ACL configuration and operating rules

  • RACLs and routed IPv6 traffic: Except for IPv6 traffic with a DA on the switch itself, RACLs filter only routed IPv6 traffic that is entering or leaving the switch on a given VLAN. Thus, if routing is not enabled on the switch, there is no routed IPv6 traffic for RACLs to filter.

  • VACLs and switched or routed IPv6 traffic: A VACL filters IPv6 traffic leaving the switch on the VLAN(s) to which it is assigned.

  • Per-switch ACL limits for all ACL types: At a minimum, an ACL must have one explicit “permit” or “deny” Access Control Entry (ACE). You can configure up to 2048 ACLs (IPv4 and IPv6 combined). The total number of ACEs in all ACLs depends on the combined resource usage by ACLs and other features.

  • Implicit deny: In any static ACL, the switch automatically applies an implicit deny ipv6 any any that does not appear in show listings. This means that the ACL denies any packet that does not match an entry in the ACL. Thus, if you want an ACL to permit any IPv6 packets that you have not expressly denied, you must enter a permit ipv6 any any as the last ACE in the ACL. Because, for a given packet, the switch applies the ACEs in an ACL sequentially until it finds a match, any packet that reaches a permit ipv6 any any entry is permitted and never encounters the implicit “Deny” ACE the switch automatically includes at the end of the ACL (see An ACE that permits all IPv6 traffic not implicitly denied). For implicit deny operation in RADIUS-assigned (dynamic) ACLs, see “Configuring RADIUS Server Support for Switch Services” in the latest Access Security Guide for your switch.

  • Explicitly permitting IPv6 traffic: Entering a permit ipv6 any any ACE in an ACL permits the IPv6 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.

  • Explicitly denying IPv6 traffic: Entering a deny ipv6 any any ACE in an ACL denies IPv6 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect.
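
To make the first-match and implicit-deny behaviour above concrete, here is an added Python model of ACE evaluation (example code written for this page, not switch firmware or a vendor tool); the Ace class, the 2001:db8:: prefixes and the sample ACL are constructed assumptions for the illustration.

```python
# Added illustration of sequential first-match ACE evaluation with implicit deny; not switch code.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("::/0")

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ipv6" matches any IPv6 protocol; otherwise e.g. "tcp", "udp"
    src: str     # IPv6 prefix, or "any"
    dst: str     # IPv6 prefix, or "any"

def _net(prefix):
    return ANY if prefix == "any" else ipaddress.ip_network(prefix, strict=False)

def evaluate(acl, proto, src_ip, dst_ip):
    """Return (action, index) of the first ACE that matches the packet.

    A packet no ACE matches falls through to the implicit deny ipv6 any any
    that the switch appends but never lists, reported here as ("deny", None).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(acl):
        if ace.proto not in ("ipv6", proto):
            continue
        if src in _net(ace.src) and dst in _net(ace.dst):
            return ace.action, i
    return "deny", None

def unreachable(acl):
    """Indices of ACEs that can never match because a catch-all ACE precedes them.

    Both permit ipv6 any any and deny ipv6 any any end evaluation for every
    packet, so anything listed after the first of them is dead configuration.
    """
    for i, ace in enumerate(acl):
        if ace.proto == "ipv6" and ace.src == "any" and ace.dst == "any":
            return list(range(i + 1, len(acl)))
    return []

# Constructed sample ACL (hypothetical prefixes from the 2001:db8::/32 documentation range).
SAMPLE_ACL = [
    Ace("deny", "tcp", "2001:db8:1::/64", "any"),
    Ace("permit", "ipv6", "any", "any"),
    Ace("deny", "udp", "any", "2001:db8:2::/64"),  # never reached: follows the catch-all permit
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "tcp", "2001:db8:1::5", "2001:db8:2::1"))      # ('deny', 0)
    print(evaluate(SAMPLE_ACL, "udp", "2001:db8:9::1", "2001:db8:2::1"))      # ('permit', 1)
    print(evaluate(SAMPLE_ACL[:1], "udp", "2001:db8:9::1", "2001:db8:2::1"))  # ('deny', None)
    print(unreachable(SAMPLE_ACL))                                             # [2]
```

Running unreachable() over a planned ACL before applying it catches the shadowed-ACE mistake that the switch itself will silently accept.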

  • Replacing one ACL with another of the same type: For a specific interface, the most recent ACL assignment using a given application replaces any previous ACL assignment using the same application on the same interface. For example, if you assigned a VACL named “Test-01” to filter inbound or outbound IPv6 traffic on VLAN 20, but later assigned another VACL named “Test-02” to filter inbound IPv6 traffic on this same VLAN, VACL “Test-02” replaces VACL “Test-01” as the ACL to use. Likewise, if you assigned an RACL named “Test-01” to filter inbound routed IPv6 traffic on VLAN 20, but later assigned another RACL named “Test-02” to filter inbound routed IPv6 traffic on this same VLAN, RACL “Test-02” replaces RACL “Test-01” as the ACL to use.

  • Static port ACLs: These are applied per-port, per port-list, or per static trunk. Adding a port to a trunk applies the trunk’s ACL configuration to the new member. If a port is configured with an ACL, the ACL must be removed before the port is added to the trunk. Also, removing a port from an ACL-configured trunk removes the ACL configuration from that port.

  • VACLs: These filter IPv6 traffic leaving the switch through any port belonging to the designated VLAN.

  • VACLs and RACLs operate on static VLANs: You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not operate with dynamic VLANs.

  • A VACL affects all physical ports in a static VLAN: A VACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN, including ports that have dynamically joined the VLAN.

  • RACLs screen routed IPv6 traffic entering or leaving the switch on a given VLAN interface: This means that the following traffic is subject to ACL filtering: