Feature Request | Variable support in ACLs for IPv6 prefix
3 weeks ago - last edited 2 weeks ago
Tags: #ACL
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.4 Build 20240119 Rel.44368

I've successfully deployed IPv6 on my network, although my ISP sometimes changes the IPv6 scope, which impacts the ACLs so some systems are not accessible from the Internet over IPv6.

 

So for example I currently have a group profile with the systems that are allowed to have inbound SSH traffic (TCP/22), but this is hard-coded:

 

2001:c0ff:ee:5838::1:241 / 128

 

So as you can see the prefix is 2001:c0ff:ee:5838::; it would be nice to have a 'variable' to use in groups that auto-populates the prefix, so when it changes it still works.

 

So I was thinking about (for example) using [IPv6_PREFIX], so it looks like:

 

[IPv6_PREFIX]1:241 / 128

 

To update the DNS records with Cloudflare, I wrote a small script that updates the AAAA record using their API.

#1
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2 weeks ago

Hi @paderijk 

Thanks for posting in our business forum.

Where will this prefix come from? WAN or LAN?

LAN can do it. ACL supports IPv6 LAN. The IPv6 Group will change to the WAN v6 prefix if the WAN prefix changes.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
#2
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2 weeks ago

 Hi @Clive_A,

 

The IPv6 prefix will come from the WAN (via the ISP) and "pushed" to the LAN, the LAN is configured this way:

 

 

I indeed found the IPv6 group for ACLs applicable to the whole subnet (2001:c0ff:ee:5838::/64), but I have not found a solution whereby I can have an ACL for a specific IPv6 address that takes into account a potential prefix change.

 

In my case I want to have one system (2001:c0ff:ee:5838::1:241/128) accessible from the Internet over SSH (TCP/22), and all the other systems that do offer SSH should not be accessible. So I currently have an ACL that blocks everything incoming and another one that only allows inbound SSH to that specific system.

 

The system Berrystone is the one that should be accessible from the Internet using SSH.

 

 

The IPv6 Group:IPv6 berrystone looks like:

 

So if the provider pushes a new prefix to me (for example) 2001:b4b4:aa:1234::/64, the IPv6 Group:IPv6 berrystone needs to be changed.

 

Hope I clarified the feature request more, if not, please let me know.

 

I looked if there was already something in place, but was not able to find it.

 

DISCLAIMER: The IPv6 prefixes shown are not the actual ones I have in use, for privacy reasons.

#3
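The two posts above describe the same problem from both sides: a host-specific allow entry such as 2001:c0ff:ee:5838::1:241/128 is really "delegated prefix + fixed host suffix", and when the ISP delegates a new prefix the entry silently stops matching the host it was written for (with the deny-all rule in front of it, that host simply drops off the Internet). The following Python is an added example, not code from this thread, from TP-Link or from the ER605 firmware. It assumes the ACL group is kept as templates of the proposed "[IPv6_PREFIX]<suffix>/<len>" form and that the caller supplies the currently delegated prefix (read from the router or a LAN interface in practice); the prefixes used are the thread's constructed, non-real examples. It also shows the reverse mapping (turning an existing hard-coded entry into a template) and a drift check that flags entries which no longer lie inside the current prefix.

```python
"""Keep host-specific IPv6 ACL entries in step with a changing delegated prefix.

Added example (not code from this thread or from TP-Link). Assumptions:
- the ACL group is maintained as templates "[IPv6_PREFIX]<suffix>/<len>",
  exactly as proposed in the thread;
- the caller supplies the prefix currently delegated by the ISP.
All prefixes below are the thread's constructed, non-real examples.
"""
import ipaddress
import re

PREFIX_TOKEN = "[IPv6_PREFIX]"
# "[IPv6_PREFIX]1:241 / 128" -> suffix "1:241", length 128 (spaces around "/" tolerated)
_TEMPLATE_RE = re.compile(r"^\[IPv6_PREFIX\]([0-9a-fA-F:]+)\s*/\s*(\d{1,3})$")


def render_entry(template: str, current_prefix: str) -> str:
    """Expand a template against the current prefix into a concrete ACL entry."""
    prefix = ipaddress.IPv6Network(current_prefix, strict=False)
    m = _TEMPLATE_RE.match(template.strip())
    if m is None:
        raise ValueError(f"not a prefix template: {template!r}")
    suffix_text, length = m.group(1), int(m.group(2))
    if not prefix.prefixlen <= length <= 128:
        raise ValueError(f"entry length /{length} must not be shorter than the prefix /{prefix.prefixlen}")
    # "::" + "1:241" parses as ::1:241, i.e. the suffix as a 128-bit integer
    host_bits = int(ipaddress.IPv6Address("::" + suffix_text))
    # A suffix that reaches into the prefix bits would be silently overwritten; reject it instead.
    if host_bits >> (128 - prefix.prefixlen):
        raise ValueError(f"suffix {suffix_text!r} does not fit below a /{prefix.prefixlen} prefix")
    address = int(prefix.network_address) | host_bits
    return str(ipaddress.IPv6Network((address, length), strict=False))


def render_group(templates: list[str], current_prefix: str) -> list[str]:
    """Render a whole IPv6 group (list of templates) for the current prefix."""
    return [render_entry(t, current_prefix) for t in templates]


def to_template(entry: str, prefix_len: int = 64) -> str:
    """Inverse of render_entry: turn an existing hard-coded entry into a template.

    Intended for a one-off migration of the hard-coded group; the delegated
    prefix length is assumed to be /64, as in the thread.
    """
    net = ipaddress.IPv6Network(entry, strict=False)
    host_bits = int(net.network_address) & ((1 << (128 - prefix_len)) - 1)
    # str() of the host part alone gives "::1:241"; the leading "::" stands for the zeroed prefix
    suffix = str(ipaddress.IPv6Address(host_bits)).removeprefix("::") or "0"
    return f"{PREFIX_TOKEN}{suffix}/{net.prefixlen}"


def stale_entries(entries: list[str], current_prefix: str) -> list[str]:
    """Return the concrete entries that no longer lie inside the current prefix.

    Run after a prefix change (or on a timer) to detect an allow entry that
    has silently stopped matching the host it was written for.
    """
    prefix = ipaddress.IPv6Network(current_prefix, strict=False)
    return [e for e in entries
            if not ipaddress.IPv6Network(e, strict=False).subnet_of(prefix)]


if __name__ == "__main__":
    OLD_PREFIX = "2001:c0ff:ee:5838::/64"  # constructed, from the thread
    NEW_PREFIX = "2001:b4b4:aa:1234::/64"  # constructed, the thread's "new prefix" example
    hard_coded_group = ["2001:c0ff:ee:5838::1:241/128"]  # the berrystone entry

    templates = [to_template(e) for e in hard_coded_group]
    print("templates:", templates)
    print("stale after prefix change:", stale_entries(hard_coded_group, NEW_PREFIX))
    print("re-rendered group:", render_group(templates, NEW_PREFIX))
```

The drift check is the defender-side piece: even without firmware support for a variable, running stale_entries against the prefix the router currently holds tells you immediately that the allow rule no longer covers the intended host, rather than discovering it when SSH stops working.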
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2 weeks ago

Hi @paderijk 

Thanks for posting in our business forum.

Got you. Our dev also took a look at this request.

So, it does not seem to be a mainstream request yet. We will keep an eye on this request; if there is more feedback on this, we will let the PM take a look and evaluate this feature.

 

BTW, is this for the business environment or home? If this is for business, how many users do you have requesting this feature?

#4
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2 weeks ago

  @Clive_A 

 

This is in my home lab (as a professional IT Engineer, I would like to have good stuff).

 

I understand it's not a mainstream request; at my work at a big international company, IPv6 is unfortunately not yet on the roadmap to be deployed in the Datacenters/Office LAN.

#5
Re:Feature Request | Variable support in ACLs for IPv6 prefix
2 weeks ago

Hi @paderijk 

Thanks for posting in our business forum.

Understand that. If others vote on this, our dev can pull this into the request pool for further evaluation.

#6