Overview of Access Control Lists

An access control list (ACL) contains one or more access control entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch's interfaces. This chapter describes how to configure, apply, and edit static IPv6 ACLs for filtering IPv6 traffic on these switches, and how to monitor IPv6 ACL actions.

Because the switches operate in an IPv4/IPv6 dual stack mode, IPv6 and IPv4 ACLs can operate simultaneously in these switches. However:
  • Static IPv6 ACLs and IPv4 ACLs do not filter each other's traffic.

  • IPv6 and IPv4 ACEs cannot be configured in the same static ACL.

  • RADIUS-assigned ACLs can be configured to filter either IPv4 traffic only, or both IPv4 and IPv6 traffic.

IPv6 traffic filtering with ACLs can help to improve network performance and restrict network use by creating policies for:
  • Switch management access: permits or denies in-band management access. This includes limiting or preventing the use of designated protocols that run on top of IPv6, such as TCP, UDP, and ICMP, and controlling application transactions based on DSCP values, source and destination IPv6 addresses, and transport-layer port numbers.

  • Application access security: eliminates unwanted IPv6 traffic in a path by filtering IPv6 packets where they enter or leave the switch on specific VLAN interfaces.

The ACLs described in this chapter can filter IPv6 traffic to or from a host, a group of contiguous hosts, or entire subnets.
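The following is an added example, not code from the switch or from this manual. It models how an ordered list of ACEs is evaluated against a packet (first matching ACE decides, later ACEs are never consulted) using the criteria the text lists: transport protocol, source and destination IPv6 address or prefix, destination port, and DSCP. The management-access policy, the addresses, and the assumption that an unmatched IPv6 packet is dropped by an implicit deny at the end of the list are all constructed for illustration; the policy permits SSH to the switch's management address only from an admin prefix, permits ICMPv6 to it from anywhere, drops everything else addressed to the switch, and leaves transit traffic alone. IPv4 packets are reported as not filtered, matching the statement that static IPv6 ACLs do not screen non-IPv6 traffic.

```python
"""Model of static IPv6 ACL evaluation: ordered ACEs, first match wins.

Added illustration, not the switch's own code. Addresses, policy and the
implicit deny-all at the end of the list are assumptions for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet header fields relevant to ACL matching."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmpv6", ...
    dport: Optional[int] = None
    dscp: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    """One access control entry; None in a field means 'any'."""
    action: str                # "permit" or "deny"
    proto: str                 # "ipv6" matches any transport protocol
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int] = None
    dscp: Optional[int] = None

    def matches(self, pkt: Packet, src: IPv6Address, dst: IPv6Address) -> bool:
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dscp is not None and self.dscp != pkt.dscp:
            return False
        return True


ANY6 = IPv6Network("::/0")


def first_match(acl: List[ACE], pkt: Packet) -> Optional[int]:
    """Index of the first ACE that matches the packet, or None."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if not isinstance(src, IPv6Address) or not isinstance(dst, IPv6Address):
        return None
    for i, ace in enumerate(acl):
        if ace.matches(pkt, src, dst):
            return i
    return None


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """'permit' or 'deny' for an IPv6 packet; 'not-filtered' for IPv4."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if not isinstance(src, IPv6Address) or not isinstance(dst, IPv6Address):
        return "not-filtered"      # an IPv6 ACL does not screen IPv4 traffic
    idx = first_match(acl, pkt)
    if idx is None:
        return "deny"              # assumed implicit deny at end of list
    return acl[idx].action


# Constructed policy (documentation prefixes, not real addresses).
ADMIN_NET = IPv6Network("2001:db8:10::/64")
SWITCH_MGMT = IPv6Network("2001:db8:1::1/128")

MGMT_ACL = [
    ACE("permit", "tcp", ADMIN_NET, SWITCH_MGMT, dport=22),   # SSH from admins
    ACE("permit", "icmpv6", ANY6, SWITCH_MGMT),               # ping/ND to switch
    ACE("deny", "ipv6", ANY6, SWITCH_MGMT),                   # nothing else to switch
    ACE("permit", "ipv6", ANY6, ANY6),                        # transit traffic untouched
]


if __name__ == "__main__":
    samples = [
        Packet("2001:db8:10::7", "2001:db8:1::1", "tcp", dport=22),   # permit (ACE 0)
        Packet("2001:db8:20::5", "2001:db8:1::1", "tcp", dport=22),   # deny (ACE 2)
        Packet("2001:db8:10::7", "2001:db8:1::1", "tcp", dport=23),   # deny (ACE 2)
        Packet("2001:db8:20::5", "2001:db8:50::9", "tcp", dport=443), # permit (ACE 3)
        Packet("192.0.2.1", "192.0.2.2", "tcp", dport=22),            # not-filtered
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {evaluate(MGMT_ACL, p)}")
```

Note that the telnet attempt from the admin prefix is dropped by the third ACE even though the admin prefix is trusted for SSH: the list is walked top to bottom and only the first matching entry counts, so ACE order is part of the policy. Moving the deny entry above the SSH permit would lock administrators out.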

CAUTION:

The ACLs described in this chapter can enhance network security by blocking selected IPv6 traffic and can serve as part of your network security program. However, ACLs do not authenticate users or devices, and they do not protect the data carried in IPv6 packets from malicious manipulation, so they should not be relied upon as a complete security solution.

Static IPv6 ACLs on the switches do not screen non-IPv6 traffic such as IPv4, AppleTalk, and IPX packets.