diff --git a/Extension-A.md b/Extension-A.md
new file mode 100644
index 0000000..61dce97
--- /dev/null
+++ b/Extension-A.md
@@ -0,0 +1,95 @@
+ACL Configuration (Access Control Lists)
+
+🔹 Must-Have ACL Rules
+
+SSH access only from Hamburg clients to infrastructure (e.g., router):
+
+ipv6 access-list SSH_ONLY_FROM_HH
+ permit tcp 2001:db8:1000:10::/64 any eq 22
+ deny tcp any any eq 22
+ permit ipv6 any any
+interface GigabitEthernet0/0
+ ipv6 traffic-filter SSH_ONLY_FROM_HH in
+
+HTTP/HTTPS access for Hamburg clients to Webservers:
+
+ipv6 access-list HH_WEB_ACCESS
+ permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 80
+ permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 443
+interface GigabitEthernet0/0/0.10
+ ipv6 traffic-filter HH_WEB_ACCESS in
+
+Lübeck clients access Webservers only via HTTPS:
+
+ipv6 access-list HL_HTTPS_ONLY
+ permit tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 443
+ deny tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 80
+ permit ipv6 any any
+interface GigabitEthernet0/0/0.30
+ ipv6 traffic-filter HL_HTTPS_ONLY in
+
+🔸 Should-Have Security Rule
+
+Deny ICMPv6 to Routers from all but management VLANs:
+
+ipv6 access-list ICMP_PROTECT
+ permit icmp 2001:db8:1000:fff0::/64 any
+ deny icmp any any
+ permit ipv6 any any
+interface Vlan1
+ ipv6 traffic-filter ICMP_PROTECT in
+
+DHCPv6 Configuration
+
+🔹 Must-Have: SLAAC with DHCPv6 (Stateless) – General Setup
+
+interface GigabitEthernet0/0/0.30
+ ipv6 address 2001:db8:2000:30::1/64
+ ipv6 nd other-config-flag
+ ipv6 dhcp server VLAN30-DHCP
+
+ipv6 dhcp pool VLAN30-DHCP
+ dns-server 2001:4860:4860::8888
+ domain-name example.local
+
+🔸 Should-Have: Stateful DHCPv6 on Hamburg Router
+
+interface GigabitEthernet0/0/0.10
+ ipv6 address 2001:db8:1000:10::1/64
+ ipv6 dhcp server HH-STATEFUL
+ ipv6 nd managed-config-flag
+
+ipv6 dhcp pool HH-STATEFUL
+ address prefix 2001:db8:1000:10::/64
+ dns-server 2001:4860:4860::8888
+ domain-name hh.example.local
+
+⚙️ Could-Have: Centralized DHCPv6 Setup (Documented)
+
+Place DHCPv6 server on Berlin server or core router.
+
+On all edge routers, you would configure:
+
+interface GigabitEthernet0/0
+ ipv6 helper-address 2001:db8:3000:50::10
+
+(Note: Not implemented in PT, but conceptually shown for transition presentation.)
+
+✅ OSPFv3 Configuration (Replacing Static Routing)
+
+🔹 Must-Have: Full OSPFv3 Setup with Process 42 and Area 0
+
+ipv6 unicast-routing
+ipv6 router ospf 42
+ router-id 1.1.1.1
+interface GigabitEthernet0/0/0
+ ipv6 ospf 42 area 0
+interface Serial0/1/0
+ ipv6 ospf 42 area 0
+
+Repeat with appropriate router-id (2.2.2.2, 3.3.3.3, etc.) on other routers.
+
+
+
+
+
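Review bot: In ICMP_PROTECT the explicit `deny icmp any any` is matched before the implicit neighbor-discovery permits of an IPv6 ACL, so every non-management host behind Vlan1 would lose NS/NA and Packet Too Big, not only pings to the routers; the list also filters transit ICMPv6, not just traffic addressed to the router. I would put `permit icmp any any nd-ns`, `permit icmp any any nd-na` and `permit icmp any any packet-too-big` ahead of the deny. HH_WEB_ACCESS ends without a `permit ipv6 any any`, so the implicit deny on GigabitEthernet0/0/0.10 would presumably drop the DHCPv6 and DNS traffic that the stateful DHCPv6 section configures on that same subinterface, as well as the Hamburg SSH that SSH_ONLY_FROM_HH is meant to allow. SSH_ONLY_FROM_HH itself only filters packets entering GigabitEthernet0/0 and lets Hamburg clients reach port 22 on any destination; if the goal is the router's own management plane, binding the list to the vty lines with `ipv6 access-class SSH_ONLY_FROM_HH in` would cover every ingress interface.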