IPv6 counter operation with multiple interface assignments


The counter examples in this section use small values to make counter operation easy to follow. On a production network the counters are generally far more active and show much higher values.

Where the same IPv6 ACL is assigned to multiple interfaces, the switch maintains a separate instance of each ACE counter in the ACL. When there is a match with traffic on one of the ACL's assigned interfaces, only the affected ACE counters for that interface are incremented. Other instances of the same ACL applied to other interfaces are not affected.

For example, suppose that:
  • An ACL named "V6-01" is configured as shown in the following figure, to block Telnet access to a workstation at FE80::20:2, which is connected to a port belonging to VLAN 20.

  • The ACL is assigned as a PACL (port ACL) on port 2, which is also a member of VLAN 20:

ACL "V6-01" and command for PACL assignment on port 2

Switch(config)# show access-list V6-01 config

ipv6 access-list "V6-01"
     10 permit icmp ::/0 fe80::20:2/128 128
     20 deny tcp ::/0 fe80::20:2/128 eq 23 log
     30 permit ipv6 ::/0 ::/0

Switch(config)# int b2 ipv6 access-group V6-01 in   [1]

[1] Assigns the ACL inbound on port 2 (interface b2)
Figure 14: Application to filter traffic inbound on port 2

Using the topology in the preceding figure, a workstation at FE80::20:117 on port 2 that pings and then Telnets to the workstation at FE80::20:2 has its traffic filtered by the instance of the "V6-01" ACL assigned as a PACL on port 2, producing the following output:

Ping and Telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port 2

Switch# ping6 fe80::20:2%vlan20
fe80:0000:0000:0000:0000:0000:0020:0002 is alive, time = 5 ms
Switch# telnet fe80::20:2%vlan20
Telnet failed: Connection timed out.

Resulting ACE hits on ACL “V6-01”

Switch# show statistics aclv6 V6-01 port 2

 Hit Counts for ACL V6-01

(1)   10 permit icmp ::/0 fe80::20:2/128 128   [1]
(5)   20 deny tcp ::/0 fe80::20:2/128 eq 23 log   [2]
(4)   30 permit ipv6 ::/0 ::/0   [3]

[1] The ICMP echo request of the successful ping, permitted by ACE 10

[2] Denied attempts to Telnet to FE80::20:2 through the instance of the "V6-01" PACL assigned on port 2 (a single Telnet connection attempt that times out typically produces several TCP SYN retransmissions, and each one is counted as a separate hit on ACE 20)

[3] Permitted traffic to any other reachable destination through the instance of the "V6-01" PACL assigned on port 2
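Because each interface keeps its own instance of every ACE counter, a monitoring script has to read the hit counts per interface and cannot treat one listing as the ACL's total. The following Python script is an added example, not part of the original manual or the switch firmware: it parses hit-count listings in the format shown above for the same ACL on two ports, totals the deny-ACE hits per interface, and computes per-ACE deltas between two snapshots of one instance. The sample listings and the second port are constructed to match the page's output format, not captured from a real switch.

```python
"""Parse per-interface 'show statistics aclv6' hit-count listings.

Added example. SAMPLE_OUTPUT is constructed to match the listing format
shown in the manual; the "port 3" instance is invented to show that the
two counter instances of the same ACL are independent.
"""
import re
from typing import Dict, Tuple

Counts = Dict[int, Tuple[int, str, str]]  # seq -> (hits, action, match text)

# Constructed sample: ACL "V6-01" applied as a PACL on two ports.
SAMPLE_OUTPUT = {
    "port 2": (
        " Hit Counts for ACL V6-01\n"
        "\n"
        "(1)   10 permit icmp ::/0 fe80::20:2/128 128\n"
        "(5)   20 deny tcp ::/0 fe80::20:2/128 eq 23 log\n"
        "(4)   30 permit ipv6 ::/0 ::/0\n"
    ),
    "port 3": (
        " Hit Counts for ACL V6-01\n"
        "\n"
        "(0)   10 permit icmp ::/0 fe80::20:2/128 128\n"
        "(0)   20 deny tcp ::/0 fe80::20:2/128 eq 23 log\n"
        "(12)  30 permit ipv6 ::/0 ::/0\n"
    ),
}

# One ACE line looks like: "(hits)   seq action rest-of-ACE"
ACE_RE = re.compile(r"^\((\d+)\)\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")
NAME_RE = re.compile(r"Hit Counts for ACL\s+(\S+)")


def parse_hit_counts(text: str) -> Tuple[str, Counts]:
    """Parse one interface's listing into (acl_name, {seq: (hits, action, match)})."""
    name = None
    counts: Counts = {}
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line.strip())
        if m:
            hits, seq, action, match = m.groups()
            counts[int(seq)] = (int(hits), action, match)
    if name is None or not counts:
        raise ValueError("not a hit-count listing")
    return name, counts


def deny_hits(counts: Counts) -> int:
    """Total hits on deny ACEs within one interface's counter instance."""
    return sum(hits for hits, action, _ in counts.values() if action == "deny")


def denies_per_interface(outputs: Dict[str, str]) -> Dict[str, int]:
    """Read each interface's instance separately; never sum across ACL assignments."""
    return {iface: deny_hits(parse_hit_counts(text)[1]) for iface, text in outputs.items()}


def counter_deltas(before: Counts, after: Counts) -> Dict[int, int]:
    """Per-ACE hit increase between two snapshots of the same instance.

    Compare snapshots of one interface only; a snapshot from another port is a
    different counter instance and the difference would be meaningless.
    """
    return {seq: after[seq][0] - before[seq][0] for seq in after if seq in before}


if __name__ == "__main__":
    for iface, text in SAMPLE_OUTPUT.items():
        name, counts = parse_hit_counts(text)
        print(f"{name} on {iface}: {deny_hits(counts)} deny hits, "
              f"{len(counts)} ACEs")
```

Polling each interface the ACL is assigned to and alerting on a positive delta for a deny ACE such as ACE 20 is a simple way to catch Telnet attempts that the PACL blocked, since the log keyword alone shows only that a match occurred, not how the per-port counts evolve.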