IPv6 ACL configuration in a routed environment
Suppose that you want to implement these policies on a switch configured for IPv6 routing and membership in VLANs 15, 14, and 13:
Policy A
- Permit IPv6 Telnet traffic from 2001:db8:0:1af::144 to 2001:db8:0:1ae::178.
- Deny all other IPv6 traffic from network 2001:db8:0:1af::/64 (VLAN 15) to 2001:db8:0:1ae::/64 (VLAN 14).
- Permit all other IPv6 traffic from 2001:db8:0:1af::/64 (VLAN 15) to any destination.
Policy B
- Permit File Transfer Protocol (FTP) traffic from IPv6 address 2001:db8:0:1ae::100 (on VLAN 14) to 2001:db8:0:1ad::55 (on VLAN 13). The TCP port number assigned to FTP traffic is 21.
- Deny FTP traffic from other hosts on network 2001:db8:0:1ae::/64 to any destination.
- Permit all other IPv6 traffic.
To implement the policies described above, configure ACLs on the switch as shown below:
Switch B shown in the figure "Example of an IPv6 ACL application"
List-02 implements Policy B and is applied inbound on VLAN 14, the VLAN on which the FTP traffic enters the switch:
Switch(config)# ipv6 access-list List-02
Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1ae::100 host 2001:db8:0:1ad::55 eq 21
Switch(config-ipv6-acl)# deny tcp 2001:db8:0:1ae::/64 any eq 21
Switch(config-ipv6-acl)# permit ipv6 any any
Switch(config-ipv6-acl)# exit
Switch(config)# vlan 14 ipv6 access-group List-02 in
Without the eq 21 qualifier, the deny ACE in List-02 would block all TCP traffic from 2001:db8:0:1ae::/64, not only FTP, which is more than Policy B asks for.
List-01 implements Policy A and is applied inbound on VLAN 15:
Switch(config)# ipv6 access-list List-01
Switch(config-ipv6-acl)# permit tcp host 2001:db8:0:1af::144 host 2001:db8:0:1ae::178 eq telnet
Switch(config-ipv6-acl)# deny ipv6 2001:db8:0:1af::/64 2001:db8:0:1ae::/64
Switch(config-ipv6-acl)# permit ipv6 2001:db8:0:1af::/64 any
Switch(config-ipv6-acl)# exit
Switch(config)# vlan 15 ipv6 access-group List-01 in
ACEs are evaluated in order and the first match decides; every IPv6 ACL ends with an implicit deny, so the final permit ACE in each list is what allows the remaining traffic through.
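The following is an added example, not part of the switch documentation: a small first-match evaluator that checks List-01 and List-02 against the policies above before the lists are applied, and compares the Policy B deny ACE with and without the port qualifier. It assumes TCP ports 23 for Telnet and 21 for FTP, an implicit deny at the end of each list, and writes "host X" as X/128.

```python
import ipaddress

# Added example (not from the switch documentation): first-match evaluation
# of the IPv6 ACEs above. Assumptions: telnet=23, ftp=21, implicit final deny.
TELNET, FTP, HTTP = 23, 21, 80   # TCP port numbers used by the checks below

def ace(action, proto, src, dst, dport=None):
    """One access-control entry; 'any' matches every address, dport=None any port."""
    return (action, proto, src, dst, dport)

def _addr_in(pattern, addr):
    return pattern == "any" or ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(pattern)

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first ACE that matches the flow, else the implicit deny."""
    for action, p, s, d, port in acl:
        if p != "ipv6" and p != proto:          # an 'ipv6' ACE matches every protocol
            continue
        if not (_addr_in(s, src) and _addr_in(d, dst)):
            continue
        if port is not None and port != dport:  # port qualifier on a tcp ACE (eq N)
            continue
        return action
    return "deny"   # every IPv6 ACL ends with an implicit deny ipv6 any any

LIST_01 = [  # Policy A, applied inbound on VLAN 15
    ace("permit", "tcp",  "2001:db8:0:1af::144/128", "2001:db8:0:1ae::178/128", TELNET),
    ace("deny",   "ipv6", "2001:db8:0:1af::/64",     "2001:db8:0:1ae::/64"),
    ace("permit", "ipv6", "2001:db8:0:1af::/64",     "any"),
]
LIST_02 = [  # Policy B, applied inbound on VLAN 14; the deny ACE carries 'eq 21'
    ace("permit", "tcp",  "2001:db8:0:1ae::100/128", "2001:db8:0:1ad::55/128", FTP),
    ace("deny",   "tcp",  "2001:db8:0:1ae::/64",     "any", FTP),
    ace("permit", "ipv6", "any",                     "any"),
]
# Same list with the deny ACE written without a port, for comparison.
LIST_02_ALL_TCP = [LIST_02[0], ace("deny", "tcp", "2001:db8:0:1ae::/64", "any"), LIST_02[2]]

def check_policy_b(acl):
    """Policy B on three constructed flows: FTP from ::100, FTP and HTTP from another host."""
    return (evaluate(acl, "tcp", "2001:db8:0:1ae::100", "2001:db8:0:1ad::55", FTP),
            evaluate(acl, "tcp", "2001:db8:0:1ae::7",   "2001:db8:0:1ad::55", FTP),
            evaluate(acl, "tcp", "2001:db8:0:1ae::7",   "2001:db8:0:1ad::55", HTTP))

if __name__ == "__main__":
    print("List-02 with eq 21:  ", check_policy_b(LIST_02))          # ('permit', 'deny', 'permit')
    print("List-02 without port:", check_policy_b(LIST_02_ALL_TCP))  # ('permit', 'deny', 'deny')
```

The third flow shows the difference: with the port qualifier the non-FTP TCP session is permitted as Policy B requires, without it the same session is dropped.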