IPv6 ACL Configuration
#configure terminal | Enter configure mode. |
(config)#ipv6 access-list ipv6-acl-01 | Create an IPv6 access list named ipv6-acl-01. |
(config-ipv6-acl)#11 deny ipipv6 any any flow-label 100 | Create access rule sequence number 11 to deny IPv4 packets encapsulated in IPv6, from any source address to any destination address, with flow label 100. |
(config-ipv6-acl)#default permit-all | Update the default rule to permit all. |
(config-ipv6-acl)#exit | Exit access list mode. |
(config)#interface xe10 | Enter interface mode. |
(config-if)#no switchport | Configure the interface as Layer 3. |
(config-if)#ipv6 address 1:1::1:3/64 | Assign an IPv6 address. |
(config-if)#ipv6 access-group ipv6-acl-01 in | Apply access group ipv6-acl-01 for inbound traffic to the interface. |
(config-if)#end | Exit interface and configure mode. |
Validation
Use the commands below to verify the match count. When inbound IPv6 packets carrying encapsulated IPv4 packets with flow label 100 reach interface xe10, the match count for access rule 11 increases by the number of packets sent.
#show ipv6 access-lists ipv6-acl-01
IPv6 access-list ipv6-acl-01
11 deny ipipv6 any any flow-label 100 [match=1000]
default permit all
For all other IPv6 packets, access rule 100 is invoked and the match count increases by the number of packets sent.
#show ipv6 access-lists ipv6-acl-01
IPv6 access-list ipv6-acl-01
11 deny ipipv6 any any flow-label 100
default permit-all [match=2000]
Note: Use the command clear ipv6 access-list counters to clear statistics of all IPv6 ACLs configured or clear ipv6 access-list <ipv6 access-list name> counters to clear statistics of the particular IPv6 ACL.
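The following is an added example, not part of the vendor documentation: a Python model of how rule 11 and the default rule classify packets, showing where the 20-bit flow label and the Next Header value sit in the IPv6 fixed header. It assumes that ipipv6 corresponds to Next Header 4 (IPv4 encapsulation) and that only the fixed header is inspected; the source address 1:1::1:4 and all function names are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA number for IPv4 encapsulation; assumed to be what "ipipv6" matches

def build_ipv6_header(src, dst, next_header, flow_label, traffic_class=0):
    """Build a 40-byte IPv6 fixed header (constructed test input, no payload)."""
    if not 0 <= flow_label < 1 << 20:
        raise ValueError("flow label is a 20-bit field")
    # First 32 bits: version (4) | traffic class (8) | flow label (20)
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", word0, 0, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def parse_ipv6_header(raw):
    """Return (next_header, flow_label) from the fixed header only."""
    if len(raw) < 40:
        raise ValueError("truncated IPv6 header")
    word0, _length, next_header, _hop_limit = struct.unpack("!IHBB", raw[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return next_header, word0 & 0xFFFFF

# Model of ipv6-acl-01: (sequence, action, next header, flow label)
RULES = [(11, "deny", IPPROTO_IPIP, 100)]

def evaluate(raw, counters):
    """Apply rules in sequence order; fall through to 'default permit-all'."""
    next_header, flow_label = parse_ipv6_header(raw)
    for seq, action, proto, label in RULES:
        if next_header == proto and flow_label == label:
            counters[seq] = counters.get(seq, 0) + 1
            return action
    counters["default"] = counters.get("default", 0) + 1
    return "permit"

def run_demo():
    """Classify three constructed headers and return (actions, match counters)."""
    counters = {}
    tunnelled = build_ipv6_header("1:1::1:4", "1:1::1:3", IPPROTO_IPIP, 100)
    other_label = build_ipv6_header("1:1::1:4", "1:1::1:3", IPPROTO_IPIP, 101)
    icmpv6 = build_ipv6_header("1:1::1:4", "1:1::1:3", 58, 100)
    results = [evaluate(p, counters) for p in (tunnelled, other_label, icmpv6)]
    return results, counters

if __name__ == "__main__":
    print(run_demo())
```

Only the first header hits rule 11; the same tunnel traffic with a different flow label, or other traffic reusing label 100, falls through to the default permit-all counter.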
Last modified date: 08/28/2023