IPv6 ACL configuration in a routed environment (example)

  1. Suppose that you want to implement these policies on a switch configured for IPv6 routing and membership in VLANs 15, 14, and 13:
    Policy A:
    1. Permit IPv6 Telnet traffic from 2001:db8:0:1af::144 to 2001:db8:0:1ae::178.

    2. Deny all other IPv6 traffic from network 2001:db8:0:1af::/64 (VLAN 15) to 2001:db8:0:1ae::/64 (VLAN 14).

    3. Permit all other IPv6 traffic from 2001:db8:0:1af::/64 (VLAN 15) to any destination. (See “A” in the following figure.)

    Policy B:
    1. Permit FTP traffic from IPv6 address 2001:db8:0:1ae::100 (on VLAN 14) to 2001:db8:0:1ad::55 (on VLAN 13).

    2. Deny FTP traffic from other hosts on network 2001:db8:0:1ae::/64 to any destination.

    3. Permit all other IPv6 traffic.


    The TCP port number assigned for FTP traffic is “21”.

    [Figure: Example of an IPv6 ACL application]
  2. To implement the policies described above, configure the ACLs on the switch as shown below. Each list is applied inbound on the VLAN where the filtered traffic enters the switch (VLAN 15 for Policy A, VLAN 14 for Policy B). Entries are evaluated top-down and the first match wins, so the specific permit must precede the broader deny, and any traffic matching no entry is dropped by the implicit deny at the end of the list.

    Switch A shown in the figure:

    Switch(config)# ipv6 access-list List-01
    Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1af::144 host 2001:db8:0:1ae::178 eq telnet
    Switch(config-ipv6-acl)# deny ipv6 2001:db8:0:1af::/64 2001:db8:0:1ae::/64
    Switch(config-ipv6-acl)# permit ipv6 2001:db8:0:1af::/64 any
    Switch(config-ipv6-acl)# exit
    Switch(config)# vlan 15 ipv6 access-group List-01 in

    Switch B shown in the figure (the deny entry is limited to FTP, TCP port 21, as Policy B requires, so other TCP traffic from the VLAN 14 network falls through to the final permit):

    Switch(config)# ipv6 access-list List-02
    Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1ae::100 host 2001:db8:0:1ad::55 eq 21
    Switch(config-ipv6-acl)# deny tcp 2001:db8:0:1ae::/64 any eq 21
    Switch(config-ipv6-acl)# permit ipv6 any any
    Switch(config-ipv6-acl)# exit
    Switch(config)# vlan 14 ipv6 access-group List-02 in
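The following Python program is an added illustration, not vendor code and not part of the original example. It models how a switch walks an ACL top-down and applies the first matching entry, with the implicit deny at the end of every list, and evaluates List-01 and List-02 against constructed sample flows so that each step of Policy A and Policy B can be checked before the lists are applied. It also shows that Policy A breaks if the deny entry is listed ahead of the Telnet permit. The Policy B deny is modelled as FTP-only (destination TCP port 21), as the policy statement requires; the Ace class, the net() and evaluate() helpers and the sample host addresses ending in ::9 and ::7 are this example's own assumptions.

```python
"""First-match evaluation of the two IPv6 ACLs from the example (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TELNET = 23
FTP = 21


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, optional dst port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" (any protocol) or "tcp"
    src: ipaddress.IPv6Network   # "host X" entries are stored as X/128
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None  # destination TCP port ("eq N"); None means any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ipv6" and self.proto != proto:
            return False
        if ipaddress.IPv6Address(src) not in self.src:
            return False
        if ipaddress.IPv6Address(dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def net(spec: str) -> ipaddress.IPv6Network:
    """'host X' becomes X/128, 'any' becomes ::/0, otherwise parse the prefix."""
    if spec == "any":
        return ipaddress.IPv6Network("::/0")
    if spec.startswith("host "):
        return ipaddress.IPv6Network(spec[5:] + "/128")
    return ipaddress.IPv6Network(spec)


def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the action of the first matching ACE; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


# The two lists from the example, entry for entry.
LIST_01 = [
    Ace("permit", "tcp", net("host 2001:db8:0:1af::144"), net("host 2001:db8:0:1ae::178"), TELNET),
    Ace("deny", "ipv6", net("2001:db8:0:1af::/64"), net("2001:db8:0:1ae::/64")),
    Ace("permit", "ipv6", net("2001:db8:0:1af::/64"), net("any")),
]
LIST_02 = [
    Ace("permit", "tcp", net("host 2001:db8:0:1ae::100"), net("host 2001:db8:0:1ad::55"), FTP),
    Ace("deny", "tcp", net("2001:db8:0:1ae::/64"), net("any"), FTP),
    Ace("permit", "ipv6", net("any"), net("any")),
]


def check_policies() -> dict:
    """Evaluate constructed sample flows; each key names the policy step it exercises."""
    misordered = [LIST_01[1], LIST_01[0], LIST_01[2]]  # deny listed before the Telnet permit
    return {
        "A1_telnet_permitted": evaluate(LIST_01, "tcp", "2001:db8:0:1af::144", "2001:db8:0:1ae::178", TELNET),
        "A2_other_to_vlan14_denied": evaluate(LIST_01, "tcp", "2001:db8:0:1af::144", "2001:db8:0:1ae::178", 80),
        "A3_other_dest_permitted": evaluate(LIST_01, "tcp", "2001:db8:0:1af::9", "2001:db8:0:1ad::55", 80),
        "A_implicit_deny_other_src": evaluate(LIST_01, "ipv6", "2001:db8:0:1ad::1", "2001:db8:0:1ae::178"),
        "A1_if_deny_listed_first": evaluate(misordered, "tcp", "2001:db8:0:1af::144", "2001:db8:0:1ae::178", TELNET),
        "B1_ftp_from_100_permitted": evaluate(LIST_02, "tcp", "2001:db8:0:1ae::100", "2001:db8:0:1ad::55", FTP),
        "B2_ftp_other_host_denied": evaluate(LIST_02, "tcp", "2001:db8:0:1ae::7", "2001:db8:0:1ad::55", FTP),
        "B3_non_ftp_permitted": evaluate(LIST_02, "tcp", "2001:db8:0:1ae::7", "2001:db8:0:1ad::55", 443),
    }


if __name__ == "__main__":
    for name, verdict in check_policies().items():
        print(f"{name}: {verdict}")
```

Running the script prints one verdict per sample flow; the "A1_if_deny_listed_first" line shows the Telnet session being dropped when the entry order is reversed, which is the ordering mistake the procedure above guards against.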