Allowing for the implied deny function

In any ACL having one or more ACEs, there is always a packet match. This is because the switch automatically applies the implicit deny as the last ACE in any ACL. This function is not visible in ACL listings, but is always present; see An ACE that permits all IPv6 traffic not implicitly denied. This means that if you configure the switch to use an ACL for filtering either inbound or outbound traffic on a VLAN, any IPv6 packets not specifically permitted or denied by the explicit entries you create is denied by the implicit deny action. If you want to preempt the implicit deny (so that IPv6 traffic not specifically addressed by earlier ACEs in a given ACL is permitted), insert an explicit permit ipv6 any any as the last explicit ACE in the ACL.