IPv6 ACL configuration (example)
- Permit full IPv6 access for the management station.
- For traffic from the workgroup at 2001:db8::1:20:0/121:
  - Deny Telnet access to server “1” (2001:db8::1:10:3).
  - Deny the workgroup any IPv6 access to server “2” (2001:db8::1:10:4).
- For traffic from the workgroup at 2001:db8::1:30:0/121:
  - Deny Telnet access to server “2” (2001:db8::1:10:4).
  - Deny the workgroup any IPv6 access to server “1” (2001:db8::1:10:3).
- Deny inbound or outbound ICMP multicast-router-solicitations from all switches on the VLAN.
- Permit all other IPv6 traffic. (Supersedes the implicit deny ipv6 any any at the end of the ACL, which would deny any IPv6 traffic not filtered by the configured ACEs in the ACL.)
Continuing the example, you would use the following commands to configure the ACL:
Switch(config)# ipv6 access-list Test-01
Switch(config-ipv6-acl)# permit ipv6 host 2001:db8::1:10:10 any
Switch(config-ipv6-acl)# deny tcp 2001:db8::1:20:0/121 host 2001:db8::1:10:3 eq telnet log
Switch(config-ipv6-acl)# deny ipv6 2001:db8::1:20:0/121 host 2001:db8::1:10:4 log
Switch(config-ipv6-acl)# deny tcp 2001:db8::1:30:0/121 host 2001:db8::1:10:4 eq telnet log
Switch(config-ipv6-acl)# deny ipv6 2001:db8::1:30:0/121 host 2001:db8::1:10:3
Switch(config-ipv6-acl)# deny icmp any any router-solicitation
Switch(config-ipv6-acl)# permit ipv6 any any
Switch(config-ipv6-acl)# exit
The configuration of the example in the switch appears as follows:
Switch(config)# show access-list config
ipv6 access-list "Test-01"
   10 permit ipv6 2001:db8::1:10:10/128 ::/0
   20 deny tcp 2001:db8::1:20:0/121 2001:db8::1:10:3/128 eq 23 log
   30 deny ipv6 2001:db8::1:20:0/121 2001:db8::1:10:4/128 log
   40 deny tcp 2001:db8::1:30:0/121 2001:db8::1:10:4/128 eq 23 log
   50 deny ipv6 2001:db8::1:30:0/121 2001:db8::1:10:3/128
   60 deny icmp ::/0 ::/0 133
   70 permit ipv6 ::/0 ::/0
   exit
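
The numbered ACEs in the listing above can be checked offline against sample packets before the ACL is applied. The following is an added example, not vendor code: parse_acl and evaluate are hypothetical helper names, the model assumes ACEs are evaluated in sequence order with the first match deciding, and the test packets are constructed.

```python
import ipaddress

# ACE lines copied from the "show access-list config" listing for Test-01.
ACL_TEXT = """\
10 permit ipv6 2001:db8::1:10:10/128 ::/0
20 deny tcp 2001:db8::1:20:0/121 2001:db8::1:10:3/128 eq 23 log
30 deny ipv6 2001:db8::1:20:0/121 2001:db8::1:10:4/128 log
40 deny tcp 2001:db8::1:30:0/121 2001:db8::1:10:4/128 eq 23 log
50 deny ipv6 2001:db8::1:30:0/121 2001:db8::1:10:3/128
60 deny icmp ::/0 ::/0 133
70 permit ipv6 ::/0 ::/0
"""

def parse_acl(text):
    """Parse 'seq action proto src dst [eq port | icmp-type] [log]' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        log = tok[-1] == "log"
        rest = tok[5:-1] if log else tok[5:]
        aces.append({
            "seq": int(tok[0]), "action": tok[1], "proto": tok[2],
            "src": ipaddress.ip_network(tok[3]),
            "dst": ipaddress.ip_network(tok[4]),
            # TCP destination port or ICMPv6 type; None matches anything.
            "qual": int(rest[-1]) if rest else None,
            "log": log,
        })
    return aces

def evaluate(aces, proto, src, dst, qual=None):
    """Return (seq, action) of the first matching ACE.
    (None, 'deny') stands for the implicit deny at the end of the ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ipv6", proto):   # 'ipv6' matches any protocol
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["qual"] is not None and ace["qual"] != qual:
            continue
        return ace["seq"], ace["action"]
    return None, "deny"

ACES = parse_acl(ACL_TEXT)
```

Two results worth checking in this model: a source of 2001:db8::1:20:80 lies just outside the /121 workgroup range and falls through to ACE 70, and router solicitations sent by the management station match ACE 10 before they reach ACE 60.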