Filtering IPv6

Problem

You want to filter IPv6 traffic using access-lists.

Solution

Cisco supports named access-lists for IPv6:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ipv6 access-list EXAMPLES
Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any
Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any
Router1(config-ipv6-acl)#permit tcp any any eq telnet established
Router1(config-ipv6-acl)#deny tcp any any eq telnet syn
Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp
Router1(config-ipv6-acl)#remark this is a comment
Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number
Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT
Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log
Router1(config-ipv6-acl)#deny ipv6 any any log-input
Router1(config-ipv6-acl)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ipv6 traffic-filter EXAMPLES in
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

The ACL shown in this example isn’t particularly useful, but it does show many of the features available with IPv6 access-lists. There are only named IPv6 access-lists, as numbered lists do not exist. However, as we previously saw in Recipes 19.11 and 19.15, this is not a drawback. Anything you can do with numbered access-lists, you can do with named access-lists, and several features such as reflexive access-lists and the ability to edit individual lines ...

Get Cisco IOS Cookbook, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.