ACL Chaining, also known as Multi-Access Control List (ACL), allows you to split ACLs. This document describes how with the IPv6 ACL Chaining Support feature, you can explicitly split ACLs into common and user-specific ACLs and bind both ACLs to a target for traffic filtering on a device. In this way, the common ACLs in Ternary Content Addressable Memory (TCAM) are shared by multiple targets, thereby reducing the resource usage.
Your software release may not support all the features that are documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this document provides information about the documented features and lists the releases in which each feature is supported.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Contents
Hardware Compatibility Matrix for the Cisco cBR Series Routers
![Cisco cBR Converged Broadband Routers DOCSIS Software Configuration Guide for Cisco IOS XE Cupertino 17.9 - IPv6 ACL Chaining with a Common ACL [Cisco cBR Series Converged Broadband Routers] (1)](https://i0.wp.com/www.cisco.com/content/dam/en/us/td/i/templates/note.gif "Cisco cBR Converged Broadband Routers DOCSIS Software Configuration Guide for Cisco IOS XE Cupertino 17.9 - IPv6 ACL Chaining with a Common ACL [Cisco cBR Series Converged Broadband Routers] (1)") Note | |
| Cisco CMTS Platform | Processor Engine | Interface Cards |
|---|---|---|
| Cisco cBR-8 Converged Broadband Router | Cisco IOS-XE Release 16.5.1 and Later Releases Cisco cBR-8 Supervisor:
| Cisco IOS-XE Release 16.5.1 and Later Releases Cisco cBR-8 CCAP Line Cards:
Digital PICs:
Cisco cBR-8 Downstream PHY Module:
Cisco cBR-8 Upstream PHY Modules:
|
Note | Do not use DPICs (8X10G and 2x100G) to forward IP traffic, as it may cause buffer exhaustion, leading to line card reload. The only allowed traffic on a DPICs DEPI, UEPI, and GCP traffic from the Cisco cBR-8 router to Remote PHY devices. Other traffic such as DHCP, SSH, and UTSC should flow via another router, since DPICs cannot be used for normal routing. |
Information About IPv6 ACL Chaining with a Common ACL
ACL Chaining Overview
The packet filter process supports only a single Access control list (ACL) to be applied per direction and per protocol on an interface. This leads to manageability and scalability issues if there are common ACL entries needed on many interfaces. Duplicate Access control entries (ACEs) are configured for all those interfaces, and any modification to the common ACEs needs to be performed for all ACLs.
-
Common ISP specific ACEs
-
Customer/interface specific ACEs
The purpose of these address blocks is to deny access to ISP's protected infrastructure networks and anti-spoofing protection by allowing only customer source address blocks. This results in configuring unique ACL per interface and most of the ACEs being common across all ACLs on a device. ACL provisioning and modification is very cumbersome, hence, any changes to the ACE impacts every target.
IPv6 ACL Chaining with a Common ACL
With IPv6 ACL Chaining, you can configure a traffic filter with the following:
-
Common ACL
-
Specific ACL
-
Common and Specific ACL
Each Access control list (ACL) is matched in a sequence. For example, if you have specified both the ACLs - a common and a specific ACL, the packet is first matched against the common ACL; if a match is not found, it is then matched against the specific ACL.
Note | |
How to Configure IPv6 ACL Chaining with a Common ACL
Before you begin
Note | |
- Only a common ACL. For example: ipv6 traffic-filter common common-acl
- Only a specific ACL. For example: ipv6 traffic-filter common-acl
- Both ACLs. For example: ipv6 traffic-filter common common-acl specific-acl
The ipv6 traffic-filter command is not additive. When you use the command, it replaces earlier instances of the command. For example, the command sequence: ipv6 traffic-filter [common common-acl] [specific-acl] in ipv6 traffic-filter [specific-acl] in binds a common ACL to the traffic filter, removes the common ACL and then binds a specific ACL.
Configuring IPv6 ACL to an Interface
Perform this task to configure the interface to accept a common access control list (ACL) along with an interface-specific ACL:
SUMMARY STEPS
- enable
- configure terminal
- interface type number
- ipv6 traffic filter {common-access-list-name {in | out} }
- end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step1 | enable Example: | Enables privileged EXEC mode. Enter your password if prompted. |
| Step2 | configure terminal Example: | Enters global configuration mode. |
| Step3 | interface type number Example: | Specifies the interface type and number, and enters interface configuration mode. |
| Step4 | ipv6 traffic filter {common-access-list-name {in | out} } Example: | Applies the specified IPv6 access list to the interface specified in the previous step. |
| Step5 | end Example: | (Optional) Exits the configuration mode and returns to privileged EXEC mode. |
Configuration Examples for IPv6 ACL Chaining with a Common ACL
You may configure the following combinations in no particular order:
- A common ACL, for example: ipv6 traffic-filter common common-acl in
- A specific ACL, for example: ipv6 traffic-filter specific-acl in
- Both ACLs, for example: ipv6 traffic-filter common common-acl specific-acl in
Example: Configuring an Interface to Accept a Common ACL
This example shows how to replace an access control list (ACL) configured on the interface without explicitly deleting the ACL:
interface TenGigabitEthernet4/1/0ipv6 access-group common C_acl ACL1 inendreplace interface acl ACL1 by ACL2interface TenGigabitEthernet4/1/0ipv6 access-group common C_acl ACL2 inendThis example shows how to delete a common ACL from an interface. A common ACL cannot be replaced on interfaces without deleting it explicitly from the interface.
interface TenGigabitEthernet4/1/0ipv6 access-group common C_acl1 ACL1 inendchange the common acl to C_acl2interface TenGigabitEthernet4/1/0no ipv6 access-group common C_acl1 ACL1 inendinterface TenGigabitEthernet4/1/0ipv6 access-group common C_acl2 ACL1 inendNote | |
Note | |
This example shows how to remove the interface ACL:
interface TenGigabitEthernet4/1/0ipv6 access-group common C_acl1 ACL1 inendAdditional References for IPv6 ACL Chaining with a Common ACL
Related Documents
| Related Topic | Document Title |
|---|---|
| IPv4 ACL Chaining Support | Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S |
| Security commands |
|
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support |
Feature Information for IPv6 ACL Chaining with a Common ACL
Use CiscoFeature Navigator to find information about the platform support and software image support. CiscoFeature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access CiscoFeature Navigator, go to the https://cfnng.cisco.com/ link. An account on the Cisco.com page is not required.
Note | The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent releases of that software release train also support that feature. |
| Feature Name | Releases | Feature Information |
|---|---|---|
| IPv6 access lists | Cisco IOS XE Fuji 16.7.1 | This feature was integrated into Cisco IOS XE Fuji 16.7.1 on theCisco cBR Series Converged Broadband Routers. |
![Cisco cBR Converged Broadband Routers DOCSIS Software Configuration Guide for Cisco IOS XE Cupertino 17.9 - IPv6 ACL Chaining with a Common ACL [Cisco cBR Series Converged Broadband Routers] (2024)](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/h8AAvMB+NzmkbcAAAAASUVORK5CYII=)