RACL applications

RACL filter applications on routed IPv6 traffic

RACLs filter routed IPv6 traffic entering the switch on VLANs configured with the "in" ACL option:


vlan <vid> ipv6 access-group <identifier> <in|vlan-in>

In this figure:
  • You would assign an inbound ACL on VLAN 1 or an outbound ACL on VLAN 2 to filter a packet routed between subnets on different VLANs, that is, a packet sent from the workstation 2001:db8:0:111::2 on VLAN 1 to the server at 2001:db8:0:222::25 on VLAN 2. (An outbound ACL on VLAN 1 or an inbound or outbound ACL on VLAN 2 would not filter the packet.)

  • Where multiple subnets are configured on the same VLAN, you can use either inbound or outbound ACLs to filter routed IPv6 traffic between the subnets on the VLAN if the traffic source and destination IP addresses are on devices external to the switch.

Figure 4: RACL filter applications on routed IPv6 traffic

The switch allows one inbound IPv6 RACL assignment and one outbound IPv6 RACL assignment configured per IP routing interface. This is in addition to any other IPv6 ACL assigned to the IP routing interface or to any ports on the VLAN. You can use the same RACL or different RACLs to filter inbound and outbound routed IPv6 traffic on an IP routing interface.

IPv6 RACLs do not filter traffic that remains in the same subnet from source to destination (switched traffic) unless the destination address (DA) or source address (SA) is on the switch itself.
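
The rules above can be turned into a coverage check for planned ACL placements. The following Python is an added example, not vendor code; it models only inbound RACLs, and the /64 prefix lengths, the switch's own ::1 interface addresses and the ::9 host are assumptions made for illustration.

```python
import ipaddress

# Constructed topology: VLAN IDs and the two host addresses follow the page's
# figure text; the /64 prefixes and the switch's ::1 addresses are assumptions.
VLANS = {
    1: {"subnets": ["2001:db8:0:111::/64"], "switch": ["2001:db8:0:111::1"]},
    2: {"subnets": ["2001:db8:0:222::/64"], "switch": ["2001:db8:0:222::1"]},
}

# Constructed sample flows as (source address, destination address).
FLOWS = [
    ("2001:db8:0:111::2", "2001:db8:0:222::25"),  # workstation -> server, routed
    ("2001:db8:0:111::2", "2001:db8:0:111::9"),   # same subnet, switched
    ("2001:db8:0:111::2", "2001:db8:0:111::1"),   # to the switch's own address
]

def locate(addr):
    """Return (vid, subnet) for the VLAN subnet containing addr, or (None, None)."""
    ip = ipaddress.ip_address(addr)
    for vid, cfg in VLANS.items():
        for net in map(ipaddress.ip_network, cfg["subnets"]):
            if ip in net:
                return vid, net
    return None, None

def on_switch(addr):
    """True if addr is one of the switch's own interface addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip == ipaddress.ip_address(a)
               for cfg in VLANS.values() for a in cfg["switch"])

def inbound_racl_filters(src, dst, acl_vid):
    """True if an inbound RACL assigned to VLAN acl_vid filters src -> dst."""
    src_vid, src_net = locate(src)
    if src_vid != acl_vid:
        return False   # packet does not enter the switch on that VLAN
    if on_switch(dst):
        return True    # DA is on the switch itself
    if ipaddress.ip_address(dst) in src_net:
        return False   # stays in the same subnet: switched, not routed
    return True        # leaves the source subnet: routed

def uncovered(flows, inbound_acl_vids):
    """Flows that none of the configured inbound RACLs would filter."""
    return [f for f in flows
            if not any(inbound_racl_filters(f[0], f[1], v) for v in inbound_acl_vids)]

if __name__ == "__main__":
    for flow in uncovered(FLOWS, inbound_acl_vids=[1]):
        print("not filtered by any inbound RACL:", flow)
```

Traffic between two subnets configured on the same VLAN counts as routed in this model, because the destination falls outside the source subnet.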