cisco ipv6 acls


on the usual ipv4 side, i have a web/ssh server with static NAT entries in my 1841 router.  i also use NAT overloading for users behind the router in RFC1918 space.  the NAT overload offers some semblance of protection, since end users are not directly reachable from the internet.

i use an ipv6 tunnel from hurricane electric's free tunnel broker service.  i've got a full /48 of routable ipv6 address space and have 3-4 /64s carved up.  i set it up for CCNP lab'ing.  it works, but it's not terribly fast.  however, the cisco 1841 is a router and just forwards packets by default, so there is no NAT to hide behind: it needs an ACL to stop my internal network from being reachable from the outside while still allowing the internal network to reach the outside.  the next piece of the puzzle was to allow http/s and ssh access to my server from the outside.

i chose eui-64 because i’m lazy.

here's my tunnel config; the relevant part is the pair of ipv6 traffic-filter lines:

1841#sh run int tu0
Building configuration…
Current configuration : 346 bytes
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip route-cache flow
ipv6 address 2001:470:7:806::2/64
ipv6 enable
ipv6 traffic-filter inbound in
ipv6 traffic-filter outbound out
ipv6 flow ingress
ipv6 flow egress
tunnel source FastEthernet0/0
tunnel destination x.y.z.a
tunnel mode ipv6ip

'inside' interface config with the relevant bits:

1841#sh run int fa0/1
Building configuration…
Current configuration : 308 bytes
interface FastEthernet0/1
description inside
ipv6 address 2001:470:E24F:2::/64 eui-64
ipv6 enable

here's the tricky part: i needed the reflect keyword to make the ACL stateful, and the inbound and outbound ACLs have to be used together: the outbound ACL creates the reflexive entries (reflect OUTREFLECT) and the inbound ACL consults them (evaluate OUTREFLECT).

1841#sh run | beg access-list inbound
ipv6 access-list inbound
sequence 50 permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq 22
permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq www
permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq 443
sequence 130 evaluate OUTREFLECT
permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq domain
permit udp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq domain
ipv6 access-list outbound
sequence 30 permit ipv6 2001:470:8:806::/64 any reflect OUTREFLECT
permit ipv6 2001:470:E24F::/48 any reflect OUTREFLECT
ipv6 access-list sshaccess
permit ipv6 2001:470:E24F::/48 any

my server's MAC has changed since i did this, so i should probably update this ACL, since the eui-64 address changed along with it. 🙂
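A small check for exactly this kind of drift, added here as an example and not part of the original post: it derives the server's EUI-64 address from its MAC per RFC 4291 and flags any host entries on that /64 that no longer match. The MAC 00:1A:2B:3C:4D:5E is a constructed stand-in for the new server NIC.

```python
"""Added check: does an ipv6 access-list still name the server's current EUI-64 address?"""
import ipaddress
import re

# Constructed sample: the inbound ACL from the post, plus the server's /64.
SAMPLE_CONFIG = """
ipv6 access-list inbound
 sequence 50 permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq 22
 permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq www
 permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq 443
 sequence 130 evaluate OUTREFLECT
"""
SERVER_PREFIX = "2001:470:E24F:2::/64"
NEW_SERVER_MAC = "00:1A:2B:3C:4D:5E"   # constructed stand-in for the replaced NIC

def eui64_interface_id(mac: str) -> bytes:
    """RFC 4291 App. A: split the MAC, insert FF:FE, flip the U/L bit (0x02) of octet 0."""
    octets = bytes.fromhex(re.sub(r"[:.\-]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address 'ipv6 address <prefix> eui-64' yields for an interface with this MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

HOST_RE = re.compile(r"\bhost\s+([0-9A-Fa-f:]+)")

def host_entries(config: str) -> list:
    """Every distinct 'host <addr>' referenced by access-list entries, in order of appearance."""
    found = []
    for m in HOST_RE.finditer(config):
        addr = ipaddress.IPv6Address(m.group(1))
        if addr not in found:
            found.append(addr)
    return found

def stale_host_entries(config: str, prefix: str, mac: str) -> list:
    """Host entries inside the server's /64 that no longer equal its current EUI-64 address."""
    current = eui64_address(prefix, mac)
    net = ipaddress.IPv6Network(prefix, strict=False)
    return [a for a in host_entries(config) if a in net and a != current]

if __name__ == "__main__":
    for addr in stale_host_entries(SAMPLE_CONFIG, SERVER_PREFIX, NEW_SERVER_MAC):
        print(f"stale ACL host {addr}; current is {eui64_address(SERVER_PREFIX, NEW_SERVER_MAC)}")
```

With the original MAC (00:02:B3:AB:73:3F, recovered from the address in the ACL) the check reports nothing; with the new MAC it lists the single stale host address used by all three inbound entries.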

ipv6 ssh access to the router itself should also be limited to my internal network, using the sshaccess ACL from above:

1841#sh run | beg vty
line vty 0 4
access-class 10 in
ipv6 access-class sshaccess in
transport input ssh

world ipv6 day is coming. ready?



  1. I implemented a similar scheme, but I used “ip inspect” on the outbound as I’m not (yet) familiar with reflexive ACLs. Beware of some IOS bugs with this feature in 12.4T; I had to roll back my IPv6 tunnel router to 12.4 to get around this. The symptom is much reduced IPv6 TCP throughput when using ipv6 inspect tcp.

    ipv6 inspect name V6-INSPECT tcp
    ipv6 inspect name V6-INSPECT udp
    ipv6 inspect name V6-INSPECT ftp
    ipv6 inspect name V6-INSPECT icmp

    interface Tunnel0
    description Hurricane Electric IPv6 Tunnel Broker
    no ip address
    ipv6 address 2001:DB8:1F00:1D00::2/64
    ipv6 enable
    ipv6 traffic-filter IPV6_OUTSIDE_F0 in
    ipv6 inspect V6-INSPECT out

    nickb, July 1, 2012
  2. Thanks, I forgot about the inspection stuff. It’s a bit more graceful than reflective ACLs too.

    Nick, July 1, 2012
