IPv6 ACL configuration in a routed environment (example)

  1. Suppose that you want to implement these policies on a switch configured for IPv6 routing and membership in VLANs 15, 14, and 13:
    Policy A:
    1. Permit IPv6 Telnet traffic from 2001:db8:0:1af::144 to 2001:db8:0:1ae::178.

    2. Deny all other IPv6 traffic from network 2001:db8:0:1af::/64 (VLAN 15) to 2001:db8:0:1ae::/64 (VLAN 14).

    3. Permit all other IPv6 traffic from 2001:db8:0:1af::/64 (VLAN 15) to any destination. (See “A” in the following figure.)

    Policy B:
    1. Permit FTP traffic from IPv6 address 2001:db8:0:1ae::100 (on VLAN 14) to 2001:db8:0:1ad::55 (on VLAN 13).

    2. Deny FTP traffic from other hosts on network 2001:db8:0:1ae::/64 to any destination.

    3. Permit all other IPv6 traffic.


    The well-known TCP port for the FTP control connection is 21, so the FTP ACEs below match on "eq 21"; they do not match FTP data connections, which use a separate port. The Telnet ACE uses the "telnet" keyword, which the switch resolves to TCP port 23.

    Figure 12: Example of an IPv6 ACL application
  2. To implement the policies described above, configure ACLs on the switch as shown below. List-01 is applied inbound on VLAN 15, where the Policy A source network 2001:db8:0:1af::/64 resides, and List-02 inbound on VLAN 14, where the Policy B source network 2001:db8:0:1ae::/64 resides. ACEs are evaluated in order and the first match decides; any IPv6 packet that matches no ACE is dropped by the implicit deny at the end of every ACL. Because the last ACE of List-01 permits only sources in 2001:db8:0:1af::/64, traffic from any other source address arriving inbound on VLAN 15 falls through to that implicit deny.

    Switch A shown in the figure:

    Switch(config)# ipv6 access-list List-01
    Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1af::144 host 2001:db8:0:1ae::178 eq telnet
    Switch(config-ipv6-acl)# deny ipv6 2001:db8:0:1af::/64 2001:db8:0:1ae::/64
    Switch(config-ipv6-acl)# permit ipv6 2001:db8:0:1af::/64 any
    Switch(config-ipv6-acl)# exit
    Switch(config)# vlan 15 ipv6 access-group List-01 in

    Switch B shown in the figure:

    Switch(config)# ipv6 access-list List-02
    Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1ae::100 host 2001:db8:0:1ad::55 eq 21
    Switch(config-ipv6-acl)# deny tcp 2001:db8:0:1ae::/64 any eq 21
    Switch(config-ipv6-acl)# permit ipv6 any any
    Switch(config-ipv6-acl)# exit
    Switch(config)# vlan 14 ipv6 access-group List-02 in
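The first-match behaviour of the two ACLs above, as an added example in Python (not switch code and not part of the original page): a small evaluator parses ACEs in the subset of syntax this page uses, applies them in order to constructed sample flows, and falls through to the implicit deny when nothing matches. It also contrasts two forms of Policy B's second ACE: "deny tcp 2001:db8:0:1ae::/64 any" with no port qualifier, which blocks every TCP flow from that network and so violates Policy B rule 3 (permit all other traffic), and the same ACE restricted to "eq 21". The PORT_NAMES table, the parse_ace and evaluate helpers, the ACL variable names and the sample addresses 2001:db8:0:1af::9, 2001:db8:0:1ae::7 and 2001:db8:0:1ad::1 are assumptions of the example.

```python
"""First-match model of the two IPv6 ACLs above (added example, not switch code)."""
import ipaddress

# Service names the example ACEs use. Constructed lookup: the switch resolves
# many more names, but the page only uses these two.
PORT_NAMES = {"telnet": 23, "ftp": 21}


def parse_ace(line):
    """Parse one ACE in the subset of syntax this page uses:
        <permit|deny> <tcp|udp|ipv6> <src> <dst> [eq <port>]
    where <src> and <dst> are 'host <addr>', '<prefix>/<len>' or 'any'.
    Source-port qualifiers and other keywords are not modelled."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    pos = 2

    def take_addr():
        nonlocal pos
        if toks[pos] == "host":
            net = ipaddress.IPv6Network(toks[pos + 1] + "/128")
            pos += 2
        elif toks[pos] == "any":
            net = ipaddress.IPv6Network("::/0")
            pos += 1
        else:
            net = ipaddress.IPv6Network(toks[pos], strict=False)
            pos += 1
        return net

    src, dst = take_addr(), take_addr()
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        name = toks[pos + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return (action, proto, src, dst, dport)


def evaluate(acl, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for one packet. ACEs are tried in order and
    the first one whose fields all match decides; if none matches, the
    implicit deny at the end of every ACL drops the packet."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for action, aproto, snet, dnet, aport in acl:
        if aproto != "ipv6" and aproto != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


def build(lines):
    return [parse_ace(ln) for ln in lines]


# Policy A, applied inbound on VLAN 15.
LIST_01 = build([
    "permit tcp host 2001:db8:0:1af::144 host 2001:db8:0:1ae::178 eq telnet",
    "deny ipv6 2001:db8:0:1af::/64 2001:db8:0:1ae::/64",
    "permit ipv6 2001:db8:0:1af::/64 any",
])

# Policy B, applied inbound on VLAN 14: two forms of the second ACE.
LIST_02_BROAD = build([
    "permit tcp host 2001:db8:0:1ae::100 host 2001:db8:0:1ad::55 eq 21",
    "deny tcp 2001:db8:0:1ae::/64 any",        # every TCP flow, not just FTP
    "permit ipv6 any any",
])
LIST_02_FTP_ONLY = build([
    "permit tcp host 2001:db8:0:1ae::100 host 2001:db8:0:1ad::55 eq 21",
    "deny tcp 2001:db8:0:1ae::/64 any eq 21",  # FTP control port only
    "permit ipv6 any any",
])


def policy_a_checks():
    """Constructed sample flows inbound on VLAN 15, keyed by a short label."""
    return {
        "telnet_144_to_178": evaluate(LIST_01, "2001:db8:0:1af::144", "2001:db8:0:1ae::178", "tcp", 23),
        "ssh_144_to_178": evaluate(LIST_01, "2001:db8:0:1af::144", "2001:db8:0:1ae::178", "tcp", 22),
        "http_vlan15_to_vlan13": evaluate(LIST_01, "2001:db8:0:1af::9", "2001:db8:0:1ad::55", "tcp", 80),
        "foreign_source_on_vlan15": evaluate(LIST_01, "2001:db8:0:1ad::1", "2001:db8:0:1ae::178", "tcp", 80),
    }


def policy_b_checks(acl):
    """Constructed sample flows inbound on VLAN 14, evaluated against acl."""
    return {
        "ftp_100_to_55": evaluate(acl, "2001:db8:0:1ae::100", "2001:db8:0:1ad::55", "tcp", 21),
        "ftp_other_host": evaluate(acl, "2001:db8:0:1ae::7", "2001:db8:0:1ad::55", "tcp", 21),
        "http_other_host": evaluate(acl, "2001:db8:0:1ae::7", "2001:db8:0:1ad::55", "tcp", 80),
        "icmpv6_other_host": evaluate(acl, "2001:db8:0:1ae::7", "2001:db8:0:1ad::55", "icmpv6"),
    }


if __name__ == "__main__":
    print("List-01:", policy_a_checks())
    print("List-02 (no port):", policy_b_checks(LIST_02_BROAD))
    print("List-02 (eq 21):", policy_b_checks(LIST_02_FTP_ONLY))
```

Running the script shows the "foreign_source_on_vlan15" flow being dropped by the implicit deny even though no ACE names it, and "http_other_host" being denied under the port-less ACE but permitted once the deny is narrowed to port 21.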