How to deny web access from a host to a server in an IPv6 network

The most popular and one of the most important simulation in the CCNA exam is the access-list question where candidates are asked to deny web access from a PC to a certain server while making sure that all other forms of access are allowed for the PC and other connected users. In this demonstration, I will share with us on how to use IPv6 access-list to solve this Cisco exam question. Lets jump in!

Network Topology:

Our network topology is going to have a single Cisco 2811 router, a 2960 LAN switch, two PCs and a server. See below:

Network diagram with a web server and two PCS


>>PC0 should have web access to to server0.

>>No other PC on the LAN should have web access to server0.

>>Because there are other services available on the network, all other forms of access from hosts on the LAN to server0 should be permitted.

>>Setup to be accomplished using IPv6.


To implement IPV6 access-list on our network, first we have to enable IPv6 unicast-routing on the router and configure the interfaces with IPv6 addresses. See below:

Router#conf t
Router(config)#hostname TimiGate
TimiGate(config)#ipv6 unicast-routing
TimiGate(config)#int f0/0
TimiGate(config-if)#ipv6 add 2000::1/64
TimiGate(config-if)#no shut
TimiGate(config-if)#int f0/1
TimiGate(config-if)#ipv6 add 2001::1/64
TimiGate(config-if)#no shut

Now, we configure IPv6 access-list

TimiGate(config)#ipv6 access-list cisco
TimiGate(config-ipv6-acl)#permit tcp host 2001::2 host 2000::2 eq www (this line permits PC0 web access to server0).
TimiGate(config-ipv6-acl)#deny tcp any host 2000::2 eq www (this line denies web access from any other host to server0).
TimiGate(config-ipv6-acl)#permit ip any any  (this line permits all other forms of traffics from any PC to any PC, including server0).


Next, we apply the access-list to the interface connecting to the server in an outbound direction.
TimiGate(config)#int f0/0
TimiGate(config-if)#ipv6 traffic-filter cisco out


To verify, open the web browser on PC0 and type in the IPv6 address of server0. It should be successful. Next, go to PC1 and repeat the same. It should not be able to access server0 via web browser. Finally, while still on PC1, initiate icmp request to server0. It should be successful.

To see packets being matched by the access-list, use the command sh access-list. See below:

To get the Packet Tracer file of this LAB, kindly drop your email in the comment box below. Thank you.

Spread the love

Leave a Comment