Dell Networking 2024 Reference Manual page 503

Since ACLs have an implicit deny all at the end of the last access-group, IPv6
ACLs need an explicit permit icmp any any nd-na and permit icmp any any
nd-ns statements as match conditions. These additional conditions allow for
ICMPv6 neighbor discovery to occur.
The 'no' form of this command is not supported, since the rules within an
IPv6 ACL cannot be deleted individually. Rather, the entire IPv6 ACL must
be deleted and reentered.
For the N4000 series:
The IPv6 ACL "routing" keyword is not supported when an IPv6 address is
specified.
For ingress (in) ACLs, the IPv6 ACL "fragment" keyword matches only on
the first two IPv6 extension headers for the fragment header (next header
code 44). If the fragment header appears in the third or subsequent header,
it is not matched.
For the N2000/N3000 series, for ingress (in) ACLs:
The IPv6 ACL "fragment" keyword matches only on the first IPv6
extension header for the fragment header (next header code 44). If the
fragment header appears in the second or a subsequent header, it is not
matched.
The IPv6 ACL "routing" keyword matches only on the first IPv6 extension
header for the routing header (next header code 43). If the routing
header appears in the second or a subsequent header, it is not matched.
For all series switches, port ranges are not supported on egress (out) ACLs.
Only the eq operator is supported in an egress ACL.
Example
The following example creates rules in an IPv6 ACL named "STOP_HTTP"
to discard any HTTP traffic from the 2001:DB8::/32 network, but allow all
other traffic from that network:
console(config)#ipv6 access-list STOP_HTTP
console(Config-ipv6-acl)#deny ipv6 2001:DB8::/32 any eq http
console(Config-ipv6-acl)#permit ipv6 2001:DB8::/32 any
console(Config-ipv6-acl)#
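
The following is an added example, not part of the Dell manual or Dell software: it walks the extension-header chain of a raw IPv6 packet and reports whether the fragment header (next header code 44) lies within the match depth the usage notes above give for each series. The function names, the series labels used as dictionary keys, and the sample packets are constructed for illustration; only hop-by-hop, routing, fragment and destination-options headers are walked.

```python
import struct

# IPv6 next-header codes; 43 (routing) and 44 (fragment) are the ones the manual names.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}  # assumption: AH/ESP end the walk

# Leading extension headers an ingress ACL inspects for "fragment", per the text above.
FRAGMENT_DEPTH = {"N4000": 2, "N2000/N3000": 1}

def extension_chain(packet: bytes) -> list:
    """Return the extension-header codes of a raw IPv6 packet, in wire order."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(next_header)
        # The fragment header is always 8 bytes; the others are (Hdr Ext Len + 1) * 8.
        length = 8 if next_header == FRAGMENT else (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += length
    return chain

def fragment_position(packet: bytes):
    """1-based position of the fragment header in the chain, or None if absent."""
    chain = extension_chain(packet)
    return chain.index(FRAGMENT) + 1 if FRAGMENT in chain else None

def acl_fragment_match(packet: bytes, series: str) -> bool:
    """True if the ingress "fragment" keyword on this series would see the header."""
    pos = fragment_position(packet)
    return pos is not None and pos <= FRAGMENT_DEPTH[series]

def build_sample(chain, final=6):
    """Constructed test packet: IPv6 header, 8-byte extension headers, no payload."""
    codes = list(chain) + [final]
    body = b"".join(bytes([codes[i + 1], 0]) + bytes(6) for i in range(len(chain)))
    return struct.pack("!IHBB", 6 << 28, len(body), codes[0], 64) + bytes(32) + body

if __name__ == "__main__":
    for chain in ([FRAGMENT], [DEST_OPTS, FRAGMENT], [HOP_BY_HOP, DEST_OPTS, FRAGMENT]):
        pkt = build_sample(chain)
        seen = {s: acl_fragment_match(pkt, s) for s in FRAGMENT_DEPTH}
        print(chain, "fragment header at position", fragment_position(pkt), seen)
```

A packet for which acl_fragment_match returns False while fragment_position is not None still carries a fragment header, so running this over captured traffic shows which packets the ACL's fragment rule does not cover.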
IPv6 Access List Commands