IPv6 ACLs

Configuring IPv6 ACLs

In IPv6 there are only named ACLs. The configuration is similar to that of an IPv4 extended named ACL.

Figure 1 shows the command syntax for IPv6 ACLs. The syntax is similar to the syntax used for an IPv4 extended ACL. One significant difference is the use of the IPv6 prefix-length instead of an IPv4 wildcard mask.

There are three basic steps to configure an IPv6 ACL:

Step 1. From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. Like IPv4 named ACLs, IPv6 names are alphanumeric, case sensitive, and must be unique. Unlike IPv4, there is no need for a standard or extended option.

Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped.

Step 3. Return to privileged EXEC mode with the end command.

Figure 2 demonstrates the steps to create an IPv6 ACL with a simple example based on the previous topology. The first statement names the IPv6 access list NO-R3-LAN-ACCESS. Similar to IPv4 named ACLs, capitalizing IPv6 ACL names is not required, but makes them stand out when viewing the running-config output.

The second statement denies all IPv6 packets from the 2001:DB8:CAFE:30::/64 destined for any IPv6 network. The third statement allows all other IPv6 packets.

Figure 3 shows the ACL in context with the topology.