Filtering routed IPv6 traffic

For a given VLAN interface on a switch configured for routing, you can assign one ACL as an RACL to filter inbound routed IPv6 traffic and another to filter outbound routed IPv6 traffic. You can also assign the same ACL to filter traffic on multiple VLANs. For limits and operating rules, see ACL configuration and operating rules.

Syntax:

vlan <vid> ipv6 access-group <identifier> <in|out>

no vlan <vid> ipv6 access-group <identifier> <in|out>

Assigns an ACL to a VLAN as an RACL to filter routed IP traffic entering or leaving the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove an RACL.

<vid>: VLAN identification number.

<identifier>: The alphanumeric name by which the ACL can be accessed. An identifier can have up to 64 characters.

<in>: Keyword for assigning the ACL to filter routed traffic entering the switch on the specified VLAN.

<out>: Keyword for assigning the ACL to filter routed traffic leaving the switch on the specified VLAN.

NOTE:

The switch allows you to assign an “empty” ACL to a VLAN. In this case, if you later populate the empty ACL with one or more ACEs for that same identifier, the ACL automatically becomes active on the assigned VLAN. Also, where a given ACL is assigned to an interface, if you delete the ACL from the running configuration without also using the “no” form of this command to remove the assignment to the interface, then the ACL becomes “empty”, but remains assigned to the interface and continues to exist (as an empty ACL) in the running configuration. In this case, if you later repopulate the ACL with an explicit ACE, then the ACL immediately reactivates and begins filtering traffic (which includes use of the implicit deny).
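The NOTE above means an RACL assignment can sit dormant on an empty ACL and begin enforcing the implicit deny as soon as the first ACE is added. The audit below is an added example, not part of the original documentation: it lists assignments that point at empty ACLs. The running-config layout it parses (ACL blocks opened by `ipv6 access-list` and closed by `exit`, numbered ACEs, and the VLAN-context form of the assignment) and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in an assumed running-config layout (not from the page).
SAMPLE_CONFIG = """\
ipv6 access-list "LAB-IN"
   10 permit ipv6 2001:db8:0:1::/64 any
   exit
ipv6 access-list "LAB-OUT"
   exit
vlan 20
   name "lab"
   ipv6 access-group "LAB-IN" in
   ipv6 access-group "LAB-OUT" out
   exit
vlan 30 ipv6 access-group "LAB-OUT" in
"""

ACL_DEF = re.compile(r'^ipv6 access-list "?([^"\s]+)"?$')
VLAN_CTX = re.compile(r'^vlan (\d+)$')
# Matches both the global form (with "vlan <vid>") and the VLAN-context form.
ASSIGN = re.compile(r'^(?:vlan (\d+) )?ipv6 access-group "?([^"\s]+)"? (in|out)$')
ACE = re.compile(r'^(?:\d+ )?(?:permit|deny)\b')

def audit_racls(config):
    """Return (ACE count per ACL, RACL assignments, assignments to empty ACLs)."""
    ace_counts, assignments = {}, []
    acl = vlan = None                      # current ACL / VLAN context, if any
    for raw in config.splitlines():
        line = raw.strip()
        if line == "exit":
            acl = vlan = None
        elif m := ACL_DEF.match(line):
            acl = m.group(1)
            ace_counts.setdefault(acl, 0)
        elif m := VLAN_CTX.match(line):
            vlan = int(m.group(1))
        elif m := ASSIGN.match(line):
            vid = int(m.group(1)) if m.group(1) else vlan
            if vid is not None:
                assignments.append((vid, m.group(2), m.group(3)))
        elif acl and ACE.match(line):
            ace_counts[acl] += 1
    # An ACL with no explicit ACE (or no definition at all) filters nothing yet.
    empty = [a for a in assignments if ace_counts.get(a[1], 0) == 0]
    return ace_counts, assignments, empty

if __name__ == "__main__":
    for vid, name, direction in audit_racls(SAMPLE_CONFIG)[2]:
        print(f"VLAN {vid}: RACL '{name}' ({direction}) is empty and will activate when populated")
```

Running such a check before adding ACEs to an existing identifier shows which VLANs will start filtering, so the assignment can be removed with the "no" form first if that is not intended.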