IPv6 counter operation with multiple interface assignments

Where the same IPv6 ACL is assigned to multiple interfaces, the switch maintains a separate instance of each ACE counter in the ACL. When there is a match with traffic on one of the ACL's assigned interfaces, only the affected ACE counters for that interface are incremented. Other instances of the same ACL applied to other interfaces are not affected.
NOTE: The examples of counters in this section use small values to help illustrate counter operation. The counters in real-time network applications are much more active and show higher values.


Suppose that:
  • An ACL named "V6-01" is configured as shown in the following example, to block Telnet access to a workstation at FE80::20:2, which is connected to a port belonging to VLAN 20.

  • The ACL is assigned as a PACL (port ACL) on port 2, which is also a member of VLAN 20:

ACL "V6-01" and command for PACL assignment on port 2

Switch(config)# show access-list V6-01 config

ipv6 access-list "V6-01"
     10 permit icmp ::/0 fe80::20:2/128 128
     20 deny tcp ::/0 fe80::20:2/128 eq 23 log
     30 permit ipv6 ::/0 ::/0
   exit

Switch(config)# int b2 ipv6 access-group V6-01 in¹

¹ Assigns the ACL to port 2

Application to filter traffic inbound on port B2

Using the topology shown, a workstation at FE80::20:117 on port B2 attempting to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the "V6-01" ACL assigned to port B2, resulting in the following:

Ping and Telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2

Switch# ping6 fe80::20:2%vlan20
fe80:0000:0000:0000:0000:0000:0020:0002 is alive, time = 5 ms
Switch# telnet fe80::20:2%vlan20
Telnet failed: Connection timed out.
Switch#

Resulting ACE hits on ACL "V6-01"

Switch# show statistics aclv6 IP-01 port 2

 Hit Counts for ACL IPV6-ACL

 Total
 (1)¹   10 permit icmp fe80::20:3/128 fe80::20:2/128 128
 (5)²   20 deny tcp ::/0 fe80::20:2/128 eq 23 log
 (4)³   30 permit ipv6 ::/0 ::/0

¹ Shows the successful ping permitted by ACE 10

² Indicates denied attempts to Telnet to FE80::20:2 via the instance of the "V6-01" PACL assignment on port 2

³ Indicates permitted attempts to reach any accessible destination via the instance of the "V6-01" PACL assignment on port 2
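The per-interface counter behaviour described above (one ACE counter instance per interface the ACL is assigned to), modelled as an added example that is not switch code or part of the original documentation. It replays the "V6-01" scenario: the ping and the Telnet attempts from FE80::20:117 arrive on port B2, while a second assumed assignment of the same ACL on port B5 sees no traffic and its counters stay at zero. The five Telnet and four other-traffic packets are constructed to reproduce the hit counts shown; an implicit deny at the end of the ACL is assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed model of ACL "V6-01" from this section:
# (seq, action, proto, src, dst, match) where match is an ICMP type for icmp,
# a destination TCP port for tcp, or None for "any".
V6_01 = [
    (10, "permit", "icmp", "::/0", "fe80::20:2/128", 128),
    (20, "deny",   "tcp",  "::/0", "fe80::20:2/128", 23),
    (30, "permit", "ipv6", "::/0", "::/0",           None),
]

class Acl:
    """First-match IPv6 ACL with a separate ACE counter instance per interface."""
    def __init__(self, name, aces):
        self.name = name
        self.aces = [(s, a, p, ipaddress.ip_network(src), ipaddress.ip_network(dst), m)
                     for s, a, p, src, dst, m in aces]
        # iface -> {seq: hit count}; created on first use for each assigned interface
        self.hits = defaultdict(lambda: {s: 0 for s, *_ in aces})

    def apply(self, iface, pkt):
        """Filter one packet on iface; only that interface's counters move."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        for seq, action, proto, s_net, d_net, match in self.aces:
            if proto != "ipv6" and proto != pkt["proto"]:
                continue
            if src not in s_net or dst not in d_net:
                continue
            if match is not None and match != pkt.get("type_or_port"):
                continue
            self.hits[iface][seq] += 1
            return action, seq
        return "deny", None  # assumed implicit deny-any at the end of the ACL

def replay_scenario(acl):
    """Traffic from FE80::20:117 on port B2; port B5 is an assumed second assignment."""
    acl.hits["B5"]  # ACL assigned on B5 too, but no traffic arrives there
    host, target = "fe80::20:117", "fe80::20:2"
    acl.apply("B2", {"src": host, "dst": target, "proto": "icmp", "type_or_port": 128})  # ping
    for _ in range(5):  # Telnet attempts, denied by ACE 20
        acl.apply("B2", {"src": host, "dst": target, "proto": "tcp", "type_or_port": 23})
    for _ in range(4):  # other traffic (constructed), permitted by ACE 30
        acl.apply("B2", {"src": host, "dst": "fe80::20:99", "proto": "tcp", "type_or_port": 80})
    return {iface: dict(c) for iface, c in acl.hits.items()}

if __name__ == "__main__":
    print(replay_scenario(Acl("V6-01", V6_01)))
```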