Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later


Configure localized policy for IPv6 using the CLI


Configure localized policy for IPv6 using the CLI by defining mirroring and policing parameters, creating access lists with match-action sequences, and applying them to interfaces.


This task allows you to implement traffic control and security policies for IPv6 traffic by creating access lists with specific match criteria and corresponding actions such as dropping, counting, mirroring, or policing packets.

Use this configuration when you need to control IPv6 traffic flow through your network interfaces by applying specific filtering, mirroring, and policing policies. This is particularly useful for traffic management, security enforcement, and network monitoring.

Before you begin

Follow these steps to configure localized policy for IPv6 using the CLI:

Procedure

1. Define mirroring parameters (for unicast traffic only):

Example:

2. Define policing parameters:

Example:

Device(config)# policy policer policer_On_gige
Device(config-policer-policer_On_gige)# rate ?
Description: Bandwidth for 1g interfaces: <8..1000000000>bps;for 10g interfaces: <8..10000000000>bps
Possible completions: <0..2^64-1>
Device(config-policer-policer_On_gige)# burst
Description: Burst rate, in bytes
Possible completions: <15000..10000000>
Device(config-policer-policer_On_gige)# exceed drop
3. Create an access list instance:

Example:

Device(config)# policy ipv6 access-list ipv6_access_list

4. Create a series of match–action pair sequences:

Example:

Device(config-access-list-ipv6_access_list)# sequence 100

The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken (either rejecting the packet or accepting it as is).

5. Define match parameters for packets:

Example:

Device(config-sequence-100)# match traffic-class 10
Device(config-match)# exit

6. Define actions to take when a match occurs:

Example:

Device(config-sequence-100)# action accept count traffic_class10_count
Device(config-sequence-100)# action drop
Device(config-sequence-100)# action accept class class1
Device(config-sequence-100)# action accept policer policer_On_gige

7. Create additional numbered sequences of match–action pairs within the access list, as needed.

8. If you want nonmatching packets to be accepted, configure the default action for the access list:

Example:

If a packet does not match any of the conditions in one of the sequences, it is rejected by default.

9. Apply the access list to an interface:

Example:

Device(config)# sdwan interface GigabitEthernet5
Device(config-interface-GigabitEthernet5)# ipv6 access-list ipv6_access_list in
Device(config-interface-GigabitEthernet5)# commit

Applying the access list in the inbound direction (in) affects packets being received on the interface. Applying it in the outbound direction (out) affects packets being transmitted on the interface.

The IPv6 access list is configured and applied to the specified interface, enabling traffic filtering based on the defined match criteria and actions. The policy will now process IPv6 packets according to the configured sequences and take the appropriate actions such as dropping, counting, mirroring, or policing traffic as specified.
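
The evaluation order described in the procedure (lowest sequence number first, first match wins, nonmatching packets rejected unless a default action says otherwise) can be checked offline before committing. The following Python model is an added example, not Cisco code or part of the original guide: it reads a simplified command listing in the syntax shown above, models only the traffic-class match, and uses constructed sequences 200 and 300 and hypothetical helper names (parse_acl, evaluate, shadowed). It also reports sequences that can never fire because a lower-numbered sequence has the same match.

```python
# Constructed sample in the command syntax used in the steps above; sequences
# 200/300 and their traffic-class values are made up for illustration.
SAMPLE_ACL = """\
policy ipv6 access-list ipv6_access_list
sequence 100
match traffic-class 10
action accept count traffic_class10_count
sequence 200
match traffic-class 20
action drop
sequence 300
match traffic-class 10
action drop
"""

def parse_acl(text):
    """Map sequence number -> {'tc', 'action', 'count'} (traffic-class match only)."""
    seqs, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["sequence"]:
            cur = seqs.setdefault(int(tok[1]), {"tc": None, "action": None, "count": None})
        elif cur is not None and tok[:2] == ["match", "traffic-class"]:
            cur["tc"] = int(tok[2])
        elif cur is not None and tok[:1] == ["action"]:
            cur["action"] = tok[1]  # accept or drop
            if "count" in tok[2:]:
                cur["count"] = tok[tok.index("count") + 1]
    return seqs

def evaluate(seqs, traffic_class, counters, default="reject"):
    """First match wins, lowest sequence number first; otherwise the default action."""
    for num in sorted(seqs):
        seq = seqs[num]
        if seq["tc"] == traffic_class:
            if seq["count"]:
                counters[seq["count"]] = counters.get(seq["count"], 0) + 1
            return num, seq["action"]
    return None, default

def shadowed(seqs):
    """Sequences that can never match: a lower-numbered one has the same match."""
    seen, dead = set(), []
    for num in sorted(seqs):
        if seqs[num]["tc"] in seen:
            dead.append(num)
        seen.add(seqs[num]["tc"])
    return dead

if __name__ == "__main__":
    acl, counters = parse_acl(SAMPLE_ACL), {}
    for tc in (10, 20, 30):
        print(tc, evaluate(acl, tc, counters))
    print("shadowed:", shadowed(acl), "counters:", counters)
```

In the sample, the drop in sequence 300 never takes effect because sequence 100 already accepts traffic class 10, which is the kind of ordering mistake worth catching before the list is applied to an interface.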