Commands for applying an ACL with logging

Switch(config)# ipv6 access-list NO-TELNET
Switch(config-ipv6-acl)# remark "deny fe80::10:3 Telnet traffic."
Switch(config-ipv6-acl)# deny tcp host fe80::10:3 any eq telnet log
Switch(config-ipv6-acl)# permit ipv6 any any
Switch(config-ipv6-acl)# exit
Switch(config)# vlan 10 ipv6 access-group NO-TELNET vlan ¹
Switch(config)# logging 10.10.50.173
Switch(config)# logging facility syslog
Switch(config)# debug destination logging
Switch(config)# debug destination session
Switch(config)# debug acl
Switch(config)# write mem
Switch(config)# show debug
 Debug Logging
 Destination:
 Logging --
 10.10.50.173
 Facility = syslog
 Severity = debug
 System Module = all-pass
 Priority Desc =
 Session

 Enabled debug types:
 event
 acl log
Switch(config)# show access-list NO-TELNET config

ipv6 access-list "NO-TELNET"
   10 remark "deny fe80::10:3 TELNET TRAFFIC"
   10 deny tcp fe80::10:3/128 ::/0 eq 23 log
   20 permit ipv6 ::/0 ::/0
 exit

¹ Assigns the ACL named "NOTELNET" as a VACL to filter Telnet traffic from FE80::10:3 entering the switch on VLAN 10

ACL log application

Suppose that you want to configure the following operation:

For VLAN 10, configure an ACL with an ACL-ID of "NO-TELNET" and use the RACL in option to deny Telnet traffic entering the switch from IP address 2001:db8:0:4b1::10:3 to any routed destination. (This assignment will not filter Telnet traffic from 2001:db8:0:4b1::10:3 to destinations on VLAN 10 itself.)
Configure the switch to send an ACL log message to the current console session and to a syslog server at 2001:db8:0:4b1::20:3 on VLAN 20 if the switch detects a packet match denying a Telnet attempt from 2001:db8:0:4b1::10:3.

(This example assumes that IPv6 routing is already configured on the switch.)