ipv6 traffic-filter [name] [in|out]
Applies an IPv6 ACL to filter inbound or outbound traffic on an interface.
ipv6 traffic-filter [name] [in|out]When to Use This Command
- Restrict IPv6 traffic from a specific subnet entering an interface
- Allow only certain IPv6 services (e.g., HTTP, SSH) outbound on a WAN interface
- Block IPv6 ICMPv6 messages from untrusted sources
- Implement IPv6 access control for guest network segments
Command Examples
Apply IPv6 ACL inbound on GigabitEthernet0/1
ipv6 traffic-filter BLOCK_TELNET inNo output is generated upon successful application. Use 'show ipv6 interface GigabitEthernet0/1' to verify the ACL is applied.
Apply IPv6 ACL outbound on Serial0/0/0
ipv6 traffic-filter ALLOW_HTTP outNo output is generated upon successful application. Use 'show ipv6 interface Serial0/0/0' to verify the ACL is applied.
Understanding the Output
This command does not produce output when executed. To verify the ACL is applied, use 'show ipv6 interface [interface]'. The output will include a line like 'Inbound IPv6 ACL: [acl-name]' or 'Outbound IPv6 ACL: [acl-name]'. If no ACL is applied, it will show 'Inbound IPv6 ACL: not set' or 'Outbound IPv6 ACL: not set'. Ensure the ACL name matches exactly and the direction is correct.
CCNA Exam Tips
Remember that 'ipv6 traffic-filter' is the IPv6 equivalent of 'ip access-group' for IPv4.
The ACL must be created before applying it; otherwise, the command is rejected.
Only one ACL per direction (in/out) per interface is allowed; applying a new one replaces the old.
The ACL is processed in order; an implicit 'deny ipv6 any any' exists at the end.
Common Mistakes
Forgetting to create the ACL before applying it, resulting in 'ACL not found' error.
Applying the ACL in the wrong direction (e.g., inbound instead of outbound).
Using 'ipv6 access-group' instead of 'ipv6 traffic-filter' (the correct command).
Related Commands
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions