Dell POWEREDGE M1000E User Manual


Cisco Catalyst Blade Switch 3130 and 3032 for Dell Command Reference

OL-13271-03

Chapter 2 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Cisco IOS Commands

ipv6 access-list

The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default,
IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In
IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery
process, uses a separate data-link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP
packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply
an IPv6 ACL to an IPv6 interface. You can apply inbound and outbound IPv6 ACLs to Layer 3 physical
interfaces or switch virtual interfaces for routed ACLs, but only inbound IPv6 ACLs to Layer 2
interfaces for port ACLs.

Note

An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded
by the switch and does not filter traffic generated by the switch.

Examples

This example puts the switch in IPv6 access list configuration mode and configures the IPv6 ACL named
list2 and applies the ACL to outbound traffic on an interface. The first ACL entry prevents all packets
from the network FE80:0:0:2::/64 (packets that have the link-local prefix FE80:0:0:2 as the first 64 bits
of their source IPv6 address) from leaving the interface. The second entry in the ACL permits all other
traffic to leave the interface. The second entry is necessary because an implicit deny-all condition is at
the end of each IPv6 ACL.

Switch(config)# ipv6 access-list list2
Switch(config-ipv6-acl)# deny FE80:0:0:2::/64 any
Switch(config-ipv6-acl)# permit any any
Switch(config-ipv6-acl)# exit
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter list2 out

Note

IPv6 ACLs that rely on the implicit deny condition or specify a deny any any statement to filter traffic
should contain permit statements for link-local addresses to avoid the filtering of protocol packets.
Additionally, IPv6 ACLs that use deny statements to filter traffic should also use a permit any any
statement as the last statement in the list.
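
The following is an added example, not part of the Cisco command reference: a small Python model of first-match evaluation with the implicit deny-all, run over the list2 entries from the example above. It models only source and destination prefix matching (the switch's implicit neighbor discovery permits are not modeled), and the sample packets and the names LIST2, SAMPLES and evaluate are assumptions made for illustration.

```python
import ipaddress

# The page's list2 entries, in configured order (action, source, destination).
LIST2 = ["deny FE80:0:0:2::/64 any", "permit any any"]

def _prefix(token):
    # "any" matches every IPv6 address, i.e. ::/0.
    return ipaddress.ip_network("::/0" if token == "any" else token)

def evaluate(entries, src, dst):
    """Return (action, matching entry) for a packet, first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        action, src_tok, dst_tok = entry.split()
        if s in _prefix(src_tok) and d in _prefix(dst_tok):
            return action, entry
    # No entry matched: the implicit deny-all at the end of every IPv6 ACL.
    return "deny", "implicit deny"

# Constructed sample packets (source, destination); not from the manual.
SAMPLES = [
    ("fe80:0:0:2::1", "2001:db8::1"),  # inside FE80:0:0:2::/64
    ("fe80::1", "ff02::1"),            # link-local, but fourth group is 0, not 2
    ("2001::abcd", "2001:db8::1"),     # global source
]

if __name__ == "__main__":
    for label, acl in (("list2", LIST2), ("list2 without permit any any", LIST2[:1])):
        print(label)
        for src, dst in SAMPLES:
            action, why = evaluate(acl, src, dst)
            print(f"  {src} -> {dst}: {action} ({why})")
```

The second run shows why the final permit any any entry matters: with only the deny entry configured, every sample packet falls through to the implicit deny.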

Related Commands

Command                                    Description

deny (IPv6 access-list configuration)      Sets deny conditions for an IPv6 access list.

ipv6 traffic-filter                        Filters incoming or outgoing IPv6 traffic on an interface.

permit (IPv6 access-list configuration)    Sets permit conditions for an IPv6 access list.

show ipv6 access-list                      Displays the contents of all current IPv6 access lists.
