Creating an extended IPv6 ACL

An extended ACL permits or denies traffic according to one or more parameters, including source and destination address, port, protocol (TCP or UDP), DSCP value, and TCP flags. Rules are evaluated in ascending sequence order and the first matching rule decides what happens to the packet, so a specific rule must precede any broader rule that would otherwise match the same traffic.

  1. Enter configure terminal to access global configuration mode.
    device# configure terminal
    
  2. Enter the ipv6 access-list extended command to create the access list.
    device(config)# ipv6 access-list extended ipv6_acl_1
    
  3. Enter rules, specifying the needed parameters.
    device(conf-ip6acl-ext)# seq 10 deny ipv6 2001:2002:1234:1::/64 2001:1001:1234:1::/64 count
    
  4. Apply the ACL to the appropriate interface, specifying the in direction.
    device(conf-ip6acl-ext)# exit
    device(config)# interface ethernet 0/22
    device(conf-if-eth-0/22)# ipv6 access-group ipv6_acl_1 in
    

Example

The following example shows how to create an extended IPv6 ACL, define rules for it (including a rule that filters by DSCP value), and apply the ACL to an interface. Note that the name given to ipv6 access-list extended must match the name used in ipv6 access-group; an ACL applied under a name that was never defined filters nothing.
device# configure terminal
device(config)# ipv6 access-list extended ipv6_acl_1
device(conf-ip6acl-ext)# seq 10 deny ipv6 any any dscp 3
device(conf-ip6acl-ext)# seq 20 deny ipv6 2001:2002:1234:1::/64 2001:1001:1234:1::/64 count
device(conf-ip6acl-ext)# exit
device(config)# interface ethernet 0/22
device(conf-if-eth-0/22)# ipv6 access-group ipv6_acl_1 in

Example

The following example creates an IPv6 extended ACL, defines rules in the ACL, and applies it as a receive-path ACL. A receive-path ACL filters traffic addressed to the device itself rather than traffic transiting it; the example explicitly permits the management and routing protocols the device needs (Telnet and BGP from host 10::2) alongside the hard-drop rules, and the first rule that matches a packet wins.

device(config)# ipv6 access-list extended ipv6-receive-acl-example
device(conf-ip6acl-ext)# hard-drop tcp host 10::1 any count
device(conf-ip6acl-ext)# hard-drop udp any host 20::1 count
device(conf-ip6acl-ext)# permit tcp host 10::2 any eq telnet count
device(conf-ip6acl-ext)# permit tcp host 10::2 any eq bgp count
device(conf-ip6acl-ext)# hard-drop tcp host 10::3 host ff02::1 count
device(conf-ip6acl-ext)# exit
device(config)# ipv6 receive access-group ipv6-receive-acl-example
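As an added example (not the page's or the vendor's code), the following Python linter applies the two checks a practitioner wants before pushing the procedure above or either of the two examples to a device: it parses the rule grammar the page's examples use, flags a rule that an earlier rule already covers (first match wins, so the later rule can never fire), and flags an ipv6 access-group or ipv6 receive access-group line that names an ACL the configuration never defines. The sample configuration is constructed from the page's two ACLs plus two deliberate mistakes (a seq 30 permit that the seq 20 deny already covers, and a mistyped ACL name on the access-group line); the service-name table, the assumption that a rule entered without seq gets the previous number plus 10, and the exact keyword set accepted are assumptions, not vendor facts.

```python
"""Lint an SLX-style IPv6 extended ACL configuration before it is pushed.

Added example, not the page's or the vendor's code. Assumes the rule grammar
the page shows: [seq N] permit|deny|hard-drop ipv6|tcp|udp <src> <dst>
[eq PORT] [dscp N] [count], with <src>/<dst> as 'any', 'host ADDR' or
'PREFIX/LEN', and that a rule without 'seq' gets the previous number + 10.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY6 = ipaddress.ip_network("::/0")
PORT_NAMES = {"telnet": 23, "bgp": 179, "ssh": 22}  # assumed names after 'eq'

@dataclass
class Rule:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dst_port: Optional[int] = None
    dscp: Optional[int] = None

def _parse_addr(t, i):
    """Return (network, next index) for 'any', 'host ADDR' or 'PREFIX/LEN'."""
    if t[i] == "any":
        return ANY6, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/128"), i + 2
    return ipaddress.ip_network(t[i], strict=False), i + 1

def parse_rule(line: str, default_seq: int) -> Rule:
    """Parse one rule line; raise ValueError on syntax outside the assumed grammar."""
    t = line.split()
    i, seq = 0, default_seq
    if t[0] == "seq":
        seq, i = int(t[1]), 2
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny", "hard-drop") or proto not in ("ipv6", "tcp", "udp"):
        raise ValueError(f"unrecognised rule: {line}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    rule = Rule(seq, action, proto, src, dst)
    while i < len(t):
        if t[i] == "eq":  # 'eq' after the destination matches the destination port
            rule.dst_port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
        elif t[i] == "dscp":
            rule.dscp, i = int(t[i + 1]), i + 2
        elif t[i] in ("count", "log"):
            i += 1
        else:
            raise ValueError(f"unknown keyword {t[i]!r} in: {line}")
    return rule

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b already matched a, so b is dead after a."""
    return ((a.proto == "ipv6" or a.proto == b.proto)
            and (a.dst_port is None or a.dst_port == b.dst_port)
            and (a.dscp is None or a.dscp == b.dscp)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def lint_config(config: str):
    """Return (acls, findings): rules per ACL name, plus shadowed rules and
    access-group lines that name an ACL the configuration never defines."""
    acls, refs, findings, current = {}, [], [], None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ipv6", "access-list", "extended"]:
            current, acls[t[3]] = t[3], []
        elif t[:2] == ["ipv6", "access-group"]:
            refs.append(t[2])
        elif t[:3] == ["ipv6", "receive", "access-group"]:
            refs.append(t[3])
        elif t[0] in ("exit", "interface"):
            current = None
        elif current is None:
            raise ValueError(f"rule outside any access-list: {raw.strip()}")
        else:
            rules = acls[current]
            rule = parse_rule(raw.strip(), rules[-1].seq + 10 if rules else 10)
            for earlier in rules:
                if covers(earlier, rule):
                    findings.append(f"{current}: seq {rule.seq} ({rule.action}) is shadowed "
                                    f"by seq {earlier.seq} ({earlier.action})")
                    break
            rules.append(rule)
    findings += [f"access-group references undefined ACL {n!r}" for n in refs if n not in acls]
    return acls, findings

# Constructed sample: the page's two ACLs plus a dead seq 30 permit and a
# mistyped ACL name (ipv6_acl_l) on the access-group line.
SAMPLE_CONFIG = """
ipv6 access-list extended ipv6_acl_1
 seq 10 deny ipv6 any any dscp 3
 seq 20 deny ipv6 2001:2002:1234:1::/64 2001:1001:1234:1::/64 count
 seq 30 permit tcp host 2001:2002:1234:1::5 host 2001:1001:1234:1::9 eq 22
exit
interface ethernet 0/22
 ipv6 access-group ipv6_acl_l in
exit
ipv6 access-list extended ipv6-receive-acl-example
 hard-drop tcp host 10::1 any count
 hard-drop udp any host 20::1 count
 permit tcp host 10::2 any eq telnet count
 permit tcp host 10::2 any eq bgp count
 hard-drop tcp host 10::3 host ff02::1 count
exit
ipv6 receive access-group ipv6-receive-acl-example
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG)[1]:
        print(finding)
```

Run it as a script and it reports the two planted problems: the seq 30 permit is shadowed by the seq 20 deny, and the interface applies an ACL named ipv6_acl_l that was never defined. The receive ACL produces no findings because none of its rules overlaps an earlier one. The shadow check is the one that matters most from a security standpoint: a permit that a broader deny already covers silently fails to open the path, and a deny that a broader permit already covers silently fails to close it.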