The sequence of entries in an ACL is significant

When the switch uses an ACL to determine whether to permit or deny a packet, it compares the packet to the criteria specified in the individual ACEs in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet. This is significant because, once a match is found for a packet, subsequent ACEs in the same ACL are not applied to that packet, regardless of whether they match the packet.

ACE that permits all IPv6 traffic not implicitly denied

Suppose that you have applied the ACL shown, to inbound IPv6 traffic on VLAN 1 (the default VLAN): 
ipv6 access-list "Sample-List-2"
10 deny ipv6 2001:db8::235:10/128 ::/0
20 deny ipv6 2001:db8::245:89/128 ::/0
30 permit tcp 2001:db8::18:100/128 2001:db8::237:1/128
40 deny tcp 2001:db8::18:100/128 ::/0
50 permit ipv6 ::/0 ::/0
(Implicit deny ipv6 any any)
exit

After the last explicit ACE, there is always an Implicit Deny. However, in this case it will not be used because the last permit ipv6 ACL allows all IPv6 packets that earlier ACEs have not already permitted or denied.

Line #

Action

N/A

Shows IP type (IPv6) and ID (Sample-List-2).

10

A packet from source address 2001:db8:235:10 will be denied (dropped). This ACE filters out all packets received from 2001:db8:235:10. As a result, IPv6 traffic from that device will not be allowed, and packets from that device will not be compared against any later entries in the list.

20

A packet from IPv6 source address 2001:db8::245:89 will be denied (dropped). This ACE filters out all packets received from 2001:db8::245:89. As the result, IPv6 traffic from that device will not be allowed, and packets from that device will not be compared against any later entries in the list.

30

A TCP packet from SA 2001:db8::18:100 with a DA of 2001:db8::237:1 will be permitted (forwarded). Since no earlier ACEs in the list have filtered TCP packets from 2001:db8::18:100 with a destination of 2001:db8::237:1, the switch will use this ACE to evaluate such packets. Any packets that meet this criteria will be forwarded. (Any packets that do not meet this TCP source-destination criteria are not affected by this ACE.)

40

A TCP packet from source address 2001:db8::18:100 to any destination address will be denied (dropped). Since, in this example, the intent is to block TCP traffic from 2001:db8::18:100 to any destination except the destination stated in the ACE at line 30, this ACE must follow the ACE at line 30. (If their relative positions were exchanged, all TCP traffic from 2001:db8::18:100 would be dropped, including the traffic for the 2001:db8::237:1 destination.)

50

Any packet from any IPv6 source address to any IPv6 destination address will be permitted (forwarded). The only traffic filtered by this ACE will be packets not permitted or denied by the earlier ACEs.

60

The implicit deny (deny ipv6 any any) is a function the switch automatically adds as the last action in all IPv6 ACLs. It denies (drops) traffic from any source to any destination that has not found a match with earlier entries in the ACL. In this example, the ACE at line 50 permits (forwards) any traffic not already permitted or denied by the earlier entries in the list, so there is no traffic remaining for action by the implicit deny function.

exit

Defines the end of the ACL.