Answers: IPv6 Standard ACL 1

By Wendell September 9, 2016 09:10

The previous lab exercise requires you to configure a standard IPv6 ACL. The address range matching should be pretty straightforward. You also need to choose where to put the ACL, and for which direction of flow for the packets. As usual, check the requirements from the previous lab exercise and make your own answer first – it’s an exercise for you. Enjoy!


Figure 1: Two Router ROAS Topology for IPv6 Standard ACLs


Example 5: R2 Config



With this lab you were tasked with configuring a standard IPv6 ACL. The requirement to create a standard IPv6 ACL versus an extended IPv6 ACL is actually pretty subtle, because the difference in commands is not as obvious as it is with IPv4 standard and extended ACLs. In short, IPv6 ACLs that match only the source and destination IPv6 address fields are standard IPv6 ACLs. If your ACL matched only on the source and destination IPv6 addresses, then you met the first requirement.

Next, before choosing whether to place a particular address range as the source or destination address, you must choose both the location and direction for the ACL. The lab requirement wording listed source addresses from the IPv6 prefixes at the top of the figure, with destination prefixes at the bottom of the figure. You could have placed the ACL on either R1 or R2 in this case, and for either direction, and still met the lab’s requirements. For the purposes of this lab, the answer shows the ACL on router R2, for the direction from the upper subnets to the lower subnets. Also, the solution enables the ACL in the outbound direction on the ROAS subinterfaces (the subinterfaces of R2’s G0/2 physical interface.)

The matching is relatively straightforward. The first requirement lists a source subnet of 2001:0:0:10::/64, and with two destination subnets. To match for this requirement, you need one statement, one for each destination subnet. The second requirement is similar, with a source host address of 2001:0:0:20::100, and with the same two destination subnets. In this case, the source address field can be matched with the host keyword before the host IPv6 address.

The ACL closes with a permit ipv6 any any command, which meets the requirement to permit all other traffic.

This lab also might have made you wonder if the ACL could have been applied to the G0/2 physical interface in this case, filtering all IPv6 traffic exiting the interface, and the answer is no. An ACL applied under physical interface G0/2 – not one of its subinterfaces – would be considered for packets routed out G0/2, but not for packets routed out its subinterfaces. So, as shown in the answer, the ipv6 traffic-filter StdACL01 out command is used as a subcommand on both subinterfaces.

Multilink PPP 1
IPv6 Standard ACL 1
By Wendell September 9, 2016 09:10
Write a comment


  1. Erjol October 8, 12:55

    Hi Wendell, if the ACL is applied though on R2 g0/1 interface for inbound direction, would it be wrong?


    Reply to this comment
  2. Kram December 20, 13:34

    Example 5 shows
    interface GigabitEthernet0/2.2
    ip traffic-filter StdACL01 out

    should it not be
    interface GigabitEthernet0/2.2
    ipv6 traffic-filter StdACL01 out

    Reply to this comment
  3. Sunny December 25, 08:15

    Can we applied acl on R1 g0/1 or on R2 g0/1?

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.