Cisco Catalyst 3560X-24P Command Reference Manual page 321

Chapter 2 Catalyst 3750-X and 3560-X Switch Cisco IOS Commands
Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6
Note
any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor
discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any
nd-ns, there must be an explicit deny entry in the ACL. For the implicit deny ipv6 any any statement
to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default,
IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In
IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery
process, uses a separate data-link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP
packets to be sent and received on an interface.
Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply
an IPv6 ACL to an IPv6 interface. You can apply inbound and outbound IPv6 ACLs to Layer 3 physical
interfaces or switch virtual interfaces for routed ACLs, but only inbound IPv6 ACLs to Layer 2 interfaces
for port ACLs.
An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded
Note
by the switch and does not filter traffic generated by the switch.
Examples This example puts the switch in IPv6 access list configuration mode and configures the IPv6 ACL named
list2 and applies the ACL to outbound traffic on an interface. The first ACL entry prevents all packets
from the network FE80:0:0:2::/64 (packets that have the link-local prefix FE80:0:0:2 as the first 64 bits
of their source IPv6 address) from leaving the interface. The second entry in the ACL permits all other
traffic to leave the interface. The second entry is necessary because an implicit deny-all condition is at
the end of each IPv6 ACL.
Switch(config)# ipv6 access-list list2
Switch(config-ipv6-acl)# deny FE80:0:0:2::/64 any
Switch(config-ipv6-acl)# permit any any
Switch(config-ipv6-acl)# exit
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter list2 out
IPv6 ACLs that rely on the implicit deny condition or specify a deny any any statement to filter traffic
Note
should contain permit statements for link-local addresses to avoid the filtering of protocol packets.
Additionally IPv6 ACLs that use deny statements to filter traffic should also use a permit any any
statement as the last statement in the list.
OL-21522-02
Catalyst 3750-X and 3560-X Switch Command Reference
ipv6 access-list
2-289