IPv6 Access List
IPv6 access lists provide packet filtering and traffic classification for IPv6 traffic on NX-OS through ordered sequences of permit/deny rules that match on Layer 3 and Layer 4 header fields including protocol, source/destination IPv6 prefixes, ports, DSCP, flow labels, and TCP flags. Each ACL supports per-ACE statistics, fragment handling policies, extension header filtering, address and port groups for object-based matching, ICMPv6 type/code filtering, HTTP method matching, packet length operators, time-range restrictions, VLAN/VNI-based filtering, capture sessions, telemetry actions, and redirect options. IPv6 access lists are applied to interfaces for ingress/egress traffic filtering and referenced by other features for comprehensive IPv6 traffic control and security enforcement.
Diagram
Classes
configuration (nxos.devices)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv6_access_lists | List | [ipv6_access_lists] | No | |
ipv6_access_lists (nxos.devices.configuration)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| extension_header | Choice | permit-all, deny-all | No | |
| fragments | Choice | permit-all, deny-all | No | |
| ignore_routable | Boolean | true, false | No | |
| statistics_per_entry | Boolean | true, false | No | |
| entries | List | [entries] | No | |
entries (nxos.devices.configuration.ipv6_access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence_number | Integer | min: 1, max: 4294967295 | Yes | |
| remark | String | | No | |
| action | Choice | permit, deny | No | |
| protocol | Any | Choice[ipv6, tcp, udp, gre, esp, ahp, icmp, eigrp, ospf, nos, pim, pcp, sctp, udf] or String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| flow_label | Integer | min: 0, max: 1048576 | No | |
| fragment | Boolean | true, false | No | |
| log | Boolean | true, false | No | |
| established | Boolean | true, false | No | |
| ack | Boolean | true, false | No | |
| fin | Boolean | true, false | No | |
| psh | Boolean | true, false | No | |
| rst | Boolean | true, false | No | |
| syn | Boolean | true, false | No | |
| urg | Boolean | true, false | No | |
| icmp_type | Integer | min: 0, max: 255 | No | |
| icmp_code | Integer | min: 0, max: 255 | No | |
| icmp_message | String | | No | |
| http_method | Choice | get, put, head, post, delete, trace, connect | No | |
| time_range | String | | No | |
| redirect | String | | No | |
| packet_length_operator | Choice | none, eq, neq, lt, gt, range | No | |
| packet_length_1 | Integer | min: 19, max: 9210 | No | |
| packet_length_2 | Integer | min: 19, max: 9210 | No | |
| vlan | Integer | min: 0, max: 4095 | No | |
| vni | Integer | min: 0, max: 16777216 | No | |
| rev | Boolean | true, false | No | |
| tcp_flags_mask | Integer | min: 0, max: 64 | No | |
| tcp_option_length | Integer | min: 0, max: 41 | No | |
| capture_session | Integer | min: 0, max: 48 | No | |
| dscp_mask | Integer | min: 0, max: 63 | No | |
| load_share | Boolean | true, false | No | |
| priority_all | Boolean | true, false | No | |
| protocol_mask | String | | No | |
| redirect_all_interface_type | Choice | ethernet, loopback, mgmt, port-channel, vlan, vni | No | |
| redirect_all_interface_id | Any | String or Integer[min: 0] | No | |
| telemetry_path | Boolean | true, false | No | |
| telemetry_queue | Boolean | true, false | No | |
source (nxos.devices.configuration.ipv6_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | Any | IP or Choice[any] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| prefix_length | Integer | min: 0, max: 128 | No | |
| prefix_mask | String | | No | |
| addrgroup | String | | No | |
| port_operator | Choice | none, eq, neq, lt, gt, range | No | |
| port_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| portgroup | String | | No | |
destination (nxos.devices.configuration.ipv6_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | Any | IP or Choice[any] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| prefix_length | Integer | min: 0, max: 128 | No | |
| prefix_mask | String | | No | |
| addrgroup | String | | No | |
| port_operator | Choice | none, eq, neq, lt, gt, range | No | |
| port_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| portgroup | String | | No | |
Examples
Example 1: Management plane protection ACL — restrict SSH and SNMP access to trusted IPv6 subnets

```yaml
nxos:
  devices:
    - name: SPINE1
      configuration:
        ipv6_access_lists:
          - name: ACLv6-MGMT-ACCESS
            statistics_per_entry: true
            entries:
              - sequence_number: 10
                remark: "Allow SSH from management subnet"
              - sequence_number: 20
                action: permit
                protocol: tcp
                source:
                  prefix: "2001:db8:cafe::"
                  prefix_length: 48
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 22
              - sequence_number: 30
                remark: "Allow SNMP from monitoring servers"
              - sequence_number: 40
                action: permit
                protocol: udp
                source:
                  prefix: "2001:db8:cafe:100::"
                  prefix_length: 64
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 161
              - sequence_number: 1000
                action: deny
                protocol: ipv6
                source:
                  prefix: any
                destination:
                  prefix: any
                log: true
```

Example 2: Data center tenant ACL with ICMPv6 neighbor discovery, TCP flags, and DSCP

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        ipv6_access_lists:
          - name: ACLv6-TENANT-IN
            statistics_per_entry: true
            fragments: deny-all
            entries:
              - sequence_number: 10
                remark: "Allow ICMPv6 neighbor discovery"
              - sequence_number: 20
                action: permit
                protocol: icmp
                source:
                  prefix: any
                destination:
                  prefix: any
                icmp_message: nd-ns
              - sequence_number: 30
                action: permit
                protocol: icmp
                source:
                  prefix: any
                destination:
                  prefix: any
                icmp_message: nd-na
              - sequence_number: 40
                remark: "Allow established TCP sessions"
              - sequence_number: 50
                action: permit
                protocol: tcp
                source:
                  prefix: any
                destination:
                  prefix: "2001:db8:10::"
                  prefix_length: 48
                established: true
              - sequence_number: 60
                remark: "Allow HTTPS inbound with DSCP EF"
              - sequence_number: 70
                action: permit
                protocol: tcp
                source:
                  prefix: any
                destination:
                  prefix: "2001:db8:10::"
                  prefix_length: 48
                  port_operator: eq
                  port_1: 443
                dscp: 46
              - sequence_number: 1000
                action: deny
                protocol: ipv6
                source:
                  prefix: any
                destination:
                  prefix: any
                log: true
```

Example 3: Advanced IPv6 ACL with extension header filtering, flow label, and capture session

```yaml
nxos:
  devices:
    - name: BORDER-LEAF1
      configuration:
        ipv6_access_lists:
          - name: ACLv6-SECURITY
            statistics_per_entry: true
            extension_header: deny-all
            ignore_routable: true
            entries:
              - sequence_number: 10
                remark: "Capture suspicious traffic for analysis"
              - sequence_number: 20
                action: permit
                protocol: tcp
                source:
                  prefix: "2001:db8:99::"
                  prefix_length: 48
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 443
                capture_session: 1
                telemetry_queue: true
              - sequence_number: 30
                remark: "Allow DNS queries"
              - sequence_number: 40
                action: permit
                protocol: udp
                source:
                  prefix: any
                destination:
                  prefix: "2001:db8:10::53"
                  prefix_length: 128
                  port_operator: eq
                  port_1: 53
              - sequence_number: 50
                remark: "Allow ICMPv6 echo for troubleshooting"
              - sequence_number: 60
                action: permit
                protocol: icmp
                source:
                  prefix: any
                destination:
                  prefix: any
                icmp_message: echo-request
              - sequence_number: 1000
                action: deny
                protocol: ipv6
                source:
                  prefix: any
                destination:
                  prefix: any
                log: true
```
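As an added example (not part of this page or of the data model it documents), the Python below applies the constraints from the tables above to one `ipv6_access_lists` item before it is pushed to a device, and, as a hygiene rule drawn from all three examples, flags a list whose highest-sequence rule is not a logged `deny ipv6`; `SAMPLE_ACL` is a constructed subset of Example 1, and the check for a matching `port_2` on the `range` operator is an assumption about how NX-OS expects that operator to be used.

```python
# Added example, not the page's own code: validate an ipv6_access_lists item against the tables above.
ACE_RANGES = {  # integer entry fields -> (min, max), copied from the entries table
    "sequence_number": (1, 4294967295), "dscp": (0, 63), "dscp_mask": (0, 63), "flow_label": (0, 1048576),
    "icmp_type": (0, 255), "icmp_code": (0, 255), "packet_length_1": (19, 9210), "packet_length_2": (19, 9210),
    "vlan": (0, 4095), "vni": (0, 16777216), "tcp_flags_mask": (0, 64), "tcp_option_length": (0, 41),
    "capture_session": (0, 48)}
OPERATORS = {"none", "eq", "neq", "lt", "gt", "range"}
ACE_CHOICES = {"action": {"permit", "deny"}, "packet_length_operator": OPERATORS,
               "http_method": {"get", "put", "head", "post", "delete", "trace", "connect"}}
ACL_CHOICES = {k: {"permit-all", "deny-all"} for k in ("extension_header", "fragments")}
# Constructed sample modelled on Example 1: one permit rule plus the final logged deny.
SAMPLE_ACL = {"name": "ACLv6-MGMT-ACCESS", "statistics_per_entry": True, "entries": [
    {"sequence_number": 20, "action": "permit", "protocol": "tcp", "source": {"prefix": "2001:db8:cafe::",
     "prefix_length": 48}, "destination": {"prefix": "any", "port_operator": "eq", "port_1": 22}},
    {"sequence_number": 1000, "action": "deny", "protocol": "ipv6", "log": True,
     "source": {"prefix": "any"}, "destination": {"prefix": "any"}}]}

def _check_endpoint(ep, label, problems):
    """Validate a source or destination class: prefix_length range, port operator and ports."""
    if "prefix_length" in ep and not 0 <= ep["prefix_length"] <= 128:
        problems.append(f"{label}.prefix_length outside 0-128")
    op = ep.get("port_operator")
    if op is not None and op not in OPERATORS:
        problems.append(f"{label}.port_operator invalid: {op}")
    if op == "range" and not ("port_1" in ep and "port_2" in ep):  # assumption: range needs both ports
        problems.append(f"{label}: range needs port_1 and port_2")

def validate_acl(acl):
    """Return a list of problems; an empty list means the ACL passes every check."""
    problems = [] if acl.get("name") else ["name is mandatory"]
    problems += [f"{k} invalid: {acl[k]}" for k, ok in ACL_CHOICES.items() if k in acl and acl[k] not in ok]
    seen = set()
    for ace in acl.get("entries", []):
        seq = ace.get("sequence_number")
        if seq is None or seq in seen:
            problems.append(f"missing or duplicate sequence_number: {seq}")
        seen.add(seq)
        problems += [f"seq {seq}: {k}={ace[k]} outside {lo}-{hi}"
                     for k, (lo, hi) in ACE_RANGES.items() if k in ace and not lo <= ace[k] <= hi]
        problems += [f"seq {seq}: {k} invalid: {ace[k]}" for k, ok in ACE_CHOICES.items()
                     if k in ace and ace[k] not in ok]
        for side in ("source", "destination"):
            if side in ace:
                _check_endpoint(ace[side], f"seq {seq}.{side}", problems)
    # Hygiene rule taken from the page's examples: the highest-sequence rule is a logged 'deny ipv6'.
    rules = [a for a in acl.get("entries", []) if "action" in a]
    last = max(rules, key=lambda a: a.get("sequence_number", 0), default=None)
    if not (last and last["action"] == "deny" and last.get("protocol") == "ipv6" and last.get("log")):
        problems.append("no final logged 'deny ipv6 any any' entry")
    return problems
```

Remarks (entries with only `sequence_number` and `remark`) carry no `action` and are ignored by the hygiene rule, so the remark-only entries in the examples above do not trip it.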