The offline process

  1. Begin by doing one of the following:
    1. To edit one or more existing ACLs, use copy command-output tftp to copy the current version of the ACL configuration to a file on your TFTP server. For example, to copy the ACL configuration to a file named acl-001.txt in the TFTP directory on a server at fe80::2a1:200:
      Switch# copy command-output 'show access-list config' tftp fe80::2a1:200 acl-001.txt pc
    2. To create a new ACL, open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.
  2. Use a text editor to create or edit the ACLs in the *.txt ASCII file format.
  3. If you are replacing an ACL on the switch with a new ACL that uses the same number or name, begin the command file with a no ipv6 access-list command to remove the earlier version of the ACL from the switch's running-config file. Otherwise, the switch appends the ACEs in the downloaded ACL to the existing ACL. For example, if you planned to use the copy command to replace an ACL named "List-120", you would place this command at the beginning of the edited file:
    no ipv6 access-list List-120 (1)
    ipv6 access-list "List-120"
      10 remark "THIS ACE ALLOWS TELNET"
      10 permit tcp fe80::17/128 ::/0 eq 23
      20 deny ipv6 fe80::123/128 fe80::/125 log
      30 deny ipv6 fe80::255/128 fe80::/125 log
      40 permit ipv6 ::/0 ::/0
    (1) Removes the existing ACL and replaces it with a new version that has the same identifier. To append new ACEs to an existing ACL instead of replacing it, omit the first line and make sure the sequence numbers of the new ACEs begin with a number greater than the highest number already in the existing list.
  4. Use copy tftp command-file to download the file to the switch as a list of commands.
    Using copy tftp command-file to configure an ACL in the switch:
    Switch(config)# copy tftp command-file fe80::1ad:17 acl-001.txt pc
    Running configuration may change, do you want to continue[y/n]? y
      1. ipv6 access-list "acl-001"
      6.    ; CREATED ON JUNE 10
     10.    10 remark "Telnet Denied Here"
     13.    10 deny tcp 2001:db8:0:1af::/64 ::/0 eq 23
     16.    30 deny tcp ::/0 ::/0 log
     19.    40 deny icmp 2001:db8:0:1af::/64 ::/0 134
     22.    50 deny icmp 2001:db8:0:1af::/64 ::/0 133
     27.    ; PERMITS IPV6 ANY ANY
     31.    60 permit ipv6 ::/0 ::/0
     34.    exit
     36.    vlan 20 ipv6 access-group acl-001 vlan-in

    Blank lines may appear in the command output when you copy the command file to the switch. However, they are eliminated in the copy of the ACL in switch memory. This is normal operation.

  5. In this example, the command that assigns the ACL to a VLAN was included in the .txt command file. If your file does not include it, the next step is to assign the new ACL to the intended VLAN manually:
    vlan <vid> ipv6 access-group <identifier> <vlan-in|vlan-out>
  6. You can then use the show run or show access-list config command to inspect the switch configuration and confirm that the ACL was downloaded correctly. Verifying the .txt file download to the switch:
    Switch(config)# show run
    . . .
    ipv6 access-list "acl-001"
       10 remark "Telnet Denied Here"
       10 deny tcp ::/0 ::/0 eq 23
       30 deny tcp ::/0 ::/0 log
       40 deny icmp ::/0 ::/0 134
       50 deny icmp ::/0 ::/0 133
       60 permit ipv6 ::/0 ::/0
    . . .
    vlan 20 (1)
       ipv6 access-group "acl-001" vlan-in
    . . .
    (1) As part of the instruction set included in the .txt file, the ACL is assigned to inbound IP traffic on VLAN 20.

    Comments preceded by ";" in the .txt source file for this configuration do not appear in the ACL configured on the switch.

  7. If the configuration appears satisfactory, save it to the startup-config file:
    Switch(config)# write memory
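The steps above leave two mistakes easy to make by hand: forgetting the leading no ipv6 access-list line when a replacement is intended (so the new ACEs silently append to the old list), and, when appending is intended, choosing sequence numbers that collide with ACEs already on the switch. The script below is an added example, not part of the switch documentation or vendor tooling; it builds the .txt command file from a list of ACEs, enforces those two rules against a captured copy of the current ACL, and models what the switch keeps after the download (blank lines and ";" comments dropped). The ACL name, addresses and ACEs are constructed sample data.

```python
"""Build and sanity-check an offline IPv6 ACL command file before it is
copied to the switch with 'copy tftp command-file'.

Example code, not vendor tooling. Assumes the command syntax shown on the
page (no ipv6 access-list / ipv6 access-list "NAME" / <seq> remark|permit|deny ...).
"""
import re

# Constructed sample of the ACL currently on the switch, as it would be
# captured with: copy command-output 'show access-list config' tftp ...
EXISTING_ACL_CONFIG = """\
ipv6 access-list "List-120"
   10 remark "THIS ACE ALLOWS TELNET"
   10 permit tcp fe80::17/128 ::/0 eq 23
   20 deny ipv6 fe80::123/128 fe80::/125 log
   40 permit ipv6 ::/0 ::/0
exit
"""

# An ACE (or the remark attached to one) starts with its sequence number.
ACE_RE = re.compile(r"^\s*(\d+)\s+(remark|permit|deny)\b")


def highest_sequence(acl_config):
    """Largest sequence number used in a captured ACL (0 if none)."""
    seqs = [int(m.group(1)) for line in acl_config.splitlines()
            if (m := ACE_RE.match(line))]
    return max(seqs, default=0)


def build_command_file(name, aces, existing_config="", replace=True, comment=None):
    """Return the text of the .txt command file.

    aces:    list of (seq, text) tuples, e.g. (10, 'deny tcp ::/0 ::/0 eq 23').
             A remark shares the sequence number of the ACE it describes.
    replace: True  -> prepend 'no ipv6 access-list NAME' so the switch drops
                      the old list instead of appending to it.
             False -> every new sequence number must be greater than the
                      highest one already on the switch (see step 3 note).
    """
    seqs = [s for s, _ in aces]
    if seqs != sorted(seqs):
        raise ValueError("ACEs must be listed in ascending sequence order")
    lines = []
    if comment:
        lines.append(f"; {comment}")  # dropped by the switch on download
    if replace:
        lines.append(f"no ipv6 access-list {name}")
    else:
        floor = highest_sequence(existing_config)
        colliding = [s for s in seqs if s <= floor]
        if colliding:
            raise ValueError(
                f"sequence numbers {colliding} do not exceed existing max {floor}")
    lines.append(f'ipv6 access-list "{name}"')
    lines.extend(f"   {seq} {text}" for seq, text in aces)
    lines.append("exit")
    return "\n".join(lines) + "\n"


def as_stored_by_switch(command_file):
    """Model what survives the download: blank lines and ';' comments vanish."""
    return [line.rstrip() for line in command_file.splitlines()
            if line.strip() and not line.lstrip().startswith(";")]


if __name__ == "__main__":
    new_aces = [
        (10, 'remark "Telnet Denied Here"'),
        (10, "deny tcp ::/0 ::/0 eq 23"),
        (60, "permit ipv6 ::/0 ::/0"),
    ]
    text = build_command_file("List-120", new_aces, comment="CREATED ON JUNE 10")
    print(text)                       # what you would place on the TFTP server
    print(as_stored_by_switch(text))  # what the switch will actually keep
```

Write the returned text to the .txt file on the TFTP server, then proceed with step 4; in append mode (replace=False) pass the captured output of show access-list config as existing_config so the sequence-number check runs against the list actually on the switch.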