IPv6 ACL configuration (example)

Suppose that you wanted to implement the following IPv6 traffic policy on a switch connecting two workgroups on the same VLAN to dedicated servers and to a campus intranet (see the following figure):
  • Permit full IPv6 access for the management station.

  • For traffic from the workgroup at 2001:db8::1:20:0/121:
    • Deny Telnet access to server “1” (2001:db8::1:10:3).

    • Deny the workgroup any IPv6 access to server “2” (2001:db8::1:10:4).

  • For traffic from the workgroup at 2001:db8::1:30:0/121:
    • Deny Telnet access to server “2” (2001:db8::1:10:4).

    • Deny the workgroup any IPv6 access to server “1” (2001:db8::1:10:3).

  • Deny ICMPv6 router solicitations (ICMPv6 type 133) from any source to any destination on the VLAN. (Hosts send router solicitations to prompt an immediate router advertisement; with this ACE in place they must wait for the periodic unsolicited advertisement instead, so address autoconfiguration is delayed rather than prevented.)

  • Permit all other IPv6 traffic. (This explicit permit overrides the implicit deny ipv6 any any at the end of every ACL, which would otherwise drop any IPv6 traffic not matched by one of the configured ACEs.)

Figure 11: Example of controlling workgroup access to servers

Continuing the example, you would use the following commands to configure the ACL. ACEs are evaluated in the order entered and the first match wins, so the management-station permit is entered first and the catch-all permit last:

Switch(config)# ipv6 access-list Test-01
Switch(config-ipv6-acl)#
Switch(config-ipv6-acl)#permit ipv6 host 2001:db8::1:10:10 any
Switch(config-ipv6-acl)#deny tcp 2001:db8::1:20:0/121 host 2001:db8::1:10:3 eq telnet log
Switch(config-ipv6-acl)#deny ipv6 2001:db8::1:20:0/121 host 2001:db8::1:10:4 log
Switch(config-ipv6-acl)#deny tcp 2001:db8::1:30:0/121 host 2001:db8::1:10:4 eq telnet log
Switch(config-ipv6-acl)#deny ipv6 2001:db8::1:30:0/121 host 2001:db8::1:10:3
Switch(config-ipv6-acl)#deny icmp any any router-solicitation
Switch(config-ipv6-acl)#permit ipv6 any any
Switch(config-ipv6-acl)#exit

The resulting configuration on the switch appears as follows. Note that the switch stores host addresses as /128 prefixes, any as ::/0, telnet as port 23 and router-solicitation as ICMPv6 type 133, and that it assigns a sequence number to each ACE:

Switch(config)# show access-list config

ipv6 access-list "Test-01"
     10 permit ipv6 2001:db8::1:10:10/128 ::/0
     20 deny tcp 2001:db8::1:20:0/121 2001:db8::1:10:3/128 eq 23 log
     30 deny ipv6 2001:db8::1:20:0/121 2001:db8::1:10:4/128 log
     40 deny tcp 2001:db8::1:30:0/121 2001:db8::1:10:4/128 eq 23 log
     50 deny ipv6 2001:db8::1:30:0/121 2001:db8::1:10:3/128
     60 deny icmp ::/0 ::/0 133
     70 permit ipv6 ::/0 ::/0
    exit
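To check that the ACE order above actually implements the stated policy before the ACL is applied to an interface, the following Python model (an added example, not switch code or switch output) evaluates sample packets against Test-01 with first-match semantics and the implicit final deny. The Packet and Ace classes, the evaluate function and the sample addresses are constructed for this example; the ACE list itself is copied from the show access-list config output.

```python
"""Offline first-match evaluator for the Test-01 IPv6 ACL (example code, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMPV6_ROUTER_SOLICITATION = 133  # ICMPv6 type 133 = Router Solicitation (RFC 4861)
TELNET_PORT = 23                  # the switch stores "eq telnet" as "eq 23"


@dataclass(frozen=True)
class Packet:
    """Constructed test packet; only the fields the ACL can match on."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp" (ICMPv6)
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None # ICMPv6 type


@dataclass(frozen=True)
class Ace:
    """One access-control entry as the switch displays it."""
    seq: int
    action: str                          # "permit" or "deny"
    proto: str                           # "ipv6" matches every protocol
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None          # "eq <port>" qualifier, if any
    icmp_type: Optional[int] = None      # ICMPv6 type qualifier, if any
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if ipaddress.IPv6Address(p.src) not in self.src:
            return False
        if ipaddress.IPv6Address(p.dst) not in self.dst:
            return False
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def net(prefix: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(prefix, strict=False)


# Test-01 exactly as shown by "show access-list config" (seq, action, proto, src, dst, qualifiers).
TEST_01: List[Ace] = [
    Ace(10, "permit", "ipv6", net("2001:db8::1:10:10/128"), net("::/0")),
    Ace(20, "deny", "tcp", net("2001:db8::1:20:0/121"), net("2001:db8::1:10:3/128"), dport=TELNET_PORT, log=True),
    Ace(30, "deny", "ipv6", net("2001:db8::1:20:0/121"), net("2001:db8::1:10:4/128"), log=True),
    Ace(40, "deny", "tcp", net("2001:db8::1:30:0/121"), net("2001:db8::1:10:4/128"), dport=TELNET_PORT, log=True),
    Ace(50, "deny", "ipv6", net("2001:db8::1:30:0/121"), net("2001:db8::1:10:3/128")),
    Ace(60, "deny", "icmp", net("::/0"), net("::/0"), icmp_type=ICMPV6_ROUTER_SOLICITATION),
    Ace(70, "permit", "ipv6", net("::/0"), net("::/0")),
]


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, sequence number of the matching ACE).
    If no ACE matches, the implicit 'deny ipv6 any any' applies and the seq is None."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    # Constructed sample traffic: workgroup host, server addresses and link-local ND.
    samples = [
        Packet("2001:db8::1:20:5", "2001:db8::1:10:3", "tcp", dport=23),   # telnet to server 1
        Packet("2001:db8::1:20:5", "2001:db8::1:10:3", "tcp", dport=22),   # SSH to server 1
        Packet("2001:db8::1:30:80", "2001:db8::1:10:4", "tcp", dport=23),  # just outside the /121
        Packet("fe80::1", "ff02::2", "icmp", icmp_type=133),               # router solicitation
    ]
    for s in samples:
        print(s, "->", evaluate(TEST_01, s))
```

The last sample set is worth keeping: 2001:db8::1:30:80 lies one address past the /121 boundary, so a typo in the prefix length would silently change who the workgroup denies apply to, and dropping ACE 70 from the list shows the implicit deny taking over for everything the explicit ACEs do not match.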