Command Reference, Cisco IOS XE Everest 16.5.1a (Catalyst 3650 Switches) - Cisco Catalyst 3650 series Command Reference Manual


ipv6 access-list
Note: IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an
IPv6 ACL cannot share the same name.
IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that
are translated from global configuration mode to IPv6 access list configuration mode.
Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any
any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor
discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take
effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default,
IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4,
the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes
use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to
be sent and received on an interface.
Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an
IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name
argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the
device.
An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded,
not originated, by the device.
Examples
The following example configures the IPv6 ACL named list1 and places the device in IPv6 access list configuration
mode.
Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)#
The following example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on
Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network FEC0:0:0:2::/64
(packets that have the site-local prefix FEC0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting
out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface
0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.
Device(config)# ipv6 access-list list2 deny FEC0:0:0:2::/64 any
Device(config)# ipv6 access-list list2 permit any any
Device(config)# interface ethernet 0
Device(config-if)# ipv6 traffic-filter list2 out
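The matching order described above, as an added example that is not part of the Cisco manual: a small Python model of first-match evaluation with the three implicit entries appended last, run against list2 and two hypothetical ACLs. The Entry and evaluate names, the sample packets, the 2001:db8:1::/64 prefix and the treatment of an ACL with no entries as filtering nothing (this model's reading of the "at least one entry" rule) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ND_NS, ND_NA = 135, 136  # ICMPv6 types: neighbor solicitation / advertisement

@dataclass(frozen=True)
class Entry:  # hypothetical model of one ACL entry, not a Cisco data structure
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches any protocol; else e.g. "icmp", "tcp"
    src: str                         # IPv6 prefix, or "any"
    dst: str
    icmp_type: Optional[int] = None  # set only for nd-ns / nd-na style entries

# The implicit entries the page lists as every IPv6 ACL's last match conditions.
IMPLICIT = [
    Entry("permit", "icmp", "any", "any", ND_NA),
    Entry("permit", "icmp", "any", "any", ND_NS),
    Entry("deny", "ipv6", "any", "any"),
]

def _in(addr, prefix):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def _matches(e, proto, src, dst, icmp_type):
    if e.proto != "ipv6" and e.proto != proto:
        return False
    if e.icmp_type is not None and e.icmp_type != icmp_type:
        return False
    return _in(src, e.src) and _in(dst, e.dst)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """First match wins. Assumption: an ACL with no entries filters nothing."""
    if not acl:
        return "permit"
    for e in list(acl) + IMPLICIT:
        if _matches(e, proto, src, dst, icmp_type):
            return e.action
    raise AssertionError("unreachable: the implicit deny matches every packet")

# list2 from the page's example.
LIST2 = [Entry("deny", "ipv6", "FEC0:0:0:2::/64", "any"),
         Entry("permit", "ipv6", "any", "any")]
# Hypothetical ACL ending in an explicit deny: it matches before the implicit ND permits.
EXPLICIT_DENY = [Entry("permit", "tcp", "2001:db8:1::/64", "any"),
                 Entry("deny", "ipv6", "any", "any")]
# Same ACL with the ND permits written out ahead of the explicit deny.
ND_SAFE = EXPLICIT_DENY[:1] + IMPLICIT
```

In this model a neighbor solicitation is denied by EXPLICIT_DENY and permitted by ND_SAFE, which is why an ACL that ends in an explicit deny ipv6 any any needs the two nd permits written out before it.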
