ACL · Global Config

ipv6 access-list [name]

Creates or enters IPv6 access list configuration mode to define a named IPv6 access control list for filtering IPv6 traffic based on source/destination addresses, ports, and protocols.

Syntax·Global Config
ipv6 access-list [name]

When to Use This Command

  • Restricting inbound IPv6 traffic on a WAN interface to allow only specific services like HTTP and HTTPS from a remote branch.
  • Permitting OSPFv3 adjacency formation between routers while blocking all other IPv6 traffic on a point-to-point link.
  • Creating an IPv6 ACL to limit management access (SSH, SNMP) to the router from a specific IPv6 management subnet.
  • Filtering outbound IPv6 traffic from a guest VLAN to prevent access to internal corporate resources.

Command Examples

Basic IPv6 ACL to permit SSH from a specific host

ipv6 access-list PERMIT-SSH

This command enters IPv6 ACL configuration mode for the ACL named PERMIT-SSH. No output is displayed; subsequent permit/deny statements define the ACL entries.

IPv6 ACL with multiple entries and applying to interface

ipv6 access-list FILTER-ICMP
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny icmp any any
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter FILTER-ICMP in

This sequence creates an ACL named FILTER-ICMP that permits ICMP echo-request and echo-reply (ping), denies all other ICMP, then permits all other IPv6 traffic. The ACL is applied inbound on GigabitEthernet0/0 using the ipv6 traffic-filter command.

Understanding the Output

The ipv6 access-list command itself does not produce output; it enters ACL configuration mode. To view the ACL, use 'show ipv6 access-list [name]'. The output lists each ACE (Access Control Entry) with sequence numbers, permit/deny action, protocol, source/destination addresses (with prefix lengths), and optional port or ICMP type. Key fields: 'sequence' (order of evaluation), 'permit/deny' (action), 'ipv6 any any' (match all), 'eq' (equals port). Good ACLs have specific entries before general ones. Watch for implicit deny at the end; if no permit matches, traffic is dropped. Also check for 'log' keyword to see if logging is enabled.

CCNA Exam Tips

1. Remember that IPv6 ACLs use 'ipv6 traffic-filter' (not 'ip access-group') to apply to interfaces.

2. IPv6 ACLs have an implicit deny ipv6 any any at the end; always include a permit statement if you want to allow traffic not explicitly denied.

3. CCNA exam may test the order of ACEs: the first match wins, so place more specific entries before general ones.

4. Know that IPv6 ACLs can filter based on upper-layer protocols (TCP, UDP, ICMPv6) and use port numbers with 'eq', 'gt', 'lt', 'range'.

Common Mistakes

Forgetting to apply the ACL to an interface with 'ipv6 traffic-filter' — the ACL is defined but not enforced.

Using 'ip access-group' (IPv4 command) instead of 'ipv6 traffic-filter' for IPv6 ACLs.

Misordering ACEs: placing a broad permit/deny before a specific one, causing the specific rule to never be evaluated.
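
The first-match, implicit-deny and misordering behaviour described above can be checked offline before an ACL is pushed to a device. The following Python sketch is an added example, not Cisco tooling or code from the original page; it models only the protocol, source/destination and 'eq' port fields of an ACE (ICMP type keywords are rejected rather than guessed), and the ACL entries and the 2001:db8:aa::/64 management prefix are constructed sample values.

```python
import ipaddress

ANY = ipaddress.ip_network("::/0")

def parse_addr(tok):
    """Consume one address spec from tok: any | host X | X/len."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    return ipaddress.ip_network(tok.pop(0) + "/128" if t == "host" else t)

def parse_ace(line):
    """Parse a simplified ACE: action proto src dst [eq port]."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = parse_addr(tok), parse_addr(tok)
    if tok and (tok[0] != "eq" or len(tok) != 2):
        raise ValueError("unsupported in this sketch: " + " ".join(tok))
    port = int(tok[1]) if tok else None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "text": line}

def covers(a, b):
    """True if everything matching b (an ACE or a packet) also matches ACE a."""
    return (a["proto"] in ("ipv6", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["port"] in (None, b["port"]))

def evaluate(acl, proto, src, dst, port=None):
    """First match wins; no match falls through to the implicit deny."""
    pkt = {"proto": proto, "port": port,
           "src": ipaddress.ip_network(src + "/128"),
           "dst": ipaddress.ip_network(dst + "/128")}
    for ace in acl:
        if covers(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ipv6 any any"

def shadowed(acl):
    """(earlier, later) pairs where the later ACE can never be reached."""
    return [(acl[i]["text"], acl[j]["text"])
            for j in range(len(acl)) for i in range(j) if covers(acl[i], acl[j])]

# Constructed sample: SSH allowed only from a made-up management prefix.
MISORDERED = [parse_ace(l) for l in (
    "deny tcp any any eq 22",
    "permit tcp 2001:db8:aa::/64 any eq 22",
    "permit ipv6 any any")]
FIXED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]
print(shadowed(MISORDERED), shadowed(FIXED))
```

The shadow check only reports an ACE that is fully covered by a single earlier ACE; an entry hidden by the combined effect of several earlier entries is not detected.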
