IPv6 Extended ACLs 1

By Chris October 5, 2016 09:05

Are you comfortable matching packets with extended IPv6 ACLs? How about with TCP and UDP ports in those ACLs? Here’s a 10-minute lab exercise to practice; all you need is the time and a piece of paper or a place to type!


Configure extended IPv6 access lists to control the traffic shown in the figure, as detailed in the following rules:

  • Create one or more extended named ACLs, each with a name that begins with “ExtACL01”, which perform the following functions:
    • Permit all traffic coming from the Telnet and SSH server at address 2001:0:0:10::100, going to the 2001:0:0:30::/64 subnet, as displayed in the figure
    • Permit all ICMP traffic from all hosts in the 2001:0:0:20::/64 subnet, going to the 2001:0:0:40::/64 subnet
  • In each ACL, deny all other traffic so that the denied packet counters are counted and listed by the output of the show ipv6 access-list command
  • Apply the ACL as an inbound ACL on router R1
  • You may (and should) use different ACLs, one for each interface on which an ACL needs to be enabled
  • As seen in the initial configurations:
    • Assume all router interfaces shown in the lab are up, working and have correct IPv6 addresses assigned
    • Assume routing between all devices is configured and operational, that is, before adding the IPv6 ACLs, all existing IPv6 addresses are pingable
    • Assume that at least one device exists on each VLAN with an IP address ending in :100 with correct gateways configured
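To check a paper answer against the rules above, here is an added Python model of how an IOS IPv6 ACL evaluates a packet (top-down, first match wins, the matching entry's counter increments, and an unmatched packet hits the implicit deny). It is not part of the lab or its answer; the two ACL names, the `/128` host match for the server and the explicit `deny ipv6 any any` line are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" (any protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    hits: int = 0                # per-entry counter, as listed by show ipv6 access-list


def entry(action, proto, src, dst):
    return Entry(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def evaluate(acl, src, dst, proto):
    """Walk the ACL top-down; the first matching entry decides and is counted.
    A packet that matches no entry falls to the implicit deny, which is not counted,
    which is why the lab asks for an explicit deny-all line at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e.proto in ("ipv6", proto) and s in e.src and d in e.dst:
            e.hits += 1
            return e.action
    return "deny"


# Assumed names; one ACL per inbound interface, as the lab rules allow.
# ExtACL01_V10: inbound on the interface facing 2001:0:0:10::/64
ExtACL01_V10 = [entry("permit", "ipv6", "2001:0:0:10::100/128", "2001:0:0:30::/64"),
                entry("deny", "ipv6", "::/0", "::/0")]
# ExtACL01_V20: inbound on the interface facing 2001:0:0:20::/64
ExtACL01_V20 = [entry("permit", "icmp", "2001:0:0:20::/64", "2001:0:0:40::/64"),
                entry("deny", "ipv6", "::/0", "::/0")]


def counters(acl):
    """Return (action, protocol, hits) per entry, the way the show command lists matches."""
    return [(e.action, e.proto, e.hits) for e in acl]


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, protocol)
    for pkt in [("2001:0:0:10::100", "2001:0:0:30::100", "tcp"),
                ("2001:0:0:10::5", "2001:0:0:30::100", "tcp")]:
        print(pkt, "->", evaluate(ExtACL01_V10, *pkt))
    print(counters(ExtACL01_V10))
```

On real IOS an explicit `deny ipv6 any any` also removes the implicit neighbor-discovery permits that sit before the implicit deny, so ND traffic must be permitted explicitly if it is to keep working; the model above does not include that detail.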


Figure 1: Two Router ROAS Topology for IPv6 ACL Lab


Initial Configuration

Examples 1, 2, 3 and 4 show the beginning configuration state of R1, R2, SW1 and SW2.

Example 1: R1 Config


Example 2: R2 Config


Example 3: SW1 Config


Example 4: SW2 Config


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution, if you happen to try it with VIRL or real gear, you can verify it with the show ipv6 access-list and show ipv6 interface commands. If possible, you could also add hosts to the topology to confirm that the access lists are working as expected.


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

The VIRL topology matches this lab topology exactly. The host info does as well.


Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address User/password
Host-A 2001:0:0:10::100 cisco/cisco
Host-B 2001:0:0:20::100 cisco/cisco
Host-C 2001:0:0:30::100 cisco/cisco
Host-D 2001:0:0:40::100 cisco/cisco


Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping6 -c4 2001:0:0:10::100

Trace example: tracepath6 2001:0:0:10::1




  1. As January 15, 13:30

    Hi! I have a subsidiary question.
    What’s the difference between the “ipv6 access-class” and “ipv6 traffic-filter” commands?
    Many thanks!

    • certskills January 19, 13:20

      The first is the command you use in VTY mode to enable the ACL for all VTY traffic (Telnet, SSH). The second is the interface subcommand to enable the ACL for packets entering/exiting an interface.
