router will lose neighbor entries. Always test ACLs in a lab before production deployment.
The CCNA 200-301 exam objective 5.6 expects you to configure and verify IPv6 ACLs. Specifically, you should know:
The syntax for creating named IPv6 ACLs using ipv6 access-list.
How to apply them with ipv6 traffic-filter.
The differences from IPv4 ACLs: no numbered ACLs, use of ipv6 traffic-filter vs ip access-group, and the need to permit ND/RA traffic.
Common wrong answers:
1. Using `access-group` for IPv6: Candidates mistakenly apply IPv6 ACLs with ip access-group (IPv4 command). The correct command is ipv6 traffic-filter.
2. Forgetting to permit ND/RA: Many think the implicit deny is the only implicit rule, but there are implicit permits for ICMPv6 ND types. However, if you add an explicit deny ipv6 any any, it will block ND/RA unless you explicitly permit them.
3. Using numbered ACLs: IPv6 ACLs must be named; there are no numbered IPv6 ACLs.
4. Incorrect direction: Applying the ACL outbound when it should be inbound, or vice versa.
Specific values:
Sequence numbers default to 10 and increment by 10.
Implicit permits for ICMPv6 types 133-137 (ND/RA) are present.
The log keyword generates syslog messages.
Decision rule: For scenario questions, identify the direction (in/out), the interface, and whether ND/RA need to be permitted. If the question involves filtering traffic from a specific source to a destination, use extended ACL syntax. If the ACL is applied to VTY lines, use ipv6 access-class.
IPv6 ACLs are always named, never numbered.
Use `ipv6 traffic-filter` to apply an IPv6 ACL to an interface.
Use `ipv6 access-class` to apply an IPv6 ACL to VTY lines.
IPv6 ACLs have implicit permit entries for ICMPv6 neighbor discovery (types 133-137) and router discovery.
The implicit deny any any is always at the end of an IPv6 ACL.
Sequence numbers start at 10 and increment by 10 by default.
The `log` keyword logs packet matches to the console/syslog.
These come up on the exam all the time. Here's how to tell them apart.
IPv4 ACLs
Can be numbered (1-99, 100-199) or named.
Applied with `ip access-group` on interfaces.
Applied with `access-class` on VTY lines.
No implicit permits for any protocol.
Supports standard and extended types.
IPv6 ACLs
Always named; no numbered ACLs.
Applied with `ipv6 traffic-filter` on interfaces.
Applied with `ipv6 access-class` on VTY lines.
Has implicit permits for ICMPv6 ND/RA (types 133-137).
Supports standard and extended types (both named).
Mistake
IPv6 ACLs can be numbered like IPv4 ACLs (e.g., access-list 100).
Correct
IPv6 ACLs are always named; there is no support for numbered IPv6 ACLs. Use a descriptive name like 'INBOUND-FILTER'.
Candidates are familiar with numbered ACLs from IPv4 and assume the same for IPv6.
Mistake
The command to apply an IPv6 ACL to an interface is `ip access-group`.
Correct
The correct command is `ipv6 traffic-filter` (e.g., `ipv6 traffic-filter MY-ACL in`).
The IPv4 command is `ip access-group`, and candidates often use it for IPv6 by habit.
Mistake
IPv6 ACLs have only an implicit deny any any; no other implicit rules exist.
Correct
IPv6 ACLs have implicit permit rules for ICMPv6 neighbor discovery (ND) and router discovery (RS/RA) messages (types 133-137).
Many study materials focus on the implicit deny but omit the ND/RA implicit permits.
Mistake
You can apply an IPv6 ACL to a VTY line using `ipv6 traffic-filter`.
Correct
For VTY lines, use `ipv6 access-class` (e.g., `ipv6 access-class MY-ACL in`).
The interface command `ipv6 traffic-filter` is for physical or logical interfaces, not VTY lines.
Key differences: IPv4 ACLs can be numbered (standard 1-99, extended 100-199) or named, while IPv6 ACLs are always named. IPv4 ACLs are applied with `ip access-group` on interfaces and `access-class` on VTY lines; IPv6 uses `ipv6 traffic-filter` and `ipv6 access-class`, respectively. IPv6 ACLs have implicit permit rules for ICMPv6 neighbor discovery and router advertisement messages (types 133-137), which IPv4 does not. Additionally, IPv6 ACLs use different syntax for specifying addresses (e.g., 2001:db8::/32) and protocols (e.g., ipv6, tcp, udp, icmpv6). For the exam, know these differences and the correct command syntax.
In most Cisco IOS versions, IPv6 ACLs have implicit permit entries for ICMPv6 neighbor discovery (types 133-137) and router discovery (RS/RA). They are added automatically at the end of the ACL, with sequence numbers higher than any configured entry, and are followed by the implicit deny. The evaluation order is therefore: your configured ACEs in sequence order (e.g., 10, 20, 30), then the implicit permits, then the implicit deny. If no configured entry matches ND, you do not need to permit it explicitly. A configured `deny ipv6 any any` (say at sequence 100) is a configured entry with a lower sequence number than the implicit permits, so it is evaluated first, matches ND and blocks it. So if you have a restrictive ACL with a deny any at the end, explicitly permit ND above it. For the exam, remember that it is safer to explicitly permit ND whenever you use a deny any.
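As an added example (not Cisco code and not from this page), the following Python model evaluates an IPv6 ACL the way the Implicit Rules section and this answer describe: configured ACEs in sequence order (including entries inserted with `sequence N`), then the implicit permits, then the implicit deny. It assumes the implicit permits are the two ND keywords the page's own ACLs spell out (nd-na, nd-ns); the exact implicit set depends on the IOS version.

```python
# Added model (not Cisco code) of IOS IPv6 ACL evaluation: configured ACEs in sequence
# order, then the implicit ND permits, then the implicit deny ipv6 any any.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

ND_KEYWORDS = {"nd-ns": 135, "nd-na": 136}  # ICMPv6 types behind the IOS keywords
# A packet: proto is "tcp", "udp" or "icmp"; dport for TCP/UDP, icmp_type for ICMPv6.
Packet = namedtuple("Packet", "src dst proto dport icmp_type", defaults=(None, None))

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches any next header
    src: str                         # IPv6 prefix or "any"
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    implicit: bool = False           # True for entries IOS appends by itself

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and IPv6Address(have) not in IPv6Network(want):
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return self.icmp_type is None or self.icmp_type == pkt.icmp_type

# Assumed implicit tail: the two ND permits the page's ACLs spell out, then deny any.
IMPLICIT = [Ace(0, "permit", "icmp", "any", "any", icmp_type=136, implicit=True),
            Ace(0, "permit", "icmp", "any", "any", icmp_type=135, implicit=True),
            Ace(0, "deny", "ipv6", "any", "any", implicit=True)]

def parse_acl(lines):
    """Parse IOS-syntax ACEs such as 'sequence 5 deny tcp any any eq 23 log'.
    An entry without a sequence number gets the highest number so far plus 10."""
    acl, last = [], 0
    for line in lines:
        tok = line.split()
        seq = last + 10
        if tok[0] == "sequence":
            seq, tok = int(tok[1]), tok[2:]
        action, proto, src, dst, rest = tok[0], tok[1], tok[2], tok[3], tok[4:]
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        icmp_type = ND_KEYWORDS.get(rest[0]) if rest else None
        acl.append(Ace(seq, action, proto, src, dst, dport, icmp_type))
        last = max(last, seq)
    return sorted(acl, key=lambda a: a.seq)  # IOS evaluates in sequence order

def evaluate(acl, pkt):
    """First match wins; returns (action, sequence) or (action, 'implicit')."""
    for ace in acl + IMPLICIT:
        if ace.matches(pkt):
            return ace.action, ("implicit" if ace.implicit else ace.seq)

# Constructed samples: the page's restrictive ACL with and without explicit ND permits.
RESTRICTIVE = parse_acl(["permit tcp 2001:db8:1::/48 any eq 80", "deny ipv6 any any log"])
WITH_ND = parse_acl(["permit tcp 2001:db8:1::/48 any eq 80", "permit icmp any any nd-na",
                     "permit icmp any any nd-ns", "deny ipv6 any any log"])
NS = Packet("fe80::1", "ff02::1:ff00:2", "icmp", icmp_type=135)  # neighbor solicitation

if __name__ == "__main__":
    print("RESTRICTIVE:", evaluate(RESTRICTIVE, NS), "WITH_ND:", evaluate(WITH_ND, NS))
```

Running it shows the neighbor solicitation hitting the configured deny at sequence 20 in RESTRICTIVE, while WITH_ND permits it at sequence 30 and an ACL with no deny any lets the implicit permit catch it.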
Yes, you can use the same name for an IPv4 named ACL and an IPv6 ACL because they are in different namespaces. For example, you can have `ip access-list extended MY-FILTER` and `ipv6 access-list MY-FILTER` simultaneously. However, this can be confusing, so it's best to use distinct names or prefixes like IPV4-FILTER and IPV6-FILTER.
Use the `no ipv6 traffic-filter ACL-NAME in|out` command in interface configuration mode. For example: `interface GigabitEthernet0/0` then `no ipv6 traffic-filter MY-FILTER in`. This removes the ACL from the interface but does not delete the ACL definition. To delete the ACL itself, use `no ipv6 access-list MY-FILTER` in global configuration mode.
The `log` keyword causes the router to generate a syslog message when a packet matches that ACE. This is useful for troubleshooting and monitoring. The log message includes details like the source and destination addresses, protocol, and ports. However, using `log` on a high-traffic ACL can overwhelm the router's CPU, so use it sparingly.
Yes, you can filter based on the next header field in the IPv6 header, which indicates the type of extension header or upper-layer protocol. For example, you can permit or deny packets with a specific next header value (e.g., 6 for TCP, 17 for UDP, 58 for ICMPv6). However, Cisco IOS does not allow filtering on the contents of extension headers themselves (like the Hop-by-Hop options) using standard ACL syntax. For advanced filtering, you may need to use NBAR or other features.
There is no default direction; you must specify either `in` or `out` when using `ipv6 traffic-filter`. If you omit the direction, the command will be rejected. The direction is relative to the interface: `in` filters packets arriving on the interface, `out` filters packets leaving the interface.