IPv6 ACL Chaining with a Common ACL

ACL Chaining, also known as Multi-Access Control List (ACL), allows you to split ACLs. This document describes how with the IPv6 ACL Chaining Support feature, you can explicitly split ACLs into common and user-specific ACLs and bind both ACLs to a target for traffic filtering on a device. In this way, the common ACLs in Ternary Content Addressable Memory (TCAM) are shared by multiple targets, thereby reducing the resource usage.

Information About IPv6 ACL Chaining with a Common ACL

ACL Chaining Overview

The packet filter process supports only a single Access control list (ACL) to be applied per direction and per protocol on an interface. This leads to manageability and scalability issues if there are common ACL entries needed on many interfaces. Duplicate Access control entries (ACEs) are configured for all those interfaces, and any modification to the common ACEs needs to be performed for all ACLs.

A typical ACL on the edge box for an Internet Service Provider (ISP) has two sets of ACEs:

  • Common ISP specific ACEs

  • Customer/interface specific ACEs

The purpose of these address blocks is to deny access to ISP's protected infrastructure networks and anti-spoofing protection by allowing only customer source address blocks. This results in configuring unique ACL per interface and most of the ACEs being common across all ACLs on a device. ACL provisioning and modification is very cumbersome, hence, any changes to the ACE impacts every target.

IPv6 ACL Chaining with a Common ACL

With IPv6 ACL Chaining, you can configure a traffic filter with the following:

  • Common ACL

  • Specific ACL

  • Common and Specific ACL

Each Access control list (ACL) is matched in a sequence. For example, if you have specified both the ACLs - a common and a specific ACL, the packet is first matched against the common ACL; if a match is not found, it is then matched against the specific ACL.


Note
Any IPv6 ACL may be configured on a traffic filter as a common or specific ACL. However, the same ACL cannot be specified on the same traffic filter as both common and specific.

How to Configure IPv6 ACL Chaining with a Common ACL

Before you begin

IPv6 ACL chaining is configured on an interface using an extension of the existing IPv6 traffic-filter command: ipv6 traffic-filter [common common-acl] [specific-acl] [ in | out ]

Note
You may choose to configure either of the following:
  • Only a common ACL. For example: ipv6 traffic-filter common common-acl
  • Only a specific ACL. For example: ipv6 traffic-filter common-acl
  • Both ACLs. For example: ipv6 traffic-filter common common-acl specific-acl

The ipv6 traffic-filter command is not additive. When you use the command, it replaces earlier instances of the command. For example, the command sequence: ipv6 traffic-filter [common common-acl] [specific-acl] in ipv6 traffic-filter [specific-acl] in binds a common ACL to the traffic filter, removes the common ACL and then binds a specific ACL.

Configuring the IPv6 ACL to an Interface

Perform this task to configure the interface to accept a common access control list (ACL) along with an interface-specific ACL:

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number }
  4. ipv6 traffic filter {common-access-list-name {in | out} }
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number }

Example:


Device(config)# interface gigabitethernet 0/0/0

Specifies the interface type and number, and enters interface configuration mode.

Step 4

ipv6 traffic filter {common-access-list-name {in | out} }

Example:


Device(config)# ipv6 traffic-filter outbound out

Applies the specified IPv6 access list to the interface specified in the previous step.

Step 5

end

Example:

Device(config-if)# end

(Optional) Exits the configuration mode and returns to privileged EXEC mode.

Configuration Examples for IPv6 ACL Chaining with a Common ACL

You may configure the following combinations in no particular order:

  • A common ACL, for example: ipv6 traffic-filter common common-acl in
  • A specific ACL, for example: ipv6 traffic-filter specific-acl in
  • Both ACLs, for example: ipv6 traffic-filter common common-acl specific-acl in

Example: Configuring an Interface to Accept a Common ACL

This example shows how to replace an access control list (ACL) configured on the interface without explicitly deleting the ACL: 

interface gigabitethernet 0/0/0
ipv6 access-group common  C_acl ACL1 in
end
replace interface acl ACL1 by ACL2
interface gigabitethernet 0/0/0
ipv6 access-group common  C_acl ACL2 in
end

This example shows how to delete a common ACL from an interface. A common ACL cannot be replaced on interfaces without deleting it explicitly from the interface. 

interface gigabitethernet 0/0/0
ipv6 access-group common  C_acl1 ACL1 in
end
change the common acl to C_acl2
interface gigabitethernet 0/0/0
no ipv6 access-group common  C_acl1  ACL1 in
end
interface gigabitethernet 0/0/0
ipv6 access-group common  C_acl2  ACL1 in
end

Note
When reconfiguring a common ACL, you must ensure that no other interface on the line card is attached to the common ACL.

Note
If both common ACL and interface ACL are attached to an interface and only one of the above is reconfigured on the interface, then the other is removed automatically.

This example shows how to remove the interface ACL:

interface gigabitethernet 0/0/0
ipv6 access-group common C_acl1 ACL1 in
end

Additional References for IPv6 ACL Chaining with a Common ACL

Related Documents

Related Topic Document Title

IPv4 ACL Chaining Support

Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S

Security commands

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information for IPv6 ACL Chaining with a Common ACL

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for IPv6 ACL Chaining with a Common ACL

Feature Name

Releases

Feature Information

IPv6 ACL Chaining with a Common ACL

Cisco IOS XE Release 3.11S

Cisco IOS XE Release 3.6E

The ACL Chaining feature, also known as Multi-ACLs, allows you to explicitly split IPv6 traffic filter access control lists (ACLs) into common and per-session ACLs. In this way, the common access control entries (ACEs) that are used reduces resource usage of each ACL entry per session in the Ternary Content Addressable Memory (TCAM).

The following commands were introduced or modified: ip access-group common .