Implicit deny override

If a packet does not have a match with the criteria in any of the ACEs in the ACL, the ACL denies (drops) the packet. If you have to override the implicit deny so that a packet that does not have a match will be permitted, configure permit ipv6 any any as the last ACE in the ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL and prevents these packets from being filtered by the implicit deny ipv6 any any.

Overriding an implicit deny

Suppose the following ACL with five ACEs is assigned to filter the IPv6 traffic from an authenticated client on a given port in the switch:

10 permit ipv6 ::/0 fe80::136:24/128
20 permit ipv6 ::/0 fe80::156:7/128
30 deny ipv6 ::/0 fe80::156:3/128
40 deny tcp ::/0 ::/0 eq 23
50 permit ipv6 ::/0 ::/0
(deny ipv6 ::/0 ::/0)

For an inbound packet with a destination IP address of FE80::156:3, the ACL:
  1. Compares the packet to the first ACE first (line 10).

  2. Since there is not a match with the first ACE, the ACL compares the packet to the second ACE, where there is also not a match (line 20).

  3. The ACL compares the packet to the third ACE. There is an exact match, so the ACL denies (drops) the packet (line 30).

  4. The packet is not compared to the fourth ACE (line 40).

  5. The last line demonstrates the "deny any any" ACE implicit in every IPv6 ACL. Inbound IPv6 traffic from an authenticated client that does not have a match with any of the five explicit ACEs in this ACL will be denied by the implicit "deny any any".

As shown above, the ACL tries to apply the first ACE in the list. If there is not a match, it tries the second ACE, and so on. When a match is found, the ACL invokes the configured action for that entry (permit or drop the packet), and any remaining ACEs in the list are ignored; no further comparisons of the packet are made. Because of this sequential, first-match processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.
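To make the first-match evaluation and the implicit deny concrete, here is an added example (not from the switch documentation) that models the five ACEs above and walks a packet through them in sequence; the Ace class, the evaluate function and the sample addresses are assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of one ACE: sequence number, action, protocol,
# source/destination prefixes and an optional destination port ("eq 23").
@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" (any protocol) or "tcp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None

def ace(seq, action, proto, src, dst, dport=None) -> Ace:
    return Ace(seq, action, proto, ipaddress.IPv6Network(src),
               ipaddress.IPv6Network(dst), dport)

# Constructed ACL mirroring lines 10-50 on the page.
ACL = [
    ace(10, "permit", "ipv6", "::/0", "fe80::136:24/128"),
    ace(20, "permit", "ipv6", "::/0", "fe80::156:7/128"),
    ace(30, "deny",   "ipv6", "::/0", "fe80::156:3/128"),
    ace(40, "deny",   "tcp",  "::/0", "::/0", 23),
    ace(50, "permit", "ipv6", "::/0", "::/0"),
]

def matches(a: Ace, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    # "ipv6" in the ACE means any protocol; "tcp" must match exactly.
    if a.proto != "ipv6" and a.proto != proto:
        return False
    if ipaddress.IPv6Address(src) not in a.src or ipaddress.IPv6Address(dst) not in a.dst:
        return False
    return a.dport is None or a.dport == dport

def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "ipv6",
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, seq) of the first matching ACE.
    If nothing matches, the implicit 'deny ipv6 any any' applies (seq None)."""
    for a in acl:
        if matches(a, src, dst, proto, dport):
            return a.action, a.seq
    return "deny", None

if __name__ == "__main__":
    print(evaluate(ACL, "fe80::1", "fe80::156:3"))          # ('deny', 30)
    print(evaluate(ACL[:4], "fe80::1", "fe80::9"))          # ('deny', None), no line 50
```

Evaluating the same packet against ACL[:4] (the list without line 50) shows the implicit deny catching it, while moving line 40 after line 50 would let Telnet through, which is the ordering problem the text warns about.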