Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPv6 ACLs for ZBFW with changing IPv6 prefix?

Hi all

Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix will change ?



6RD based residential internet access.

Provider has a /28 6RD-Prefix, and will append the whole 32bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.

A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.

No big deal, one would think...

zone security Z-INTERNET
 description * the outside world *
zone security Z-DMZ

zone security Z-OUTSIDE
zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
 service-policy type inspect PMAP-INBOUND-TRAFFIC

policy-map type inspect PMAP-INBOUND-TRAFFIC
 class type inspect CMAP-IN-TRACE-TRAFFIC
 class type inspect CMAP-IN-INSPECT-TRAFFIC
 class class-default
  drop log

class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
 match access-group name ACLv6-ICMP-UNREACH   <-- some ICMP listed in this ACL, irrelevant here

class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
 match access-group name ACLv6-INBOUND-TRAFFIC 


Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...

ipv6 access-list ACLv6-INBOUND-TRAFFIC
 sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http


... works well, until MY6currentRDPREFIX becomes MYnew6RDPREFIX. It does so seldomly, but it does, especially after outages.


For adressing (and re-adressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.

However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).

router6rd(config-ipv6-acl)#permit ip any ?
  X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
  any                 Any destination prefix
  host                A single destination host



D'oh. What now?

I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of

Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant if the Host-ID comes from ip-token, EUI-64, RFC7217 or privacy extensions (allright, the latter wouldn't quite apply here, I know.)


Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet? 


Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?


thanks for your thoughts and ideas.


CreatePlease login to create content