Creating an extended IPv6 ACL

  1. Enter configure terminal to access global configuration mode.
    device# configure terminal
    
  2. Enter the ipv6 access-list extended command to create the access list.
    device(config)# ipv6 access-list extended ipv6_acl_1
    
  3. Enter rules, specifying the needed parameters.
    device(conf-ip6acl-ext)# seq 10 deny ipv6 2001:2002:1234:1::/64 2001:1001:1234:1::/64 count
    
  4. Apply the ACL to the appropriate interface, specifying the in direction.
    device(conf-ip6acl-ext)# exit
    device(config)# interface ethernet 0/22
    device(conf-if-eth-0/22)# ipv6 access-group ipv6_acl_1 in
    

Example

The following example shows how to create an extended IPv6 ACL, define rules for it (including a rule that filters by DSCP ID), and apply the ACL to an interface.
device# configure terminal
device(config)# ipv6 access-list extended ipv6_acl_1
device(conf-ip6acl-ext)# seq 10 deny ipv6 any any dscp 3
device(conf-ip6acl-ext)# seq 20 deny ipv6 2001:2002:1234:1::/64 2001:1001:1234:1::/64 count
device(conf-ip6acl-ext)# exit
device(config)# interface ethernet 0/22
device(conf-if-eth-0/22)# ipv6 access-group ipv6_acl_1 in

Example

The following example creates an IPv6 extended ACL, defines rules in the ACL, and applies it as a receive-path ACL.

device(config)# ipv6 access-list extended ipv6-receive-acl-example
device(conf-ip6acl-ext)# hard-drop tcp host 10::1 any count
device(conf-ip6acl-ext)# hard-drop udp any host 20::1 count
device(conf-ip6acl-ext)# permit tcp host 10::2 any eq telnet count
device(conf-ip6acl-ext)# permit tcp host 10::2 any eq bgp count
device(conf-ip6acl-ext)# hard-drop tcp host 10::3 host ff02::1 count
device(conf-ipacl-ext)# exit
device(config)# ipv6 receive access-group ipv6-receive-acl-example
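
In the procedure above, the name given to ipv6 access-list extended and the name given to ipv6 access-group must match, or the rules you wrote are not the ones bound to the interface. The following Python check is an added example, not part of the vendor documentation. It audits a saved CLI transcript for that mismatch, and the audit function and sample transcript are constructed for illustration.

```python
import re

# Patterns for the commands shown on this page; the prompt prefix is optional.
PROMPT = re.compile(r"^\s*\S+#\s*")
DEFINE = re.compile(r"ipv6 access-list extended (\S+)")
APPLY = re.compile(r"ipv6 (?:receive )?access-group (\S+)")
RULE = re.compile(r"(?:seq \d+ )?(?:permit|deny|hard-drop)\b")

def audit(transcript):
    """Return (undefined_refs, empty_acls, unapplied_acls) for a CLI transcript."""
    rules = {}      # ACL name -> number of rules entered under it
    applied = []    # ACL names referenced by access-group commands
    current = None  # ACL whose configuration mode we are currently in
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line:
            continue
        m = DEFINE.match(line)
        if m:
            current = m.group(1)
            rules.setdefault(current, 0)
        elif current and RULE.match(line):
            rules[current] += 1
        elif line == "exit":
            current = None
        else:
            m = APPLY.match(line)
            if m:
                applied.append(m.group(1))
    undefined = sorted(set(applied) - set(rules))    # applied, never defined
    empty = sorted(n for n, c in rules.items() if c == 0)
    unapplied = sorted(set(rules) - set(applied))    # defined, never applied
    return undefined, empty, unapplied

# Constructed transcript: ACL created as ip_acl_1 but applied as ipv6_acl_1.
SAMPLE = """\
device# configure terminal
device(config)# ipv6 access-list extended ip_acl_1
device(conf-ip6acl-ext)# seq 10 deny ipv6 any any dscp 3
device(conf-ip6acl-ext)# exit
device(config)# interface ethernet 0/22
device(conf-if-eth-0/22)# ipv6 access-group ipv6_acl_1 in
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
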