Cisco Catalyst 3750 Metro Command Reference Manual page 229

Chapter 2
Catalyst 3750 Metro Switch Cisco IOS Commands
The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6
ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4,
the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses
a separate data-link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be
sent and received on an interface.
Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply
an IPv6 ACL to an IPv6 interface. You can apply inbound and outbound IPv6 ACLs to Layer 3 physical
interfaces or to switch virtual interfaces for routed ACLs, but only inbound IPv6 ACLs to Layer 2
interfaces for port ACLs.
Note: An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded
by the switch and does not filter traffic generated by the switch.
Examples
This example puts the switch in IPv6 access list configuration mode, configures the IPv6 ACL named
list2, and applies the ACL to outbound traffic on an interface. The first ACL entry prevents all packets
from the network FE80:0:0:2::/64 (packets that have the link-local prefix FE80:0:0:2 as the first 64 bits
of their source IPv6 address) from leaving the interface. The second entry in the ACL permits all other
traffic to leave the interface. The second entry is necessary because an implicit deny-all condition is at
the end of each IPv6 ACL.
Switch(config)# ipv6 access-list list2
Switch(config-ipv6-acl)# deny FE80:0:0:2::/64 any
Switch(config-ipv6-acl)# permit any any
Switch(config-ipv6-acl)# exit
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter list2 out
Note: IPv6 ACLs that rely on the implicit deny condition or specify a deny any any statement to filter traffic
should contain permit statements for link-local addresses to avoid the filtering of protocol packets.
Additionally IPv6 ACLs that use deny statements to filter traffic should also use a permit any any
statement as the last statement in the list.
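The two recommendations in the note above can be checked mechanically before an ACL is applied to an interface. The following Python linter is an added example, not part of the Cisco command reference; the function names, the constructed sample lines and the handling of an optional leading protocol keyword are assumptions, and only `any` and prefix sources are evaluated.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
# Matches an ACL entry with or without a leading "Switch(config-ipv6-acl)#" prompt.
ENTRY = re.compile(r"^(?:\S+#\s*)?(permit|deny)\s+(.+)$", re.IGNORECASE)

def parse_acl(lines):
    """Return [(action, source, destination)] for each permit/deny line."""
    entries = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # prompt lines for other commands, blanks, etc.
        tokens = m.group(2).lower().split()
        # Assumption: a leading word that is neither "any" nor an address
        # is a protocol keyword (ipv6, icmp, tcp ...) and is skipped.
        if tokens and tokens[0] != "any" and ":" not in tokens[0]:
            tokens = tokens[1:]
        if len(tokens) >= 2:
            entries.append((m.group(1).lower(), tokens[0], tokens[1]))
    return entries

def is_link_local(source):
    """True if source is a prefix inside FE80::/10."""
    try:
        return ipaddress.ip_network(source, strict=False).subnet_of(LINK_LOCAL)
    except ValueError:  # "any" or an unsupported form
        return False

def lint_acl(lines):
    """Check an IPv6 ACL against the two recommendations in the note."""
    acl = parse_acl(lines)
    findings = []
    ends_permit_all = bool(acl) and acl[-1] == ("permit", "any", "any")
    deny_all = ("deny", "any", "any") in acl
    selective_deny = any(a == "deny" and (s, d) != ("any", "any") for a, s, d in acl)
    # Selective denies with no trailing permit: the implicit deny drops the rest.
    if selective_deny and not ends_permit_all and not deny_all:
        findings.append("deny entries without a final 'permit any any'")
    # An implicit or explicit deny-all also catches link-local protocol packets.
    relies_on_deny_all = deny_all or not ends_permit_all
    if relies_on_deny_all and not any(a == "permit" and is_link_local(s) for a, s, _ in acl):
        findings.append("no permit for link-local (FE80::/10) sources")
    return findings

# The ACL from the example on this page, followed by a constructed allowlist.
PAGE_ACL = ["Switch(config-ipv6-acl)# deny FE80:0:0:2::/64 any",
            "Switch(config-ipv6-acl)# permit any any"]
ALLOWLIST = ["permit 2001:DB8:1::/48 any", "deny any any"]  # constructed sample
```

`lint_acl(PAGE_ACL)` returns no findings, while `lint_acl(ALLOWLIST)` reports the missing link-local permit.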
Related Commands
Command                                  Description
deny (IPv6 access-list configuration)    Sets deny conditions for an IPv6 access list.
ipv6 traffic-filter                      Filters incoming or outgoing IPv6 traffic on an interface.
permit (IPv6 access-list configuration)  Sets permit conditions for an IPv6 access list.
show ipv6 access-list                    Displays the contents of all current IPv6 access lists.
Catalyst 3750 Metro Switch Command Reference, OL-9645-10
ipv6 access-list, 2-201
