ipv6 access-group

Use this command to apply access restrictions to inbound or outbound frames on an interface when operating in router mode.


ipv6 access-group name {in | out} [all-traffic | routed-traffic]
no ipv6 access-group name {in | out} [all-traffic | routed-traffic]


name              Specifies the name of the IPv6 access list to be applied to the interface.
in                Filters inbound frames.
out               Filters outbound frames.
all-traffic       (Optional) Specifies that the assigned ACL is applied to all traffic on the interface, not just the routed traffic.
routed-traffic    (Optional) Specifies that the assigned ACL is applied only to the routed traffic on the interface. (Default)




Interface configuration.


Access lists must be applied per routing interface. An entry (rule) can be applied to either inbound or outbound frames. An access list can be applied before it is created; an applied access list that has not yet been created has no effect.

By default, an IPv6 ACL is only applied to routed traffic. To apply the IPv6 ACL to all traffic, use the all-traffic option.

The no ipv6 access-group command removes the specified access list from this interface.


This example shows how to apply the standard access list acl10 for all inbound frames on VLAN 50. Based upon the definition of access list acl10, only frames with source fe80:0:0:0:21f:45ff:fe3d:21aa/64 are routed. All the frames with other sources received on VLAN 50 are dropped:

System(su-config)->ipv6 access-list standard acl10
System(su-cfg-ipv6-std-acl)->permit fe80:0:0:0:21f:45ff:fe3d:21aa/64 log
System(su-config)->interface vlan 50
System(su-config-intf-vlan.0.50)->ipv6 access-group acl10 in
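
The following Python model is an added illustration, not vendor code or device output. It evaluates the acl10 rule above against constructed source addresses to show what the /64 prefix length actually matches and how the routed-traffic and all-traffic options change which frames are filtered. It assumes standard prefix matching (only the first 64 bits are compared) and a deny for any source that matches no rule, as the example text describes; the function names and the "not-filtered" label are hypothetical.

```python
import ipaddress

# Rule taken from the page's example; everything else here is constructed.
ACL10 = [("permit", "fe80:0:0:0:21f:45ff:fe3d:21aa/64")]


def acl_verdict(rules, src):
    """First matching rule wins; no match means deny (assumed implicit deny)."""
    addr = ipaddress.IPv6Address(src)
    for action, prefix in rules:
        # strict=False masks the host bits in the rule, so a /64 entry
        # matches every source in that /64, not only the address written.
        if addr in ipaddress.IPv6Network(prefix, strict=False):
            return action
    return "deny"


def frame_verdict(rules, src, routed, scope="routed-traffic"):
    """scope mirrors the command keyword; routed-traffic is the default."""
    if scope not in ("routed-traffic", "all-traffic"):
        raise ValueError(f"unknown scope: {scope}")
    if scope == "routed-traffic" and not routed:
        return "not-filtered"  # non-routed frame is never checked against the ACL
    return acl_verdict(rules, src)


# Constructed sample frames: (source address, is the frame routed?)
SAMPLES = [
    ("fe80::21f:45ff:fe3d:21aa", True),   # the address written in the rule
    ("fe80::1", True),                    # different host, same /64
    ("fe80:0:0:1::1", True),              # different /64
    ("2001:db8::1", False),               # non-routed frame, other source
]

if __name__ == "__main__":
    for scope in ("routed-traffic", "all-traffic"):
        for src, routed in SAMPLES:
            print(f"{scope:15} {src:28} routed={routed!s:5} ->",
                  frame_verdict(ACL10, src, routed, scope))
```

To restrict the rule to a single host under these assumptions, the entry would need a /128 prefix length rather than /64.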