IPv6 ACL configuration in a routed environment

Suppose that you want to implement these policies on a switch configured for IPv6 routing and membership in VLANs 15, 14, and 13:

Policy A

  1. Permit IPv6 Telnet traffic from 2001:db8:0:1af::144 to 2001:db8:0:1ae::178.
  2. Deny all other IPv6 traffic from network 2001:db8:0:1af::/64 (VLAN 15) to 2001:db8:0:1ae::/64 (VLAN 14).
  3. Permit all other IPv6 traffic from 2001:db8:0:1af::/64 (VLAN 15) to any destination.

Policy B

  • Permit File Transfer Protocol (FTP) traffic from IPv6 address 2001:db8:0:1ae::100 (on VLAN 14) to 2001:db8:0:1ad::55 (on VLAN 13). The TCP port assigned to FTP is 21. Note that port 21 carries only the FTP control connection; the separate data connection (TCP port 20 in active mode, or a server-chosen port in passive mode) is not matched by an entry for port 21.

  • Deny File Transfer Protocol traffic from other hosts on network 2001:db8:0:1ae::/64 to any destination.

  • Permit all other IPv6 traffic.

Example of an IPv6 ACL application

To implement the policies described above, configure the ACLs on the switch as shown below. Each ACL is applied inbound on the VLAN where the policy's source hosts reside: List-02 on VLAN 14 (2001:db8:0:1ae::/64) and List-01 on VLAN 15 (2001:db8:0:1af::/64). Entries are evaluated top to bottom, the first match decides, and traffic that matches no entry is dropped by the implicit deny at the end of every ACL, so the narrow permit entries must come before the broader deny entries that follow them.

Configuration of Switch B shown in Example of an IPv6 ACL application

Switch(config)# ipv6 access-list List-02
Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1ae::100 host 2001:db8:0:1ad::55 eq 21
Switch(config-ipv6-acl)# deny tcp 2001:db8:0:1ae::/64 any eq 21
Switch(config-ipv6-acl)# permit ipv6 any any
Switch(config-ipv6-acl)# exit
Switch(config)# vlan 14 ipv6 access-group List-02 in
Switch(config)# ipv6 access-list List-01
Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1af::144 host 2001:db8:0:1ae::178 eq telnet
Switch(config-ipv6-acl)# deny ipv6 2001:db8:0:1af::/64 2001:db8:0:1ae::/64
Switch(config-ipv6-acl)# permit ipv6 2001:db8:0:1af::/64 any
Switch(config-ipv6-acl)# exit
Switch(config)# vlan 15 ipv6 access-group List-01 in

The deny entry in List-02 carries eq 21 so that it denies only FTP control traffic from the other hosts on 2001:db8:0:1ae::/64; without the port qualifier it would deny all TCP traffic from that network. Because the last entry of List-01 permits only sources in 2001:db8:0:1af::/64, inbound traffic on VLAN 15 with any other source address matches no entry and reaches the implicit deny.
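To verify the entry order and the implicit deny before pushing such a configuration, the following Python script models first-match evaluation of List-01 and List-02 and checks each policy statement. It is added here as an illustration and is not HPE/Aruba switch code; the Ace and Flow types, the helper names and the sample flows are constructed for the example. It also shows two cases the policy text alone does not: swapping the first two entries of List-01 lets the deny shadow the Telnet permit, and a passive-mode FTP data connection to a high port is not matched by either port-21 entry in List-02.

```python
"""First-match evaluator for the two IPv6 ACLs configured above.

Added illustration written for this page, not HPE/Aruba switch code. It
models the switch's ACL semantics: entries are tested top to bottom, the
first match decides, and a packet matching no entry is dropped by the
implicit deny at the end of every ACL. The sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY6 = ipaddress.ip_network("::/0")


def net(spec: str) -> ipaddress.IPv6Network:
    """Parse a CLI-style address spec: 'any', 'host <addr>' or '<prefix>/<len>'."""
    if spec == "any":
        return ANY6
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/128")
    return ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ipv6" (any protocol)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ace(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Ace:
    return Ace(action, proto, net(src), net(dst), dport)


def matches(entry: Ace, flow: Flow) -> bool:
    if entry.proto != "ipv6" and entry.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in entry.src:
        return False
    if ipaddress.ip_address(flow.dst) not in entry.dst:
        return False
    return entry.dport is None or entry.dport == flow.dport


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """Return the action of the first matching entry, or 'deny' (implicit deny)."""
    for entry in acl:
        if matches(entry, flow):
            return entry.action
    return "deny"


# List-01 (Policy A), applied inbound on VLAN 15, in the order configured above.
LIST_01 = [
    ace("permit", "tcp", "host 2001:db8:0:1af::144", "host 2001:db8:0:1ae::178", 23),
    ace("deny", "ipv6", "2001:db8:0:1af::/64", "2001:db8:0:1ae::/64"),
    ace("permit", "ipv6", "2001:db8:0:1af::/64", "any"),
]

# List-02 (Policy B), applied inbound on VLAN 14.
LIST_02 = [
    ace("permit", "tcp", "host 2001:db8:0:1ae::100", "host 2001:db8:0:1ad::55", 21),
    ace("deny", "tcp", "2001:db8:0:1ae::/64", "any", 21),
    ace("permit", "ipv6", "any", "any"),
]


def check_policy_a() -> dict:
    return {
        "telnet_144_to_178": evaluate(LIST_01, Flow("tcp", "2001:db8:0:1af::144", "2001:db8:0:1ae::178", 23)),
        "ssh_144_to_178": evaluate(LIST_01, Flow("tcp", "2001:db8:0:1af::144", "2001:db8:0:1ae::178", 22)),
        "vlan15_to_vlan13": evaluate(LIST_01, Flow("tcp", "2001:db8:0:1af::10", "2001:db8:0:1ad::55", 443)),
        # A source outside 2001:db8:0:1af::/64 matches no entry: implicit deny.
        "foreign_source": evaluate(LIST_01, Flow("tcp", "2001:db8:0:1ae::5", "2001:db8:0:1ad::55", 443)),
    }


def check_policy_b() -> dict:
    return {
        "ftp_ctl_100_to_55": evaluate(LIST_02, Flow("tcp", "2001:db8:0:1ae::100", "2001:db8:0:1ad::55", 21)),
        "ftp_ctl_200_to_55": evaluate(LIST_02, Flow("tcp", "2001:db8:0:1ae::200", "2001:db8:0:1ad::55", 21)),
        # The 'eq 21' entries see only the control connection; a passive-mode
        # data connection to a high port falls through to 'permit ipv6 any any'.
        "ftp_data_200_to_55": evaluate(LIST_02, Flow("tcp", "2001:db8:0:1ae::200", "2001:db8:0:1ad::55", 50000)),
        "https_200_to_55": evaluate(LIST_02, Flow("tcp", "2001:db8:0:1ae::200", "2001:db8:0:1ad::55", 443)),
    }


def check_order_matters() -> Tuple[str, str]:
    """Swapping the first two entries of List-01 makes the deny shadow the Telnet permit."""
    telnet = Flow("tcp", "2001:db8:0:1af::144", "2001:db8:0:1ae::178", 23)
    reordered = [LIST_01[1], LIST_01[0], LIST_01[2]]
    return evaluate(LIST_01, telnet), evaluate(reordered, telnet)
```

Run check_policy_a(), check_policy_b() and check_order_matters() after editing the lists to mirror a proposed change; any flow whose result differs from the policy statement points at an entry that is misordered, too broad, or missing a port qualifier. The model deliberately has no state, which is exactly why the passive FTP data connection shows up as permitted: a stateless ACL cannot tie that connection back to the control session on port 21.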