ACL Configuration Structure

Individual ACEs in an IPv6 ACL include:
  • Optional remark statements
  • A permit/deny statement
  • Source and destination IPv6 addressing
  • Choice of IPv6 criteria
  • Optional ACL log command (for deny or permit entries)

General structure options for an IPv6 ACL

ipv6 access-list identifier
  [ seq-# ]
  [ remark remark-str ]
  permit | deny
     0-255 | esp | ah | sctp | icmp | ipv6
         SA [operator value]
         DA [operator value]
         [type [code] | icmp-msg]
         [dscp codepoint | precedence]
     tcp
         SA [operator value]
         DA [operator value]
         [dscp codepoint | precedence]
         [established]
         [ack | fin | rst | syn]
     udp
         SA [operator value]
         DA [operator value]
  [log] (Allowed only with "deny" or "permit" ACEs.)
  Implicit Deny Any Any
exit

Displayed ACL configuration

Switch# show run
.
.
.
ipv6 access-list "Sample-List-1"
   10 permit ipv6 2001:db8:0:130::55/128 2001:db8:0:130::240/128
   20 permit tcp ::/0 ::/0 eq 23
   30 remark "ALLOWS HTTP FROM SINGLE HOST."
   30 permit tcp 2001:db8:0:140::14/128 eq 80 ::/0 eq 3871
   40 remark "DENIES HTTP FROM ANY TO ANY."
   40 deny tcp ::/0 ::/0 eq 80 log
   50 deny udp 2001:db8:0:150::44/128 eq 69 2001:db8:0:120::19/128 range 3680 3690 log
   60 deny udp ::/0 2001:db8:0:150::121/128 log
   70 permit ipv6 2001:db8:0:01::/56 ::/0
   exit

Line  Action
----  ------
10    Permits all IPv6 traffic from the host at 2001:db8:0:130::55 to the host at 2001:db8:0:130::240.
20    Permits all Telnet (TCP port 23) traffic from any source to any destination.
30    Includes a remark and permits TCP traffic from source port 80 on the host at 2001:db8:0:140::14 to destination port 3871 on any destination.
40    Includes a remark and denies TCP port 80 traffic from any source to any destination, and causes a log message to be generated when a match occurs.
50    Denies UDP port 69 (TFTP) traffic sent from the host at 2001:db8:0:150::44 to the host at 2001:db8:0:120::19 with a destination port number in the range of 3680 to 3690, and causes a log message to be generated when a match occurs.
60    Denies UDP traffic from any source to the host at 2001:db8:0:150::121, and causes a log message to be generated when a match occurs.
70    Permits all IPv6 traffic with an SA prefix of 2001:db8:0:01::/56 that is not already permitted or denied by the preceding ACEs in the ACL.

NOTE:

An implicit deny IPv6 any any is automatically applied following the last line (70, in this case) and denies all IPv6 traffic not already permitted or denied by the ACEs in lines 10 through 70.
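The first-match evaluation order and the implicit deny described above are easy to get wrong when reading a long ACL by eye. The following Python script is an added example (not part of the switch documentation or the vendor's software): it parses the "Sample-List-1" text shown in the "show run" output, skips the remark lines, and evaluates constructed packets against the ACEs in sequence order, returning the matching line and whether that line logs. It implements only the subset of the syntax that appears on this page (the ipv6, tcp and udp protocols and the eq and range port operators); the packet tuples and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the ACL exactly as displayed in the page's "show run" output.
SAMPLE_ACL = """
ipv6 access-list "Sample-List-1"
   10 permit ipv6 2001:db8:0:130::55/128 2001:db8:0:130::240/128
   20 permit tcp ::/0 ::/0 eq 23
   30 remark "ALLOWS HTTP FROM SINGLE HOST."
   30 permit tcp 2001:db8:0:140::14/128 eq 80 ::/0 eq 3871
   40 remark "DENIES HTTP FROM ANY TO ANY."
   40 deny tcp ::/0 ::/0 eq 80 log
   50 deny udp 2001:db8:0:150::44/128 eq 69 2001:db8:0:120::19/128 range 3680 3690 log
   60 deny udp ::/0 2001:db8:0:150::121/128 log
   70 permit ipv6 2001:db8:0:01::/56 ::/0
   exit
"""


@dataclass
class PortMatch:
    """An optional [operator value] clause: no operator means any port."""
    op: str = "any"
    lo: int = 0
    hi: int = 65535

    def matches(self, port: int) -> bool:
        return self.lo <= port <= self.hi


@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ipv6" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv6Network
    sport: PortMatch
    dst: ipaddress.IPv6Network
    dport: PortMatch
    log: bool


def _parse_ports(tokens, i):
    """Consume an optional eq/range clause starting at tokens[i]; return (PortMatch, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return PortMatch("eq", p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return PortMatch("range", int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return PortMatch(), i


def parse_acl(text: str) -> list:
    """Parse ACE lines (those starting with a sequence number) and drop remarks."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or not tokens[0].isdigit() or tokens[1] == "remark":
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        # strict=False: the displayed prefix 2001:db8:0:01::/56 has host bits set,
        # so the network is taken as 2001:db8::/56, exactly as the switch treats it.
        src = ipaddress.ip_network(tokens[3], strict=False)
        sport, i = _parse_ports(tokens, 4)
        dst = ipaddress.ip_network(tokens[i], strict=False)
        dport, i = _parse_ports(tokens, i + 1)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport, "log" in tokens[i:]))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces, proto, src, dst, sport=0, dport=0):
    """First match wins. Returns (action, seq, log); seq None means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ipv6" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if not ace.sport.matches(sport) or not ace.dport.matches(dport):
            continue
        return ace.action, ace.seq, ace.log
    return "deny", None, False   # implicit deny ipv6 any any, never logged


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    # Constructed packets: HTTP from an unlisted host is caught by line 40 and logged;
    # HTTPS from an unlisted host falls through to the implicit deny and is not logged.
    print(evaluate(aces, "tcp", "2001:db8:1::1", "2001:db8:2::2", 40000, 80))
    print(evaluate(aces, "tcp", "2001:db8:1::1", "2001:db8:2::2", 40000, 443))
```

The last two lookups illustrate a point the table does not spell out: a packet matching no ACE is dropped silently by the implicit deny, so if a log record is wanted for every drop, an explicit "deny ipv6 ::/0 ::/0 log" has to be added as the final ACE.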