Answers: IPv6 Standard ACL 1

By certskills September 9, 2016 09:10

The previous lab exercise requires you to configure a standard IPv6 ACL. The address range matching should be pretty straightforward. You also need to choose where to put the ACL, and for which direction of flow for the packets. As usual, check the requirements from the previous lab exercise and make your own answer first – it’s an exercise for you. Enjoy!


Figure 1: Two Router ROAS Topology for IPv6 Standard ACLs


Example 5: R2 Config

interface GigabitEthernet0/2.1
 ipv6 traffic-filter StdACL01 out
interface GigabitEthernet0/2.2
 ipv6 traffic-filter StdACL01 out
ipv6 access-list StdACL01
 deny ipv6 2001:0:0:10::/64 2001:0:0:30::/64
 deny ipv6 2001:0:0:10::/64 2001:0:0:40::/64
 deny ipv6 host 2001:0:0:20::100 2001:0:0:30::/64
 deny ipv6 host 2001:0:0:20::100 2001:0:0:40::/64
 permit ipv6 any any



With this lab you were tasked with configuring a standard IPv6 ACL. The requirement to create a standard IPv6 ACL versus an extended IPv6 ACL is actually pretty subtle, because the difference in commands is not as obvious as it is with IPv4 standard and extended ACLs. In short, IPv6 ACLs that match only the source and destination IPv6 address fields are standard IPv6 ACLs. If your ACL matched only on the source and destination IPv6 addresses, then you met the first requirement.

Next, before choosing whether to place a particular address range as the source or destination address, you must choose both the location and direction for the ACL. The lab requirement wording listed source addresses from the IPv6 prefixes at the top of the figure, with destination prefixes at the bottom of the figure. You could have placed the ACL on either R1 or R2 in this case, and for either direction, and still met the lab’s requirements. For the purposes of this lab, the answer shows the ACL on router R2, for the direction from the upper subnets to the lower subnets. Also, the solution enables the ACL in the outbound direction on the ROAS subinterfaces (the subinterfaces of R2’s G0/2 physical interface.)

The matching is relatively straightforward. The first requirement lists a source subnet of 2001:0:0:10::/64, and with two destination subnets. To match for this requirement, you need one statement, one for each destination subnet. The second requirement is similar, with a source host address of 2001:0:0:20::100, and with the same two destination subnets. In this case, the source address field can be matched with the host keyword before the host IPv6 address.

The ACL closes with a permit ipv6 any any command, which meets the requirement to permit all other traffic.

This lab also might have made you wonder if the ACL could have been applied to the G0/2 physical interface in this case, filtering all IPv6 traffic exiting the interface, and the answer is no. An ACL applied under physical interface G0/2 – not one of its subinterfaces – would be considered for packets routed out G0/2, but not for packets routed out its subinterfaces. So, as shown in the answer, the ipv6 traffic-filter StdACL01 out command is used as a subcommand on both subinterfaces.

IPv6 Standard ACL 1
Multilink PPP 1
By certskills September 9, 2016 09:10
Notify of

Your e-mail address will not be published.
Required fields are marked*


Newest Most Voted
Inline Feedbacks
View all comments
October 8, 2016 12:55 pm

Hi Wendell, if the ACL is applied though on R2 g0/1 interface for inbound direction, would it be wrong?


December 20, 2016 1:34 pm

Example 5 shows
interface GigabitEthernet0/2.2
ip traffic-filter StdACL01 out

should it not be
interface GigabitEthernet0/2.2
ipv6 traffic-filter StdACL01 out

December 25, 2017 8:15 am

Can we applied acl on R1 g0/1 or on R2 g0/1?

August 23, 2018 8:24 am

Dear Mr. Odom,

Unlike IPv4 standard ACL an IPv6 standard ACL has destination part in its statement. Therefore it breaks the rule for standard ACL to locate it closer to destination for the purpose to avoid filtering packets which are flowing to other destinations. As far as destination is known in the statement the matched packets can be filtered earlier. This will reduce unnecessary packets from flowing through the network and processing by the routers. So, I would apply the StdACL01 to R1’s Gi0/2.1 and Gi0/2.2 subinterfaces inbound.
What do you think?
Thank you in advance. Your labs are very interesting and useful. Much appreciated.

Best regards,