Deny FTP
The topology for the examples is shown in Figure 1.
In the first example shown in Figure 2, router R1 is configured with an IPv6 access list to deny FTP traffic to 2001:DB8:CAFE:11::/64. Ports for both FTP data (port 20) and FTP control (port 21) need to be blocked. Because he filter is applied inbound on the G0/0 interface on R1 only traffic from the 2001:DB8:CAFE:10::/64 network will be denied.
Restricted Access
In the second example shown in Figure 3, an IPv6 ACL is configured to give the LAN on R3 limited access to the LANs on R1. Comments are added in the configuration to document the ACL. The following features have been labelled in the ACL:
1. The first two permit statements allow access from any device to the web server at 2001:DB8:CAFE:10::10.
2. All other devices are denied access to the 2001:DB8:CAFE:10::/64 network.
3. PC3 at 2001:DB8:CAFE:30::12 is permitted Telnet access to PC2 which has the IPv6 address 2001:DB8:CAFE:11::11.
4. All other devices are denied Telnet access to PC2.
5. All other IPv6 traffic is permitted to all other destinations.
6. The IPv6 access list is applied to interface G0/0 in the inbound direction, so only the 2001:DB8:CAFE:30::/64 network is affected.