IPv6 ACLs are similar in operation and configuration to IPv4 ACLs. If you are familiar with the basic operation and configuration of IPv4 access control lists, you will find IPv6 ACLs easy to understand and configure too; the main difference is the IPv6 addressing.
IPv6 has only one type of ACL, which is comparable to an IPv4 extended named ACL.
There are no numbered ACLs in IPv6, only named ACLs.
IPv6 uses the ipv6 traffic-filter command to apply an ACL to an interface, unlike IPv4, which uses the ip access-group command.
IPv6 ACLs do not use wildcard masks. Instead, the prefix length is used to indicate how much of an IPv6 source or destination address must be matched.
How to configure IPv6 ACLs: example topology.
In the example below, we configure an IPv6 ACL on the router to restrict access to its VTY lines. Only PC1 will be allowed to telnet into R1; all other traffic will be denied.
To do this, you must use the ipv6 access-list command to create a named IPv6 ACL.
IPv6 uses named ACLs as IPv4 does, but IPv6 ACL names are alphanumeric, case sensitive and must be unique.
To determine whether a packet is forwarded or dropped, use permit or deny statements to specify the action.
Use the ipv6 access-class command to apply the ACL to the VTY lines.
ACL Configuration Example.
In the configuration example below, the single permit statement allows only PC1 to telnet into R1; every other packet falls through to the implicit deny at the end of the ACL.
Then apply the ACL to the VTY lines using the ipv6 access-class command with in as the direction.
R1(config)#ipv6 access-list NO_TELNET
R1(config-ipv6-acl)#permit tcp host 2001:db8:FC31e:1::1 any eq 23
R1(config-ipv6-acl)#exit
R1(config)#line vty 0 15
R1(config-line)#ipv6 access-class NO_TELNET in
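As an added illustration, not part of the original page, the following Python evaluator models how an IPv6 ACL like NO_TELNET is matched: host equals a /128 prefix, any equals ::/0, entries are tried in order with first match winning, and an unmatched packet hits the implicit deny. It uses a constructed documentation-prefix address (2001:db8:1::1) in place of the page's, and it also handles a prefix-length entry such as 2001:db8:1::/64 to show matching beyond the single-host case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}   # names IOS shows instead of numbers

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ipv6" (any protocol)
    src: ipaddress.IPv6Network        # matched by prefix length, not wildcard mask
    dst: ipaddress.IPv6Network
    dst_port: Optional[int] = None    # None means any destination port

def parse_ace(line: str) -> Ace:
    """Parse one IOS-style ACE, e.g. 'permit tcp host 2001:db8:1::1 any eq 23'."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2
    def take_addr(i: int):
        if toks[i] == "any":
            return ipaddress.IPv6Network("::/0"), i + 1
        if toks[i] == "host":                          # host X is X/128
            return ipaddress.IPv6Network(toks[i + 1] + "/128"), i + 2
        return ipaddress.IPv6Network(toks[i], strict=False), i + 1
    src, i = take_addr(i)
    dst, i = take_addr(i)
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = int(toks[i + 1]) if toks[i + 1].isdigit() else PORT_NAMES[toks[i + 1]]
    return Ace(action, proto, src, dst, port)

def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dst_port: int) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny.
    (IOS also inserts implicit permits for neighbor discovery before it; omitted here.)"""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for ace in acl:
        if ace.proto not in ("ipv6", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"                                      # implicit "deny ipv6 any any"

# Constructed sample: the page's NO_TELNET ACL with a documentation-prefix host.
NO_TELNET = [parse_ace("permit tcp host 2001:db8:1::1 any eq 23")]
```

Note that the same ACL also denies SSH (port 22) from PC1, since the only permit entry names port 23.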
Verify IPv6 ACLs
To verify all ACLs configured on the router, use the show access-lists command; it displays both the IPv4 and the IPv6 ACLs configured on the router.
To verify only the IPv6 ACLs configured on the router, use the show ipv6 access-list command; it displays all configured IPv6 access lists by name.
R1#show ipv6 access-list
IPv6 access list NO_TELNET
permit tcp host 2001:DB8:FC31E:1::1 any eq telnet